Seguimos con la seríe de Emulación de ataques mediante Atomic Red Team y Detección con Azure Sentinel Parte. Ver parte 1
Leer másCategoría: DFIR
Emulación de ataques mediante Atomic Red Team y Detección con Azure Sentinel Parte 1 (ATT&CK T1003)
La emulación de ataques juega un papel importante en la identificación de las Técnicas, Tácticas y Procedimientos (TTP) que utilizan los adversarios. Proyectos como Atomic Red Team (ART) pueden ayudar a automatizar la emulación.
El marco MITRE ATT&CK®, que significa MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), es una base de conocimiento para modelar el comportamiento de un adversario cibernético.
¿Que es Atomic Red Team?
Atomic Red Team es una biblioteca de pruebas simples que todo equipo de seguridad puede ejecutar para probar sus defensas. Las pruebas están enfocadas, tienen pocas dependencias y se definen en un formato estructurado que pueden usar los marcos de automatización.
En esta primera entrada vamos a testear las reglas en Azure Sentinel relacionadas con OS Credential Dumping (T1003)
Leer másCyberdefenders – Insider writeup
Scenario:
After Karen started working for ‘TAAUSAI,’ she began to do some illegal activities inside the company. ‘TAAUSAI’ hired you to kick off an investigation on this case.
You acquired a disk image and found that Karen uses Linux OS on her machine. Analyze the disk image of Karen’s computer and answer the provided questions.
Tools:
Leer másCyberdefenders – Exfiltrated writeup
Scenario
The enterprise EDR alerted for possible exfiltration attempts originating from a developer RedHat Linux machine. A fellow SOC member captured a disk image for the suspected machine and sent it for you to analyze and identify the attacker’s footprints.
Tools
Leer másCyberdefenders – Hacked writeup
You have been called to analyze a compromised Linux web server. Figure out how the threat actor gained access, what modifications were applied to the system, and what persistent techniques were utilized. (e.g. backdoors, users, sessions, etc).
Tools:
Leer másCyberdefenders – BSidesJeddah-Part2 writeup
Scenario
The #NSM gear flagged suspicious traffic coming from one of the organization’s web servers. Analyze the server’s captured memory image and figure out what happened.
Tools
Leer másCyberdefenders – DetectLog4j writeup
Scenario
For the last week, log4shell vulnerability has been gaining much attention not for its ability to execute arbitrary commands on the vulnerable system but for the wide range of products that depend on the log4j library. Many of them are not known till now. We created a challenge to test your ability to detect, analyze, mitigate and patch products vulnerable to log4shell.
Tools:
Leer másCyberdefenders – MalDoc101 writeup
It is common for threat actors to utilize living off the land (LOTL) techniques, such as the execution of PowerShell to further their attacks and transition from macro code. This challenge is intended to show how you can often times perform quick analysis to extract important IOCs. The focus of this exercise is on static techniques for analysis.
Suggested Tools:
- REMnux Virtual Machine (remnux.org)
- Terminal/Command prompt w/ Python installed
- Oledump
- Text editor
En primer lugar vamos a instalar el software necesario para realizar el reto
Descargamos OLEDUMP
mkdir /opt/oledump
cd /opt/oledump
wget http://didierstevens.com/files/software/oledump_V0_0_60.zip
unzip oledump_V0_0_60.zipInstalamos oletools
pip install -U oletoolsCyberdefenders – DumpMe writeup
Scenario:
One of the SOC analysts took a memory dump from a machine infected with a meterpreter malware. As a Digital Forensicators, your job is to analyze the dump, extract the available indicators of compromise (IOCs) and answer the provided questions.
Tools:
Leer másCyberdefenders – DeepDive writeup
En esta entrada nuevamente vamos a resolver un reto de Cyberdefenders. Vamos concretamente DeepDive en la cual vamos a tener que realizar mediante Volatility un análisis forense.
Dado que mis conocimientos de Volatility y análisis forense es bajo me a parecido un reto muy difícil la cual me a ayudado a saber mas sobre el funcionamiento de la memoria.
Scenario
You have given a memory image for a compromised machine. Analyze the image and figure out attack details.
Tools
Resources
Leer más