IR – Red-Orbita

Cyberdefenders – XLM Macros writeup

22 diciembre, 202316 agosto, 2024 rokitoh Deja un comentario

Recently, we have seen a resurgence of Excel-based malicous office documents. Howerver, instead of using VBA-style macros, they are using older style Excel 4 macros. This changes our approach to analyzing these documents, requiring a slightly different set of tools. In this challenge, you’ll get hands-on with two documents that use Excel 4.0 macros to perform anti-analysis and download the next stage of the attack.

Samples:

Sample1: MD5: fb5ed444ddc37d748639f624397cff2a
Sample2: MD5: b5d469a07709b5ca6fee934b1e5e8e38

Helpful Tools:

REMnux VM
XLMDeobfuscator
OLEDUMP with PLUGIN_BIFF
Office IDE

Cyberdefenders – Insider writeup

30 marzo, 202230 marzo, 2022 rokitoh Deja un comentario

Scenario:

After Karen started working for ‘TAAUSAI,’ she began to do some illegal activities inside the company. ‘TAAUSAI’ hired you to kick off an investigation on this case.

You acquired a disk image and found that Karen uses Linux OS on her machine. Analyze the disk image of Karen’s computer and answer the provided questions.

Tools:

FTK Imager

Cyberdefenders – Exfiltrated writeup

30 marzo, 202230 marzo, 2022 rokitoh Deja un comentario

Scenario

The enterprise EDR alerted for possible exfiltration attempts originating from a developer RedHat Linux machine. A fellow SOC member captured a disk image for the suspected machine and sent it for you to analyze and identify the attacker’s footprints.

Tools

Cyberdefenders – Hacked writeup

28 marzo, 202228 marzo, 2022 rokitoh Deja un comentario

You have been called to analyze a compromised Linux web server. Figure out how the threat actor gained access, what modifications were applied to the system, and what persistent techniques were utilized. (e.g. backdoors, users, sessions, etc).

Tools:

Cyberdefenders – DetectLog4j writeup

17 febrero, 202217 febrero, 2022 rokitoh Deja un comentario

Scenario

For the last week, log4shell vulnerability has been gaining much attention not for its ability to execute arbitrary commands on the vulnerable system but for the wide range of products that depend on the log4j library. Many of them are not known till now. We created a challenge to test your ability to detect, analyze, mitigate and patch products vulnerable to log4shell.

Tools:

Cyberdefenders – MalDoc101 writeup

11 febrero, 202211 febrero, 2022 rokitoh Deja un comentario

It is common for threat actors to utilize living off the land (LOTL) techniques, such as the execution of PowerShell to further their attacks and transition from macro code. This challenge is intended to show how you can often times perform quick analysis to extract important IOCs. The focus of this exercise is on static techniques for analysis.

Suggested Tools:

REMnux Virtual Machine (remnux.org)
Terminal/Command prompt w/ Python installed
Oledump
Text editor

En primer lugar vamos a instalar el software necesario para realizar el reto

Descargamos OLEDUMP

mkdir /opt/oledump
cd /opt/oledump
wget http://didierstevens.com/files/software/oledump_V0_0_60.zip
unzip oledump_V0_0_60.zip

Instalamos oletools

pip install -U oletools

Cyberdefenders – Bucket writeup

15 enero, 202215 enero, 2022 rokitoh Deja un comentario

Scenario

Welcome, Defender! As an incident responder, we’re granting you access to the AWS account called «Security» as an IAM user. This account contains a copy of the logs during the time period of the incident and has the ability to assume the «Security» role in the target account so you can look around to spot the misconfigurations that allowed for this attack to happen.

Credentials

Your IAM credentials for the Security account:

Login: https://flaws2-security.signin.aws.amazon.com/console
Account ID: 322079859186
Username: security
Password: password
Access Key: AKIAIUFNQ2WCOPTEITJQ
Secret Key: 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

Environment

The credentials above give you access to the Security account, which can assume the role of «security» in the Target account. You also have access to an S3 bucket, named flaws2_logs, in the Security account, that contains the CloudTrail logs recorded during a successful compromise