Forensics – Red-Orbita

Cyberdefenders – Reveal Blue Team Lab writeup

23 agosto, 202423 agosto, 2024 rokitoh Deja un comentario

Instructions:

Uncompress the lab (pass: cyberdefenders.org)

Scenario:

As a cybersecurity analyst for a leading financial institution, an alert from your SIEM solution has flagged unusual activity on an internal workstation. Given the sensitive financial data at risk, immediate action is required to prevent potential breaches.

Your task is to delve into the provided memory dump from the compromised system. You need to identify basic Indicators of Compromise (IOCs) and determine the extent of the intrusion. Investigate the malicious commands or files executed in the environment, and report your findings in detail to aid in remediation and enhance future defenses.

Tools:

Volatility 3

Cyberdefenders – Exfiltrated writeup

30 marzo, 202230 marzo, 2022 rokitoh Deja un comentario

Scenario

The enterprise EDR alerted for possible exfiltration attempts originating from a developer RedHat Linux machine. A fellow SOC member captured a disk image for the suspected machine and sent it for you to analyze and identify the attacker’s footprints.

Tools

Cyberdefenders – Hacked writeup

28 marzo, 202228 marzo, 2022 rokitoh Deja un comentario

You have been called to analyze a compromised Linux web server. Figure out how the threat actor gained access, what modifications were applied to the system, and what persistent techniques were utilized. (e.g. backdoors, users, sessions, etc).

Tools:

Cyberdefenders – BSidesJeddah-Part2 writeup

9 marzo, 20229 marzo, 2022 rokitoh Deja un comentario

Scenario

The #NSM gear flagged suspicious traffic coming from one of the organization’s web servers. Analyze the server’s captured memory image and figure out what happened.

Tools

Volatility

Cyberdefenders – DetectLog4j writeup

17 febrero, 202217 febrero, 2022 rokitoh Deja un comentario

Scenario

For the last week, log4shell vulnerability has been gaining much attention not for its ability to execute arbitrary commands on the vulnerable system but for the wide range of products that depend on the log4j library. Many of them are not known till now. We created a challenge to test your ability to detect, analyze, mitigate and patch products vulnerable to log4shell.

Tools:

Cyberdefenders – MalDoc101 writeup

11 febrero, 202211 febrero, 2022 rokitoh Deja un comentario

It is common for threat actors to utilize living off the land (LOTL) techniques, such as the execution of PowerShell to further their attacks and transition from macro code. This challenge is intended to show how you can often times perform quick analysis to extract important IOCs. The focus of this exercise is on static techniques for analysis.

Suggested Tools:

REMnux Virtual Machine (remnux.org)
Terminal/Command prompt w/ Python installed
Oledump
Text editor

En primer lugar vamos a instalar el software necesario para realizar el reto

Descargamos OLEDUMP

mkdir /opt/oledump
cd /opt/oledump
wget http://didierstevens.com/files/software/oledump_V0_0_60.zip
unzip oledump_V0_0_60.zip

Instalamos oletools

pip install -U oletools

Cyberdefenders – DumpMe writeup

26 enero, 202226 enero, 2022 rokitoh Deja un comentario

Scenario:

One of the SOC analysts took a memory dump from a machine infected with a meterpreter malware. As a Digital Forensicators, your job is to analyze the dump, extract the available indicators of compromise (IOCs) and answer the provided questions.

Tools:

Volatility 2

Cyberdefenders – DeepDive writeup

23 enero, 202224 enero, 2022 rokitoh Deja un comentario

En esta entrada nuevamente vamos a resolver un reto de Cyberdefenders. Vamos concretamente DeepDive en la cual vamos a tener que realizar mediante Volatility un análisis forense.

Dado que mis conocimientos de Volatility y análisis forense es bajo me a parecido un reto muy difícil la cual me a ayudado a saber mas sobre el funcionamiento de la memoria.

Scenario

You have given a memory image for a compromised machine. Analyze the image and figure out attack details.

Tools

Volatility 2

Resources

https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ob/inc/header/infomask.htm