• All Posts
Data Science
Business and Consulting
Climate and Energy
Cognition and Learning
• Book Notes
• Course Notes
• Other
Contemplations and Society
IT and Technology
• How-Tos
• Scripts
  • Bookmarkletss
  • Linux / Bash
  • Userscripts
Projects
• Android
• Arduino
• Python
• Web
Cyber Security
• Challenges
• Operational Technology (OT)
• Other

HoneyBOT (pcap Analysis)

https://cyberdefenders.org/labs/45 Contents Description Tools Questions 1. What is the attackers IP address? 2. What is the targets IP address? 3. Provide the country code for the attackers IP address (a.k.a geo-location). 4. How many TCP sessions are present in the captured traffic? 5. How long did it take to perform the attack (in seconds)? 6. No question 6 . . . 7. Provide the CVE number of the exploited vulnerability. 8.

• CyberDefenders

Monday, October 11, 2021 | 5 minutes Read

Network Analysis - Web Shell

https://blueteamlabs.online/home/challenge/12 Contents Introduction Questions What is the IP responsible for conducting the port scan activity? What is the port range scanned by the suspicious host? What is the type of port scan conducted? Two more tools were used to perform reconnaissance against open ports, what were they? What is the name of the php file through which the attacker uploaded a web shell? What is the name of the web shell that the attacker uploaded?

• Blue Team Labs Online

Monday, September 6, 2021 | 6 minutes Read

XLM Macros (Document Analysis)

https://cyberdefenders.org/labs/55 Contents Description Helpful Tools Questions 1: Sample1: What is the document decryption password? 2. There is no question 2 . . . 3: Sample1: This document contains six hidden sheets. What are their names? Provide the value of the one starting with S. 4: Sample1: What URL is the malware using to download the next stage? 5: Sample1: What malware family was this document attempting to drop? 6: Sample2: This document has a very hidden sheet.

• CyberDefenders

Wednesday, September 1, 2021 | 6 minutes Read

L'Espion (OSINT)

https://cyberdefenders.org/labs/73 Contents Description Questions 1: Github.txt: What is the API key the insider added to his GitHub repositories? 2: Github.txt: What is the plaintext password the insider added to his GitHub repositories? 3: Github.txt: What cryptocurrency mining tool did the insider use? 4: What university did the insider go to? 5: What gaming website the insider had an account on? 6: What is the link to the insider Instagram profile? 7: Where did the insider go on the holiday?

• CyberDefenders

Tuesday, August 17, 2021 | 5 minutes Read

Log Analysis - Privilege Escalation

https://blueteamlabs.online/home/challenge/4 Contents Introduction Questions What user (other than ‘root’) is present on the server? What script did the attacker try to download to the server? What packet analyzer tool did the attacker try to use? What file extension did the attacker use to bypass the file upload filter implemented by the developer? Based on the commands run by the attacker before removing the php shell, what misconfiguration was exploited in the ‘python’ binary to gain root-level access?

• Blue Team Labs Online

Monday, August 9, 2021 | 3 minutes Read

AfricaFalls (Disk Image Forensics)

https://cyberdefenders.org/labs/66 Contents Introduction Tools Preparation Questions #1: What is the MD5 hash value of the suspect disk? #2: What phrase did the suspect search for on 2021-04-29 18:17:38 UTC? #3: What is the IPv4 address of the FTP server the suspect connected to? #4: What date and time was a password list deleted in UTC? #5: How many times was Tor Browser ran on the suspects computer? #6: What is the suspects email address?

• CyberDefenders

Sunday, July 18, 2021 | 6 minutes Read

Memory Analysis - Ransomware

https://blueteamlabs.online/home/challenge/1 Introduction Questions Run “vol.py -f infected.vmem –profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process? What is the parent process ID for the suspicious process? What is the initial malicious executable that created this process? If you drill down on the suspicious PID (vol.py -f infected.vmem –profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files Find the path where the malicious file was first executed Can you identify what ransomware it is?

• Blue Team Labs Online

Monday, July 12, 2021 | 5 minutes Read

SANS June 2021 Forensic Contest

Update The answers have been released and are available here: https://isc.sans.edu/forums/diary/June+2021+Forensic+Contest+Answers+and+Analysis/27582/ They said it was hard, and it was. I’m proud of what I found! Reflecting back: For some reason, I thought they meant not all the machines are infected. It turns out all three were! So I skipped over .93 entirely. Similarly, I was thinking each infected machine only had one piece of malware. Wrong again! Because I was looking for the answers and not thinking as if it was a real investigation, I stopped looking too early.

• Digital Forensics

Tuesday, June 29, 2021 | 10 minutes Read

The Planet's Prestige (Email and Attachment Analysis)

https://blueteamlabs.online/home/challenge/10 What is the email service used by the malicious actor? What is the Reply-To email address? What is the filetype of the received attachment which helped to continue the investigation What is the name of the malicious actor? What is the location of the attacker in this Universe? What could be the probable C2 domain to control the attacker’s autonomous bots? What is the email service used by the malicious actor?

• Blue Team Labs Online

Sunday, June 20, 2021 | 3 minutes Read

Hammered (Log Analysis)

https://cyberdefenders.org/labs/42 Contents Initial Analysis Initial Findings Manipulating the Logs auth.log - sorted by command then time auth.log - all unique lines sorted by command (excluding timestamp) auth.log - extract commands auth.log - extract IPs www-access.log - extract IPs www-access.log - extract user agents Questions #1 Which service did the attackers use to gain access to the system? #2 What is the operating system version of the targeted system? (one word) #3 What is the name of the compromised account #4 #5 Consider that each unique IP represents a different attacker.

• CyberDefenders

Thursday, May 27, 2021 | 7 minutes Read

Malicious PowerShell Analysis

https://blueteamlabs.online/home/challenge/7 Open the file Decode the file Deobfuscating the script Spacing Fillers Chars Variables Format Strings Replaces Splits Questions What security protocol is being used for the communication with a malicious domain? What directory does the obfuscated PowerShell create? (Starting from \HOME) What file is being downloaded (full name)? What is used to execute the downloaded file? What is the domain name of the URI ending in ‘/6F2gd/’ Based on the analysis of the obfuscated code, what is the name of the malware?

• Blue Team Labs Online

Sunday, May 16, 2021 | 4 minutes Read

MalDoc101 (Document Analysis)

https://cyberdefenders.org/labs/51 Contents Tools Used 1. Multiple streams contain macros in this document. Provide the number of highest one. 2. What event is used to begin the execution of the macros? 3. What malware family was this maldoc attempting to drop? 4. What stream is responsible for the storage of the base64-encoded string? 5. This document contains a user-form. Provide the name? 6. This document contains an obfuscated base64 encoded string; what value is used to pad (or obfuscate) this string?

• CyberDefenders

Monday, April 26, 2021 | 5 minutes Read

• ««
• «
• 1
• 2
• »
• »»