4ensiX

4ensiX

FPと言ったものはFPを選んだが表示はTPになっていることに気づいた。

redhat系Linuxのvolatility3プロファイルの作成 rocky linuxでの作業例

volatility3のプロファイル volatility3でWindowsのメモリ解析を行う場合には,解析時にインターネットから自動的に必要なプロファイルがダウンロードされる. Linuxの場合はメモリに合わせたプロファイルを作成する必要がある. Linuxの場合には,基本的に…

volatility3 ubuntu 22.04.2 LTS へのインストール

Volatility(https://github.com/volatilityfoundation/volatility3)はメモリダンプを解析するためのフレームワークである. 元々python2で書かれたvolatilit2が主流であったが,2019年にpython3に対応したvolatility3がリリースされ, 現在はvolatility3への…

LetsDefend Challenge Malware Analysis: Malicious Doc

LetsDefend Challenge Malware Analysis: Malicious Doc What type of exploit is running as a result of the relevant file running on the victim machine? What is the relevant Exploit CVE code obtained as a result of the analysis? What is the na…

LetsDefend Challenge Malware Analysis: Malicious VBA

LetsDefend Challenge Malware Analysis: Malicious VBA The document initiates the download of a payload after the execution, can you tell what website is hosting it? What is the filename of the payload (include the extension)? What method is…

LetsDefend Challenge Malware Analysis: Remote Working

LetsDefend Challenge Malware Analysis: Remote Working What is the date the file was created? With what name is the file detected by Bitdefender antivirus? How many files are dropped on the disk? What is the sha-256 hash of the file with em…

LetsDefend Challenge Malware Analysis: Presentation As a Malware

LetsDefend Challenge Malware Analysis: Presentation As a Malware What was the general name / category of the malicious file in the analyzed ppt file? Which of the url addresses it communicates with has been detected as harmful by sandboxes…

LetsDefend Challenge DFIR: Memory Analysis writeup

LetsDefend Challenge DFIR: Memory Analysis What was the date and time when Memory from the compromised endpoint was acquired? What was the suspicious process running on the system? (Format : name.extension) Analyze and find the malicious t…

LetsDefend Challenge DFIR: IcedID Malware Family writeup

LetsDefend Challenge DFIR: IcedID Malware Family What is the sha256 hash for the malspam attachment? What is the child process command line when the user enabled the Macro? What is the HTML Application file's sha256 hash from previous ques…

LetsDefend level 1 alert SOC164 - Suspicious Mshta Behavior event-id 114

今回のアラート Start Playbook! Determine Suspicious Activity What Is Suspicious Activity? Who Performed the Activity? Add Artifacts End appendix 今回のアラート SOC164 - Suspicious Mshta Behavior Low reputation hta file executed via mshta.e…

LetsDefend level 2 alert SOC154 - Service Configuration File Changed by Non Admin User event-id 102

Details playbook Connect Machine Verify Determine whether alert was TP or FP Choose Incident Type What is the initial access method used in the attack? Determines Scope of Threat/Risk to the Organization What is the persistence method used…

LetsDefend level 1 alert SOC165 - Possible SQL Injection Payload Detected event-id 115

Details playbook Is Traffic Malicious? What Is The Attack Type? Check If It Is a Planned Test What Is the Direction of Traffic? Was the Attack Successful? Add Artifacts Do You Need Tier 2 Escalation? End Details EventID : 115 Event Time : …

LetsDefend Challenge DFIR: Port Scan Activity writeup

LetsDefend Challenge DFIR: Port Scan Activity Question1: What is the IP address scanning the environment? 一番沢山パケットを飛ばしていそうなのが怪しい. $ tshark -r port\ scan.pcap -z conv,ip -q ============================================…

Blue Team Level 1 gold coinを獲得しました。

BTL1(Blue Team Level 1)の概要 試験の準備 申し込み 申し込み段階での自身のBlueTeam関連スキル 申し込み後にアクセスできるコンテンツ 申し込み後の追加学習 試験 最後に一言 BTL1(Blue Team Level 1)の概要 名前の通りBlue Teamのための資格であって、 フ…

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 16

Details playbook Analyze Threat Intel Data URL https[:]//pssd-ltdgroup[.]com/ Domain pssd-ltdgroup[.]com 5.188.0.251 Interaction with TI data Log Endpoint Containment Add Artifacts End Details EventID: 16 Event Time: Sept. 20, 2020, 10:54 …

LetsDefend level 1 alert SOC106 - Found Suspicious File - TI Data event-id 17

Details playbook Check if the malware is quarantined/cleaned Analyze Malware Add Artifacts End Details EventID: 17 Event Time: Sept. 22, 2020, 11:10 a.m. Rule: SOC106 - Found Suspicious File - TI Data Level: Security Analyst Source Address…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 18

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment 送信側アドレス cashbank[.]com 172.82.128.241 mail Attachments Check If Mail Delivered to User? Check If Someone Opened the Malicios File/URL? Add Artifacts…

LetsDefend level 1 alert SOC107 - Privilege Escalation Detected event-id 19

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware creditcard -> 27e56f0f4bbb933a9ef25e0e0c2a4aaae578bdc2623e6bcdf664834e4ce60c9d Check If Someone Requested the C2 Add Artifacts End Details…

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 20

Details playbook Analyze Threat Intel Data https[:]//raw.githubusercontent[.]com/django/django/master/setup.py 151.101.112.133 Add Artifacts End Details EventID: 20 Event Time: Oct. 19, 2020, 9:54 p.m. Rule: SOC105 - Requested T.I. URL add…

LetsDefend level 1 alert SOC104 - Malware Detected event-id 21

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware F46B0C39FCFDF4C0426C9276A2BB48C6 Check If Someone Requested the C2 Containment Add Artifacts End Details EventID: 21 Event Time: Oct. 20, …

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 22

Details playbook Search Log Analyze URL Address アクセス先ip 35.189.10.17 Suspicious URL: http[:]//stylefix[.]co/guillotine-cross/CTRNOQ/ Has Anyone Accessed IP/URL/Domain? Containment Add Artifacts End Details EventID: 22 Event Time: Oct.…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 24

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment Attachments 1ceda3ccc4e450088204e23409904fa8 Check If Mail Delivered to User? Add Artifacts End Details EventID: 24 Event Time: Oct. 25, 2020, 9:32 p.m. Ru…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 25

Details 送信元 157.230.109.166 playbook Are there attachments or URLs in the email? Analyze Url/Attachment Attachments 5a3de19f198269947bb509152678b7d2 Check If Mail Delivered to User? Add Artifacts End Details EventID: 25 Event Time: Oct.…

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 26

Details playbook Analyze URL Address 217.8.117.7 http[:]//jamesrlongacre.ac[.]ug/ac.exe User Agent: Firewall Test - Dont Block <- ???? Has Anyone Accessed IP/URL/Domain? Add Artifacts End Details EventID: 26 Event Time: Oct. 29, 2020, 7:05…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 27

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment Sender IP 146.56.209.252 Sender Domain zol.co[.]zw Mail URL link: https[:]//hredoybangladesh[.]com/content/docs/wvoiha4vd1aqty/ hredoybangladesh[.]com Chec…

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 28

Details playbook Analyze Threat Intel Data http[:]//115.99.150.132:56841/Mozi.m Download file Mozi.m Interaction with TI data Log search Add Artifacts End Details EventID: 28 Event Time: Oct. 29, 2020, 7:34 p.m. Rule: SOC105 - Requested T.…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 29

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment Check If Mail Delivered to User? Add Artifacts End Details EventID: 29 Event Time: Oct. 29, 2020, 7:43 p.m. Rule: SOC101 - Phishing Mail Detected Level: Se…

BTLO Challenge Suspicious USB Stick(Retired Challenge) write up

BTLO Challenge Suspicious USB Stick(Retired Challenge) Scenario Challenge Submission 1. What file is the autorun.inf running? (3 points) 2. Does the pdf file pass virustotal scan? (No malicious results returned) (2 points) 3. Does the file…

BTLO Challenge Memory Analysis - Ransomware(Retired Challenge) write up

BTLOを始めてみました。 このサービスでは防御分野Blue Teamの実践的なスキルを用意されたファイルとシナリオに沿って学べます。環境が用意されているInvestigationsとファイルが渡されて解析を行うChallengesがあります。 サービスの規約により、Retiredと…

LetsDefend level 1 alert SOC104 - Malware Detected event-id 31

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware cdde99520664ac313d43964620019c61 Endpoint - JohnComputer Process History Logsearch Check If Someone Requested the C2 Containment Add Artif…

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 32

Details playbook Search Log Analyze URL Address https[:]//encrypted-tbn0.gstatic[.]com/images?q=tbn:ANd9GcSjESkzn2LUxELhnqZZWBbmGwtbqfFsaemB9w&usqp=CAU encrypted-tbn0.gstatic[.]com 172.217.17.174 Add Artifacts End Details EventID: 32 Event…