4ensiX

4ensiX

FPと言ったものはFPを選んだが表示はTPになっていることに気づいた。

Blue Team Level 1 gold coinを獲得しました。

BTL1(Blue Team Level 1)の概要 試験の準備 申し込み 申し込み段階での自身のBlueTeam関連スキル 申し込み後にアクセスできるコンテンツ 申し込み後の追加学習 試験 最後に一言 BTL1(Blue Team Level 1)の概要 名前の通りBlue Teamのための資格であって、 フ…

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 16

Details playbook Analyze Threat Intel Data URL https[:]//pssd-ltdgroup[.]com/ Domain pssd-ltdgroup[.]com 5.188.0.251 Interaction with TI data Log Endpoint Containment Add Artifacts End Details EventID: 16 Event Time: Sept. 20, 2020, 10:54 …

LetsDefend level 1 alert SOC106 - Found Suspicious File - TI Data event-id 17

Details playbook Check if the malware is quarantined/cleaned Analyze Malware Add Artifacts End Details EventID: 17 Event Time: Sept. 22, 2020, 11:10 a.m. Rule: SOC106 - Found Suspicious File - TI Data Level: Security Analyst Source Address…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 18

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment 送信側アドレス cashbank[.]com 172.82.128.241 mail Attachments Check If Mail Delivered to User? Check If Someone Opened the Malicios File/URL? Add Artifacts…

LetsDefend level 1 alert SOC107 - Privilege Escalation Detected event-id 19

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware creditcard -> 27e56f0f4bbb933a9ef25e0e0c2a4aaae578bdc2623e6bcdf664834e4ce60c9d Check If Someone Requested the C2 Add Artifacts End Details…

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 20

Details playbook Analyze Threat Intel Data https[:]//raw.githubusercontent[.]com/django/django/master/setup.py 151.101.112.133 Add Artifacts End Details EventID: 20 Event Time: Oct. 19, 2020, 9:54 p.m. Rule: SOC105 - Requested T.I. URL add…

LetsDefend level 1 alert SOC104 - Malware Detected event-id 21

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware F46B0C39FCFDF4C0426C9276A2BB48C6 Check If Someone Requested the C2 Containment Add Artifacts End Details EventID: 21 Event Time: Oct. 20, …

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 22

Details playbook Search Log Analyze URL Address アクセス先ip 35.189.10.17 Suspicious URL: http[:]//stylefix[.]co/guillotine-cross/CTRNOQ/ Has Anyone Accessed IP/URL/Domain? Containment Add Artifacts End Details EventID: 22 Event Time: Oct.…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 24

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment Attachments 1ceda3ccc4e450088204e23409904fa8 Check If Mail Delivered to User? Add Artifacts End Details EventID: 24 Event Time: Oct. 25, 2020, 9:32 p.m. Ru…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 25

Details 送信元 157.230.109.166 playbook Are there attachments or URLs in the email? Analyze Url/Attachment Attachments 5a3de19f198269947bb509152678b7d2 Check If Mail Delivered to User? Add Artifacts End Details EventID: 25 Event Time: Oct.…

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 26

Details playbook Analyze URL Address 217.8.117.7 http[:]//jamesrlongacre.ac[.]ug/ac.exe User Agent: Firewall Test - Dont Block <- ???? Has Anyone Accessed IP/URL/Domain? Add Artifacts End Details EventID: 26 Event Time: Oct. 29, 2020, 7:05…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 27

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment Sender IP 146.56.209.252 Sender Domain zol.co[.]zw Mail URL link: https[:]//hredoybangladesh[.]com/content/docs/wvoiha4vd1aqty/ hredoybangladesh[.]com Chec…

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 28

Details playbook Analyze Threat Intel Data http[:]//115.99.150.132:56841/Mozi.m Download file Mozi.m Interaction with TI data Log search Add Artifacts End Details EventID: 28 Event Time: Oct. 29, 2020, 7:34 p.m. Rule: SOC105 - Requested T.…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 29

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment Check If Mail Delivered to User? Add Artifacts End Details EventID: 29 Event Time: Oct. 29, 2020, 7:43 p.m. Rule: SOC101 - Phishing Mail Detected Level: Se…

BTLO Challenge Suspicious USB Stick(Retired Challenge) write up

BTLO Challenge Suspicious USB Stick(Retired Challenge) Scenario Challenge Submission 1. What file is the autorun.inf running? (3 points) 2. Does the pdf file pass virustotal scan? (No malicious results returned) (2 points) 3. Does the file…

BTLO Challenge Memory Analysis - Ransomware(Retired Challenge) write up

BTLOを始めてみました。 このサービスでは防御分野Blue Teamの実践的なスキルを用意されたファイルとシナリオに沿って学べます。環境が用意されているInvestigationsとファイルが渡されて解析を行うChallengesがあります。 サービスの規約により、Retiredと…

LetsDefend level 1 alert SOC104 - Malware Detected event-id 31

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware cdde99520664ac313d43964620019c61 Endpoint - JohnComputer Process History Logsearch Check If Someone Requested the C2 Containment Add Artif…

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 32

Details playbook Search Log Analyze URL Address https[:]//encrypted-tbn0.gstatic[.]com/images?q=tbn:ANd9GcSjESkzn2LUxELhnqZZWBbmGwtbqfFsaemB9w&usqp=CAU encrypted-tbn0.gstatic[.]com 172.217.17.174 Add Artifacts End Details EventID: 32 Event…

LetsDefend level 1 alert SOC104 - Malware Detected event-id 36

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware f83fb9ce6a83da58b20685c1d7e1e546 Log Search 92.63.8.47 Check If Someone Requested the C2 Containment Add Artifacts End Details EventID: 36…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 34

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment http[:]//bit.ly/3ecXem52 netflix-payments.com 112.85.42.180 Check If Mail Delivered to User? Check If Someone Opened the Malicios File/URL? Add Artifacts E…

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 35

Details playbook Search Log Analyze URL Address 66.198.240.56 http[:]//interalliance.org/ https[:]//interalliance.org/come2/holme/folde/swiftcopy.ps1 Has Anyone Accessed IP/URL/Domain? Containment Endpoint - Aldo(172.16.17.51) Process Hist…

LetsDefend level 1 alert SOC109 - Emotet Malware Detected event-id 39

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware eee99e6d8ade9463dd206dfbad3485ea http[:]//decpak.com/cgi-bin/gU/ Check If Someone Requested the C2 Log search - 172.16.17.83 330 331 332 C…

LetsDefend level 1 alert SOC108 - Malicious Remote Access Software Detected event-id 38

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware ff6bbddc34cbd33e2501872b97c4bacd Log search - 172.16.17.33 328 329 Add Artifacts End Details EventID: 38 Event Time: Jan. 1, 2021, 5:36 p.…

LetsDefend level 1 alert SOC110 - Proxy - Cryptojacking Detected event-id 40

Details playbook Search Log 333 Analyze URL Address https[:]//bit.ly/3hNuByx Add Artifacts End Details EventID: 40 Event Time: Jan. 2, 2021, 4:33 a.m. Rule: SOC110 - Proxy - Cryptojacking Detected Level: Security Analyst Source Address 172…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 41

Details mail playbook Are there attachments or URLs in the email? Analyze Url/Attachment 9ed9ad87a1564fbb5e1b652b3e7148c8.zip Check If Mail Delivered to User? Add Artifacts 104.140.188.46 cashbank[.]com Log search - 104.140.188.46 End Deta…

LetsDefend level 1 alert SOC111 - Traffic to Malware Domain event-id 42

Details playbook Search Log 45.80.181.51 casinos-hub[.]com Log search - 45.80.181.51 Analyze URL Address Has Anyone Accessed IP/URL/Domain? Add Artifacts Endpoint - BellaPRD End Details EventID: 42 Event Time: Jan. 30, 2021, 5:25 p.m. Rule…

LetsDefend level 1 alert SOC112 - Traffic to Blacklisted IP event-id 43

Details playbook Search Log 193.239.147.32 Log search 193.239.147.32 Analyze URL Address http[:]//193.239.147.32/OBBBOP.exe OBBOP.exe Has Anyone Accessed IP/URL/Domain? Containment Endpoint - Jack(172.16.17.21) Browser History CMD History …

LetsDefend level 1 alert SOC113 - Suspicious hh.exe Usage event-id 44

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Endpoint - BillPRD CMD History Analyze Malware WinRAR.chm Add Artifacts End Details EventID: 44 Event Time: Jan. 31, 2021, 4:59 p.m. Rule: SOC113 - Suspic…

LetsDefend level 1 alert SOC116 - DNS Hijacking Detected event-id 49

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware Endpoint - WilsonPRD Browser History CMD History Network Connections update.py Check If Someone Requested the C2 Log search - 49.233.160.2…

LetsDefend level 1 alert SOC117 - Suspicious .reg File event-id 50

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware config.reg importantUpdate.bat Add Artifacts End Details EventID: 50 Event Time: Feb. 6, 2021, 1:58 p.m. Rule: SOC117 - Suspicious .reg Fi…