PS Eclipse
Last updated
Last updated
Start Machine
Scenario: You are a SOC Analyst for an MSSP (Managed Security Service Provider) company called TryNotHackMe.
A customer sent an email asking for an analyst to investigate the events that occurred on Keegan's machine on Monday, May 16th, 2022. The client noted that the machine is operational, but some files have a weird file extension. The client is worried that there was a ransomware attempt on Keegan's device.
Your manager has tasked you to check the events in Splunk to determine what occurred in Keegan's device.
Happy Hunting!
Virtual Machine
You can use the Attack Box or OpenVPN to access the Splunk instance. The IP for the Splunk instance is MACHINE_IP.
Note: Wait for the virtual machine to fully load. If you see errors after 2 minutes, refresh the URL until it loads.
Answer the questions below
A suspicious binary was downloaded to the endpoint. What was the name of the binary?
OUTSTANDING_GUTTER.exe
What is the address the binary was downloaded from? Add http:// to your answer & defang the URL.
Cyberchef can help with defanging the URL.
What Windows executable was used to download the suspicious binary? Enter full path.
What command was executed to configure the suspicious binary to run with elevated privileges?
Event Code 12 will help here. Note that the attacker tried multiple attempts to configure this command correctly
What permissions will the suspicious binary run as? What was the command to run the binary with elevated privileges? (Format: User + ; + CommandLine)
The suspicious binary connected to a remote server. What address did it connect to? Add http:// to your answer & defang the URL.
Cyberchef can help with defanging the URL.
A PowerShell script was downloaded to the same location as the suspicious binary. What was the name of the file?
script.ps1
The malicious script was flagged as malicious. What do you think was the actual name of the malicious script?
Check VirusTotal for the hash of the PowerShell script.
BlackSun.ps1
A ransomware note was saved to disk, which can serve as an IOC. What is the full path to which the ransom note was saved?
The script saved an image file to disk to replace the user's desktop wallpaper, which can also serve as an IOC. What is the full path of the image?
[[NahamStore]]