-
These will cover core competencies of CTI work:
- File Triage
- Network Triage
- Mitre ATT&CK TTPs
- OSINT Research
-
The first question is done for you as an example of how the answers should look 🙂
-
There is a PDF (see below) containing the answers. Decrypt it with the password after you've had a go at the quiz 📝
| File Hash | File Contents | Function | Verdict | Comment |
|---|---|---|---|---|
| ec9f9bdd04f17a36a860c946a9468ad931efb5ab3ba1dcb7292f965043c445aa | Agent Tesla | Infostealer | Malicious | Commodity crimeware tool |
| 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502 | ||||
| cebaf2bfcf1f2297d18e4d35efb2597adc334513 | ||||
| 4b80c7e7499d3cdddb4a6eba8d200c9dfa1a191d29b1c4335932c676157767d1 | ||||
| 943cb4b5ffb69926803d7f9c3dd1bc7c | ||||
| 66e636ad5d074466ae6cb5a393050587 | ||||
| b2146ce57cfa6785eb1c9a405abc48e844c15a5431b85c653f2bda57e03f7449 | ||||
| 329b92fd43004ccac98fba9cea61cfdffefbac04982af76958a13b85780c3301 | ||||
| 963b55acc8c566876364716d5aafa353995812a8 | ||||
| 534a7ea9c67bab3e8f2d41977bf43d41dfe951cf |
| IOC | ISP | Malware | Function | Verdict | Comment |
|---|---|---|---|---|---|
| 88.150.240.129 | IOMART | Trickbot | C&C | Malicious | Botnet, linked to WizardSpider and Conti |
| 134.209.182.12 | |||||
| files.slack.com | |||||
| cdn.discordapp.com | |||||
| beklear.net | |||||
| kevinjohan.com | |||||
| decoder.re | |||||
| avaddongun7rngel.onion | |||||
| 23.220.206.73 | |||||
| 151.101.228.144 |
| Procedure | Technique | Tactic |
|---|---|---|
| Group I - has used exploits to increase their levels of rights and privileges | Exploitation for Privilege Escalation | Privilege Escalation |
| Group II - has used a modified TeamViewer client to remotely control compromised devices | ||
| Group III - distributed NotPetya ransomware by compromising the legitimate Ukrainian accounting software M.E.Doc | ||
| Group IV - installs VNC server software that executes through rundll32 | ||
| Group V - can perform brute force attacks to obtain credentials | ||
| Group VI has encrypted and encoded data in its malware, including by using base64 | ||
| Group VII - attempts to destroy data by overwriting operating system files and disk structures with image files | ||
| Group VIII - can encrypt files on victim systems and demands a ransom to decrypt the files | ||
| Group IX - has used lures to get users to click links in emails and attachments | ||
| Group X - created a backdoor that used TOR to forward traffic from to local Ports 3389 (RDP), 139 (Netbios), and 445 (SMB) |
| URL | Use OSINT and describe the scenario |
|---|---|
| app[.]any[.]run/tasks/70259ce5-e073-4c00-a10d-08b26bed770d/ | Dridex XLS macro doc uses mshta.exe to download a payload |
| app[.]any[.]run/tasks/78393e80-d0e4-4dd2-82ba-9296f12b544a/ | |
| urlscan[.]io/result/163c61e0-e31e-4825-a975-4486c535359d/ | |
| urlscan[.]io/result/48a52073-14e2-41a5-aa6c-1fa79d6351e6/ | |
| virustotal[.]com/gui/file/0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589/details | |
| virustotal[.]com/gui/file/b5bc1aedcc94da1f11fb7bd541d50b6a4aa37147d86f02998b205f2b60240013/detection | |
| koodous[.]com/apks/d52f76a311d7bd7a588bb287fb851bada34e7063ac5c83b9bc348251f02878a5 |
Answers are available here [download the PDF] and the password for the PDF is here