Sherlock Santa KrampusOpTinselTrace24-1: Sneaky Cookies


 

 

                     I-  Scenario 


 

 QUESTION 1:

Krampus, a notorious threat actor, possibly social-engineered bingle as email security filters were offline for maintenance. Find any suspicious files under Bingle Jollybeard User directory and get back to us with the full file name

explanation: After succesfully unzip the downloaded file , make a tree on it and look for any suspicious coming from Bingle \Jollybeard   user 



        Answer :


QUESTION 2:

Using the malicious file sent as part of phishing, the attacker abused a legitimate binary to download and execute a C&C stager. What is the full command used to download and execute the C&C Binary?

 

explanation : Ok , Inside of the directory where the shorcut file is located , use " lnkinfo"  like this  ([if you haven't it install | sudo apt-get install liblnk-utils)

 


Yes, the answer is well in front of you  
QUESTION 3 :  

When was this file ran on the system by the victim?

QUESTION 4:

What is the Mitre Sub technique ID for the technique used in Q1 and Q2 ?

 
Reviewing Q1 , it was talking about social-engineering , referer to mitre ; i was able to retrieve the concerned indent under user-execution in enterprise section ; use this url for better understanding https://attack.mitre.org/techniques/T1204/001/
QUESTION 5:

What was the name of threat actor's machine used to develop/create the malicious file sent as part of phishing?


So , referring to the exiftool command , it might possible



Answer :

Question 6:When did attacker enumerated the running processes on the system?


 Question 7:After establishing a C&C Channel, attacker proceeded to abuse another Legitimate binary to download an exe file. What is the full URI for this download?
 Answer:
Question 8:What is the Mitre ID for the technique used in Q7?                                                                                                                                                                                                                                                    
 
 
 
 
 
 
 
 
 
 
 
 Follow for next party !  ! !  
 
 
Thanks for reading , artemis37

                                                 

 



 
 


Commentaires

Enregistrer un commentaire

Posts les plus consultés de ce blog

Image
     It been a while i did'nt talk about Digital Forensic And Incident Response . As a core part of cybersecurity ; we must know some concepts related to memory dump analysis ! Here is the picture ; i'm gonna show you how we triggers information from your dump files / RAM /USB KEY ............          Let's Dive in with this machine : FORENSICS coming from tryhackme.com   1 - Introduction to Memory Dump Analysis Memory dump analysis is a very important step of the Incident Response process . The RAM (memory) dump of a running compromised machine usually very helpful in reconstructing the events/activities that the attacker performed on the machine.     So that rude ; to be simple , using a tool called Volatiltity is pretty helpull when doing stuff with memory dump  If you haven't installed yet , check out this link   https://github.com/volatilityfoundation/volatility3/releases/tag/v2.8.0     Let's go ! !...
Read more »
Image
  Day 18 - ADVENT OF CYBER 2024 TRYHACKME : I could use a little AI interaction! Storyline Hyped with their latest release, a "health checker" service that tracks the health and uptime of the Wareville systems, the Wareville developers envisage the day in which the inhabitants of Wareville have a one-stop shop for seeking the answers to life's mysteries and aiding them in their day-to-day jobs. As an initial first stage, the Wareville developers create an alpha version of WareWise - Wareville's intelligent assistant. Aware of the potential dangers of intelligent AI being interacted with, the developers decided to slowly roll out the chatbot and its features. The IT department is the first to get hands-on with WareWise. For the IT department, WareWise has been integrated with the "health checker" service, making it much easier for the IT department to query the status of their servers and workstations. Learning Objectives In today's task, ...
Read more »