Preparation
- Data file (archive password: infected)
- Zui (formerly Brim)

Walkthrough
Q1. Looking through the alerts in Brim, what is the vulnerability name and its corresponding CVE?
- Open the suricata.rules file and read the msg and reference fields of the alert that fired
Answer
PrintNightmare, CVE-2021-34527
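Added example, not part of the original write-up: the Q1 lookup amounts to reading the msg and reference:cve options of the rule that fired. The parser below does that over a rules file and survives semicolons inside quoted msg strings. SAMPLE_RULES is constructed to look like a PrintNightmare signature; it is not the actual Emerging Threats rule from the challenge's suricata.rules, and sids 9000001/9000002 are placeholders in the local-rules range.

```python
import re

# Constructed rules in Suricata syntax. The first is shaped like a PrintNightmare
# signature but is NOT the real Emerging Threats rule; the sids are placeholders.
SAMPLE_RULES = r'''
# comments and blank lines are skipped
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"EXAMPLE EXPLOIT Possible PrintNightmare RpcAddPrinterDriverEx call"; flow:established,to_server; reference:cve,2021-34527; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527; classtype:attempted-admin; sid:9000001; rev:1;)
alert http any any -> any any (msg:"EXAMPLE POLICY Unrelated rule; semicolon inside msg"; sid:9000002; rev:1;)
'''

# action, then the header up to the first '(', then everything up to the final ')' as options
RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<header>[^(]*?)\s*\((?P<options>.*)\)\s*$')


def split_options(options):
    """Split the option body on ';' while leaving semicolons inside double quotes alone."""
    parts, cur, quoted = [], [], False
    for ch in options:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rules(text):
    """One dict per rule: action, header, msg, sid, and the CVE ids taken from its references."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rule = {'action': m['action'], 'header': m['header'], 'msg': None, 'sid': None, 'cves': []}
        for opt in split_options(m['options']):
            key, _, val = opt.partition(':')
            key, val = key.strip().lower(), val.strip()
            if key == 'msg':
                rule['msg'] = val.strip('"')
            elif key == 'sid':
                rule['sid'] = int(val)
            elif key == 'reference':
                ref_type, _, ref_id = val.partition(',')
                if ref_type.strip().lower() == 'cve':  # ignore url/bugtraq/... references
                    rule['cves'].append('CVE-' + ref_id.strip())
        rules.append(rule)
    return rules


def cves_for(text, keyword):
    """(msg, sid, cves) of every rule whose msg mentions keyword: the Q1 lookup in one call."""
    return [(r['msg'], r['sid'], r['cves'])
            for r in parse_rules(text)
            if r['msg'] and keyword.lower() in r['msg'].lower()]


if __name__ == '__main__':
    for msg, sid, cves in cves_for(SAMPLE_RULES, 'printnightmare'):
        print(sid, ', '.join(cves), '-', msg)
```

Point it at the real rules file with `cves_for(open('suricata.rules').read(), 'printnightmare')`; when a rule carries several CVE references, report all of them rather than the first.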

Q2. What is the attacker's IP?
- Check the IP in the list on the Ports tab
Answer
10.10.10.4

Q3. What is the attacker's share path?
- Check the SMB traffic in challenge-v1.pcapng (the UNC path in the SMB Tree Connect request)
Answer
\\10.10.10.2\share

Q4. What is the name of the malicious DLL file hosted by the attacker?
- Check challenge-v1.pcapng (the file name in the SMB Create request on that share)
Answer
notsostealthy.dll
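Added example, not from the original write-up: the share path (Q3) and the DLL name (Q4) sit in two SMB2 requests, TREE_CONNECT and CREATE, and this parser reads exactly those fields from raw SMB2 messages. The build_* helpers exist only to construct test messages that mirror the write-up's answers; the stream splitter assumes plain NetBIOS-framed SMB over TCP 445 as Wireshark reassembles it. Nothing here reads pcapng itself, so carve the TCP stream (Follow TCP Stream, save as raw) first.

```python
import struct

SMB2_MAGIC = b'\xfeSMB'
SMB2_TREE_CONNECT = 0x0003
SMB2_CREATE = 0x0005
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on responses


def smb2_header(command, message_id, flags=0):
    """64-byte SMB2 header (MS-SMB2 2.2.1); used here only to construct test messages."""
    return struct.pack('<4sHHIHHIIQIIQ16s', SMB2_MAGIC, 64, 0, 0, command, 0, flags, 0,
                       message_id, 0, 0, 0, b'\x00' * 16)


def build_tree_connect(path, message_id):
    """TREE_CONNECT request (2.2.9): PathOffset/PathLength point at a UTF-16LE UNC path."""
    buf = path.encode('utf-16-le')
    return smb2_header(SMB2_TREE_CONNECT, message_id) + struct.pack('<HHHH', 9, 0, 64 + 8, len(buf)) + buf


def build_create(name, message_id):
    """CREATE request (2.2.13): NameOffset/NameLength point at the share-relative file name."""
    buf = name.encode('utf-16-le')
    body = struct.pack('<HBBIQQIIIIIHHII', 57, 0, 0, 2, 0, 0, 0x80, 0, 1, 1, 0x40,
                       64 + 56, len(buf), 0, 0)
    return smb2_header(SMB2_CREATE, message_id) + body + buf


def build_tree_connect_response(message_id):
    """TREE_CONNECT response (2.2.10); present so the parser's response check is exercised."""
    return smb2_header(SMB2_TREE_CONNECT, message_id, SMB2_FLAGS_SERVER_TO_REDIR) + \
        struct.pack('<HBBIII', 16, 1, 0, 0, 0, 0)


def split_smb2_stream(stream):
    """Split a reassembled TCP/445 stream into messages via the 4-byte NetBIOS session header."""
    msgs, pos = [], 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos + 1:pos + 4], 'big')
        msgs.append(stream[pos + 4:pos + 4 + length])
        pos += 4 + length
    return msgs


def parse_smb2_requests(messages):
    """('share', path) for each TREE_CONNECT and ('create', name) for each CREATE request."""
    findings = []
    for msg in messages:
        if len(msg) < 64 or msg[:4] != SMB2_MAGIC:
            continue
        command, = struct.unpack_from('<H', msg, 12)
        flags, = struct.unpack_from('<I', msg, 16)
        if flags & SMB2_FLAGS_SERVER_TO_REDIR:
            continue  # responses do not carry the path or name
        if command == SMB2_TREE_CONNECT:
            off, length = struct.unpack_from('<HH', msg, 64 + 4)
            findings.append(('share', msg[off:off + length].decode('utf-16-le')))
        elif command == SMB2_CREATE:
            off, length = struct.unpack_from('<HH', msg, 64 + 44)
            findings.append(('create', msg[off:off + length].decode('utf-16-le')))
    return findings


def remote_dll_loads(messages):
    """Pair every .dll CREATE with the share of the most recent TREE_CONNECT: the Q3/Q4 answer."""
    share, loads = None, []
    for kind, name in parse_smb2_requests(messages):
        if kind == 'share':
            share = name
        elif name.lower().endswith('.dll'):
            loads.append((share, name))
    return loads


# Constructed traffic standing in for the carved SMB2 stream; the names mirror the write-up's answers.
SAMPLE_MESSAGES = [
    build_tree_connect(r'\\10.10.10.2\share', 1),
    build_tree_connect_response(1),
    build_create('notsostealthy.dll', 2),
    build_create('readme.txt', 3),
]
SAMPLE_STREAM = b''.join(b'\x00' + len(m).to_bytes(3, 'big') + m for m in SAMPLE_MESSAGES)

if __name__ == '__main__':
    for share, dll in remote_dll_loads(split_smb2_stream(SAMPLE_STREAM)):
        print(f'{share}\\{dll}')
```

Two limits to keep in mind: compounded requests (NextCommand != 0 in the header) are not split, and an SMB3 session with encryption enabled shows a transform header (0xFD 'SMB') instead of these fields, in which case the share and file name are simply not visible on the wire.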

Q5. What is the sha256 hash of the DLL file?
- Search for the notsostealthy.dll file and note its MD5 hash
- Look up that MD5 on VirusTotal to obtain the sha256 (if the DLL was carved out of the capture, sha256sum on the file gives it directly)
Answer
fa1ee835869ea97559359568043aea3a52508b360cfc5195a3d7fbb60cef55a5

Q6. What is the email address used for the self-signed SSL certificate in the traffic?
- Check the certificate sent in the TLS handshake in challenge-v1.pcapng (the emailAddress field of its subject)
Answer
override@shields.mertz.net

Q7. What is the domain user used by the attacker to exploit the vulnerability?
- Check the Users tab
Answer
BELLYBEAR\Jesse.Harmon

Q8. What is the exploit server's hostname?
- Check the Users tab
Answer
WIN-FLO4EU2VMSM

Q9. What is the username created by the attacker for persistence?
- Check the Users tab
Answer
hacker

Q10. What is the event ID for user creation in Windows, and when was the user created?
- Search the event logs by the user-creation event ID (Security 4720, "A user account was created")
Answer
4720, 2021-08-16 19:31:46Z

Q11. What process name is used to establish the shell connection between the attacker's machine and the Windows server, and what is the listening port on the attacker's machine?
- Find the process that holds the network connection to the attacker's IP
Answer
rundll32.exe, 443
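Added example covering Q10 and Q11, not part of the original write-up: the two lookups above, Security 4720 for the account creation and an outbound connection initiated by rundll32.exe, as detection logic over Windows event records. It assumes the events were exported as Windows event XML (the shape wevtutil or an EVTX parser produces) and that Sysmon Event ID 3 network telemetry exists, which the challenge data does not state. The records in SAMPLE_EVENTS are constructed: the 4720 time and the account name, the rundll32.exe image and 10.10.10.4:443 follow the write-up's answers, while the hostname, SubjectUserName, the connection timestamps and the Firefox record are made up.

```python
import xml.etree.ElementTree as ET

NS = {'e': 'http://schemas.microsoft.com/win/2004/08/events/event'}

# Constructed records in the Windows event XML shape. Only the 4720 time, the account name,
# the rundll32.exe image and 10.10.10.4:443 come from the write-up; everything else is made up,
# and the Sysmon Event ID 3 telemetry is an assumption, not something the challenge data shows.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4720</EventID>
    <TimeCreated SystemTime="2021-08-16T19:31:46.000000Z"/><Computer>victim-host</Computer></System>
  <EventData><Data Name="TargetUserName">hacker</Data><Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="TargetDomainName">victim-host</Data></EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID>
    <TimeCreated SystemTime="2021-08-16T19:30:05.000000Z"/><Computer>victim-host</Computer></System>
  <EventData><Data Name="Image">C:\\Windows\\System32\\rundll32.exe</Data><Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">10.10.10.4</Data><Data Name="DestinationPort">443</Data></EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID>
    <TimeCreated SystemTime="2021-08-16T19:29:00.000000Z"/><Computer>victim-host</Computer></System>
  <EventData><Data Name="Image">C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data><Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">203.0.113.5</Data><Data Name="DestinationPort">443</Data></EventData></Event>""",
]


def _events(xml_records):
    return [ET.fromstring(x) for x in xml_records]


def _provider(ev):
    return ev.find('e:System/e:Provider', NS).get('Name')


def _event_id(ev):
    return int(ev.find('e:System/e:EventID', NS).text)


def _time(ev):
    return ev.find('e:System/e:TimeCreated', NS).get('SystemTime')


def _data(ev):
    """EventData/Data elements as a dict keyed by their Name attribute."""
    return {d.get('Name'): (d.text or '') for d in ev.findall('e:EventData/e:Data', NS)}


def user_creations(xml_records):
    """Security 4720 ('A user account was created'): (time, new account, creating account)."""
    hits = []
    for ev in _events(xml_records):
        if _provider(ev) == 'Microsoft-Windows-Security-Auditing' and _event_id(ev) == 4720:
            d = _data(ev)
            hits.append((_time(ev), d.get('TargetUserName'), d.get('SubjectUserName')))
    return hits


# Binaries that rarely have a reason to open their own outbound connections. The port is
# deliberately not part of the filter: a reverse_https payload uses 443 precisely to blend in.
SUSPECT_IMAGES = {'rundll32.exe', 'regsvr32.exe', 'mshta.exe'}


def suspicious_connections(xml_records):
    """Sysmon Event ID 3: outbound connections initiated by one of SUSPECT_IMAGES, any port."""
    hits = []
    for ev in _events(xml_records):
        if _provider(ev) != 'Microsoft-Windows-Sysmon' or _event_id(ev) != 3:
            continue
        d = _data(ev)
        image = d.get('Image', '').rsplit('\\', 1)[-1].lower()
        if d.get('Initiated', '').lower() == 'true' and image in SUSPECT_IMAGES:
            hits.append((_time(ev), image, d.get('DestinationIp'), int(d.get('DestinationPort', 0))))
    return hits


def timeline(xml_records):
    """Both findings merged in time order, so the shell can be read against the account creation."""
    rows = [(t, 'user_created', f'{u} by {by}') for t, u, by in user_creations(xml_records)]
    rows += [(t, 'outbound_conn', f'{img} -> {ip}:{port}')
             for t, img, ip, port in suspicious_connections(xml_records)]
    return sorted(rows)


if __name__ == '__main__':
    for row in timeline(SAMPLE_EVENTS):
        print(*row)
```

SystemTime in these records is UTC, which is why the answer carries a Z suffix; when the same account is then added to a group, Security 4728/4732 follow the 4720 and can be merged into the same timeline with the same _data helper.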

Q12. The attacker used a famous post-exploitation framework to create the DLL file and establish the shell connection to the Windows server. What is the payload the attacker used?
- Check the detection names for the DLL on VirusTotal (they identify the framework; the payload naming below is Metasploit's)
- Look up that framework's payload matching the observed connection (a reverse shell over HTTPS on port 443)
Answer
windows/meterpreter/reverse_https

Q13. The attacker left a text file for the user Administrator. Can you find what the filename is?
- Browse the FileSystem view for the file left for Administrator
Answer
This-Is-Really-A-Nightmare.txt

References