CTF Writeup: Commited
One of our developers accidentally committed some sensitive code to our GitHub repository. Well, at least, that is what they told us… Introduction The challenge room for today is TryHackMe’s Commited room. Forensics is something that I need to work on, although this is less of a forensics room and more of a git knowledge room. More on that soon. Oh no, not again! One of our developers accidentally committed some sensitive code to our GitHub repository. Well, at least, that is what they told us… the problem is, we don’t remember what or where! Can you track down what we accidentally committed? ...
CTF Writeup: HawkEye Lab
Reconstruct a HawkEye Keylogger data exfiltration incident by analyzing network traffic with Wireshark and CyberChef, identifying IoCs and stolen credentials. Introduction Today I’ll be going through the HawkEye lab on CyberDefenders. This is tagged as being a Medium difficulty challenge, so I’m excited to get into this! Going off of the tags for the room it looks like we’ll be needing to use Wireshark, and possibly do some threat intel with VirusTotal. Before we get started we’ll need to download the lab files. Unzip this and open up stealer.pcap with Wireshark. ...
CTF Writeup: Web Investigation Lab
Examine network traffic with Wireshark to investigate a web server compromise, identify SQL injection, extract attacker credentials, and detect uploaded malware. Introduction I want to focus on my Wireshark skills a lot more in the coming months. I have a lot of experience with Microsoft’s KQL and using that to dig through network traffic, but that only happens after the traffic has already passed through a SIEM or EDR tool. I like to know how to analyze network traffic from the ground up, so you’ll be seeing a lot more Wireshark in the future! ...
CTF Writeup: DanaBot Lab
Analyze network traffic using Wireshark to identify DanaBot initial access, deobfuscate malicious JavaScript, and extract IOCs such as IPs, file hashes, and execution processes. Introduction Back to CyberDefenders yet again! A lot of my recent posts have been focused more on Threat Intel. Threat Intel is great to have in the back of your mind as something you may need to do. Attribution is important if you’re a Threat Hunter/Researcher, but if you’re a SOC Analyst then it’s not very likely that you’ll be collating every indicator from an alert. It’s much more likely that you’ll pick up an alert, investigate it, close it, and move on to the next five alerts that have come into your SIEM in the time it took. ...
CTF Writeup: IcedID Lab
Investigate IcedID malware using VirusTotal and threat intelligence platforms to identify IOCs, associated threat actors, and execution mechanisms. Introduction CyberDefenders’ IcedID challenge is another Easy challenge. This challenge room is another threat intel focused room, so we’ll likely be using any.run, Recorded Future’s Tria.ge platform, and probably VirusTotal as well. Here’s the introduction to the challenge: A cyber threat group was identified for initiating widespread phishing campaigns to distribute further malicious payloads. The most frequently encountered payloads were IcedID. You have been given a hash of an IcedID sample to analyze and monitor the activities of this advanced persistent threat (APT) group. ...