CTF Writeup: HawkEye Lab

Reconstruct a HawkEye Keylogger data exfiltration incident by analyzing network traffic with Wireshark and CyberChef, identifying IoCs and stolen credentials.

Introduction

Today I’ll be going through the HawkEye lab on CyberDefenders. This is tagged as a Medium difficulty challenge, so I’m excited to get into this! Going off of the tags for the room, it looks like we’ll need to use Wireshark, and possibly do some threat intel with VirusTotal. Before we get started we’ll need to download the lab files. Unzip this and open up stealer.pcap with Wireshark. ...

February 17, 2026 · 14 min · 2800 words · Ligniform

CTF Writeup: Web Investigation Lab

Examine network traffic with Wireshark to investigate a web server compromise, identify SQL injection, extract attacker credentials, and detect uploaded malware.

Introduction

I want to focus on my Wireshark skills a lot more in the coming months. I have a lot of experience with Microsoft’s KQL and using that to dig through network traffic, but that only happens after the traffic has already passed through a SIEM or EDR tool. I like to know how to analyze network traffic from the ground up, so you’ll be seeing a lot more Wireshark in the future! ...

February 10, 2026 · 10 min · 2028 words · Ligniform

CTF Writeup: DanaBot Lab

Analyze network traffic using Wireshark to identify DanaBot initial access, deobfuscate malicious JavaScript, and extract IOCs like IPs, file hashes, and execution processes.

Introduction

Back to CyberDefenders yet again! A lot of my recent posts have been focused more on Threat Intel. Threat Intel is great to have in the back of your mind as something you may need to do. Attribution is important if you’re a Threat Hunter/Researcher, but if you’re a SOC Analyst then it’s not very likely that you’ll be collating every indicator from an alert. It’s much more likely that you’ll pick up an alert, investigate it, close it, and move on to the next five alerts that have come into your SIEM in the time it took. ...

February 3, 2026 · 8 min · 1539 words · Ligniform

CTF Writeup: IcedID Lab

Investigate IcedID malware using VirusTotal and threat intelligence platforms to identify IOCs, associated threat actors, and execution mechanisms.

Introduction

The CyberDefenders IcedID challenge is another Easy challenge. This room is another threat intel focused room, so we’ll likely be using any.run, Recorded Future’s Tria.ge platform, and probably VirusTotal as well. Here’s the introduction to the challenge: A cyber threat group was identified for initiating widespread phishing campaigns to distribute further malicious payloads. The most frequently encountered payloads were IcedID. You have been given a hash of an IcedID sample to analyze and monitor the activities of this advanced persistent threat (APT) group. ...

January 27, 2026 · 7 min · 1312 words · Ligniform

CTF Writeup: Red Stealer

Analyze a suspicious executable using VirusTotal and MalwareBazaar to extract IOCs, identify C2 infrastructure, MITRE ATT&CK techniques, and privilege escalation mechanisms.

Introduction

Another Threat Intel focused lab for today: the Red Stealer lab, available through CyberDefenders. You are part of the Threat Intelligence team in the SOC (Security Operations Center). An executable file has been discovered on a colleague’s computer, and it’s suspected to be linked to a Command and Control (C2) server, indicating a potential malware infection. Your task is to investigate this executable by analyzing its hash. The goal is to gather and analyze data beneficial to other SOC members, including the Incident Response team, to respond to this suspicious behavior efficiently. ...

January 14, 2026 · 7 min · 1409 words · Ligniform