# CTI Research Quiz

4 sections of CTI Research Questions

- These will cover core competencies of CTI work:
  - File Triage
  - Network Triage
  - Mitre ATT&CK TTPs
  - OSINT Research
- The first question is done for you as an example of how the answers should look 🙂
- There is a PDF (see below) containing the answers. Decrypt it with the password after you've had a go at the quiz 📝

## File Triage

| File Hash | File Contents | Function | Verdict | Comment |
|---|---|---|---|---|
| ec9f9bdd04f17a36a860c946a9468ad931efb5ab3ba1dcb7292f965043c445aa | Agent Tesla | Infostealer | Malicious | Commodity crimeware tool |
| 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502 | | | | |
| cebaf2bfcf1f2297d18e4d35efb2597adc334513 | | | | |
| 4b80c7e7499d3cdddb4a6eba8d200c9dfa1a191d29b1c4335932c676157767d1 | | | | |
| 943cb4b5ffb69926803d7f9c3dd1bc7c | | | | |
| 66e636ad5d074466ae6cb5a393050587 | | | | |
| b2146ce57cfa6785eb1c9a405abc48e844c15a5431b85c653f2bda57e03f7449 | | | | |
| 329b92fd43004ccac98fba9cea61cfdffefbac04982af76958a13b85780c3301 | | | | |
| 963b55acc8c566876364716d5aafa353995812a8 | | | | |
| 534a7ea9c67bab3e8f2d41977bf43d41dfe951cf | | | | |

## Network Triage

| IOC | ISP | Malware | Function | Verdict | Comment |
|---|---|---|---|---|---|
| 88.150.240.129 | IOMART | Trickbot | C&C | Malicious | Botnet, linked to WizardSpider and Conti |
| 134.209.182.12 | | | | | |
| files.slack.com | | | | | |
| cdn.discordapp.com | | | | | |
| beklear.net | | | | | |
| kevinjohan.com | | | | | |
| decoder.re | | | | | |
| avaddongun7rngel.onion | | | | | |
| 23.220.206.73 | | | | | |
| 151.101.228.144 | | | | | |

## Mitre ATT&CK TTPs

| Procedure | Technique | Tactic |
|---|---|---|
| Group I - has used exploits to increase their levels of rights and privileges | Exploitation for Privilege Escalation | Privilege Escalation |
| Group II - has used a modified TeamViewer client to remotely control compromised devices | | |
| Group III - distributed NotPetya ransomware by compromising the legitimate Ukrainian accounting software M.E.Doc | | |
| Group IV - installs VNC server software that executes through rundll32 | | |
| Group V - can perform brute force attacks to obtain credentials | | |
| Group VI - has encrypted and encoded data in its malware, including by using base64 | | |
| Group VII - attempts to destroy data by overwriting operating system files and disk structures with image files | | |
| Group VIII - can encrypt files on victim systems and demands a ransom to decrypt the files | | |
| Group IX - has used lures to get users to click links in emails and attachments | | |
| Group X - created a backdoor that used TOR to forward traffic to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB) | | |

## OSINT Research

| URL | Use OSINT and describe the scenario |
|---|---|
| app[.]any[.]run/tasks/70259ce5-e073-4c00-a10d-08b26bed770d/ | Dridex XLS macro doc uses mshta.exe to download a payload |
| app[.]any[.]run/tasks/78393e80-d0e4-4dd2-82ba-9296f12b544a/ | |
| urlscan[.]io/result/163c61e0-e31e-4825-a975-4486c535359d/ | |
| urlscan[.]io/result/48a52073-14e2-41a5-aa6c-1fa79d6351e6/ | |
| virustotal[.]com/gui/file/0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589/details | |
| virustotal[.]com/gui/file/b5bc1aedcc94da1f11fb7bd541d50b6a4aa37147d86f02998b205f2b60240013/detection | |
| koodous[.]com/apks/d52f76a311d7bd7a588bb287fb851bada34e7063ac5c83b9bc348251f02878a5 | |

Answers are available here [download the PDF] and the password for the PDF is here