## CTI Research Quiz

### 4 sections of CTI Research Questions

- These cover core competencies of CTI work:
  - File Triage
  - Network Triage
  - MITRE ATT&CK TTPs
  - OSINT Research
- The first question in each section is done for you as an example of how the answers should look 🙂
- There is a password-protected PDF (linked below) containing the answers. Open it with the password **after** you've had a go at the quiz 📝

### `File Triage`

| File Hash | File Contents | Function | Verdict | Comment |
| --- | --- | --- | --- | --- |
| ec9f9bdd04f17a36a860c946a9468ad931efb5ab3ba1dcb7292f965043c445aa | Agent Tesla | Infostealer | Malicious | Commodity crimeware tool |
| 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502 | | | | |
| cebaf2bfcf1f2297d18e4d35efb2597adc334513 | | | | |
| 4b80c7e7499d3cdddb4a6eba8d200c9dfa1a191d29b1c4335932c676157767d1 | | | | |
| 943cb4b5ffb69926803d7f9c3dd1bc7c | | | | |
| 66e636ad5d074466ae6cb5a393050587 | | | | |
| b2146ce57cfa6785eb1c9a405abc48e844c15a5431b85c653f2bda57e03f7449 | | | | |
| 329b92fd43004ccac98fba9cea61cfdffefbac04982af76958a13b85780c3301 | | | | |
| 963b55acc8c566876364716d5aafa353995812a8 | | | | |
| 534a7ea9c67bab3e8f2d41977bf43d41dfe951cf | | | | |

### `Network Triage`

| IOC | ISP | Malware | Function | Verdict | Comment |
| --- | --- | --- | --- | --- | --- |
| 88.150.240.129 | IOMART | Trickbot | C&C | Malicious | Botnet, linked to WizardSpider and Conti |
| 134.209.182.12 | | | | | |
| files.slack.com | | | | | |
| cdn.discordapp.com | | | | | |
| beklear.net | | | | | |
| kevinjohan.com | | | | | |
| decoder.re | | | | | |
| avaddongun7rngel.onion | | | | | |
| 23.220.206.73 | | | | | |
| 151.101.228.144 | | | | | |

### `MITRE ATT&CK TTPs`

| Procedure | Technique | Tactic |
| --- | --- | --- |
| Group I - has used exploits to increase their levels of rights and privileges | Exploitation for Privilege Escalation | Privilege Escalation |
| Group II - has used a modified TeamViewer client to remotely control compromised devices | | |
| Group III - distributed NotPetya ransomware by compromising the legitimate Ukrainian accounting software M.E.Doc | | |
| Group IV - installs VNC server software that executes through rundll32 | | |
| Group V - can perform brute force attacks to obtain credentials | | |
| Group VI - has encrypted and encoded data in its malware, including by using base64 | | |
| Group VII - attempts to destroy data by overwriting operating system files and disk structures with image files | | |
| Group VIII - can encrypt files on victim systems and demands a ransom to decrypt the files | | |
| Group IX - has used lures to get users to click links in emails and attachments | | |
| Group X - created a backdoor that used Tor to forward traffic to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB) | | |

### `OSINT Research`

| URL | Use OSINT and describe the scenario |
| --- | --- |
| app[.]any[.]run/tasks/70259ce5-e073-4c00-a10d-08b26bed770d/ | Dridex XLS macro doc uses mshta.exe to download a payload |
| app[.]any[.]run/tasks/78393e80-d0e4-4dd2-82ba-9296f12b544a/ | |
| urlscan[.]io/result/163c61e0-e31e-4825-a975-4486c535359d/ | |
| urlscan[.]io/result/48a52073-14e2-41a5-aa6c-1fa79d6351e6/ | |
| virustotal[.]com/gui/file/0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589/details | |
| virustotal[.]com/gui/file/b5bc1aedcc94da1f11fb7bd541d50b6a4aa37147d86f02998b205f2b60240013/detection | |
| koodous[.]com/apks/d52f76a311d7bd7a588bb287fb851bada34e7063ac5c83b9bc348251f02878a5 | |

### Answers

The answers are available [here](https://github.com/BushidoUK/CTI-Quiz/blob/main/CTI_Quiz_Answers.pdf) (download the PDF) and the password for the PDF is [here](https://github.com/BushidoUK/CTI-Quiz/blob/main/pw.txt).
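Before you start pivoting on the File Triage and Network Triage indicators above, it helps to know what kind of indicator each one is (the hash list mixes MD5, SHA-1 and SHA-256, and the IOC list mixes IPs, clearnet domains and a Tor hidden service) and to have the defanged OSINT links in a form you can actually open. The helper below is an added example written for this page; it is not part of the quiz or the BushidoUK repository, and the function names (`classify`, `refang`, `defang`, `lookup_url`, `build_sheet`) are my own. It classifies each indicator offline by shape alone, refangs `[.]`/`hxxp` notation, and builds the VirusTotal GUI link to paste into a browser. The `/gui/file/` URL layout is the one used in the OSINT table; the `/gui/ip-address/` and `/gui/domain/` layouts are assumed from VirusTotal's public web UI. Indicator type tells you nothing about verdict, so the Verdict and Comment columns still have to be earned by research.

```python
"""IOC pre-triage helper (added example): classify indicators, refang/defang, build lookup links."""
import ipaddress
import re
from typing import Dict, List

# Hex-digit lengths of the hash algorithms that appear in the quiz's File Triage table.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Conservative hostname shape: labels of [a-z0-9-], at least one dot, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo common defanging ('[.]', '(dot)', 'hxxp', '[:]//') so the indicator is usable."""
    s = ioc.strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("(dot)", ".")
    s = s.replace("[:]//", "://")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def defang(ioc: str) -> str:
    """Defang for reports/chat: 'http' -> 'hxxp' and every '.' -> '[.]' (never double-defangs)."""
    s = refang(ioc)
    s = re.sub(r"^http", "hxxp", s, flags=re.IGNORECASE)
    return s.replace(".", "[.]")


def classify(ioc: str) -> str:
    """Return one of: md5, sha1, sha256, ipv4, ipv6, onion, domain, url, unknown."""
    s = refang(ioc)
    if HEX_RE.match(s) and len(s) in HASH_TYPES:
        return HASH_TYPES[len(s)]
    if "/" in s:                      # anything carrying a path is treated as a URL
        return "url"
    try:
        return "ipv4" if ipaddress.ip_address(s).version == 4 else "ipv6"
    except ValueError:
        pass
    if s.lower().endswith(".onion"):  # must be checked before the generic domain regex
        return "onion"
    if DOMAIN_RE.match(s):
        return "domain"
    return "unknown"


def lookup_url(ioc: str) -> str:
    """Build a browser link for the indicator; empty string when no sensible lookup exists."""
    kind, s = classify(ioc), refang(ioc)
    if kind in ("md5", "sha1", "sha256"):
        return f"https://www.virustotal.com/gui/file/{s.lower()}"
    if kind in ("ipv4", "ipv6"):
        return f"https://www.virustotal.com/gui/ip-address/{s}"
    if kind == "domain":
        return f"https://www.virustotal.com/gui/domain/{s.lower()}"
    if kind == "url":                 # sandbox/scanner result pages: just make them clickable
        return s if s.lower().startswith("http") else "https://" + s
    return ""                         # .onion services are not resolvable by clearnet scanners


def build_sheet(iocs: List[str]) -> List[Dict[str, str]]:
    """One row per indicator: the defanged IOC, its type and the lookup link to pivot on."""
    return [{"ioc": defang(i), "type": classify(i), "lookup": lookup_url(i)} for i in iocs]


if __name__ == "__main__":
    # Indicators taken from the quiz tables above (one of each shape).
    sample = [
        "ec9f9bdd04f17a36a860c946a9468ad931efb5ab3ba1dcb7292f965043c445aa",
        "cebaf2bfcf1f2297d18e4d35efb2597adc334513",
        "943cb4b5ffb69926803d7f9c3dd1bc7c",
        "88.150.240.129",
        "decoder.re",
        "avaddongun7rngel.onion",
        "app[.]any[.]run/tasks/70259ce5-e073-4c00-a10d-08b26bed770d/",
    ]
    print("| IOC | Type | Lookup |\n| --- | --- | --- |")
    for row in build_sheet(sample):
        print(f"| {row['ioc']} | {row['type']} | {row['lookup']} |")
```

Running the script prints a markdown table you can paste into your own answer sheet; fill in the Verdict and Comment columns only after following the lookup links and corroborating with a second source.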