Cyber Blue Team labs, CTF challenges, DFIR, and SOC tools
Blue-team challenges tend to be practical. This one is a fairly simple traffic-analysis challenge, mainly about lateral-movement traffic inside an internal network. I'm sharing it here because there are few write-ups online, so I'm writing one as a record for myself. If anything is wrong, I hope more experienced readers will correct me.
Q1
In order to effectively trace the attacker's activities within our network, can you determine the IP address of the machine where the attacker initially gained access?
Find the machine the attacker used as the entry point. From the traffic, 10.0.0.130 is the entry machine into the internal network: most of the files are sent from 10.0.0.130 to the other hosts.
Q2
To fully comprehend the extent of the breach, can you determine the machine's hostname to which the attacker first pivoted?
From Q1 we know the attacker first attacked the .133 machine, so look up the hostname of .133.
Find it in the SMB Session Setup request.
Q3
After identifying the initial entry point, it's crucial to understand how far the attacker has moved laterally within our network. Knowing the username of the account the attacker used for authentication will give us insights into the extent of the breach. What is the username utilized by the attacker for authentication?
Check which account the attacker used for lateral movement.
Q4
After figuring out how the attacker moved within our network, we need to know what they did on the target machine. What's the name of the service executable the attacker set up on the target?
Which .exe file the attacker used to start the service; it is obvious at a glance.
Q5
We need to know how the attacker installed the service on the compromised machine to understand the attacker's lateral movement tactics. This can help identify other affected systems. Which network share was used by PsExec to install the service on the target machine?
Check which network share was used; the upload went over ADMIN$.
Q6
We must identify the network share used to communicate between the two machines. Which network share did PsExec use for communication?
Check which network share was used for communication.
Later on it turns out that IPC$ was used to communicate between the two machines, .131 and .133.
Q7
Now that we have a clearer picture of the attacker's activities on the compromised machine, it's important to identify any further lateral movement. What is the machine's hostname to which the attacker attempted to pivot within our network?
The host the attacker finally broke into is .131, which is the attacker's target machine, so check the hostname of .131.
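The seven questions above follow the PsExec pattern in order: entry host, Session Setup hostname and account, service binary written to ADMIN$, control traffic over IPC$, next pivot. As an added example that is not part of the original write-up, the script below reconstructs that chain from a small constructed list of parsed SMB2 events (shaped roughly like a tshark field export; the hostnames, account and executable name are placeholders, not the lab's answers).

```python
from collections import Counter

# Constructed sample of parsed SMB2 events. The shape is assumed, loosely
# modelled on a tshark field export (ip.src, ip.dst, smb2.cmd, smb2.tree,
# smb2.filename, ntlmssp.auth.username, ntlmssp.auth.hostname).
# Hostnames, the account and the .exe name are placeholders, not the lab's answers.
EVENTS = [
    {"src": "10.0.0.130", "dst": "10.0.0.133", "cmd": "SessionSetup",
     "user": "CORP\\placeholder_user", "host": "PLACEHOLDER-HOST1"},
    {"src": "10.0.0.130", "dst": "10.0.0.133", "cmd": "TreeConnect", "share": "\\\\PLACEHOLDER-HOST1\\ADMIN$"},
    {"src": "10.0.0.130", "dst": "10.0.0.133", "cmd": "Create",
     "share": "\\\\PLACEHOLDER-HOST1\\ADMIN$", "name": "placeholder_svc.exe"},
    {"src": "10.0.0.130", "dst": "10.0.0.133", "cmd": "TreeConnect", "share": "\\\\PLACEHOLDER-HOST1\\IPC$"},
    {"src": "10.0.0.130", "dst": "10.0.0.133", "cmd": "Create",
     "share": "\\\\PLACEHOLDER-HOST1\\IPC$", "name": "svcctl"},
    {"src": "10.0.0.133", "dst": "10.0.0.131", "cmd": "SessionSetup",
     "user": "CORP\\placeholder_user", "host": "PLACEHOLDER-HOST2"},
    {"src": "10.0.0.133", "dst": "10.0.0.131", "cmd": "TreeConnect", "share": "\\\\PLACEHOLDER-HOST2\\IPC$"},
]


def share_name(tree):
    """'\\\\HOST\\ADMIN$' -> 'ADMIN$'."""
    return tree.rsplit("\\", 1)[-1]


def reconstruct_chain(events):
    """Answer the Q1-Q7 style questions from an ordered list of SMB2 events."""
    # Q1: the client that opens the most SMB traffic towards other hosts is the entry machine.
    entry_ip = Counter(e["src"] for e in events).most_common(1)[0][0]
    compromised, pivots, hostnames, users = {entry_ip}, [], {}, set()
    # Q2/Q3/Q7: walk Session Setups that originate from an already-compromised host;
    # the NTLMSSP blob in each one carries the target hostname and the account used.
    for e in events:
        if e["cmd"] == "SessionSetup" and e["src"] in compromised:
            hostnames[e["dst"]], _ = e["host"], users.add(e["user"])
            if e["dst"] not in compromised:
                pivots.append(e["dst"])
                compromised.add(e["dst"])
    creates = [e for e in events if e["cmd"] == "Create"]
    # Q4/Q5: PsExec copies its service binary into the target's ADMIN$ share.
    svc = next((e for e in creates if share_name(e["share"]) == "ADMIN$"
                and e["name"].lower().endswith(".exe")), None)
    # Q6: it then drives the Service Control Manager over the svcctl pipe on IPC$.
    ctl = next((e for e in creates if share_name(e["share"]) == "IPC$"
                and (e["name"].lower() == "svcctl" or e["name"].lower().startswith("psexesvc"))), None)
    return {"entry_ip": entry_ip, "pivots": pivots, "hostnames": hostnames, "users": sorted(users),
            "service_exe": svc["name"] if svc else None,
            "install_share": share_name(svc["share"]) if svc else None,
            "control_share": share_name(ctl["share"]) if ctl else None}
```

Running `reconstruct_chain(EVENTS)` on the sample yields 10.0.0.130 as the entry host and the pivot order 10.0.0.133 then 10.0.0.131, matching the write-up's answers; a real capture would need the events exported from Wireshark or tshark first.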