Scenario: A spear-phishing attack has hit your organization's mail server. An unusual traffic alert from an endpoint helped to detect this breach. We have acquired a memory dump from the endpoint, and your task is to investigate it. Your objective is to analyze the dump, identify any indications of the attack, and track down its source.
Tools:
- PE-bear
- MemProcFS
- Strings
- olevba
CyberDefenders Lab: [ Ссылка ]
Website: [ Ссылка ]
Discord: [ Ссылка ]
Timestamps:
00:00 - Introduction
01:54 - Q1: It is crucial to identify the primary process responsible for managing email servers to understand the entry point of a breach. What is the Process ID (PID) of the main process that handles email server operations?
04:10 - Q2: To trace the origin of a spear-phishing attack, we need to know who the attacker is impersonating. What is the email address that the attacker used to spoof when they sent out phishing emails?
08:06 - Q3: Understanding the attack's impact on individual users can help in mitigating risks, What is the email address of the user who was deceived into opening the malicious phishing email?
10:28 - Q4: Accessing the compromised credentials can provide insights into the attacker's movements within the network. What password is associated with the user's email address identified in the previous question?
11:42 - Q5: Uncovering the attacker's IP address is pivotal in tracing the attack's origin. What is the IP address from which the phishing emails were sent?
12:42 - Q6: Identifying unauthorized software installations can reveal the attacker's tools and methods. What is the program name that the attacker installed on the system?
14:54 - Q7: Analyzing transferred files can shed light on the attacker's intent and the scope of the breach. What is the name of the rar file that the attacker moved onto the compromised machine?
16:33 - Q8: Decoding obfuscated VBA code is key to identifying IOCs and developing custom detection rules. What is the value of the "DsCbSH1Ln" variable in the extracted macro?
19:35 - Q9: File manipulation is a common tactic used by attackers to evade detection. After the macro in the doc file dropped a malicious file, what was the new name given to the file after renaming?
21:01 - Q10: Establishing persistence is a key objective for attackers to maintain access. What is the name of the scheduled task created by the macro for achieving persistence?
22:18 - Q11: Identifying process injection is critical in understanding how the attacker evades detection. In the case of the background.dll, what is the memory address of the injected DLL?
23:25 - Q12: Understanding the communication channels the attacker uses is vital for preventing data exfiltration. What URL is utilized by the backdoor to exfiltrate data from the compromised system?
