Overview:
Focus areas include spear-phishing campaigns, SSL-encrypted traffic, unusual file downloads, file metadata, hidden document content, and persistence mechanisms. The task is to answer the room's questions about the Taedonggang APT's activity in the Frothly environment by analyzing the data in Splunk.
Investigation Methodology
Pivots on process command lines and registry keys to recover the web pages that the malware contacts.
Investigating Spear-Phishing:
Examines SMTP traffic and identifies the malicious zip attachment.
Because the zip is password-protected, the password has to be recovered by searching the body of the email the sender sent alongside the attachment.
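The two-step pivot described above (filter on zip attachments, then search the same sender-to-recipient conversation for a password) can be expressed in Splunk as a filter on the attachment filename followed by a search over the message body. The following is an added example, not code from the original notes or from the room; it runs the same logic in Python over constructed sample records. The field names `sender`, `receiver`, `attach_filename` and `content_body` are assumptions chosen to mirror the stream:smtp-style fields the queries pivot on, and the sample messages are invented, not data from the BOTSv2 dataset.

```python
import re
from collections import defaultdict

# Constructed sample events shaped like stream:smtp records. Illustrative only,
# NOT from the BOTSv2 dataset; field names are assumptions (see lead-in).
SAMPLE_SMTP = [
    {"sender": "hr@frothly.example", "receiver": "bob@frothly.example",
     "attach_filename": ["benefits.pdf"],
     "content_body": "Open enrollment details attached."},
    {"sender": "partner@mail.example", "receiver": "alice@frothly.example",
     "attach_filename": ["agenda.zip"],
     "content_body": "Agenda for Monday is attached."},
    {"sender": "partner@mail.example", "receiver": "alice@frothly.example",
     "attach_filename": [],
     "content_body": "Forgot to mention: the archive password is Tr0ubadour!"},
    {"sender": "news@vendor.example", "receiver": "alice@frothly.example",
     "attach_filename": ["catalog.zip"],
     "content_body": "Our spring catalog."},
]

# Loose pattern for "password is X" / "password: X" phrasing in a body.
PASSWORD_RE = re.compile(r"password\s+(?:is|:)\s*(\S+)", re.IGNORECASE)


def zip_attachments(events):
    """Equivalent of filtering attach_filename on *.zip; keeps sender/receiver for the join."""
    hits = []
    for ev in events:
        for name in ev.get("attach_filename", []):
            if name.lower().endswith(".zip"):
                hits.append((ev["sender"], ev["receiver"], name))
    return hits


def passwords_by_conversation(events):
    """Collect password-looking tokens from message bodies, keyed by (sender, receiver)."""
    found = defaultdict(list)
    for ev in events:
        for m in PASSWORD_RE.finditer(ev.get("content_body", "")):
            # Trim trailing sentence punctuation that the \S+ match may have swallowed.
            found[(ev["sender"], ev["receiver"])].append(m.group(1).rstrip(".,;"))
    return found


def protected_zip_candidates(events):
    """Join each zip attachment with passwords seen in the same sender->receiver conversation.

    A zip with an empty password list is either not password-protected or the
    password was sent out of band; both are worth a manual look.
    """
    pw = passwords_by_conversation(events)
    return [
        {"sender": s, "receiver": r, "attachment": a, "passwords": pw.get((s, r), [])}
        for s, r, a in zip_attachments(events)
    ]


if __name__ == "__main__":
    for row in protected_zip_candidates(SAMPLE_SMTP):
        print(row)
```

The join key is the sender/receiver pair rather than the message ID, because the password typically arrives in a separate message in the same thread; in Splunk the same idea is a second search scoped to the suspicious sender, with the attachment-bearing event and the password-bearing event examined side by side.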
SSL Encryption Analysis:
Searches the TCP traffic logs for the SSL issuer field and counts its values to find the issuer behind the majority of the attackers' encrypted traffic.
Identifying the certificate issuer the attackers use gives a pivot for finding the rest of their encrypted sessions, since the traffic content itself cannot be read.
Identifying Unusual Files:
Lists files downloaded over FTP and flags filenames written in a foreign language or script, which are unusual for an American company.
Constructs queries on the FTP method and its parameter (the requested filename) to pinpoint such files.
Metadata Implications:
Inspects the metadata of the file that executed PowerShell Empire to find the personal name recorded in it.
Uses VirusTotal to retrieve the sample's details and metadata.
File Content Insights:
Examines the document's content for hidden messages or "Easter eggs" that give more context about the attack.
Scheduled Tasks and Persistence:
Investigates the scheduled tasks the attackers created to maintain persistence, extracts the URL each task beacons to, and counts which web page is contacted most often.
Techniques Demonstrated Using Splunk
- Query Construction: How to build Splunk searches that filter the data down efficiently, starting from a source type and adding field constraints.
- Use of Interesting Fields: Narrowing large result sets with the relevant extracted fields, such as "SSL issuer" for the TCP stream data or "Method Parameter" for the FTP stream data.
- Step-by-Step Investigation: Moving from a broad dataset to specific evidence one pivot at a time, using each answer as the filter for the next search.
- External Tools: Combining Splunk results with VirusTotal lookups and direct examination of the recovered document for a complete picture.
Room Questions and Answers | TryHackMe Boss of the SOC v2
A Federal law enforcement agency reports that Taedonggang often spear phishes its victims with zip files that have to be opened with a password. What is the name of the attachment sent to Frothly by a malicious Taedonggang actor?
What is the password to open the zip file?
The Taedonggang APT group encrypts most of their traffic with SSL. What is the “SSL Issuer” that they use for the majority of their traffic? Answer guidance: Copy the field exactly, including spaces.
What unusual file (for an American company) does winsys32.dll cause to be downloaded into the Frothly environment?
What is the first and last name of the poor innocent sap who was implicated in the metadata of the file that executed PowerShell Empire on the first victim’s workstation? Answer example: John Smith
Within the document, what kind of points is mentioned if you found the text?
To maintain persistence in the Frothly network, Taedonggang APT configured several Scheduled Tasks to beacon back to their C2 server. What single webpage is most contacted by these Scheduled Tasks? Answer example: index.php or images.html