SPOILER ALERT: some answers will be available. I'm currently still playing the later rounds, so some of this might seem unfinished. Hopefully this can help others get started.

This year's CTF is a realistic digital forensics and incident response challenge where you submit indicators of compromise as you go. It's also based on the characters from the Mr. Robot TV series, so some names might be familiar.

Download the network logs (NSM), memory images and disk images before proceeding. Everything you need is over at and Level 1 can be started here. The ECORPSO provided image contains network logs + memory images for your ease.

Computer ecorpwin7 is owned by Angela Moss and has recently been infected with what looks like ransomware. We have to investigate and submit indicators to score points.

Sandpit VM tools - I'm sure there are better lists but these are mine:

- SANS SIFT / Remnux / Kali / Windows sandpit VM (I used my own, but these 90-day eval VMs are perfect - just load your tools).
- Volatility Framework - standalone Mac and SIFT (comes with various plugins).
- Draw.io / OneNote for note taking and diagramming.

Not all were used, but most should help.

Another little tip is to use the free SANS resources, especially the posters.

Although we're looking at something that might have run on Angela's PC, I wanted to understand the network a bit more first. I decided to attack these logs via the command line and not use the Elastic Search / Security Onion provided VM. My SIEM skills are Splunk biased, but I should really learn more about ELK in future! Plus I knew I had to do it at some stage as part of this 3 level CTF and it could possibly help. Given the amount of content in the CTF I'd rather crack on and revisit the ELK stack after.