ProxyLogon: Analyzing Microsoft Exchange Exploit with GrayLog

Python: Новое поколение разработки
Views:
26
Upload date:
02.12.2023 23:48
Duration:
00:13:18
Category:
Technology and the Internet

Description

Scenario: In late February 2021, the threat actor HAFNIUM exploited a new vulnerability in Microsoft Exchange known as ProxyLogon (CVE-2021-26855). As a SOC analyst in an enterprise that uses GrayLog as its SIEM, your responsibility is to conduct a thorough investigation of the company's network to confirm that no malicious activity has taken place. Your objective is to proactively hunt for potential threats and mitigate any risks that could compromise the network's security.

Tools:
- GrayLog

CyberDefenders Lab: https://cyberdefenders.org/blueteam-ctf-challenges/109
WEBSITE: https://cyberdefenders.org/
DISCORD: https://cyberdefenders.org/discord

Timestamps:
00:00 - Introduction
00:54 - Q1: What tool did the attacker use to identify the services running on the victim's machine?
01:55 - Q2: Which browser did the attacker spoof to exploit the vulnerability?
02:59 - Q3: What is the local file path of the shell dropped by the exploit?
04:56 - Q4: Which POST request parameter is used to execute commands on the server?
05:19 - Q5: Which web shell did the attacker use as a backdoor?
07:01 - Q6: What is the MITRE ID of the technique the attacker used to gain persistence?
07:45 - Q7: The attacker tried to evade defenses by renaming the web shell. What is the name of the web shell file after the rename?
08:13 - Q8: What is the name of the service the attacker tried to enable on the victim's machine?
08:42 - Q9: The attacker injected shellcode into memory to gain a reverse shell. What is the MD5 hash of the shellcode?
11:38 - Q10: What is the filename of the tool the attacker used to move through the network?
12:14 - Q11: The attacker used two methods to access credentials on the victim's machine. What is the MITRE ID of the second method the attacker used?
