InfoSec_Bret
United States
Joined 3 Jan 2014
InfoSec Professional that enjoys exercises from the Lets Defend and Cyber Defenders platforms, when not busy with work and family, of course!
Challenge - Malicious AutoIT
Tackling another Lets Defend Challenge, that being the BEGINNER DIFFICULTY "Malicious AutoIT" challenge. We are given a compressed file containing an AutoIt script compiled to an EXE, on a Windows VM system, to analyze and answer 8 questions.
"Our organization's Security Operations Center (SOC) has detected suspicious activity related to an AutoIt script. Can you analyze this exe and help us answer the following questions?"
NOTES:
www.virustotal.com/gui/file/8e361e1c2f06cf9ec21a4f65f99641fed82f51be05b9d87efd97389c1dd6376d/detection
www.autoitscript.com/site/autoit/
github.com/nazywam/AutoIt-Ripper
github.com/horsicq/Detect-It-Easy
Views: 15
Videos
Challenge - Compromised Chat Server
257 views, 16 hours ago
Tackling another Lets Defend Challenge, that being the MEDIUM DIFFICULTY "Compromised Chat Server" challenge. We are given a compressed file containing a PCAP on a Linux VM system to analyze and answer 10 questions. "In the company, one of our teams uses Openfire, an XMPP-based chat server for their communications. Recently, the L1 analyst detected suspicious activity on the server, including a...
Challenge - Compromised Network Printer
130 views, 14 days ago
Tackling another Lets Defend Challenge, that being the EASY DIFFICULTY "Compromised Network Printer" challenge. We are given a compressed file containing a PCAP on a Linux VM system to analyze and answer 9 questions. "You are a DFIR Analyst for a corporation. A network printer running in the internal network has been compromised as it was alerted by our IDS. You have been provided a packet capt...
Challenge - Revenge RAT
105 views, 21 days ago
Tackling another Lets Defend Challenge, that being the MEDIUM DIFFICULTY "Revenge RAT" challenge. We are given a password protected compressed file containing a PCAP on a Linux VM system to analyze and answer 9 questions. "During a cybersecurity investigation, analysts have noticed unusual traffic patterns that may indicate a problem. We need your help finding out what's happening, so give us a...
Challenge - Malicious Web Traffic Analysis
77 views, 28 days ago
Tackling another Lets Defend Challenge, that being the MEDIUM DIFFICULTY "Malicious Web Traffic Analysis" challenge. We are given a password protected compressed file containing a PCAP on a Linux VM system to analyze and answer 9 questions. "During a cybersecurity investigation, analysts have noticed unusual traffic patterns that may indicate a problem. We need your help finding out what's happ...
Summer thunderstorm in the western suburbs of Chicago (08/27/2024)
137 views, 1 month ago
Thunderstorm rolling in after several 90 F days. 20-30 minutes of decent rain and it got dark fast! Temperature dropped from ~95 to ~80 real quick leading to a nice light show!
Challenge - Downloader
69 views, 1 month ago
Tackling another Lets Defend Challenge, that being the MEDIUM DIFFICULTY "Downloader" challenge. We are given a password protected compressed file containing a sample file on a Windows VM system to analyze and answer 8 questions. "Our organization's Security Operations Center (SOC) has detected suspicious activity related to downloader malware. The malware is designed to retrieve and execute ad...
Challenge - Batch Downloader
188 views, 1 month ago
Tackling another Lets Defend Challenge, that being the EASY DIFFICULTY "Batch Downloader" challenge. We are given a password protected compressed file containing a .bat file on a Windows VM system to analyze and answer 8 questions. "A malicious batch file has been discovered that downloads and executes files associated with the Laplas Clipper malware. Analyze this batch file to understand its b...
Challenge - Linux Disk Forensics
238 views, 2 months ago
Tackling another Lets Defend Challenge, that being the HARD DIFFICULTY "Linux Disk Forensics" challenge. We are given a password protected compressed file containing a triage image on a Linux VM system to analyze and answer 5 questions. "Dean downloaded a cracked software application from an unofficial source and subsequently discovered that his personal data has been leaked. An investigation i...
Challenge - Confluence CVE-2023-22527 - Part 2
115 views, 2 months ago
Tackling another Lets Defend Challenge, that being the MEDIUM DIFFICULTY "Confluence CVE-2023-22527" VIP challenge. We are given a password protected compressed file containing a triage image on a Linux VM system to analyze and answer 14 questions. "Confluence is used by many organizations. Our organization was recently targeted and we need your expertise to help us recover from this incident. ...
Challenge - Confluence CVE-2023-22527 - Part 1
92 views, 2 months ago
Tackling another Lets Defend Challenge, that being the MEDIUM DIFFICULTY "Confluence CVE-2023-22527" VIP challenge. We are given a password protected compressed file containing a triage image on a Linux VM system to analyze and answer 14 questions. "Confluence is used by many organizations. Our organization was recently targeted and we need your expertise to help us recover from this incident. ...
Challenge - PHP-CGI (CVE-2024-4577)
1.2K views, 2 months ago
Tackling another Lets Defend Challenge, that being the EASY DIFFICULTY "PHP-CGI (CVE-2024-4577)" challenge. We are given a password protected compressed file containing config, log, and prefetch files on a Windows VM system to analyze and answer 8 questions. "You will confront an attempted exploitation of a newly discovered and unpatched vulnerability (CVE-2024-XXXX) in a critical software co...
Challenge - Compromised ICS Device
129 views, 2 months ago
Tackling another Lets Defend Challenge, that being the HARD DIFFICULTY "Compromised ICS Device" challenge. We are given a password protected compressed file containing a PCAP and Log file on a Linux VM system to analyze both and answer 10 questions. "A critical water treatment plant has recently experienced unusual behavior in its control systems. The plant’s PLC, responsible for managing the w...
LetsDefend Platform - How To - Upload/Download to/from sandbox VM
362 views, 3 months ago
Giving a demo of how to upload and download files from the LetsDefend Windows and Linux VMs. Windows Host - Windows VM: RDP (built in client) Windows Host - Linux VM: WinSCP Linux Host - Windows VM: RDP (Remmina) Linux Host - Linux VM: File Manager (Nautilus) NOTES:
LetsDefend Platform - How To - Upload/Download to/from sandbox VM 2
180 views, 3 months ago
Figured out Remmina, so to finish the demo of how to upload and download files from the LetsDefend Windows and Linux VMs. Windows Host - Windows VM: RDP (built in client) Windows Host - Linux VM: WinSCP Linux Host - Windows VM: RDP (Remmina) Linux Host - Linux VM: File Manager (Nautilus) NOTES:
Challenge - Malicious WordPress Plugin
168 views, 3 months ago
Challenge - Phishing Email / Audio Test
120 views, 5 months ago
Challenge - Malicious Chrome Extension
210 views, 6 months ago
You're a super life saver. I work on these while watching you.
I appreciate your contribution to infosec. I will give you some friendly advice: please increase the audio volume in your videos, and you can make them a bit shorter; it would also boost your views. You know that infosec peeps love watching precise stuff. Thanks for your knowledge sharing!
Tried responding to this alert today. Went to the endpoint and could not find logs from July 2021. The oldest logs were from September.
Do you think it encrypted some data?
Jones Michelle Johnson Paul Thompson Sharon
I’ve been studying IT and Cybersecurity all day for the past couple of days. It’s nice to relax and take in such a beautiful natural phenomenon
Hi, I was doing this alert and the part I got wrong was that I thought the user did not access this file. Since the logs shown are all empty, I'm just curious: does it mean that the attacker removed all traces in the log, and that's why it is empty? Thank you
As an analyst, you might not always have your normal set of logs, agents are not flawless and internet connections are not always stable. So you will find you have to work with what you have!
Hi Bret, I made this official challenge write-up. I would like to hear your thoughts on my write-up and if you have any tips for improvement. I was inspired by you, and LetsDefend published two of my write-ups (the GoLang challenge too). Keep up the good work, I love your channel.
A very good write-up! You found the IP and the payload name in IDA first, rather than my VT; awesome job @DanielArm94
Thanks, you helped me with the first question.
You didn't show how to fire up the Remote Desktop client, which is what I'm stuck on haha. Thanks for the video nonetheless!
RDP for Windows?
No cursor is so annoying :/
This is mostly corrected in current videos... I think...
Could you please share the pdf file? Thanks in advance
How did you manage to extract the doc from the LetsDefend virtual lab? I am having a hard time with it. If possible, kindly include the extraction from the VM in your videos next time.
I did a two part series as a how to for pulling FROM Windows/Linux to Windows/Linux. th-cam.com/video/vHlulHqHzyY/w-d-xo.html th-cam.com/video/XSU9QjHxcM8/w-d-xo.html
Please, how did you download the log file from the LetsDefend virtual platform to your PC? I am having difficulty with that.
I am also having difficulty with that, please.
I did a two part series as a how to for pulling FROM Windows/Linux to Windows/Linux. th-cam.com/video/vHlulHqHzyY/w-d-xo.html th-cam.com/video/XSU9QjHxcM8/w-d-xo.html
@BretWitt Thanks
Thanks for the walkthrough, but I have a question for you. During my investigation I noticed that there was an email sent to RichardPRD on the same day as the JuicyPotato.exe alert. The email contained a malicious .xlsx file that was opened and there are various IOCs on his endpoint that show this, including contact with a C2. One of the questions asks if someone had requested the C2 and I put "yes", which was the wrong answer. I guess my question is, was I mistaken thinking that the JuicyPotato.exe and the .xlsx file from the email were somehow linked? In a real life scenario, would you only focus on the JuicyPotato alert even though you came across something else while searching, such as an email attachment?
I would pay money to see what that webpage looked like before it got the 404.
Doing the lords work mate. Thank you.
Hi Bret, nice video, I love your channel, you are awesome! I have a question regarding the challenge: how did you download the file? I didn't find the option to download this sample, and the Let's Defend machine is not equipped with the tools I need, like IDA or Ghidra, so I wanted to get the sample to my FLARE VM. How can I get this sample? I don't have a VT Pro account or a Joe Sandbox account for downloading the file. Thanks, and keep it up, love your channel 😁
NVM, I found my answer through RDP copy-paste. Stay awesome :)
Thanks. As for downloading the files, RDP has copy and paste for Windows, and for Linux I move/copy the files to the analyst folder and then connect to the VM via WinSCP (as my system is Windows). You have to hit the yellow button above the VM once it starts to get the VM's IP, username, and password.
hello laughing man
This is not bad at all; however, hopefully you can make a slightly more advanced version of this that talks more about the response. For example, extract the logs and review them, even if with a test tenant/instance.
If possible, please do one with Frida Stalker for Themida-protected malware.
Frida stalker?
It's easy to do with VirusTotal, but reverse engineering with Python is a lot. I only have Sec+ and Google CC; LetsDefend SOC is my first course. Malware analysis is as hard as I thought; log analysis is easier.
How do you output the content of multiple specific files with strings in Linux, as demonstrated at 14:32?
How do you determine what profile to use in Volatility? This is something I don't quite understand yet.
In Vol 3 it's automagically done; as for Vol 2, you use imageinfo and kdbgscan to find what fits best. book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet Look at the OS Profiles section.
Nice job. Thanks for the interesting video.
This is great.🔥🔥
Jesus, this lab is extremely intense ahaha, not able to complete it.
After following the UDP stream, where did you go to find the p13 frame message?
Thank you for these Videos, Bret. They really help to learn safely with hands-on experience that transfers well to on-the-job experience!
this is beginner? I'm screwed
Beginner challenge... don't count yourself out!
Hey Bret! This is the other Bret(CyberGladius). lol. I enjoyed watching someone work through my challenge. Thank you for the video! The event logs are from an actual breach I worked on. Fun fact: the hard part was altering the event logs to remove sensitive information and re-signing the headers.
It was very helpful. thank you.
InfoSec_Bret, I loved this video so much, I had to hit the like button!
Bret, you are doing a great job. I would like to request that you include log source types and related scenarios that work in a real-life SOC. I know LetsDefend doesn't provide this, but I would be grateful if you can.
Hey Bret! Could you maybe help me understand why, when I connect to the labs, they're so laggy?
Thanks Bro for that :)
Can barely hear you.
Hopefully this is fixed; went from -6 dB on the mic to -1 dB.
Yo man, can you please be more informative, like a step-by-step guideline on the phishing email challenge? I'm stuck where it says download: do I download it like normal or download it through a sandbox? If so, what do I use in a sandbox, like the one LetsDefend provides, to solve the problem? Thank you
You can work it any way you can... so you could spin up the LetsDefend sandbox, pull the file down in there, and then work the challenge. You could set up a VM on your local computer, pull down the file, and work the challenge. You could pull the file down and work on the bare metal of your computer (only recommended if you know what you are doing).
How do you open the download link in the LetsDefend lab?
You click it? I know there have been some issues with downloads being blocked for malware, so you have to try a different browser...
Thank you for making this video. I wish you'd make a lot of videos about LetsDefend.
InfoSec_Bret, I really liked this video! I subscribed too!
Dude, you do suck. Learn some basic PowerShell to suck just a tiny bit less: [System.BitConverter]::ToInt64(); [datetime]::FromFileTime(). You had it at th-cam.com/video/PUTGNPeCgvs/w-d-xo.html
dude, you do suck. learn some basic PowerShell to suck just a tiny bit less [System.BitConverter]::ToInt64(); [datetime]::FromFileTime() you had it at th-cam.com/video/PUTGNPeCgvs/w-d-xo.html and do forget those tarded "tools"
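The PowerShell pair named in the comment above ([System.BitConverter]::ToInt64 followed by [datetime]::FromFileTime) turns a raw Windows FILETIME into a readable timestamp. The following is an added example in Python, not code from the video or from the commenter, that does the same conversion starting from the 8 little-endian bytes an analyst sees in a hex dump or a REG_BINARY value, plus the reverse conversion and a Unix-epoch conversion for correlating with Linux-side logs. The sample hex bytes are constructed for the example and are not values taken from the challenge.

```python
"""Decode a Windows FILETIME (8 bytes, little-endian, 100-nanosecond ticks
since 1601-01-01 00:00:00 UTC) to an aware UTC datetime, and encode it back.

Added example, not code from the video or the comment. The sample hex string
below is constructed for the example, not taken from the challenge files.
"""
from __future__ import annotations

import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# 1970-01-01 00:00:00 UTC expressed in FILETIME ticks (11644473600 s * 1e7).
UNIX_EPOCH_TICKS = 116_444_736_000_000_000

# Constructed sample, written the way a hex editor or registry viewer shows
# the bytes: least-significant byte first.
SAMPLE_FILETIME_HEX = "00 40 fa 08 0c 6e d7 01"


def parse_hex_dump(text: str) -> bytes:
    """Accept '00 40 fa ...' (hex dump) or '00,40,fa,...' (.reg export) forms."""
    return bytes.fromhex(text.replace(",", " "))


def filetime_to_datetime(raw: bytes) -> Optional[datetime]:
    """Mirror of [BitConverter]::ToInt64 + [datetime]::FromFileTimeUtc.

    Returns None for an all-zero value, which Windows uses to mean 'never'
    (common in SAM/registry 'last logon' style fields).
    """
    if len(raw) != 8:
        raise ValueError(f"FILETIME is exactly 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<q", raw)  # signed 64-bit, like ToInt64
    if ticks == 0:
        return None
    if ticks < 0:
        raise ValueError("negative FILETIME: not a valid timestamp")
    # timedelta resolves to microseconds, so the last decimal digit of the
    # tick count (tens of nanoseconds) is dropped here.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> bytes:
    """Inverse of filetime_to_datetime. Naive datetimes are treated as UTC."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    delta = when - FILETIME_EPOCH
    ticks = (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND
    ticks += delta.microseconds * 10
    return struct.pack("<q", ticks)


def filetime_to_unix(raw: bytes) -> Optional[float]:
    """Same value as seconds since 1970-01-01 UTC, for matching Linux logs."""
    (ticks,) = struct.unpack("<q", raw)
    if ticks == 0:
        return None
    return (ticks - UNIX_EPOCH_TICKS) / TICKS_PER_SECOND


if __name__ == "__main__":
    raw = parse_hex_dump(SAMPLE_FILETIME_HEX)
    print(filetime_to_datetime(raw))   # 2021-07-01 00:00:00+00:00
    print(filetime_to_unix(raw))       # 1625097600.0
    print(datetime_to_filetime(filetime_to_datetime(raw)).hex(" "))
```

Byte order is the usual mistake: the registry and most hex dumps show the least-significant byte first, so the value must be unpacked as little-endian ("<q") before converting. Feeding the same eight bytes in reversed order still produces a "valid" but wildly wrong date, so a sanity check against the case timeline is worth the extra second.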
Oh man, why are you talking so slowly in every video? Are you high every day, man?
On their YouTube channel, LetsDefend actually recommends using VMonkey, so you weren't lazy at all.
I think your videos would be perfect if you got a new mic. It's sometimes very hard to hear or understand you. Otherwise, great content!
I suppose it is time to seriously consider a dedicated microphone as opposed to a wireless headset originally made for the PS3, lol.
I did the same; the only difference was I didn't even bother looking up the Python program by name, because the name doesn't identify the program, so whatever I find is just speculation. The way they run Python and the WMI activity mentioned in the alert were suspicious enough, but unless we get the wmiexec.py or its hash we can't investigate further. For the same reason we can't identify the C2 address, if there is any. But there isn't any network activity in the log at the time of the alert, so I don't understand either; I made the same "mistake".
I'm stuck on question 13; I put the same thing but it says it is incorrect.