The Report BTLO

R3DW4N 4HM3D
5 min read, Oct 6, 2024


Assalamu Alaikum Wa Rahmatullah. How are you, hackers?

Today I am writing this blog/article after solving The Report. It is based on how I solved this lab.

Lab

Before reading this, try to solve the lab yourself. If you get stuck, come back here for help.

OK, now let's move on to the lab.

First, read the scenario.

You are working in a newly established SOC where there is still a lot of work to do to make it fully functional. As part of gathering intel, you were assigned a task to study a threat report released in 2022 and suggest some useful outcomes for your SOC.

First, download the zip file and extract it. The password is: BTLO.

Download Folders

Inside the folder you will see a PDF. Open it in a browser. Why a browser? You will get the answer soon.

Lastly, most of the answers are hidden in the questions themselves. Now let's solve the lab.

Lab Solving

Question 1) Name the supply chain attack related to Java logging library in the end of 2021 (Format: AttackNickname)

Answer :

Log4j

Explanation: As I said earlier, the answer is hidden in the question. Look for the keyword “Java”: press Ctrl+F, paste it into the search box, and go through each highlighted match; one of them sits next to a figure that contains the answer.

Answer : 01

Question 2) Mention the MITRE Technique ID which affected more than 50% of the customers (Format: TXXXX)

Answer :

T1059

Explanation: As I said earlier, the answer is hidden in the question. Look for the keyword “Technique”: press Ctrl+F, paste it into the search box, and go through each highlighted match; one of them sits next to a figure that contains the answer.

Answer : 02

Question 3) Submit the names of 2 vulnerabilities belonging to Exchange Servers (Format: VulnNickname, VulnNickname)

Answer :

ProxyLogon, ProxyShell

Explanation: As I said earlier, the answer is hidden in the question. Look for the keyword “Exchange Servers”: press Ctrl+F, paste it into the search box, and go through each highlighted match; one of them sits next to a figure that contains the answer.

Answer : 03

Question 4) Submit the CVE of the zero day vulnerability of a driver which led to RCE and gain SYSTEM privileges (Format: CVE-XXXX-XXXXX)

Answer :

CVE-2021-34527

Explanation: As I said earlier, the answer is hidden in the question. Look for the keyword “zero day”: press Ctrl+F, paste it into the search box, and go through each highlighted match; one of them sits next to a figure that contains the answer.

Answer : 04

Question 5) Mention the 2 adversary groups that leverage SEO to gain initial access (Format: Group1, Group2)

Answer :

Gootkit, Yellow Cockatoo

Explanation: As I said earlier, the answer is hidden in the question. Look for the keyword “SEO”: press Ctrl+F, paste it into the search box, and go through each highlighted match; one of them sits next to a figure that contains the answer.

Answer : 05

Question 6) In the detection rule, what should be mentioned as parent process if we are looking for execution of malicious js files [Hint: Not CMD] (Format: ParentProcessName.exe)

Answer :

wscript.exe

Explanation: As I said earlier, the answer is hidden in the question. Look for the keyword “JavaScript”: press Ctrl+F, paste it into the search box, and go through each highlighted match; one of them sits next to a figure that contains the answer.

Answer : 06
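One way to turn the answer to Question 6 into an actual detection check, as an added example that is not from the lab, the threat report or the original post: it runs a parent-process rule over constructed Sysmon-style process-creation events (the field names and the sample paths are assumptions) and flags any child spawned by wscript.exe while it is running a .js/.jse script.

```python
import ntpath
import shlex

# Constructed Sysmon-style process-creation events (not from the lab's PDF).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe "C:\Users\bob\Downloads\invoice.js"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\WINDOWS\SYSTEM32\WSCRIPT.EXE",
     "ParentCommandLine": r"WSCRIPT.EXE //E:jscript C:\Temp\update.txt"},
]

SCRIPT_EXTS = (".js", ".jse")

def basename_lower(path: str) -> str:
    """Compare on the file name only, case-insensitively (Windows paths)."""
    return ntpath.basename(path).lower()

def parent_is_wscript(event: dict) -> bool:
    """The rule keys on the parent: the child (cmd, powershell, ...) varies."""
    return basename_lower(event.get("ParentImage", "")) == "wscript.exe"

def js_script_from_cmdline(cmdline: str):
    """Return the script wscript was asked to run if it is JavaScript, else None.
    Handles quoted paths and the //E:jscript engine override, which lets a
    file with a harmless extension (e.g. .txt) be run as JScript."""
    # posix=False keeps backslashes intact; strip the quotes shlex leaves on.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    engine_override = any(t.lower() == "//e:jscript" for t in tokens)
    for tok in tokens[1:]:          # tokens[0] is the wscript.exe binary itself
        if tok.startswith("/"):     # host switches such as //B, //E:..., /nologo
            continue
        if engine_override or tok.lower().endswith(SCRIPT_EXTS):
            return tok
        return None                 # first real argument was not a JS script
    return None

def detect(events: list) -> list:
    """Apply the rule to a batch of events; each finding names child and script."""
    findings = []
    for ev in events:
        if not parent_is_wscript(ev):
            continue
        script = js_script_from_cmdline(ev.get("ParentCommandLine", ""))
        if script is not None:
            findings.append({"child": basename_lower(ev["Image"]), "script": script})
    return findings

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"wscript.exe running {hit['script']} spawned {hit['child']}")
```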

Question 7) Ransomware gangs started using affiliate model to gain initial access. Name the precursors used by affiliates of Conti ransomware group (Format: Affiliate1, Affiliate2, Afilliate3)

Answer :

Qbot, Bazar, IcedID

Explanation: As I said earlier, the answer is hidden in the question. Look for the keyword “RANSOMWARE GROUP”: press Ctrl+F, paste it into the search box, and go through each highlighted match; one of them sits next to a figure that contains the answer.

Answer : 07

Question 8) The main target of coin miners was outdated software. Mention the 2 outdated software mentioned in the report (Format: Software1, Software2)

Answer :

JBoss, WebLogic

Explanation: As I said earlier, the answer is hidden in the question. Look for the keyword “outdated”: press Ctrl+F, paste it into the search box, and go through each highlighted match; one of them sits next to a figure that contains the answer.

Answer : 08

Question 9) Name the ransomware group which threatened to conduct DDoS if they didn’t pay ransom (Format: GroupName)

Answer :

Fancy Lazarus

Explanation: As I said earlier, the answer is hidden in the question. Look for the keyword “DDoS”: press Ctrl+F, paste it into the search box, and go through each highlighted match; one of them sits next to a figure that contains the answer.

Answer : 09

Question 10) What is the security measure we need to enable for RDP connections in order to safeguard from ransomware attacks? (Format: XXX)

Answer :

MFA

Explanation: As I said earlier, the answer is hidden in the question. Look for the keyword “RDP”: press Ctrl+F, paste it into the search box, and go through each highlighted match; one of them sits next to a figure that contains the answer.

Answer : 10

Congratulations! You have successfully solved the lab.

Thanks for reading. I hope this article/blog helps you. If you have any questions or doubts, feel free to ask. And please follow me on Medium; it's free and you can always change your mind.

Here are my social links:

Linkedin : https://www.linkedin.com/in/r3dw4n4hm3d/

GitHub : https://github.com/r3dw4n48m3d

Website : https://r3dw4n48m3d.github.io/Portfolio/

YouTube : https://www.youtube.com/@R3DW4NA8M3D
