
PsExec Hunt Blue Team Lab

Noctis41 2024. 7. 28. 23:31

This post is a write-up of the PsExec Hunt challenge from CyberDefenders.


1. Challenge description

Our Intrusion Detection System (IDS) has raised an alert, indicating suspicious lateral movement activity involving the use of PsExec. To effectively respond to this incident, your role as a SOC Analyst is to analyze the captured network traffic stored in a PCAP file.


Q1.
In order to effectively trace the attacker's activities within our network, can you determine the IP address of the machine where the attacker initially gained access?

This can be checked in Wireshark under Statistics > Conversations > IPv4.

Q2.
To fully comprehend the extent of the breach, can you determine the machine's hostname to which the attacker first pivoted?

For this question, I filtered on the IP 10.0.0.130, then opened one of the packets with Follow > TCP Stream and found it there.

Q3.
After identifying the initial entry point, it's crucial to understand how far the attacker has moved laterally within our network. Knowing the username of the account the attacker used for authentication will give us insights into the extent of the breach. What is the username utilized by the attacker for authentication?

To find the answer to this question I dug through a lot of packets one by one. Still, I'm glad the answer was there.

Q4.
After figuring out how the attacker moved within our network, we need to know what they did on the target machine. What's the name of the service executable the attacker set up on the target?

I found this one while skimming through the packets.

Q5.
We need to know how the attacker installed the service on the compromised machine to understand the attacker's lateral movement tactics. This can help identify other affected systems. Which network share was used by PsExec to install the service on the target machine?

This one, too, I found while skimming, since it ties in with Q3 and Q4.

Q6.
We must identify the network share used to communicate between the two machines. Which network share did PsExec use for communication?

For this question as well, I could tell the answer because the other network share, IPC$ rather than ADMIN$, was right there in the packet just above.

Q7.
Now that we have a clearer picture of the attacker's activities on the compromised machine, it's important to identify any further lateral movement. What is the machine's hostname to which the attacker attempted to pivot within our network?

I could answer this question by filtering on dns.qry.name.
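The steps above (conversation statistics, the NTLMSSP username, the ADMIN$ and IPC$ tree connects, the service binary written to the admin share, and the DNS lookup of the next host) can also be run as a script over a tshark field export instead of clicking through Wireshark. The block below is an added example for this write-up, not part of the CyberDefenders lab or the lab's traffic: the tshark command in the docstring is assumed (its field names are real), and every address, hostname, account and file name in SAMPLE_ROWS is a constructed placeholder rather than a value from the PCAP.

```python
"""Triage a PsExec-style lateral-movement capture from tshark field output.

Added example for this write-up, not part of the CyberDefenders lab material.
The six columns below are real tshark field names; the export command that
produces them (assumed; adjust the capture path) is:

  tshark -r capture.pcap -Y "smb2 || ntlmssp || dns" \
      -T fields -E separator=/t -E header=n \
      -e ip.src -e ip.dst -e ntlmssp.auth.username \
      -e smb2.tree -e smb2.filename -e dns.qry.name

One value per field per packet is assumed (tshark joins multiple values with
commas, which this small parser does not split).
"""
from collections import Counter, defaultdict

FIELDS = ("src", "dst", "user", "tree", "filename", "dns")

# Constructed sample rows in the layout above. Every address, host, user and
# file name is a placeholder invented for this example, not a value from the lab.
SAMPLE_ROWS = [
    ("10.0.0.10", "10.0.0.20", "", "", "", ""),                    # SMB2 negotiate
    ("10.0.0.10", "10.0.0.20", "LAB\\operator", "", "", ""),       # NTLMSSP AUTHENTICATE
    ("10.0.0.10", "10.0.0.20", "", "\\\\HOST-B\\ADMIN$", "", ""),  # Tree Connect to ADMIN$
    ("10.0.0.10", "10.0.0.20", "", "", "SVCHELPER.exe", ""),       # service binary written
    ("10.0.0.10", "10.0.0.20", "", "\\\\HOST-B\\IPC$", "", ""),    # Tree Connect to IPC$
    ("10.0.0.10", "10.0.0.20", "", "", "svcctl", ""),              # Service Control Manager pipe
    ("10.0.0.10", "10.0.0.20", "", "", "SVCHELPER", ""),           # the service's own named pipe
    ("10.0.0.20", "10.0.0.1", "", "", "", "host-c.lab.local"),     # DNS lookup of the next target
    ("10.0.0.20", "10.0.0.1", "", "", "", "host-c.lab.local"),
]
SAMPLE_TEXT = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"


def parse_rows(text):
    """Turn tab-separated tshark output into a list of field dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))  # pad lines with trailing empty fields
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def conversations(rows):
    """Packet count per (src, dst) pair: the scripted form of Statistics > Conversations."""
    return Counter((r["src"], r["dst"]) for r in rows)


def auth_usernames(rows):
    """Accounts seen in NTLMSSP AUTHENTICATE messages (DOMAIN\\user form)."""
    return {r["user"] for r in rows if r["user"]}


def share_name(tree):
    """Last component of an SMB2 tree path such as \\\\HOST\\ADMIN$, upper-cased."""
    return tree.rsplit("\\", 1)[-1].upper() if tree else ""


def tree_connects(rows):
    """(src, dst, share) for every SMB2 Tree Connect seen in the export."""
    return [(r["src"], r["dst"], share_name(r["tree"])) for r in rows if r["tree"]]


def dns_queries(rows):
    """How often each name was looked up; a new hostname here hints at the next pivot."""
    return Counter(r["dns"] for r in rows if r["dns"])


def psexec_indicators(rows):
    """Per (src, dst) pair, collect the pieces of the PsExec pattern and flag the pair
    when all are present: an ADMIN$ connect, an .exe written after it, an IPC$ connect
    and the svcctl pipe used to install and start the service."""
    state = defaultdict(lambda: {"admin_share": False, "ipc_share": False,
                                 "svcctl": False, "binaries": [], "users": set()})
    for r in rows:
        s = state[(r["src"], r["dst"])]
        if r["user"]:
            s["users"].add(r["user"])
        share = share_name(r["tree"])
        if share == "ADMIN$":
            s["admin_share"] = True
        elif share == "IPC$":
            s["ipc_share"] = True
        name = r["filename"].lower()
        if name == "svcctl":
            s["svcctl"] = True
        elif name.endswith(".exe") and s["admin_share"]:
            s["binaries"].append(r["filename"])
    for s in state.values():
        s["suspicious"] = (s["admin_share"] and s["ipc_share"]
                           and s["svcctl"] and bool(s["binaries"]))
    return dict(state)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_TEXT)
    print("conversations:", conversations(rows).most_common(3))
    print("auth users:", auth_usernames(rows))
    print("shares:", sorted({share for _, _, share in tree_connects(rows)}))
    print("dns:", dns_queries(rows))
    for (src, dst), s in psexec_indicators(rows).items():
        if s["suspicious"]:
            print(f"PsExec-style pattern {src} -> {dst}: users={sorted(s['users'])} "
                  f"binaries={s['binaries']}")
```

Running it on a real export replaces SAMPLE_TEXT with the file contents; the Wireshark equivalents of the columns are the display filters ntlmssp.auth.username, smb2.tree, smb2.filename and dns.qry.name, which is the same path the manual walkthrough above takes. The pattern check is deliberately conservative: a lone ADMIN$ connect is normal administration, so a pair is only flagged once the binary write, the IPC$ connect and the svcctl pipe are all seen for the same source and destination.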
