Day 1: Maybe SOC-mas music, he thought, doesn't come from a store?

Looks like the song.mp3 file is not what we expected! Run "exiftool song.mp3" in your terminal to find out the author of the song. Who is the author?

Answer

Tyler Ramsbey

The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server?

Answer

http://papash3ll.thm/data

Who is M.M? Maybe his GitHub profile page would provide clues?

Answer

Mayor Malware

What is the number of commits on the GitHub repo where the issue was raised?

Answer

1

Day 2: One man's false positive is another man's potpourri.

What is the name of the account causing all the failed login attempts?

Answer

How many failed logon attempts were observed?

Answer

What is the IP address of Glitch?

Answer

When did Glitch successfully log on to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS

Answer

What is the decoded command executed by Glitch to fix the systems of Wareville?

Answer

If you enjoyed this task, feel free to check out the Investigating with ELK 101 room.

Answer

Day 3: Even if I wanted to go, their vulnerabilities wouldn't allow it.

BLUE: Where was the web shell uploaded to?

Answer

/media/images/rooms/shell.php

BLUE: What is the IP address that accessed the web shell?

Answer

10.11.83.34

RED: What are the contents of flag.txt?

Answer

THM{Gl1tch_Was_H3r3}

Day 4: I’m all atomic inside!

What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xslm artefact?

Answer

THM{GlitchTestingForSpearphishing}

What ATT&CK technique ID would be our point of interest?

Answer

THM{GlitchTestingForSpearphishing}

What ATT&CK sub-technique ID focuses on the Windows Command Shell?

Answer

T1059.003

What is the name of the Atomic Test to be simulated?

Answer

Simulate BlackByte Ransomware Print Bombing

What is the name of the file used in the test?

Answer

Wareville_Ransomware.txt

What is the flag found from this Atomic Test?

Answer

THM{R2xpdGNoIGlzIG5vdCB0aGUgZW5lbXk=}