Immersive Labs

155 Topics

Ransomware: TeslaCrypt - Stuck at Last Question

Has anyone figured out the final question of the Ransomware: TeslaCrypt lab? "What is the domain of the first DNS request made after executing the malware?"

- No correct answers via Ghidra
- No answers via ProcMon (suggested in the briefing)
- I checked the activity in x32dbg - nothing

Any ideas? Is the lab broken? As always, I might be looking too far...

10 Views, 0 likes, 1 Comment

PowerShell Deobfuscation Ep.7

I first collected the .ps1 script and noticed that it is encoded in hex. After decoding from hex, I noticed that it converts from decimals. This led me to use the "From Decimal" recipe in CyberChef. However, this led me towards only the decoded ending of the script itself, with the main obfuscated payload being empty. I am wondering where I am going wrong in my thought process.

Solved. 19 Views, 0 likes, 1 Comment

Error in lab in SVMs Behavior Detection

Ref: /v2/labs/fundamental-ai-algorithms-ep-7-svms-behavior-detection/category/ai/series/fundamental-ai-algorithms

In Cell 2 of the lab, I used the code below:

```python
# import needed by this cell; getPtree, getProcessFromCmdline and esSearch are
# defined in an earlier cell of the lab (see the traceback below)
from elasticsearch import Elasticsearch

# connect to elasticsearch using the username python and password pythonisawesome
#es = Elasticsearch( 'ELASTICSEARCH_URI', basic_auth=( 'USERNAME', 'PASSWORD' ) )
#es = Elasticsearch( 'http://elasticsearch:9200', basic_auth=( 'python', 'pythonisawesome' ) )
#es = Elasticsearch( 'http://127.0.0.1:9200', basic_auth=( 'python', 'pythonisawesome' ) )
es = Elasticsearch( 'http://172.17.0.1:9200', basic_auth=( 'python', 'pythonisawesome' ), verify_certs=False, ssl_show_warn=False )

# get the process tree for a process
#ptree = getPtree( es, 'PROCESS_COMMANDLINE_FOR_INITIAL_PROCESS' )
ptree = getPtree( es, '"C:\\Users\\Administrator\\Downloads\\python-3.10.4-amd64.exe"' )
```

While running, I got the following error:

```
---------------------------------------------------------------------------
ConnectionError                           Traceback (most recent call last)
<ipython-input-18-724dfb6e6522> in <module>
    107 # get the process tree for a process
    108 #ptree = getPtree( es, 'PROCESS_COMMANDLINE_FOR_INITIAL_PROCESS' )
--> 109 ptree = getPtree( es, '"C:\\Users\\Administrator\\Downloads\\python-3.10.4-amd64.exe"' )
    110
    111 # graph the structure of the process tree

<ipython-input-9-ceca3d8599dc> in getPtree(elasticsearch, initial_process)
    101
    102 # get the initial process id from its commandline
--> 103 initial_pid = getProcessFromCmdline( elasticsearch, initial_process )
    104 if initial_pid == None:
    105 return

<ipython-input-9-ceca3d8599dc> in getProcessFromCmdline(elasticsearch, process)
     31 # set it return the process entity id as the unique ID and the commandline and run the query
     32 fields = [ 'process.entity_id', 'process.command_line' ]
---> 33 results = esSearch( elasticsearch, query, fields )
     34
     35 # check it only returned one value

<ipython-input-9-ceca3d8599dc> in esSearch(elasticsearch, fields_values, fields)
     18
     19 # query elasticsearch specifying what fields you want it to return
---> 20 response = elasticsearch.search( index = 'winlogbeat-*', size='10000', query=query, fields=fields )
     21
     22 # return the query hits

/usr/local/lib/python3.8/dist-packages/elasticsearch/_sync/client/utils.py in wrapped(*args, **kwargs)
    412 pass
    413
--> 414 return api(*args, **kwargs)
    415
    416 return wrapped # type: ignore[return-value]

/usr/local/lib/python3.8/dist-packages/elasticsearch/_sync/client/__init__.py in search(self, index, aggregations, aggs, allow_no_indices, allow_partial_search_results, analyze_wildcard, analyzer, batched_reduce_size, ccs_minimize_roundtrips, collapse, default_operator, df, docvalue_fields, error_trace, expand_wildcards, explain, fields, filter_path, from_, highlight, human, ignore_throttled, ignore_unavailable, indices_boost, lenient, max_concurrent_shard_requests, min_compatible_shard_node, min_score, pit, post_filter, pre_filter_shard_size, preference, pretty, profile, q, query, request_cache, rescore, rest_total_hits_as_int, routing, runtime_mappings, script_fields, scroll, search_after, search_type, seq_no_primary_term, size, slice, sort, source, source_excludes, source_includes, stats, stored_fields, suggest, suggest_field, suggest_mode, suggest_size, suggest_text, terminate_after, timeout, track_scores, track_total_hits, typed_keys, version)
   3745 if __body is not None:
   3746 __headers["content-type"] = "application/json"
-> 3747 return self.perform_request( # type: ignore[return-value]
   3748 "POST", __path, params=__query, headers=__headers, body=__body
   3749 )

/usr/local/lib/python3.8/dist-packages/elasticsearch/_sync/client/_base.py in perform_request(self, method, path, params, headers, body)
    284 target = path
    285
--> 286 meta, resp_body = self.transport.perform_request(
    287 method,
    288 target,

/usr/local/lib/python3.8/dist-packages/elastic_transport/_transport.py in perform_request(self, method, target, body, headers, max_retries, retry_on_status, retry_on_timeout, request_timeout, client_meta)
    327 start_time = time.time()
    328 try:
--> 329 meta, raw_data = node.perform_request(
    330 method,
    331 target,

/usr/local/lib/python3.8/dist-packages/elastic_transport/_node/_http_urllib3.py in perform_request(self, method, target, body, headers, request_timeout)
    197 exception=err,
    198 )
--> 199 raise err from None
    200
    201 meta = ApiResponseMeta(

ConnectionError: Connection error caused by: ConnectionError(Connection error caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f4e74162700>: Failed to establish a new connection: [Errno 111] Connection refused))
```

38 Views, 0 likes, 2 Comments

Malicious Document Analysis: Dropper Analysis

I need help with this lab. I'm going through the Malicious Document Analysis section of the Incident Response badge. It goes from "use olevba" to analyse documents to wanting you to edit a Python script to manually de-obfuscate files. There's no guidance on doing this within the lab, and the lab doesn't refer you to anywhere else you can learn or get information that will help with this lab. I don't want the answers or hand holding, but a pointer in the right direction within the lab would be nice. Are there any other labs people recommend that may help prepare me for this one?

31 Views, 0 likes, 1 Comment

Healthcare Compliance

I keep getting an incorrect response when answering a question on the Healthcare Compliance lab, The HIPAA Framework. The question is: "Your hospital hires an IT consultant to audit your network security. Before giving them access to patient data, what must you do?" My response is "Have them sign a business associate agreement", but it's wrong. Any ideas what the correct response is to this question?

Solved. 45 Views, 1 like, 3 Comments