questions & feedback
73 TopicsIncident Response: Application Shimming
I'm working through the Incident Response: Application Shimming lab and I'm stuck on the final question (but have correctly answered all previous questions). Without giving away any answers to those reading this, I'm hoping someone can tell me whether I'm following the correct investigation path or if I'm overlooking an artifact. So far I've: - Followed the registry keys mentioned in the briefing. - Identified the affected application and the installed shim database. - Examined the SDB file with the provided analysis tool. - Followed the breadcrumb trail from the previous questions. - Examined the DLL identified in the previous question for URLs, HTTP-related strings, and other obvious indicators. - Searched the SDB and related files for URLs and network indicators. - Checked the application's installation directory for additional relevant artifacts. At this point I can't find anything that appears to answer the final question, and I'm wondering if I'm expected to analyze a different file or use a different tool than the ones provided in the VM. Could someone give me a nudge in the right direction? Specifically, I'd like to know: Am I investigating the correct artifact? Is there another file or artifact that should be analyzed? Or is there another technique/tool that the lab expects me to use? Thanks!33Views0likes0CommentsError in lab in SVMs Behavior Detection
Ref: /v2/labs/fundamental-ai-algorithms-ep-7-svms-behavior-detection/category/ai/series/fundamental-ai-algorithms In Cell-2 of the lab, I used the code below: # connect to elasticsearch using the username python and password pythonisawesome #es = Elasticsearch( 'ELASTICSEARCH_URI', basic_auth=( 'USERNAME', 'PASSWORD' ) ) #es = Elasticsearch( 'http://elasticsearch:9200', basic_auth=( 'python', 'pythonisawesome' ) ) #es = Elasticsearch( 'http://127.0.0.1:9200', basic_auth=( 'python', 'pythonisawesome' ) ) es = Elasticsearch( 'http://172.17.0.1:9200', basic_auth=( 'python', 'pythonisawesome' ), verify_certs=False, ssl_show_warn=False ) # get the process tree for a process #ptree = getPtree( es, 'PROCESS_COMMANDLINE_FOR_INITIAL_PROCESS' ) ptree = getPtree( es, '"C:\\Users\\Administrator\\Downloads\\python-3.10.4-amd64.exe"' ) While running, I got the following error: --------------------------------------------------------------------------- ConnectionError Traceback (most recent call last) <ipython-input-18-724dfb6e6522> in <module> 107 # get the process tree for a process 108 #ptree = getPtree( es, 'PROCESS_COMMANDLINE_FOR_INITIAL_PROCESS' ) --> 109 ptree = getPtree( es, '"C:\\Users\\Administrator\\Downloads\\python-3.10.4-amd64.exe"' ) 110 111 # graph the structure of the process tree <ipython-input-9-ceca3d8599dc> in getPtree(elasticsearch, initial_process) 101 102 # get the initial process id from its commandline --> 103 initial_pid = getProcessFromCmdline( elasticsearch, initial_process ) 104 if initial_pid == None: 105 return <ipython-input-9-ceca3d8599dc> in getProcessFromCmdline(elasticsearch, process) 31 # set it return the process entity id as the unique ID and the commandline and run the query 32 fields = [ 'process.entity_id', 'process.command_line' ] ---> 33 results = esSearch( elasticsearch, query, fields ) 34 35 # check it only returned one value <ipython-input-9-ceca3d8599dc> in esSearch(elasticsearch, fields_values, fields) 18 19 # query elasticsearch specifying what fields you want it to return ---> 20 response = elasticsearch.search( index = 'winlogbeat-*', size='10000', query=query, fields=fields ) 21 22 # return the query hits /usr/local/lib/python3.8/dist-packages/elasticsearch/_sync/client/utils.py in wrapped(*args, **kwargs) 412 pass 413 --> 414 return api(*args, **kwargs) 415 416 return wrapped # type: ignore[return-value] /usr/local/lib/python3.8/dist-packages/elasticsearch/_sync/client/__init__.py in search(self, index, aggregations, aggs, allow_no_indices, allow_partial_search_results, analyze_wildcard, analyzer, batched_reduce_size, ccs_minimize_roundtrips, collapse, default_operator, df, docvalue_fields, error_trace, expand_wildcards, explain, fields, filter_path, from_, highlight, human, ignore_throttled, ignore_unavailable, indices_boost, lenient, max_concurrent_shard_requests, min_compatible_shard_node, min_score, pit, post_filter, pre_filter_shard_size, preference, pretty, profile, q, query, request_cache, rescore, rest_total_hits_as_int, routing, runtime_mappings, script_fields, scroll, search_after, search_type, seq_no_primary_term, size, slice, sort, source, source_excludes, source_includes, stats, stored_fields, suggest, suggest_field, suggest_mode, suggest_size, suggest_text, terminate_after, timeout, track_scores, track_total_hits, typed_keys, version) 3745 if __body is not None: 3746 __headers["content-type"] = "application/json" -> 3747 return self.perform_request( # type: ignore[return-value] 3748 "POST", __path, params=__query, headers=__headers, body=__body 3749 ) /usr/local/lib/python3.8/dist-packages/elasticsearch/_sync/client/_base.py in perform_request(self, method, path, params, headers, body) 284 target = path 285 --> 286 meta, resp_body = self.transport.perform_request( 287 method, 288 target, /usr/local/lib/python3.8/dist-packages/elastic_transport/_transport.py in perform_request(self, method, target, body, headers, max_retries, retry_on_status, retry_on_timeout, request_timeout, client_meta) 327 start_time = time.time() 328 try: --> 329 meta, raw_data = node.perform_request( 330 method, 331 target, /usr/local/lib/python3.8/dist-packages/elastic_transport/_node/_http_urllib3.py in perform_request(self, method, target, body, headers, request_timeout) 197 exception=err, 198 ) --> 199 raise err from None 200 201 meta = ApiResponseMeta( ConnectionError: Connection error caused by: ConnectionError(Connection error caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f4e74162700>: Failed to establish a new connection: [Errno 111] Connection refused))46Views0likes2CommentsPowershell Deobsfuscation Ep.7
I first collected the .ps1 script and noticed that it is from hex after decoding from hex I noticed that it converts from decimals This led me to use the from the from decimal recipe from Cyberchef However, this led me towards only the decoded eding of the script itself. with the main obfuscated payload being empty. I am wondering about where I am going wrong in my thought process.Solved25Views0likes1CommentMalicious Document Analysis: Dropper Analysis
I need help with this lab. going through the Malicious document analysis section of the Incident response badge. it goes from "use olevba" to analyse documents to wanting you to edit python script to manually de-obfuscate files. there’s no guidance on doing this within the lab and the lab doesn’t refer you to anywhere else you can learn/ get information that will help with this lab. i don’t want the answers or my hand holding, but a pointer in the right direction within the lab would be nice. is there any other labs people recommend that may help prepare me for this one?33Views0likes1CommentEthereum: The Blockchain, Transactions, and Explorers
Hi All, I am super stuck on question 9' After completing the previous question, a certain number of ETH was sent to your wallet. Using the blockchain explorer, what is the address that sent you this ETH?' I have input the labs wallet ID into the block explorer but I cant see any transactions to trace where the ETH has come from. Am I being stupid or is something not working?31Views0likes1CommentRansomware: Darkside - Question 9
In terms of determining the name of the service that is installed after the ransomware was executed, there doesn't seem to be any service installation activities observed from the endpoint. Wondering if I should be focusing on a different code, slightly irrelevant towards service creation activities. when searching for file creation for possible service names "api-ms-win-service-management-l1-1-0.dll" is also showcased to not work. Wondering about what different area should I be looking into insteadSolved52Views0likes2CommentsMobile Malware: Anubis Malware (Offensive) - Question 8,9
despite obtaining the encrypted value, seems like RC4 decryption doesn't work with zanubis as the password. I am wondering where should I pivot into? For question 9: where should I look into in order to get started?Solved35Views0likes1CommentAI: Plugin Injection – Demonstrate Your Skills
Hi I have a issue/problem here. I found the flaw in DirectoryListingPluginOld that you can craft a argument that executes a 2nd command. But everything I try, is rejected. With "&&" or ";" and then "less", "cat", "head". I even try to escape with "\\000" or "\\x00" the whole argument. I saw working solutions on reddit, but they don't work for me. Even after multiple tries. Is it possible, that the LLM is more secure regarding malicious prompts now? Thanks for a hint. BR217Views0likes2Comments