Section 1: Maybe It's just a tadpole?
What is the MITRE ATT&CK ID for defacement?
Ans: T1491
Who is the Web Administrator? (Paste the full name.)
Ans: Anita Bath

What is the hostname of the Web Administrator machine?
Ans: ✅ MYZB-LAPTOP

When did the defacement happen exactly? (Paste the full timestamp.)
Ans: ✅ 2024-07-10T11:45:50Z

When was the first image uploaded? (Paste the full timestamp.)
Ans: ✅ 2024-07-10T10:53:37Z

What is the Sha256 hash of the first meme that was uploaded to the webserver?
Ans: ✅ 9880c2d74afb2e57c7de7b9d6d0976112887502bb80344d35df34e774628dba0

What domain were the images downloaded from?
Ans: ✅ ronniesdankmemes.com

Let's find out Anita's IP.
Which command did the attacker use to look for files containing passwords?
Ans: ✅ Get-ChildItem -Path C:\Users\anbath\Documents* -Include password -Recurse

What is the name of the file containing passwords?
Ans: ✅ mypasswordsnstuff.txt
Let's modify the previous query to use the contains operator.

What is the name of that domain?
Ans: ✅ newdevelopmentupdates.org
What is the last IP address that the domain you found in Q11 resolved to?
Ans: ✅ 239.72.6.37

Do the IPs found in Q11 resolve to other domains? If they do, answer with the domain. If not, type no.
Ans: ✅ greenprojectnews.net

What version of Firefox is the threat actor using?
Ans: ✅ 3.6.11
Let's find out Anita's username.

What is Anita’s email address?
Ans: ✅ [email protected]

Employees | where name == 'Anita Bath' | distinct email_addr
What is the subject of the email she received?
Ans: ✅ Web Server Credentials Update

What is the link attached to that email?
Ans: ✅ https://greenprojectnews.net/share/modules/files/share/enter
When did Anita click on the link? (Paste the full timestamp.)
Ans: ✅ 2024-06-26T15:24:20Z

What is the full url showing her doing just that?
Ans: ✅ https://greenprojectnews.net/share/modules/files/share/enter?username=anbath&password=**********

Who sent Anita the mail?
Ans: ✅ [email protected] (refer to Q16)