[Workshop] Investigating Data Exfiltration
This is a hands-on workshop designed to improve the skills of any cyber incident response professional.
Introduction
Download Cyber Triage
Download Case Files
Installing Cyber Triage & Loading the Case File
Issues / Problems
What file is used to download and run malware on RAGINGBULL?
What is the IP that the dropper was downloaded from?
What file contained the dropper?
Which user downloaded the file?
What program was used to access the SAM on RAGINGBULL?
What programs were used to map the network?
How was Windows Defender disabled?
What was the zip file on RAGINGBULL in which the threat actor kept their tools?
What account was used to connect to TATSU?
What accounts were compromised or used by the threat actor?
What account was used for an interactive remote logon on the domain controller?
What host was the Richmond account used from to access the domain controller?
What hosts was PsExec used against?
What is the name of the C2 implant?
What user installed it?
What persistence method was used?
What was the folder used for aggregation on RAGINGBULL?
When was supersecret-productplans.docx copied to the threat actor's aggregation folder?
What tool was used for exfiltration on REYNHOLM-DC01?
What is the name of the file that was copied off REYNHOLM-DC01 by the threat actor?
What folders are most likely to have been inside the file exfiltrated from REYNHOLM-DC01?
What accounts were unsuccessfully used to try to access the fileserver during the incident?
What account was the threat actor able to use to download files from the fileserver to REYNHOLM-DC01?
What system would you want to look at next?
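Several of the questions above (the interactive remote logon on the domain controller, the hosts PsExec was run against, the accounts that failed against the fileserver) come down to the same three checks on Windows event logs: Security 4624 with LogonType 10, System 7045 recording the PSEXESVC service install on the target, and Security 4625 failures. The helper below is an added example, not part of the workshop and not Cyber Triage code; it runs the three checks over constructed event records with made-up hostnames (DC01, WS01, FS01), accounts and IPs that have no relation to the case files, so you can compare your own reasoning against it before looking for the real artifacts.

```python
"""Windows event-log triage helpers for three of the workshop questions:
interactive remote logons (4624 type 10), PsExec targets (7045 PSEXESVC)
and failed logons (4625). Added example; not the workshop's or Cyber
Triage's code. All records below are CONSTRUCTED with generic hostnames
and accounts that do not come from the case files.
"""
from collections import defaultdict

INTERACTIVE_REMOTE = 10        # LogonType 10 = RemoteInteractive (RDP / Terminal Services)
PSEXEC_SERVICE = "PSEXESVC"    # default service name PsExec installs on the target

# Constructed events, shaped like the fields you would pull from
# Security 4624/4625 and System 7045 records (EventData names kept).
SAMPLE_EVENTS = [
    {"host": "DC01", "id": 4624, "TargetUserName": "alice", "LogonType": 10,
     "IpAddress": "10.10.1.50", "WorkstationName": "WS01"},
    {"host": "DC01", "id": 4624, "TargetUserName": "DC01$", "LogonType": 3,
     "IpAddress": "10.10.1.5", "WorkstationName": "FS01"},
    {"host": "DC01", "id": 4624, "TargetUserName": "svc_backup", "LogonType": 2,
     "IpAddress": "-", "WorkstationName": "DC01"},
    {"host": "FS01", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "DC01", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "WS01", "id": 7045, "ServiceName": "Updater",
     "ImagePath": r"C:\Users\Public\updater.exe"},
    {"host": "FS01", "id": 4625, "TargetUserName": "bob", "Status": "0xC000006D"},
    {"host": "FS01", "id": 4625, "TargetUserName": "carol", "Status": "0xC000006D"},
    {"host": "FS01", "id": 4625, "TargetUserName": "bob", "Status": "0xC000006A"},
]


def interactive_remote_logons(events, host):
    """(account, source workstation, source IP) for every 4624 type-10 logon on host."""
    return sorted({
        (e["TargetUserName"], e.get("WorkstationName", ""), e.get("IpAddress", ""))
        for e in events
        if e["host"] == host and e["id"] == 4624
        and e.get("LogonType") == INTERACTIVE_REMOTE
    })


def psexec_targets(events):
    """Hosts whose System log recorded a 7045 for the PsExec service.

    Matches on the service name or on the image path, so a copy installed
    under the default name is caught either way. A PsExec run with a
    renamed service (-r) will not match and needs the image path or the
    named-pipe artifacts instead.
    """
    return sorted({
        e["host"] for e in events
        if e["id"] == 7045 and (
            e.get("ServiceName", "").upper() == PSEXEC_SERVICE
            or e.get("ImagePath", "").upper().endswith(PSEXEC_SERVICE + ".EXE")
        )
    })


def failed_logon_accounts(events, host):
    """Map account -> number of 4625 failures recorded on host."""
    counts = defaultdict(int)
    for e in events:
        if e["host"] == host and e["id"] == 4625:
            counts[e["TargetUserName"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("type-10 logons on DC01:", interactive_remote_logons(SAMPLE_EVENTS, "DC01"))
    print("PsExec targets:", psexec_targets(SAMPLE_EVENTS))
    print("failed logons on FS01:", failed_logon_accounts(SAMPLE_EVENTS, "FS01"))
```

Two caveats worth carrying into the real case: the 7045 lands on the target, while the source host of a PsExec run shows up as the WorkstationName/IpAddress in the target's 4624 type-3 logon, so the two logs have to be read together to answer "from which host"; and a type-10 logon only proves an RDP session was established, not what was done in it, so the aggregation folder and copy timestamps still need the file-system artifacts.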