Link: https://blueteamlabs.online/home/investigation/88
Another incident from Mountain Top Solutions, leading to full compromise of a Linux server.
Scenario Description
We got you the Sysmon events and network capture. Investigate the malicious activity.
Conclusion
This one was a bit of a challenge at first! We aren’t really provided any tools to help enumerate the sysmon file quickly or format it. I originally thought to parse it with Python but had issues since it was malformed XML. However, once we were able to timeshift the Wireshark data, it really helped correlate the two datasets to be able to fully gain an understanding of what was going on. Great lab!
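As an added example (not part of the original write-up or the lab files), here is one way to get past the two hurdles mentioned above in Python: it assumes the Sysmon export is "malformed" because it is a run of <Event> elements with no single root element, and it applies the same kind of fixed offset to packet times that Wireshark's Time Shift does before matching frames to events. The Sysmon events and pcap rows below are constructed samples, and the two-hour skew is an assumed value.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample: two Sysmon events written back to back with no single root
# element, so ET.parse() on the raw file fails with "junk after document element".
SAMPLE_SYSMON = """<?xml version="1.0"?><Event><System><EventID>1</EventID></System>
<EventData><Data Name="UtcTime">2022-04-09 13:00:00.000</Data>
<Data Name="CommandLine">bash -c id</Data></EventData></Event>
<Event><System><EventID>3</EventID></System>
<EventData><Data Name="UtcTime">2022-04-09 13:00:05.000</Data>
<Data Name="DestinationIp">10.0.0.5</Data></EventData></Event>"""

# Constructed pcap frames whose capture clock runs two hours ahead of the Sysmon UTC
# clock (assumed skew), the kind of offset fixed with Wireshark's Edit -> Time Shift.
SAMPLE_PCAP = [(datetime(2022, 4, 9, 15, 0, 4), "10.0.0.9 -> 10.0.0.5 TCP SYN"),
               (datetime(2022, 4, 9, 15, 30, 0), "10.0.0.9 -> 10.0.0.8 DNS query")]

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any xmlns prefix so lookups work either way

def parse_sysmon_events(text):
    """Wrap concatenated <Event> blocks in a synthetic root so ElementTree accepts them."""
    text = re.sub(r"<\?xml[^>]*\?>", "", text)  # a declaration is only legal once, at the top
    root = ET.fromstring("<Events>" + text + "</Events>")
    events = []
    for ev in root.iter():
        if _local(ev.tag) != "Event":
            continue
        rec = {}
        for node in ev.iter():
            name = _local(node.tag)
            if name == "EventID":
                rec["EventID"] = node.text
            elif name == "Data" and node.get("Name"):
                rec[node.get("Name")] = node.text
        if "UtcTime" in rec:  # keep a datetime so events can be compared with frame times
            rec["UtcTime"] = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(rec)
    return events

def correlate(events, packets, shift_seconds, window_seconds=2):
    """Shift frame times by shift_seconds, then pair frames with events within the window."""
    hits = []
    for frame_time, summary in packets:
        shifted = frame_time + timedelta(seconds=shift_seconds)
        for ev in events:
            if "UtcTime" in ev and abs((ev["UtcTime"] - shifted).total_seconds()) <= window_seconds:
                hits.append((ev["EventID"], ev["UtcTime"], summary))
    return hits
```

With the assumed -7200 second shift the SYN frame lands next to the Event ID 3 network connection, while an unshifted comparison matches nothing, which is the symptom that prompts the time shift in the first place.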