BTLO – Investigation: Peak 2

Link: https://blueteamlabs.online/home/investigation/88

Another incident from Mountain Top Solutions, leading to full compromise of a Linux server.
We got you the Sysmon events and network capture. Investigate the malicious activity.

Scenario Description
Restricted Content
This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.

Conclusion

This one was a bit of a challenge at first! We aren’t really provided any tools to help enumerate the sysmon file quickly or format it. I originally thought to parse it with Python but had issues since it was malformed XML. However, once we were able to timeshift the Wireshark data, it really helped correlate the two datasets to be able to fully gain an understanding of what was going on. Great lab!
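As an added example (not part of the original write-up, and not the lab's own data), here is a tolerant Python parser for a Sysmon-for-Linux XML export of the kind that trips up a plain XML parser. It assumes two common defects: the export is a flat run of `<Event>` elements with no enclosing root (and a stray XML declaration), and command lines contain unescaped ampersands. The sample events, hostnames, PIDs and addresses are constructed for illustration. The parsed events carry a Unix epoch timestamp so they can be lined up against packet timestamps from the capture.

```python
"""Tolerant parser for a Sysmon (for Linux) XML event export.

Added example; assumes the export is a flat sequence of <Event> elements
(no enclosing root element) that may contain stray XML declarations and
unescaped '&' characters. The sample events below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: two Sysmon-for-Linux events (process create, network
# connect) back to back, with no root element and a stray declaration.
SAMPLE_EXPORT = """<?xml version="1.0"?>
<Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID>
<TimeCreated SystemTime="2022-08-14T10:00:05.000000000Z"/></System>
<EventData><Data Name="UtcTime">2022-08-14 10:00:05.000</Data>
<Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/python3</Data>
<Data Name="CommandLine">python3 /opt/app/sync.py --tag=a&b</Data>
<Data Name="User">www-data</Data></EventData></Event>
<Event><System><Provider Name="Linux-Sysmon"/><EventID>3</EventID>
<TimeCreated SystemTime="2022-08-14T10:00:06.000000000Z"/></System>
<EventData><Data Name="UtcTime">2022-08-14 10:00:06.000</Data>
<Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/python3</Data>
<Data Name="DestinationIp">192.0.2.10</Data>
<Data Name="DestinationPort">443</Data></EventData></Event>
"""

# Matches '&' that does not already start a valid entity reference.
_BARE_AMP = re.compile(r'&(?!(?:amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);)')
_XML_DECL = re.compile(r'<\?xml[^>]*\?>')


def _local(tag):
    """Strip any XML namespace so Windows and Linux exports parse alike."""
    return tag.rsplit('}', 1)[-1]


def utc_time_to_epoch(s):
    """Convert a Sysmon UtcTime string ('2022-08-14 10:00:05.000') to epoch."""
    dt = datetime.strptime(s, '%Y-%m-%d %H:%M:%S.%f')
    return dt.replace(tzinfo=timezone.utc).timestamp()


def parse_sysmon_export(text):
    """Return a list of dicts, one per <Event>, keyed by EventData names."""
    cleaned = _XML_DECL.sub('', text)          # drop stray declarations
    cleaned = _BARE_AMP.sub('&amp;', cleaned)  # escape bare ampersands
    root = ET.fromstring('<Events>' + cleaned + '</Events>')  # add a root
    events = []
    for ev in root:
        if _local(ev.tag) != 'Event':
            continue
        rec = {}
        for el in ev.iter():
            name = _local(el.tag)
            if name == 'EventID':
                rec['EventID'] = int(el.text.strip())
            elif name == 'TimeCreated':
                rec['SystemTime'] = el.get('SystemTime')
            elif name == 'Data' and el.get('Name'):
                rec[el.get('Name')] = (el.text or '').strip()
        if 'UtcTime' in rec:
            rec['epoch'] = utc_time_to_epoch(rec['UtcTime'])
        events.append(rec)
    return events


def events_near(events, epoch, window=2.0):
    """Events whose UtcTime lies within `window` seconds of a packet time."""
    return [e for e in events if abs(e.get('epoch', 0) - epoch) <= window]


if __name__ == '__main__':
    evs = parse_sysmon_export(SAMPLE_EXPORT)
    for e in evs:
        print(e['UtcTime'], e['EventID'], e.get('Image'), e.get('CommandLine', ''))
    # A packet seen at 10:00:06.3 UTC should line up with the network event.
    for e in events_near(evs, 1660471206.3, window=1.0):
        print('near packet:', e['EventID'], e.get('DestinationIp'))
```

The `epoch` field is what makes the cross-check practical: once Wireshark's timestamps are in UTC (or shifted to match the Sysmon clock), a packet's absolute time can be handed straight to `events_near` to pull the process events that surround it.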
