
BTLO Replay: PRETIUM | Incident Response Lab Walkthrough

Author: Security Blue Team

Uploaded: 2023-09-08

Views: 1379

Description: Welcome to BTLO Replay, a video series that will take you through retired BTLO labs. Videos posted every Friday at 6pm BST.

This week’s lab is PRETIUM, an incident response scenario that involves the use of NetWitness and Wireshark.

Difficulty: Medium

The PRETIUM scenario:

The Security Operations Center at Defense Superior is monitoring the email gateway and network traffic of a customer, Crimeson LLC. A member of the SOC team identified some anomalous traffic from the workstation of Josh Morrison, who works as a Junior Financial Controller. When contacted, Josh mentioned he had received an email from an internal colleague asking him to download an invoice via a hyperlink and review it. The email read:

There was a rate adjustment for one or more invoices you previously sent to one of customers. The adjusted invoices can be downloaded via this [link] for your review and payment processing. If you have any questions about the adjustments, please contact me.

Thank you.

Jacob Tomlinson, Senior Financial Controller, Crimeson LLC.

The SOC team immediately pulled the email and confirmed it included a link to a malicious executable file. The Security Incident Response Team (SIRT) was activated, and you have been assigned to lead the way and help the SOC uncover what happened.

You have NetWitness and Wireshark in your toolkit to help find out what happened during this incident.

0:00 – Scenario and introduction
1:12 – Toolkit
2:12 – Question 1
5:56 – Question 2
7:24 – Question 3
7:45 – Question 4
8:25 – Question 5
9:17 – Question 6
9:57 – Question 7
10:40 – Question 8
11:17 – Question 9
11:58 – Question 10
18:20 – Question 11
18:54 – Summary

--

Powered by global blue team training provider, Security Blue Team, BTLO is a gamified platform for defenders to sharpen their skills during engaging security investigation and challenge scenarios.

The BTLO Replay series takes viewers through walkthroughs of retired labs. Visit the BTLO website to take on these challenges for yourself and discover new labs launching regularly.

SUBSCRIBE:    / @blueteamlabsonline  
WEBSITE: https://blueteamlabs.online/
DISCORD:   / discord  
TWITTER:   / bluelabsonline  
LINKEDIN:   / blue-team-labs-online  
