TRICK OR THREAT 2024 Walkthrough: Haunted | Threat Intelligence

Описание: Welcome to Halloween BTLO Replay, a spine-chilling video series guiding you through retired BTLO labs from our Trick or Threat event. Join us… if you dare!

This week’s investigation is Haunted, a easy threat intelligence lab.

Difficulty: Easy

The haunted scenario:

Haunted Company Inc., a long-established Credit Reporting Agency, has been successfully operating in major financial hubs such as New York, London, and Tokyo. As a privately owned entity without external investors, the company has maintained consistent client satisfaction and steady earnings reports. With plans for expansion, the management has decided to take the company public, and the Initial Public Offering (IPO) is scheduled to occur within the next few days.

However, a crisis emerged just as the IPO date approaches. One of the company's websites has been defaced, raising alarms. Shortly after, it is discovered that the company's Tokyo server has come under attack. Concerned about the timing and the potential damage to the company's reputation, the management is determined to identify the threat actor behind this attack and understand the breach mechanism to create detection before the IPO.

As a Threat Intelligence Analyst, you are tasked with collaborating with other analysts to uncover the identity of the adversary and assess the situation.

Available External and Internal Threat Intelligence:

New York (External: Business Commonality): Report on the 2017 GenX Breach, a major cyber attack on a leading Credit Reporting Agency. London (Internal Intelligence: Adversary Analysis): Analysis report for Haunted Company Inc., including Asset-Threat Mapping and adversary analysis featuring FIN7, APT27, Twisted Spider, and TG-3390, all of which are known to target the finance sector. Tokyo (Cyber Activity Attribution): Malware analysis from the compromised server, providing critical insights into the tools used during the attack.

0:00 – Introduction
2:46 – Question 1
9:40 – Question 2
11:01 – Question 3
11:54 – Question 4
13:49 – Question 5
15:26 – Question 6
16:45 – Question 7
17:55 – Question 8
20:20 – Question 9
25:33 – Question 10
27:54 – Question 11
32:57 – Question 12
35:39 – Question 13
38:32 – Question 13
40:37 – Summary

The bats are somewhat cursed and “Haunted” that will give you hard time downloading the necessary files. Another work around this is to “Think like a developer” what this means is you can inspect the decoded script which contains a certain code and look for the downloadable files, then use the link “http://haunted.io:8080/file_to_download” this will automatically downloads the file without using the cursed bats

--
Powered by global blue team training provider, Security Blue Team, BTLO is a gamified platform for defenders to sharpen their skills during engaging security investigation and challenge scenarios.

The BTLO Replay series takes viewers through walkthroughs of retired labs. Visit the BTLO website to take on these challenges for yourself and discover new labs launching regularly.

SUBSCRIBE:    / @secblueteam  
WEBSITE: https://blueteamlabs.online
DISCORD:   / discord  
TWITTER:   / bluelabsonline  
LINKEDIN:   / blue-team-labs-online