Let's take another step up to the yellow zone.
On this level, the attacker will feel a little more annoyed and frustrated if you can detect the attack. The attacker would need to circle back at this detection level and change his attack tools and methodologies. This is very time-consuming for the attacker, and probably, he will need to spend more resources on his adversary tools.
Host artifacts are the traces or observables that attackers leave on the system, such as registry values, suspicious process execution, attack patterns or IOCs (Indicators of Compromise), files dropped by malicious applications, or anything exclusive to the current threat.
Suspicious process execution from Word:
Suspicious events followed by opening a malicious application:
The files modified/dropped by the malicious actor:
Answer the questions below
1. What is the suspicious IP the victim machine tried to connect to in the screenshot above? 35.214.215.33. Looking at the event logs in the image above, you'll notice the victim machine (192.68.75.222) is attempting to connect to the suspicious IP Address of 35.214.215.33.
3. Using your OSINT skills, what is the name of the malicious document associated with the dropped binary? G_jugk.exe. Looking at Any.Run, you'll notice the name of the malicious document is 'G_jugk.exe.
3. Use your OSINT skills and provide the name of the malicious document associated with the dropped binary. CMO-100120 CDW-102220.doc.
Comments
Post a Comment