Noted
Simon, a developer working at Forela, notified the CERT team about a note that appeared on his desktop. The note claimed that his system had been compromised and that sensitive data from Simon's workstation had been collected. The perpetrators performed data extortion on his workstation and are now threatening to release the data on the dark web unless their demands are met. Simon's workstation contained multiple sensitive files, including planned software projects, internal development plans, and application codebases. The threat intelligence team believes that the threat actor made some mistakes, but they have not found any way to contact the threat actors. The company's stakeholders are insisting that this incident be resolved and all sensitive data be recovered. They demand that under no circumstances should the data be leaked. As our junior security analyst, you have been assigned a specific type of DFIR (Digital Forensics and Incident Response) investigation in this case. The CERT lead, after triaging the workstation, has provided you with only the Notepad++ artifacts, suspecting that the attacker created the extortion note and conducted other activities with hands-on keyboard access. Your duty is to determine how the attack occurred and find a way to contact the threat actors, as they accidentally locked out their own contact information. Warning: This Sherlock requires an element of OSINT, and players will need to interact with third-party services on the internet.
Challenge data
Task 1
What is the full path of the script Simon used for AWS operations?
First, extract the sample. The directory inside the archive is
\Noted\C\Users\Simon.stark\AppData\Roaming\Notepad++
and it contains the following files. The backup directory holds Notepad++'s periodic snapshots of unsaved buffers, named original-filename@YYYY-MM-DD_HHMMSS, so each name carries the time the snapshot was taken:
D:.
│ config.xml
│ session.xml
│
└─backup
LootAndPurge.java@2023-07-24_145332
YOU HAVE BEEN HACKED.txt@2023-07-24_150548
config.xml contains the following records. The History element is Notepad++'s recent-files list (nbMaxFile="10" caps it at ten entries), so every path in it is a file that was opened in the editor on this workstation:
<?xml version="1.0" encoding="UTF-8" ?>
<NotepadPlus>
<FindHistory nbMaxFindHistoryPath="10" nbMaxFindHistoryFilter="10" nbMaxFindHistoryFind="10" nbMaxFindHistoryReplace="10" matchWord="no" matchCase="no" wrap="yes" directionDown="yes" fifRecuisive="yes" fifInHiddenFolder="no" fifProjectPanel1="no" fifProjectPanel2="no" fifProjectPanel3="no" fifFilterFollowsDoc="no" fifFolderFollowsDoc="no" searchMode="0" transparencyMode="1" transparency="150" dotMatchesNewline="no" isSearch2ButtonsMode="no" regexBackward4PowerUser="no" bookmarkLine="no" purge="no" />
<History nbMaxFile="10" inSubMenu="no" customLength="-1">
<File filename="C:\Program Files\Notepad++\change.log" />
<File filename="C:\Users\Simon.stark\Documents\Internal-DesktopApp\Prototype-Internal_Login.cs" />
<File filename="C:\Users\Simon.stark\Documents\Dev-WebServer-BetaProd\dev2prod_fileupload.php" />
<File filename="C:\Users\Simon.stark\Documents\Internal-DesktopApp\App_init_validation.yml" />
<File filename="C:\Users\Simon.stark\Documents\Dev_Ops\AWS_objects migration.pl" />
Answer: C:\Users\Simon.stark\Documents\Dev_Ops\AWS_objects migration.pl
The .pl extension marks it as a Perl script, and note the space in the filename: quote the path when searching for it or pulling it from the image, or the match will fail.
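Reading the two artifact types by eye works for one history list and two backup files, but a triage of a real workstation benefits from scripting it. The following is an added example written for this page, not part of the original writeup or of any HTB tooling: it parses the History block of config.xml with the standard library, filters recent files by a keyword (here "aws"), and turns the backup filenames into a timeline by splitting the original name from the @YYYY-MM-DD_HHMMSS suffix. The XML sample and backup-file names below are constructed from the data quoted above; on a live case, read config.xml from disk and list the backup directory instead.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the <History> block quoted above, wrapped so it parses on its own.
# (The original config.xml excerpt on the page is truncated; real files are larger.)
SAMPLE_CONFIG_XML = r"""<?xml version="1.0" encoding="UTF-8" ?>
<NotepadPlus>
    <History nbMaxFile="10" inSubMenu="no" customLength="-1">
        <File filename="C:\Program Files\Notepad++\change.log" />
        <File filename="C:\Users\Simon.stark\Documents\Internal-DesktopApp\Prototype-Internal_Login.cs" />
        <File filename="C:\Users\Simon.stark\Documents\Dev-WebServer-BetaProd\dev2prod_fileupload.php" />
        <File filename="C:\Users\Simon.stark\Documents\Internal-DesktopApp\App_init_validation.yml" />
        <File filename="C:\Users\Simon.stark\Documents\Dev_Ops\AWS_objects migration.pl" />
    </History>
</NotepadPlus>
"""

# Constructed sample: the two names listed under the backup directory above.
SAMPLE_BACKUP_FILES = [
    "LootAndPurge.java@2023-07-24_145332",
    "YOU HAVE BEEN HACKED.txt@2023-07-24_150548",
]

# Notepad++ backup naming: <original name>@<YYYY-MM-DD_HHMMSS>
BACKUP_NAME_RE = re.compile(r"^(?P<orig>.+)@(?P<ts>\d{4}-\d{2}-\d{2}_\d{6})$")


def recent_files(config_xml: str) -> list[str]:
    """Return the filename attributes of every History/File entry, in file order."""
    # Encode to bytes so the XML encoding declaration is honoured by the parser.
    root = ET.fromstring(config_xml.encode("utf-8"))
    return [f.get("filename") for f in root.findall("./History/File")]


def find_by_keyword(paths: list[str], keyword: str) -> list[str]:
    """Case-insensitive match of keyword against the basename of each path."""
    kw = keyword.lower()
    # Paths come from a Windows host, so split on backslash rather than os.sep.
    return [p for p in paths if kw in p.rsplit("\\", 1)[-1].lower()]


def parse_backup_name(name: str) -> tuple[str, datetime]:
    """Split 'file@2023-07-24_145332' into ('file', datetime(2023, 7, 24, 14, 53, 32))."""
    m = BACKUP_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Notepad++ backup name: {name!r}")
    return m.group("orig"), datetime.strptime(m.group("ts"), "%Y-%m-%d_%H%M%S")


def backup_timeline(names: list[str]) -> list[tuple[datetime, str]]:
    """Return (snapshot time, original name) pairs sorted oldest first."""
    entries = [parse_backup_name(n) for n in names]
    return sorted((ts, orig) for orig, ts in entries)


if __name__ == "__main__":
    history = recent_files(SAMPLE_CONFIG_XML)
    print("Recent files:")
    for p in history:
        print("  ", p)
    print("AWS-related:", find_by_keyword(history, "aws"))
    print("Backup timeline:")
    for ts, orig in backup_timeline(SAMPLE_BACKUP_FILES):
        print("  ", ts.isoformat(), orig)
```

The timeline function is the part worth keeping for later tasks: the gap between the LootAndPurge.java snapshot and the YOU HAVE BEEN HACKED.txt snapshot is a direct, artifact-derived bound on how long the hands-on-keyboard session ran between writing the collection script and dropping the note.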