Investigations
Defensive
Hacking
SOC Trivia
Reverse Engineering
100

A DDoS attack exceeds 9 Gbps. What are your next steps?

OneNote -> contact the scrubbing center.
100

What logs would you use to identify whether an attacker logged into a UPS account via the UPS website?

EAM

100

What is a web shell used for?

To maintain access to a compromised website/server through a web-based backdoor: a script left on the server that executes attacker-supplied commands over HTTP.
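Because a web shell is driven over ordinary HTTP, its use leaves traces in the web server's access log. The following is an added example (not part of the original board) that hunts for web-shell activity in combined-format access logs. The log lines are constructed for the demo, and the writable directory names and parameter names are assumptions about a typical site.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx", ".cfm")
WRITABLE_DIRS = ("/uploads/", "/images/", "/tmp/", "/cache/", "/media/")  # assumed: paths that should never serve scripts
CMD_PARAMS = {"cmd", "exec", "command", "c", "e", "pass", "func"}         # parameter names common in web-shell UIs
TOOL_UAS = ("curl/", "python-requests", "go-http-client", "wget/")


def hunt(lines):
    """Return {script_path: set(indicators)} for paths that look like web shells."""
    suspects = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        path = url.path.lower()
        if not path.endswith(SCRIPT_EXT):
            continue                                      # static content is uninteresting here
        if any(path.startswith(d) for d in WRITABLE_DIRS):
            suspects[path].add("script_in_upload_dir")    # executable where only uploads should live
        if path.rsplit("/", 1)[-1].startswith("."):
            suspects[path].add("hidden_script")           # dotfile script, a common hiding spot
        if CMD_PARAMS & {k.lower() for k in parse_qs(url.query)}:
            suspects[path].add("command_parameter")       # ?cmd=whoami style control channel
        if m["method"] == "POST" and m["ref"] in ("", "-") and m["ua"].lower().startswith(TOOL_UAS):
            suspects[path].add("tool_post_no_referer")    # scripted POSTs with no browser context
    return dict(suspects)


# Constructed sample log: benign traffic, a dropped shell under /uploads,
# and a hidden shell under /images.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "https://www.example.com/" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "https://www.example.com/index.php" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:01:10 +0000] "POST /uploads/avatar.php?cmd=whoami HTTP/1.1" 200 41 "-" "curl/8.4.0"
198.51.100.9 - - [01/Jan/2024:10:01:15 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 1337 "-" "python-requests/2.31"
203.0.113.8 - - [01/Jan/2024:10:02:00 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.com/login.php" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:03:00 +0000] "GET /images/.cache.php?c=id HTTP/1.1" 200 60 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for path, why in sorted(hunt(SAMPLE_LOG.splitlines()).items()):
        print(path, sorted(why))
```

Each indicator on its own is noisy; the value is in a script path collecting several of them, which is why the function returns the set per path rather than firing per line.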

100

Who was the SOC's first manager?

Carl Alexander


100

What would you search for in a debugger to find HTTP callouts?

Search all referenced strings (URLs, User-Agent values), or set breakpoints on the specific HTTP API calls (for example WinINet's InternetOpen/HttpSendRequest or WinHTTP's WinHttpSendRequest).

200

A user opens a phishing email. Explain your steps to investigate.

Check Proofpoint for the message and whether the link was clicked. If it was clicked and the credential submission succeeded, reset the user's passwords. Submit the user for rephishing.

200

What tactic in the MITRE ATT&CK framework does brute-forcing fall under?

Credential Access

200

What would you use to automate fuzzing an FTP server?

Scapy, Python, etc. Ask Justin for more tools.
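As an added example (not from the original board), here is what the Python option looks like in practice: a small FTP command fuzzer plus an in-process target so it runs offline. The stub server is constructed for the demo and is not a real FTP daemon; it drops the connection when USER receives more than 256 bytes, which is the symptom a crashing service shows to the client. fuzz_ftp() works the same way against a real host:port on lab systems you are authorised to test.

```python
import socket
import threading

FUZZ_COMMANDS = ["USER", "PASS", "CWD", "RETR", "STOR", "MKD", "LIST"]


def gen_payloads():
    """Classic fuzz strings: length ramps, format specifiers, traversal, NULs."""
    for n in (64, 256, 512, 1024, 4096):
        yield "A" * n
    yield "%s" * 32
    yield "%n" * 16
    yield "../" * 32
    yield "\x00".join(["A"] * 8)


def probe(host, port, cmd, arg, timeout=2.0):
    """Send one command; return ('ok', reply) or ('closed'|'timeout'|'refused', '')."""
    s = socket.socket()
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.recv(1024)                                    # 220 banner
        s.sendall(f"{cmd} {arg}\r\n".encode("latin-1"))
        data = s.recv(1024)
        if not data:                                    # peer closed without replying: likely crash
            return "closed", ""
        return "ok", data.decode("latin-1", "replace").strip()
    except socket.timeout:
        return "timeout", ""
    except ConnectionError:
        return "refused", ""
    finally:
        s.close()


def fuzz_ftp(host, port, commands=FUZZ_COMMANDS):
    """Try every payload on every command; return (cmd, payload_len, prefix, status)
    for each probe the server did not answer normally."""
    findings = []
    for cmd in commands:
        for payload in gen_payloads():
            status, _ = probe(host, port, cmd, payload)
            if status != "ok":
                findings.append((cmd, len(payload), payload[:8], status))
    return findings


class FragileFtpStub(threading.Thread):
    """Constructed target for offline runs: answers 250 to everything except a
    USER argument longer than 256 bytes, on which it drops the connection."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            with conn:
                try:
                    self.handle(conn)
                except OSError:
                    pass                                # client went away; serve the next one

    def handle(self, conn):
        conn.sendall(b"220 stub ready\r\n")
        buf = b""
        while b"\r\n" not in buf:                       # read one full command line
            chunk = conn.recv(8192)
            if not chunk:
                return
            buf += chunk
        cmd, _, arg = buf.decode("latin-1", "replace").rstrip("\r\n").partition(" ")
        if cmd.upper() == "USER" and len(arg) > 256:
            return                                      # simulated crash: close without a reply
        conn.sendall(b"250 OK\r\n")


if __name__ == "__main__":
    stub = FragileFtpStub()
    stub.start()
    for finding in fuzz_ftp("127.0.0.1", stub.port):
        print(finding)
```

Against the stub, only USER with 512, 1024 and 4096 bytes comes back as "closed"; that is the pattern to look for on a real target, followed by attaching a debugger to the daemon to see where the long argument lands.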

200

Who has the most goats in the SOC?

Da.....

200

What is Scylla used for?

To dump an unpacked process from memory and rebuild its import address table (IAT), so the dumped file has working imports.

300

How would you deobfuscate JavaScript code in a webpage?

Manipulate it: swap the final eval() for alert() or console.log() so the script prints its decoded payload in plaintext instead of executing it.

300

Ransomware just hit 10 workstations. What do you do?

Contain: isolate the affected workstations from the network before anything else.

300

What did WannaCry leverage to spread throughout systems?

The EternalBlue SMBv1 exploit (MS17-010), installing the DoublePulsar backdoor on each host it compromised.

300

Who hired Adam?

JC

300

How do you search for references to a function in IDA Pro?

Put the cursor on the function's address and press X (cross-references to). IDA lists every location that references it, along with the function each reference sits in.

400

What would you look for if an email spoofing YOUR COMPANY got through, but the headers show it came from your company's own mail server?

Lots of options here, but check who connected to the mail server (if you have the logs) and whether its SMTP ports are open to the public, i.e. whether it is acting as an open relay.
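The "who connected" check can be made from the message itself before the server logs are pulled. The following is an added example (not part of the original board) that finds the hop where a message entered our mail infrastructure and flags a From address claiming our domain that arrived from an external client. The domain, host names and internal ranges are assumptions for the demo, and the two messages are constructed, not real traffic.

```python
import ipaddress
import re
from email import message_from_string

OUR_DOMAIN = "example.com"                                   # assumed
OUR_MAIL_HOSTS = {"mail.example.com", "mbox.example.com"}    # assumed: hosts we operate
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# "from <HELO> (<rdns> [<ip>]) by <host>" as written by common MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^)]*\[(?P<ip>[0-9a-fA-F.:]+)\][^)]*\)\s+by\s+(?P<by>\S+)", re.I)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def entry_hop(msg):
    """Walk Received headers newest-first (the order they are stored in) and keep
    the last consecutive one written by OUR hosts. Anything below that was
    supplied by the sender and may be forged, so it is never trusted."""
    entry = None
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if not m or m["by"].rstrip(";").lower() not in OUR_MAIL_HOSTS:
            break
        entry = (m["helo"].lower(), m["ip"], m["by"].rstrip(";").lower())
    return entry


def analyse(raw):
    """Return (entry_ip, findings); findings are (code, detail) tuples."""
    msg = message_from_string(raw)
    sender = msg.get("From", "").lower()
    claims_ours = re.search(r"@" + re.escape(OUR_DOMAIN) + r"\b", sender) is not None
    hop = entry_hop(msg)
    if hop is None:
        return None, [("NO_ENTRY_HOP", "no Received header written by one of our hosts")]
    helo, ip, by = hop
    findings = []
    if claims_ours and not is_internal(ip):
        findings.append(("EXTERNAL_ORIGIN", f"From claims {OUR_DOMAIN} but {by} accepted it from {ip}"))
    if helo in OUR_MAIL_HOSTS and not is_internal(ip):
        findings.append(("HELO_IMPERSONATION", f"{ip} greeted {by} as {helo}"))
    auth = msg.get("Authentication-Results", "")
    if re.search(r"spf=(soft)?fail", auth, re.I):
        findings.append(("SPF_FAIL", auth.strip()))
    return ip, findings


# Constructed: an external client greets our relay with our own host name and
# sends mail "from" the CEO; the relay accepts it (open relay behaviour).
SPOOFED = """\
Received: from mail.example.com (mail.example.com [10.1.2.3])
 by mbox.example.com with ESMTP id 1A2B; Mon, 1 Jan 2024 09:00:02 +0000
Received: from mail.example.com (unknown [203.0.113.7])
 by mail.example.com with SMTP id 3C4D; Mon, 1 Jan 2024 09:00:01 +0000
Authentication-Results: mail.example.com; spf=fail smtp.mailfrom=ceo@example.com
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire transfer

Please process today.
"""

# Constructed: a normal internal submission.
LEGIT = """\
Received: from wks-042.example.com (wks-042.example.com [10.20.30.40])
 by mail.example.com with ESMTPSA id 5E6F; Mon, 1 Jan 2024 10:00:00 +0000
From: alice@example.com
To: bob@example.com
Subject: lunch

Noon?
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, analyse(raw))
```

The IP returned as the entry point is what to look for in the relay's SMTP logs; if it is external and the relay accepted the message without authentication, the open-relay question answers itself.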

400

What do we currently use for a WAF?

ak...

400

How would you social engineer passwords from someone in your company?

Justin decides if you're correct :)

400

Where did Justin work before his current job?

Lexmark

400

What is LoadLibraryA used for in DLL hooking/injection?

It loads the specified module into the address space of the calling process (the specified module may cause other modules to be loaded). In injection, its address is used as the start routine of a remote thread, with the DLL path as the argument, so the target process loads the DLL itself.

500

What are the six primary phases of incident handling? You must get 5 right to get credit.

Preparation

Identification

Containment

Eradication

Recovery

Lessons learned

500

What are some prevention strategies for C2 traffic?

Deny all outbound traffic by default and allow only what is explicitly required (egress filtering, ideally through an authenticated proxy).

500

What is the CurveBall vulnerability?

CVE-2020-0601, a flaw in how the Windows CryptoAPI (crypt32.dll) validated ECC certificates. Exploiting it lets an attacker deliver malicious code, or stand up a TLS endpoint, that appears to be signed by or come from a trusted source.

500

Who was the original admin of QRadar?

JC

500

What is the Win32 function VirtualAllocEx used for?

Reserves, commits, or changes the state of a region of memory within the virtual address space of a specified process. The function initializes the memory it allocates to zero.