Last Ascent Offsec CTF Answers
Jawstar
11/27/2025, 2 min read


Lab Instructions
Download the ZIP package. The password is "FinalAscent!)@(#*$&%^".
To restore power and reactivate the wind turbine systems, you must uncover the source of the disruption and reverse its effects before the Codex Circuit loses its final layer of protection.
MegaCorp One has granted you access to the following:
User Directory from CLIENT8
Sysmon Logs of CLIENT8 and RESOURCES
Files contained within System32 of CLIENT8 and RESOURCES
PCAPs of Network Traffic
Identify how the Powergrid was shut down. For your answer, state the technical status of the turbines after the attack, such as any relevant flags, control bits, or output states that indicate their condition. In addition, enter the IP address of the system from which the attack was performed.
state, run=0, speed register=0, lockout bit=1
Attacker IP: 192.168.1.253
From where did the attacker gain the knowledge necessary to perform this attack? If the source of the information came from a file, include the complete filename and its SHA-256 hash. If the information was gathered from a website, provide the full URL beginning with "https://".
File: WT-PLC_Turbine_Control_Manual.pdf
SHA-256: 635598615d4a9823b36163796fdc3c45702280097bad8df23fc1b8c39c9d7101
How was the attacker able to compromise the RESOURCES machine? For your answer, enter the name of the exploited program and the SHA-256 hash of the malicious file that was used to perform the compromise.
MonitorTool.exe
Malicious File SHA-256: E6E4D51009F5EFE2FA1FA112C3FDEEA381AB06C4609945B056763B401C4F3333
What two pieces of information did the attacker obtain on the RESOURCES system that enabled them to pivot to the next system in the attack path?
SSH Username: vyos
SSH Private Key: router2.privkey (for host 192.168.1.253)
Enter the username and password of the user that performed the attack in question 3. In addition, enter the SHA-256 hash of the program responsible for capturing or collecting these login credentials.
Username: carmen.santos (or MEGACORPONE\carmen.santos)
Password: Qwerty09!
Program: ssp.dll (Security Support Provider)
SHA-256: 566DEE9A89CE772E640CDB1126480F83EE048CEA4B7661A9427AF42A9FAB8B46
Identify and analyze the initial access vector. For your answer, enter the domain (without any suffixes or prefixes) where the payload for initial access was loaded from and the program (including its version) that was exploited or targeted.
Domain: microsoft-login (full domain: microsoft-login.com)
Exploited Program: Chrome version 137.0.7151.56
How did the attacker elevate their privileges on CLIENT8? Enter the name and SHA-256 hash of the program responsible for the elevation of privileges. What is the CVE related to the vulnerability that was used to escalate their privileges?
Program: BitLockerDeviceEncrypton.exe (note the typo - masquerading technique!)
SHA-256: 20DA751A1B158693C04A392FD499898B055E059EC273841E5026C15E691B6AEA
CVE: CVE-2024-35250
