Scenario

Today, your organisation's threat intelligence (TI) team received classified briefings regarding an ongoing nation-state threat campaign - Operation Global Dagger. Global Dagger has targeted hundreds of global corporations using compromised software updates, remote code execution, credential theft, and cloud-based exfiltration on devices. The security team has also received alerts from Defender XDR of potential malicious activities to evade security measures. As a SOC Level 2 analyst, you have been urgently assigned to investigate these suspicious incidents that surfaced through Microsoft Defender XDR. You need to hunt, analyse, and report these malicious incidents before sensitive data is exfiltrated for containment.

Room Objectives

In the next task, you will be required to use different Microsoft Defender XDR products and features to detect and investigate various activities within your organisation, such as:

• Privileged users' activities

• Malicious executions on devices

• Evasion of security tools

• Lateral movement

What is the name of the alert generated due to persistent activities that was terminated by the system?

Suspicious service registration

How many suspicious evidence entities were found for the alert from question 1?

3

What Registry operation did the attacker perform in the alert from question 1?

RegistryModification

What is the object MD5 value of the initiation process from the alert in question 1?

cdb58d0bcabe76afc60428f364834463

Find the alert Attempt to turn off Microsoft Defender Antivirus protection which has the “true positive” classification set. What is the Disabled setting value?

DisableRealtimeMonitoring

What command was used by the attacker to initiate the process in the alert from question 5?

reg add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableRealtimeMonitoring” /t REG_DWORD /d “1” /f

Find the alert Suspicious behavior by cmd.exe was observed which has a classification set. What is the evidence entity name that has the process ID 2232?

WMIC.exe

What are the MITRE tactics related to the alert in question 7? (Answer in alphabetical order)

Discovery, Execution

What is the flag found in the alert from question 7?

THM{PZ874JC89DR5NZ1DAF6MS2KH}

What is the name of the threat found on the PowerSploit post-exploitation tool alert?

HackTool:PowerShell/PowerSploit.F

What is the remediation action result for the alert from question 1?

Success

What is the name of the threat you found in the alert An active ‘DumpLsass’ hacktool in a command line was prevented from executing?

HackTool:Win32/DumpLsass.R

What is the detection status for the alert from question 3?

Blocked

What was the initiating process for the alert from question 3?

powershell.exe

What is the name of the privilege escalation alert found by Defender XDR?

UAC bypass was detected

What is the location of the set value data for the alert from question 6?

c:\windows\System32\#{payload}

What is the file path of the image of the alert from question 6?

C:\Windows\System32\reg.exe

Which lateral movement alert is associated with a high severity?

Compromised account conducting hands-on-keyboard attack

What is the command-line query used to execute the attack for the alert from question 9?

“ie4uinit.exe” -UserConfig

XDR: Operation Global Dagger 2