Capella University IAS 5900 (Assurance): Project Ares, Operation Arctic Cobra, Stop Malicious Processes (Session 25018)
Question

This is in the Project Ares application using Linux.

Mission Overview: Mission 4 - Operation Arctic Cobra (Stop Malicious Processes). Difficulty Level: Medium. Analyze network traffic and stop a malicious exfiltration process. Variability in play within the mission includes the use of HTTP or TCP for the tunnel, malicious DNS names and IP addresses, process names, and pass-the-hash lateral movement.

Required Knowledge (Mission Core Competencies. Note: these are Project Ares's competencies; be sure not to confuse them with this course's Course Competencies, which are listed in each assignment):
- Basic understanding of application layer networking
- Linux command line interface (CLI)
- Packet capture and analysis
- Process analysis
- Containment and eradication of malware

Mission Objectives/Tasks:
- Capture traffic from the firewall.
- Find and stop data exfil of credit card and encrypted data.
- Remove all artifacts of the infection.
- Prevent reinfection of malicious processes.

Screenshot 1 (Project Ares mission screen, Operation Arctic Cobra: Stop Malicious Processes, session 25018, shown as EASY): network topology diagram of the cyber range showing Ubuntu 14.04 and CentOS 7 hosts behind a firewall and router connected to the Internet, with VNC ACCESS, SSH ACCESS and SUBMIT buttons in the Mission Control bar.

Screenshot 2 (Mission Orders, End State): Bank data is preserved and malicious code is eradicated.

Screenshot 3 (Mission Orders, Sustainment): You have been provided access to a host with the following credentials: user4 (login), PassedU4 (password). These credentials also allow access to Sguil and ELSA if applicable to your specific mission. Additional team members will have credentials that follow the same format (e.g. userN, PassedUN). These accounts have sudo privileges for all commands. You will need to log in to the infected machine with the same user name and password provided. When you begin your mission, you can access the cyber range using the button in your task bar along the bottom of your screen labeled "VNC ACCESS". This launches a VNC terminal. If you prefer to use an SSH terminal, it is available from the button to the right of that and is labeled "SSH ACCESS". Either terminal provides access to the cyber range from your mission. Your cyber toolkit contains the following tools: wireshark, tcpdump, snort and bro. If needed for your [text cut off in screenshot]

Screenshot 4 (Mission Orders, Execution): Mission Purpose: Identify, contain, eradicate and recover from Trojan malware exfiltrating financial data. Key Tasks:
- Capture traffic from the firewall or, if provided and configured, verify that the network monitoring tools are functioning.
- Find and stop data exfil of credit card and encrypted data.
- Remove all artifacts of infection.
- Prevent reinfection of malicious processes.

Screenshot 5 (Mission Orders, Mission): Analyze network traffic to find and stop all malicious processes attacking this financial institution. Stop exfiltration and analyze the extent of the data loss. Ensure that no further infections can occur by eradicating all aspects of the Trojan. The following are core competencies that your team must possess to be successful:
- Basic understanding of application layer networking
- Linux Command Line Interface (CLI)
- Packet capture and analysis
- Process analysis
- Containment and eradication of malware

Screenshot 6 (Mission Orders, Situation): A new Trojan causing a surge of identity thefts has attacked institutions on a global scale. Due to the potentially destabilizing economic impact, the International Cyber Defense Organization has been called upon for assistance. You are being deployed to find and remove any trace of this infection that has exfiltrated identity information from the headquarters of Rahatalo Regional Bank in southern Finland. One infected workstation has been isolated and the bank has granted us access to all of their workstations. Use network and host analysis to identify and disable the exfiltration and disable all exfiltration processes. Then remove all artifacts of the exfiltration processes to prevent reinfection. Intelligence believes that this attack is caused by the family of Trojans used in financial attacks such as Zeus, Dyre, Dridex and possibly SpyEye, although no determination has been made at this time. Examples of possible attack techniques include: Zeus Banking Trojan Report (URL).
Written for
- Institution
- Capella University
- Course
- Ias 5900
Document information
- Uploaded on
- 14 July 2021
- Number of pages
- 24
- Written in
- 2020/2021
- Type
- Exam (elaborations)
- Contains
- Questions and answers