MuhammadNurKhawarizmi DTS
Skills Assessment
Introduction
Working as the security analyst for ACME Inc., you notice a number of events on the SGUIL dashboard. Your
task is to analyze these events, learn more about them, and decide if they indicate malicious activity.
You will have access to Google to learn more about the events. Security Onion is the only VM with Internet
access in the Cybersecurity Operations virtual environment.
The tasks below are designed to provide some guidance through the analysis process.
You will practice and be assessed on the following skills:
o Evaluating Snort/SGUIL events.
o Using SGUIL as a pivot to launch ELSA, Bro and Wireshark for further event inspection.
o Using Google search as a tool to obtain intelligence on a potential exploit.
Content for this assessment was obtained from http://www.malware-traffic-analysis.net/ and is used with
permission. We are grateful for the use of this material.
Addressing Table
The following addresses are preconfigured on the network devices. Addresses are provided for reference
purposes.
© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 5
Skills Assessment CCNA Cybersecurity Operations v1.0
g. What is the MAC address of the internal computer involved in the events? How did you find it?
MAC address: 08:1b:21:ca:fe:d7, found using Wireshark
h. What are some of the Source IDs of the rules that fire when the exploit occurs? Where are the Source IDs
from?
Multiple source IDs; the rules come from the Emerging Threats website. Source IDs observed:
3.722
3.723
3.724
3.728
i. Do the events look suspicious to you? Does it seem like the internal computer was infected or
compromised? Explain.
Yes, the events look suspicious and it seems that the internal computer was in fact compromised. The
outdated Flash plugin alert paired with the Angler EK alerts is strong evidence of possible compromise.
An exploit kit is simply a collection of exploits: an all-in-one tool for managing a variety of exploits.
The exploit kit gathers information on the victim machine, finds vulnerabilities, determines the
appropriate exploit and delivers the exploit, which typically silently drive-by downloads and executes
malware, and further runs post-exploitation modules to maintain remote access to the compromised
system. Exploit kits are sold in cybercriminal circles, often with vulnerabilities already loaded onto
them. Exploit kits tend to be deployed covertly on legitimate Web sites that have been hacked, unknown
to the site operators and visitors. Exploit kits that have been named include the MPack, Phoenix,
Blackhole, Crimepack, RIG, Angler, Nuclear, Neutrino, and Magnitude exploit kits.
m. Do a quick Google search on ‘Angler EK’ to learn a little about the fundamentals of the exploit kit.
Summarize your findings and record them here.
Angler EK stages:
1) Attackers compromise a number of high-traffic sites and inject malicious code.
2) Users visit the compromised sites and their browsers run the malicious injected code.
3) The malicious code allows for the scanning of the victim’s system, ultimately searching for
possible vulnerabilities.
4) Information such as installed plugins and their versions, OS, web browser name and version is then
exfiltrated to a malicious server, often via an encoded HTTP POST.
5) Based on the exfiltrated data, the malicious server prepares a customized exploit package and sends it
to the victim’s browser.
6) The exploit package often contains the customized exploit and the payload; the exploit is used to gain
code execution privileges on the victim’s system. The payload consists of extra malicious code that can
only be executed after the exploit has done its job.
n. How does this exploit fit the definition of an exploit kit? Give examples from the events you see in SGUIL.
The exploit kit gathers information on the victim machine, finds vulnerabilities, determines the
appropriate exploit and delivers the exploit, which typically silently drive-by downloads and executes
malware, and further runs post-exploitation modules to maintain remote access to the compromised
system. Exploit kits that have been named include the MPack, Phoenix, Blackhole, Crimepack, RIG,
Angler, Nuclear, Neutrino, and Magnitude exploit kits.
o. The exploit uses a compromised website to scan a host for vulnerabilities and then download malicious
software.
Exploit kits are sold in cybercriminal circles, often with vulnerabilities already loaded onto them. Exploit
kits tend to be deployed covertly on legitimate Web sites that have been hacked, unknown to the site
operators and visitors.
r. The first new event displayed by SGUIL contains the message “ET Policy Outdated Flash Version M1”.
The event refers to which host? What does that event imply?
192.168.0.12; it implies the host is using an old version of the Flash plugin.
s. According to SGUIL, what is the IP address of the host that appears to have delivered the exploit?
192.99.198.158
t. Pivoting from SGUIL, open the transcript of the transaction. What is the domain name associated with the
IP address of the host that appears to have delivered the exploit?
Qwe.mydunalterableairreport.net
u. This exploit kit typically targets vulnerabilities in which three software applications?
Flash, Java
v. Based on the SGUIL events, what vulnerability seems to have been used by the exploit kit?
Outdated flash plugin
w. What is the most common file type that is related to that vulnerable software?
Adobe Flash authoring file (FLA), ActionScript file (AS), Flash XML file (XML), compiled Flash file (SWF)
x. Use ELSA to gather more evidence to support the hypothesis that the host you identified above delivered
the malware. Launch ELSA and list all hosts that downloaded the type of file listed above. Remember to
adjust the timeframe accordingly.
Were you able to find more evidence? If so, record your findings here.
Yes, there is 192.203.0.21
y. At this point you should know, with quite some level of certainty, whether the site listed in Part 3b and
Part 3c delivered the malware. Record your conclusions below.
192.168.0.12, the internal host, was likely infected. It has an outdated version of the Flash plugin, which
was noticed by the exploit kit. 192.168.0.12 was then led to download a malicious SWF (Flash file) from
Qwe.mydunalterableairreport.net
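The correlation behind questions i, x and y (outdated-Flash alert, EK alert, SWF download from the same server) can be scripted instead of done by hand in SGUIL and ELSA. This is an added example, not part of the student's worksheet or the Cisco lab; the Snort alert lines and the Bro http.log excerpt are constructed (the SIDs are placeholders), and only the IPs and domain from the answers above are reused.

```python
import re
from collections import defaultdict
# Constructed Snort "fast" alert lines (not the lab's real alerts; the SIDs are placeholders).
ALERTS = """\
08/15-14:02:11.000000 [**] [1:9000001:1] ET POLICY Outdated Flash Version M1 [**] [Priority: 2] {TCP} 192.168.0.12:49215 -> 192.99.198.158:80
08/15-14:02:13.000000 [**] [1:9000002:1] ET CURRENT_EVENTS Angler EK Landing Page [**] [Priority: 1] {TCP} 192.99.198.158:80 -> 192.168.0.12:49215
08/15-14:02:15.000000 [**] [1:9000003:1] ET CURRENT_EVENTS Angler EK Flash Exploit [**] [Priority: 1] {TCP} 192.99.198.158:80 -> 192.168.0.12:49216
"""
# Constructed Bro http.log excerpt (tab-separated: ts, id.orig_h, id.resp_h, host, uri, resp_mime_types).
HTTP_LOG = """\
1439647333.1\t192.168.0.12\t192.99.198.158\tqwe.mydunalterableairreport.net\t/landing\ttext/html
1439647335.2\t192.168.0.12\t192.99.198.158\tqwe.mydunalterableairreport.net\t/x.swf\tapplication/x-shockwave-flash
1439647340.0\t192.168.0.15\t198.51.100.7\twww.example.com\t/index.html\ttext/html
"""
INTERNAL = "192.168.0."          # the lab's internal network prefix
SWF = "application/x-shockwave-flash"
ALERT_RE = re.compile(r"\[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\].*\{\w+\} "
                      r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")

def parse_alerts(text):
    """Extract message, source and destination IP from each Snort fast-format line."""
    return [m.groupdict() for m in map(ALERT_RE.search, text.splitlines()) if m]

def parse_http_log(text):
    """Split the http.log excerpt into dicts; this is the query the ELSA step runs by hand."""
    keys = ("ts", "orig", "resp", "host", "uri", "mime")
    return [dict(zip(keys, line.split("\t"))) for line in text.splitlines() if line]

def swf_downloaders(http):
    """Internal hosts that fetched a Flash file (step x: list all hosts that downloaded SWF)."""
    return sorted({h["orig"] for h in http if h["mime"] == SWF})

def assess(alerts, http):
    """Flag hosts with all three indicators: outdated Flash, EK alert, SWF served by that EK server."""
    flash_old, ek_hits, swf = set(), defaultdict(set), defaultdict(set)
    for a in alerts:
        inside, outside = (a["src"], a["dst"]) if a["src"].startswith(INTERNAL) else (a["dst"], a["src"])
        if "Outdated Flash" in a["msg"]:
            flash_old.add(inside)
        if re.search(r"\bEK\b", a["msg"]):
            ek_hits[inside].add(outside)
    for h in http:
        if h["mime"] == SWF:
            swf[h["orig"]].add((h["resp"], h["host"]))
    verdict = {}
    for host in flash_old:
        servers = ek_hits[host] & {s for s, _ in swf[host]}
        if servers:
            verdict[host] = {"ek_server": sorted(servers), "swf_from": sorted(n for s, n in swf[host] if s in servers)}
    return verdict
```

Running `assess(parse_alerts(ALERTS), parse_http_log(HTTP_LOG))` flags only 192.168.0.12, with 192.99.198.158 as the EK server and the SWF source domain as evidence, while the benign host in the log is left alone.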
aa.
b. What is the domain name that delivered the exploit kit and malware payload?
Qwe.mvdunalterableairreport.net
bb. What is the IP address that delivered the exploit kit and malware payload?
192.99.198.158
cc. Pivoting from events in SGUIL, launch Wireshark and export the files from the captured packets as was
done in a previous lab. What files or programs are you able to successfully export?
3xdz3bcxc8
xPF_HaXN7tk9BAgMagBj…