CyberDefenders - PoisonedCredentials Blue Team Lab
Hi, I’m Sahil Shah. In this walkthrough, I’ll be covering the PoisonedCredentials Lab, a challenge designed to test your incident response and forensic investigation skills in a simulated network security incident.

Let’s dive into the details of the investigation:
Question 1:
In the context of the incident described in the scenario, the attacker initiated their actions by taking advantage of benign network traffic from legitimate machines. Can you identify the specific mistyped query made by the machine with the IP address 192.168.232.162?
Answer: fileshaare


Question 2:
We are investigating a network security incident. For a thorough investigation, we need to determine the IP address of the rogue machine. What is the IP address of the machine acting as the rogue entity?
Answer: 192.168.232.215

Question 3:
During our investigation, it’s crucial to identify all affected machines. What is the IP address of the second machine that received poisoned responses from the rogue machine?
Answer: 192.168.232.176
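
As an added example (not part of the original walkthrough), the script below shows the detection logic behind Questions 1 to 3 over constructed name-resolution records: a host that answers for names no inventoried server owns is flagged as a rogue responder, the machines it answered are listed as victims, and each answered name is checked for being a likely typo of a legitimate one. Only the IP addresses and the mistyped name come from the answers above; the protocol (LLMNR-style multicast queries to 224.0.0.252), the inventory and the extra records are assumptions.

```python
import difflib
from collections import defaultdict

# Constructed name-resolution events (not taken from the lab's capture).
# Each tuple is (src_ip, dst_ip, kind, queried_name); the multicast
# destination assumes LLMNR-style queries, which the page does not name.
SAMPLE_EVENTS = [
    ("192.168.232.162", "224.0.0.252", "query", "fileshaare"),
    ("192.168.232.215", "192.168.232.162", "response", "fileshaare"),
    ("192.168.232.176", "224.0.0.252", "query", "prntsrv"),
    ("192.168.232.215", "192.168.232.176", "response", "prntsrv"),
    ("192.168.232.162", "224.0.0.252", "query", "fileshare"),
    ("192.168.232.10", "192.168.232.162", "response", "fileshare"),
]

# Constructed inventory: names legitimate servers are allowed to answer for.
KNOWN_HOSTS = {"fileshare": "192.168.232.10"}


def poisoned_responses(events, inventory):
    """Return (responder, victim, name) for every response that is not the
    expected one: the name is unknown to the inventory, or a host other
    than the registered owner answered for it."""
    hits = []
    for src, dst, kind, name in events:
        if kind == "response" and inventory.get(name.lower()) != src:
            hits.append((src, dst, name))
    return hits


def likely_typo_of(name, inventory):
    """Best-guess legitimate name the query was a typo of, or None."""
    matches = difflib.get_close_matches(name.lower(), list(inventory), n=1, cutoff=0.8)
    return matches[0] if matches else None


def summarize(events, inventory):
    """Group poisoned responses by responder: which machines received them
    (the victims) and which names the responder answered for."""
    victims, names = defaultdict(set), defaultdict(set)
    for responder, victim, name in poisoned_responses(events, inventory):
        victims[responder].add(victim)
        names[responder].add(name)
    return {r: {"victims": sorted(victims[r]), "names": sorted(names[r])}
            for r in victims}


if __name__ == "__main__":
    for responder, info in summarize(SAMPLE_EVENTS, KNOWN_HOSTS).items():
        typos = {n: likely_typo_of(n, KNOWN_HOSTS) for n in info["names"]}
        print(f"rogue responder {responder}: victims {info['victims']}, "
              f"answered for {typos}")
```

Against the constructed records the rogue responder is 192.168.232.215, its victims are .162 and .176, and "fileshaare" is reported as a likely typo of "fileshare".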

Question 4:
We suspect that user accounts may have been compromised. To assess this, we must determine the username associated with the compromised account. What is the username of the account that the attacker compromised?
Answer: janesmith

Question 5:
As part of our investigation, we aim to understand the extent of the attacker’s activities. What is the hostname of the machine that the attacker accessed via SMB?
Answer: AccountingPC


Thanks for your patience.
Sahil Shah.