Follina
This is an incident response challenge on BTLO. It is categorised as easy. To complete this challenge, the following tools were useful.
- VirusTotal
- Any.Run
Scenario
On a Friday evening when you were in a mood to celebrate your weekend, your team was alerted with a new RCE vulnerability actively being exploited in the wild. You have been tasked with analyzing and researching the sample to collect information for the weekend team.
The sample can be found here.
Submission Questions
Question 1) What is the SHA1 hash value of the sample? (Format: SHA1Hash) (1 points)
Question 2) According to VirusTotal, what is the full filetype of the provided sample? (Format: X X X X) (1 points)
Question 3) Extract the URL that is used within the sample and submit it (Format: https://x.domain.tld/path/to/something) (1 points)
Question 4) What is the name of the XML file that is storing the extracted URL? (Format: file.name.ext) (1 points)
Question 5) The extracted URL accesses a HTML file that triggers the vulnerability to execute a malicious payload. According to the HTML processing functions, any files with fewer than
Question 6) After execution, the sample will try to kill a process if it is already running. What is the name of this process? (Format: filename.ext) (1 points)
Question 7) You were asked to write a process-based detection rule using Windows Event ID 4688. What would be the ProcessName and ParentProcessname used in this detection rule? [Hint: OSINT time!] (Format: ProcessName, ParentProcessName) (1 points)
Question 8) Submit the MITRE technique ID used by the sample for Execution [Hint: Online sandbox platforms can help!] (Format: TXXXX) (1 points)
Question 9) Submit the CVE associated with the vulnerability that is being exploited (Format: CVE-XXXX-XXXXX) (2 points)
Summary
This was indeed an easy challenge. However, as easy it was, I learnt something.
- I learnt how to