
CCNA Cybersecurity Operations v1.0
Skills Assessment
Submitted by: Maryam Hussain Al-Eshaq
Part 1: Gathering Basic Information
a. How many events were generated by the entire exploit?
11 Exploits

b. According to SGUIL, when did the exploit begin? When did it end? Approximately how long did it take?
It took 22 seconds from 15:31:12 to 15:31:34

c. What is the IP address of the internal computer involved in the events?
http://192.168.0.12

d. What is the MAC address of the internal computer involved in the events? How did you find it?
00:1b:21:ca:fe:d7, you can find it by right-clicking on the Alert ID and opening Wireshark
e. What are some of the Source IDs of the rules that fire when the exploit occurs? Where are the Source IDs
from?
____________________________________________________________________________________
f. Do the events look suspicious to you? Does it seem like the internal computer was infected or
compromised? Explain.
The events look suspicious and the computer looks infected, because a large number of events
occurred in a short period of time. The Angler EK alerts are also a sign of computer infection.
g. What is the operating system running on the internal computer in question?
Windows XP 2000

Part 1: Learn About the Exploit


h. According to Snort, what is the exploit kit (EK) in use?
Angler Exploit Kit
i. What is an exploit kit?
An exploit kit is a malicious toolkit that automates the exploitation of client-side vulnerabilities,
usually targeting browsers and programs that a website can invoke through the browser.
j. Do a quick Google search on ‘Angler EK’ to learn a little about the fundamentals of the exploit kit.
Summarize your findings and record them here.
Angler is one of the top exploit kits infecting victims with various ransomware variants. Angler
uses malvertising to direct users to its servers, and is known to exploit Adobe Flash Player,
Internet Explorer, Microsoft Silverlight, Java, and ActiveX. Angler infects users with ransomware
and point-of-sale (PoS) malware. It uses various techniques to defeat traditional detection
methods, including unique obfuscation, antivirus and virtualization software detection, encrypted
payloads, and fileless infections.

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 4
Skills Assessment CCNA Cybersecurity Operations v1.0

k. How does this exploit fit the definition of an exploit kit? Give examples from the events you see in SGUIL.
Angler can deliver “fileless” infections, which means that, throughout the process, not a single
file is downloaded by the attackers onto your PC. Traditional antivirus products scan your
files to detect malware infections, but if there is no file to scan, they simply conclude that there is
no infection either. Another factor that contributes to Angler’s success is the encrypted
payload it uses. The payload represents the attacker’s commands. In order for antivirus to block
the infection, it first has to decrypt the payload, then analyze it, quarantine it, and finally
delete it.

l. What are the major stages in exploit kits?


Stage 2 (Lure)
Stage 3 (Redirect)
Stage 4 (Exploit Kit)
Stage 5 (Dropper Files)

Part 1: Determining the Source of the Malware


m. In the context of the events displayed by SGUIL for this exploit, record below the IP addresses involved.
93.114.64.118
173.201.198.128
192.168.0.12
208.113.226.171
192.99.198.158
192.168.0.1
209.126.97.209
n. The first new event displayed by SGUIL contains the message “ET Policy Outdated Flash Version M1”.
The event refers to which host? What does that event imply?
Host: 192.168.0.12. The event implies that this host is running an outdated Flash version (M1).

o. According to SGUIL, what is the IP address of the host that appears to have delivered the exploit?
192.199.198.158
p. Pivoting from SGUIL, open the transcript of the transaction. What is the domain name associated with the
IP address of the host that appears to have delivered the exploit?
http://qwe.mvdunalterableairreport.net


q. This exploit kit typically targets vulnerabilities in which three software applications?
Flash, Java, Silverlight
r. Based on the SGUIL events, what vulnerability seems to have been used by the exploit kit?
Flash

s. What is the most common file type that is related to that vulnerable software?
SWF (Shockwave Flash file)

t. Use ELSA to gather more evidence to support the hypothesis that the host you identified above delivered
the malware. Launch ELSA and list all hosts that downloaded the type of file listed above. Remember to
adjust the timeframe accordingly.
Were you able to find more evidence? If so, record your findings here.
Open ELSA (username = analyst, password = cyberops).
Go to HTTP → Top/Bottom Sites hosting SWFs → click Top → enter the date → press Submit Query.

u. At this point you should know, with quite some level of certainty, whether the site listed in Part 3b and
Part 3c delivered the malware. Record your conclusions below.
The site listed did deliver the malware. It came by downloading a malicious SWF
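As an added example (not part of the Cisco assessment or of this submission), the Python below automates the checks behind questions a, b, m and t on constructed SGUIL-style alert lines and ELSA-style HTTP log lines: it counts the events and their duration, lists the addresses involved, and reports which clients fetched SWF files and from which site. The date, the rule messages other than the first, the second site name and the log line format are assumptions.

```python
from datetime import datetime

# Constructed sample SGUIL-style alert lines: "date time src_ip dst_ip message".
# The times and addresses match the worksheet; the date and all messages except
# the first are assumptions made for this example.
ALERTS = """\
2016-01-01 15:31:12 192.168.0.12 173.201.198.128 ET POLICY Outdated Flash Version M1
2016-01-01 15:31:13 192.168.0.12 173.201.198.128 ET CURRENT_EVENTS Angler EK landing page
2016-01-01 15:31:20 192.168.0.12 192.99.198.158 ET CURRENT_EVENTS Angler EK Flash exploit
2016-01-01 15:31:34 192.99.198.158 192.168.0.12 ET TROJAN Angler EK payload download
"""

# Constructed ELSA-style HTTP log lines: "date time client_ip server_ip host uri".
HTTP = """\
2016-01-01 15:31:12 192.168.0.12 173.201.198.128 adstirs.ro /544b29bcd035b2dfd055f5deda91d648.swf
2016-01-01 15:31:15 192.168.0.12 208.113.226.171 example-cdn.test /site.css
2016-01-01 15:31:20 192.168.0.12 192.99.198.158 qwe.mvdunalterableairreport.net /ek/flash.swf
"""


def parse(text):
    """Split each log line into (timestamp, source/client, destination/server, rest)."""
    rows = []
    for line in text.splitlines():
        date, time, src, dst, rest = line.split(maxsplit=4)
        rows.append((datetime.fromisoformat(f"{date} {time}"), src, dst, rest))
    return rows


def alert_summary(alerts):
    """Questions a and b: event count, first and last alert time, duration in seconds."""
    times = sorted(t for t, _, _, _ in alerts)
    span = int((times[-1] - times[0]).total_seconds())
    return len(times), times[0].strftime("%H:%M:%S"), times[-1].strftime("%H:%M:%S"), span


def involved_ips(alerts, internal_prefix="192.168."):
    """Question m: every address seen, split into internal and external hosts."""
    ips = {ip for _, s, d, _ in alerts for ip in (s, d)}
    internal = sorted(ip for ip in ips if ip.startswith(internal_prefix))
    return internal, sorted(ip for ip in ips if ip not in internal)


def swf_downloads(http, ext=".swf"):
    """Question t: clients that fetched files with the given extension, and from where."""
    hits = {}
    for _, client, server, rest in parse(http):
        host, uri = rest.split()
        if uri.lower().endswith(ext):
            hits.setdefault(client, []).append((host, server, uri))
    return hits


if __name__ == "__main__":
    print(alert_summary(parse(ALERTS)), involved_ips(parse(ALERTS)), swf_downloads(HTTP))
```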

Part 2: Analyze Details of the Exploit


v. Exploit kits often rely on a landing page used to scan the victim’s system for vulnerabilities and exfiltrate a
list of them. Use ELSA to determine if the exploit kit in question used a landing page. If so, what is the
URL and IP address of it? What is the evidence?
Hint: The first two SGUIL events contain many clues.
IP address: 173.201.198.128 (from the second SGUIL event). URL:
http://adstirs.ro/544b29bcd035b2dfd055f5deda91d648.swf

w. What is the domain name that delivered the exploit kit and malware payload?
http://qwe.mvdunalterableairreport.net
x. What is the IP address that delivered the exploit kit and malware payload?
http://192.99.198.158

y. Pivoting from events in SGUIL, launch Wireshark and export the files from the captured packets as was
done in a previous lab. What files or programs are you able to successfully export?

