Health Sphere Solutions, a healthcare systems provider on the path to expansion, is taking its first steps towards fortifying its infrastructure security. With the rise of cyber threats, particularly the emergence of Midnight Blizzard, a sophisticated threat group targeting the healthcare sector, the company recognizes the urgent need to protect sensitive customer data.
Midnight Blizzard, a notorious threat group, has been implicated in cyber-attacks against healthcare providers. Employing ransomware and tactics, this group has successfully breached healthcare systems, causing significant data loss and operational interruptions.
Prerequisites
It is suggested that you complete the following rooms before proceeding with this room:
- Windows Forensics 1
- Expediting Registry Analysis
- Windows Network Analysis
- Windows User Activity Analysis
- Windows User Account Forensics
- Windows Applications Forensics
Scenario
A critical alert was detected on one of Health Sphere Solutions' database servers, highlighting the company's early challenges in securing its network.
| Alert Timestamp | Alert Name | Alert Description | Host Name |
| --- | --- | --- | --- |
| 03/24/2024 19:55:29 | POTENTIAL_DATA_EXFIL_DETECTED | A high bandwidth outbound connection from HS--01 has been detected. | HS--01 |
Since the security controls are still being established, alerts have only come from servers, and only network-level events are being audited, it's essential to manually investigate both servers and workstations to connect the dots and fully understand the incident.
Connection Details
Before we proceed with the investigation, start the attached lab machine by clicking the Start Lab Machine button at the top-right of this task. The machine will start in Split-Screen view. If the split-screen view is not visible, use the blue Show Split View button at the top of the page. You can also use these credentials to access the machine via .

| Username | administrator |
| Password | Resp0nder! |
| IP Address | MACHINE_IP |
In addition, your team has prepared the following items to assist your investigation:
- Standalone tools in the C:\Tools directory.
- Tools prepared as desktop shortcuts.
Investigation Guide
As part of your playbook, you are tasked to determine the following information during the investigation:
- Determine any unusual login attempts to the database server.
- Note any suspicious binaries executed within the server.
- Look for typical persistence mechanisms deployed in the server.
The IT team has also shared that the infected database server is set up for internal access only and is not yet linked to other systems, as it is still in the setup phase. This information could help narrow down potential sources of the threat.
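A PowerShell triage script covering the three playbook items, added here as an illustration and not part of the room or its toolset. It assumes an elevated session on the suspect host and uses the alert date as the search window.

```powershell
# Added triage script for the three playbook items above. Illustrative code,
# not part of the room; run it in an elevated PowerShell on the suspect host.
# Assumption: activity of interest falls on the alert day, 03/24/2024.
$Since = Get-Date '03/24/2024 00:00:00'

# 1. Unusual logon attempts: successful (4624) and failed (4625) logons since $Since.
#    On a server that should only be reached internally, network (3) and RDP (10)
#    logons from an unexpected source address are the ones to look at.
$logons = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4625; StartTime=$Since } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{ Time=$_.TimeCreated; EventId=$_.Id; User=$d['TargetUserName'];
                       LogonType=$d['LogonType']; SourceIP=$d['IpAddress'] }
  } | Where-Object { $_.LogonType -in '3','10' } | Sort-Object Time
$logons | Format-Table -AutoSize

# 2. Suspicious binaries: Prefetch records what actually executed; list recent entries.
#    The .pf name embeds the executable name; parse the file for the full path if needed.
Get-ChildItem 'C:\Windows\Prefetch' -Filter *.pf -ErrorAction SilentlyContinue |
  Where-Object LastWriteTime -ge $Since | Sort-Object LastWriteTime |
  Select-Object Name, LastWriteTime | Format-Table -AutoSize

# 3a. Registry persistence: Run/RunOnce value names under HKLM and every loaded user hive.
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' |
  ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }
$implants = foreach ($k in $runKeys) {
  if (Test-Path $k) {
    (Get-ItemProperty $k).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
      ForEach-Object { [pscustomobject]@{ Key=$k; ValueName=$_.Name; Command=$_.Value } }
  }
}
$implants | Format-Table -AutoSize

# 3b. Alternative persistence: scheduled tasks registered since $Since, with their
#     registration date (the 'Date' field gives when the task was implanted) and action.
Get-ScheduledTask | Where-Object { $_.Date -and (Get-Date $_.Date) -ge $Since } |
  Select-Object TaskName, TaskPath, Date, Author,
    @{ n='Action'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
  Format-Table -AutoSize
```

Cross-check the logon source addresses against the note that the server is internal-only, and compare task registration dates with the Security log timeline before treating anything as the answer.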
What is the full file path of the binary used by the attacker to exfiltrate data?
What email is used by the attacker to exfiltrate sensitive data?
Where did the attacker store a persistent implant in the registry? Provide the registry value name.
Aside from the registry implant, another persistent implant is stored within the machine. When did the attacker implant the alternative backdoor? (format: MM/DD/YYYY HH:MM:SS)
