The way that helped me start to understand pipes is to think of them as like type of network socket that is created. It can be used to send and receive information between processes or even hosts.
As a rudimentary example, you can query the current pipes on your host:
Collected from over 1000 configurations, here are some high-level statistics that demonstrate some of the common trends among one of the most popular tools in an adversary’s arsenal. These configs were collected from live servers around early May 2021.
User Access Logging (UAL) is feature in Windows Server that aggregates client usage data by role on a local server. The DFIR team at KPMG released a great blog which spotlights User Access Logs by delving into the different components that make up the database.
Applicable OS: Windows Server 2012+
What is the PID of the application where you might learn “how hackers hack, and how to stop them”?
Format: #### Warning: Only 1 attempt allowed!
From investigating the internet history in the previous questions, I remember an IE search similar to the quote in the question.
This search was…
What is the IPv4 address that myaccount.google.com resolves to?
At the start of the memory challenge I had ran bulk_extractor over the image while I was working on the other questions. Reading some of the other writeups and the discord posts, users had been using the .pcap generated from bulk_extractor…
*At the time of the RAM collection (20-Apr-20 23:23:26- Imageinfo) there was an established connection to a Google Server. *
What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”
I started this week with the netscan plugin
vol.py -f memdump.mem --profile=Win7SP1x64 netscan
From the netscan output…
The user had a conversation with themselves about changing their password. What was the password they were contemplating changing too. Provide the answer as a text string.
I started off by running kdbgscan over the image to get the profile:
When reading the question for part 1, I had…
What package(s) were installed by the threat actor? Select the most correct answer!
- hosting a database
- serving a webpage
- to run a php webshell
- create a fake systemd service
Especially considering last weeks question, we know where to look when we…
Part 1 Domains and Such
What is the IP address of the HDFS primary node?
Is the IP address on HDFS-Primary dynamically or statically assigned?
What is the interface name for the primary HDFS node?
If you navigate to /etc/network/interfaces on the primary image, you can currently see the interface information. The main interface en33 will provide the answers to the first answer.
So the next question, is really a 50/50 but we can see in the image above that the answer is there!
Again, we have already solved this question from the first answer.
One file provided all 3 answers this week! It was defintely a nice break from the last couple of weeks.
Challenge 6 (Nov. 9–16) The Elephant in the Room 25
Part One: Hadoop is a complex framework from Apache used to perform distributed processing of large data sets. Like most frameworks, it relies on many dependencies to run smoothly. Fortunately, it’s designed to install all of these dependencies automatically. On…