Description of assignment
The assignment proceeds in several phases:
- Set up a (basic) lab:
  - 1 AD (+ DNS)
  - 1-2 Windows Workstations
  - 1 Kali Linux
- Go through the attack chain in the lab, document it, and create a report of the steps:
  - What techniques were used to establish a foothold in the lab?
  - What steps were taken to obtain data and how was it used?
  - Are there any new, lesser-known attack techniques to maintain undetected persistence?
- Conduct an investigation using the Nynox Incident Response Toolkit:
  - This tool will collect the main artifacts from the impacted systems.
  - These need to be examined to trace the steps of the attack.
  - What do we see or not see in the logs? Are there artifacts found elsewhere?
  - Are there other things we do not find in the output?
- Create a report of the data found in step 3:
  - Explain what data was found, its significance, and what the attacker tried to achieve with it.
- Describe future preventive measures:
  - Incident Response is not just about knowing what happened. An important aspect, besides containment, is also preventing attackers from using the same method to get in again.
Objectives
Students are asked to deliver at least the following functionalities:
- Successfully execute an attack on their own environment + documentation
- Create queries to find data in the delivered artifacts
- List found Indicators of Compromise + documentation
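As an added example (not part of the assignment text and not code from the Nynox toolkit), the following Python script shows the kind of query a student would write over the collected artifacts for steps 3 and 4: it assumes the toolkit's export has been converted to one JSON object per line with the field names shown (that layout, the allowlist of expected remote-access addresses and every event record are constructed for this example; the toolkit's real export format is not described here), and turns matching Security/System events into a deduplicated, time-ordered list of Indicators of Compromise for the report.

```python
import json

# Constructed allowlist of addresses from which remote (network/RDP) logons are
# expected, e.g. an admin jump host. Any other source address is recorded as an IoC.
KNOWN_SOURCES = {"10.0.0.10", "10.0.0.11"}

# Directories from which a newly installed service binary is not by itself suspicious.
USUAL_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files")

# Constructed sample artifacts: one JSON object per line, field names follow the
# Windows event XML (EventID, TimeCreated, Computer, TargetUserName, ...).
# Assumed layout; the Nynox toolkit's real export format is not described on the page.
SAMPLE_ARTIFACTS = r"""
{"EventID": 4624, "TimeCreated": "2024-03-01T08:02:11Z", "Computer": "WS01", "TargetUserName": "alice", "LogonType": 2, "IpAddress": "-"}
{"EventID": 4624, "TimeCreated": "2024-03-01T21:14:03Z", "Computer": "WS01", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.0.55"}
{"EventID": 4624, "TimeCreated": "2024-03-01T21:14:40Z", "Computer": "DC01", "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "10.0.0.55"}
{"EventID": 4720, "TimeCreated": "2024-03-01T21:16:02Z", "Computer": "DC01", "TargetUserName": "support2", "SubjectUserName": "svc_backup"}
{"EventID": 4732, "TimeCreated": "2024-03-01T21:16:30Z", "Computer": "DC01", "TargetUserName": "Administrators", "MemberName": "support2", "SubjectUserName": "svc_backup"}
{"EventID": 7045, "TimeCreated": "2024-03-01T21:18:15Z", "Computer": "WS01", "ServiceName": "WinUpdateSvc", "ImagePath": "C:\\Users\\Public\\upd.exe"}
{"EventID": 4624, "TimeCreated": "2024-03-02T08:01:50Z", "Computer": "WS02", "TargetUserName": "bob", "LogonType": 2, "IpAddress": "-"}
"""


def parse_artifacts(text):
    """Parse a JSON-lines export into event dicts, ordered by timestamp (ISO-8601 sorts lexically)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["TimeCreated"])


def is_unusual_service_path(image_path):
    """True when a service binary lives outside the usual system directories."""
    return not image_path.strip('"').lower().startswith(USUAL_SERVICE_DIRS)


def classify(event, known_sources):
    """Return (kind, value) if the event is evidence of an IoC, else None."""
    eid = event["EventID"]
    if eid == 4624 and event.get("LogonType") in (3, 10):          # network / RDP logon
        src = event.get("IpAddress", "-")
        if src not in ("-", "127.0.0.1", "::1") and src not in known_sources:
            return "remote_logon_source", src
    elif eid == 4720:                                              # user account created
        return "account_created", event["TargetUserName"]
    elif eid == 4732 and event.get("TargetUserName") == "Administrators":  # member added to local admins
        return "admin_group_member_added", event["MemberName"]
    elif eid == 7045 and is_unusual_service_path(event.get("ImagePath", "")):  # new service (System log)
        return "service_image_path", event["ImagePath"].strip('"')
    return None


def find_iocs(events, known_sources=KNOWN_SOURCES):
    """Query every event; collapse hits to one IoC per (kind, value) with first-seen time,
    hit count and the hosts involved, so the report lists each indicator once."""
    iocs = {}
    for ev in events:
        hit = classify(ev, known_sources)
        if hit is None:
            continue
        entry = iocs.setdefault(hit, {"kind": hit[0], "value": hit[1],
                                      "first_seen": ev["TimeCreated"],
                                      "count": 0, "hosts": set(), "event_ids": set()})
        entry["count"] += 1
        entry["hosts"].add(ev["Computer"])
        entry["event_ids"].add(ev["EventID"])
    return sorted(iocs.values(), key=lambda i: i["first_seen"])


if __name__ == "__main__":
    for ioc in find_iocs(parse_artifacts(SAMPLE_ARTIFACTS)):
        print(f'{ioc["first_seen"]}  {ioc["kind"]:<26} {ioc["value"]:<26} '
              f'x{ioc["count"]} on {",".join(sorted(ioc["hosts"]))}')
```

The same queries translate directly into the ELK stack named under the technologies: each `classify` branch corresponds to a filter on `EventID` plus one field condition, and the deduplication step is a terms aggregation on the IoC value. Two points worth carrying into the report: the allowlist turns "remote logon" into an IoC only when the source is unexpected (check it against the lab's own addresses before trusting the output), and the first-seen timestamps give the ordering of the attacker's steps that the investigation section asks for.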
Optional extensions
- Automation of the attack
Technologies / concepts involved
- ELK stack
- Cloud
- Data analysis
- PowerShell
- Python
Project methodology
Nynox uses agile project methodologies such as SCRUM for its projects. The project described above is no exception. These methodologies focus on the quality of software solutions. This is achieved by dividing the project into shorter iterations and maintaining very intense communication within and outside the project team. Intensive communication is inherent to agile and consequently leads to thorough internship supervision.