Challenge 12: Malware Aftermath Cleanup - ChristopherJamesMorton/Nice-Challenge-Solutions GitHub Wiki

Challenge Details

(image: challenge description)

Network Map

(image: network map)

NICE Framework Map

(image: NICE Framework map)

I noticed Fileshare was the only logical connection from the MSP within our network, logged into that box (Fileshare) and found many unknown processes (freesweep_scores) running on that machine.

Artifact Quarantined

From Fileshare run the following commands:
sudo mkdir -p /tmp/virus
sudo mv /usr/games/freesweep_scores /tmp/virus

Retrieve the quarantined files from Security-Desk. The quarantine location is a directory, and scp refuses a directory unless it is copied recursively, so pull the whole /tmp/virus directory from the Fileshare host (172.16.30.100 in the command below) rather than relying on a glob:
scp -r 172.16.30.100:/tmp/virus /home/playerone/Desktop/quarantine/

Malicious User Removed from Compromised System

sudo deluser lpena

deluser leaves /home/lpena in place unless --remove-home is given, which is the right default here: the home directory may hold evidence of how the account was used and should be preserved with the other artifacts rather than deleted. Deleting the account also does not end processes or sessions it already owns, so any live lpena sessions should be terminated as well.

Thwarted Root of Malicious Activity

sudo mv /usr/games/freesweep_scores /tmp/virus

This is the same move performed in the quarantine step above; with the binary gone from /usr/games, the cron entry that launches it has nothing left to execute.

Malicious Activity Stopped

Remove the freesweep_scores entry from /etc/crontab. cron re-reads /etc/crontab when its modification time changes, so no service restart is needed. Note that moving the binary and editing the crontab only stop new launches; instances that were already running when the binary was moved keep running and need to be ended explicitly (for example with pkill -f freesweep_scores), after which the process list should be rechecked.

Before: (image)

After: (image)
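The host-side steps above (quarantine the binary, keep a record of it, strip its cron entry) as a small script. This is an added example, not code from the original write-up or from the challenge environment: the function names quarantine_file and strip_cron_entry, the sidecar .meta file and the crontab contents in the demo are all constructed for illustration. Paths are parameters so the demo runs against a scratch directory; on the Fileshare host you would call the functions with sudo and the real /usr/games and /etc/crontab paths.

```shell
#!/bin/sh
# Added example, not from the original write-up. Cleanup steps as reusable
# functions: hash and quarantine the artifact, then remove its cron entry
# with a backup of the crontab kept for the incident record.
set -u

# SHA-256 of a file (coreutils sha256sum, falling back to shasum on BSD/macOS),
# recorded before the artifact is touched so the quarantined copy can later be
# shown to be the same file that was on the host.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# quarantine_file <path> <quarantine_dir>
# Hash the artifact, move it into the quarantine directory, drop the execute
# bits so it cannot simply be run from there, and leave a sidecar note with
# the original path and hash.
quarantine_file() {
    src=$1; qdir=$2
    [ -f "$src" ] || { echo "quarantine_file: no such file: $src" >&2; return 1; }
    mkdir -p "$qdir"
    name=$(basename "$src")
    sum=$(hash_file "$src")
    mv "$src" "$qdir/$name"
    chmod a-x "$qdir/$name"
    printf 'original=%s\nsha256=%s\n' "$src" "$sum" > "$qdir/$name.meta"
}

# strip_cron_entry <crontab_file> <pattern>
# Back up the crontab, drop every line containing <pattern> (matched as a
# fixed string, not a regex), and print how many lines were removed. cron
# re-reads /etc/crontab when its mtime changes, so no restart is needed.
strip_cron_entry() {
    tab=$1; pat=$2
    cp "$tab" "$tab.bak"
    before=$(wc -l < "$tab.bak")
    grep -v -F -- "$pat" "$tab.bak" > "$tab" || true   # grep exits 1 if nothing is left
    after=$(wc -l < "$tab")
    echo $((before - after))
}

# Demo on a constructed scratch tree that mimics the Fileshare layout; the
# crontab contents are made up for the example. Prints the scratch root so
# the result can be inspected.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/games" "$root/etc"
    printf '#!/bin/sh\necho scores\n' > "$root/usr/games/freesweep_scores"
    chmod +x "$root/usr/games/freesweep_scores"
    cat > "$root/etc/crontab" <<'EOF'
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * *  root  cd / && run-parts --report /etc/cron.hourly
* * * * *   root  /usr/games/freesweep_scores
EOF
    quarantine_file "$root/usr/games/freesweep_scores" "$root/tmp/virus"
    n=$(strip_cron_entry "$root/etc/crontab" freesweep_scores)
    echo "removed $n cron line(s); quarantine record:" >&2
    cat "$root/tmp/virus/freesweep_scores.meta" >&2
    echo "$root"
}
```

Running demo prints the scratch root; under it the binary has moved to tmp/virus with its execute bits cleared and a .meta record beside it, etc/crontab no longer mentions freesweep_scores, and etc/crontab.bak holds the original for the report. The script deliberately does not kill running processes, since that step depends on what is actually executing on the host and should be done by hand after checking the process list.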

TaDa!!

