# Day 22: It's because I'm kubed, isn't it?
----------------------------------------------------------------------------------------------------------------------------------------------
# Learning Objectives
- Learn about Kubernetes, what it is and why it is used.
- Learn about DFIR, and the challenges that come with DFIR in an ephemeral environment.
- Learn how DFIR can be done in a Kubernetes environment using log analysis.
-----------------------------------------------------------------------------------------------------------------------------------------------
# Answer the questions below
1) What is the name of the webshell that was used by Mayor Malware?
Ans - shelly.php
2) What file did Mayor Malware read from the pod?
Ans - db.php
3) What tool did Mayor Malware search for that could be used to create a remote connection from the pod?
Ans - nc
4) What IP connected to the docker registry that was unexpected?
Ans - 10.10.130.253
5) At what time is the first connection made from this IP to the docker registry?
Ans - 29/Oct/2024:10:06:33 +0000
6) At what time is the updated malicious image pushed to the registry?
Ans - 29/Oct/2024:12:34:28 +0000
7) What is the value stored in the "pull-creds" secret?
Ans - {"auths":{"http://docker-registry.nicetown.loc:5000":{"username":"mr.nice","password":"Mr.N4ughty","auth":"bXIubmljZTpNci5ONHVnaHR5"}}}
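The registry-log questions above (the unexpected client IP, its first connection, the time of the push) and the pull-creds secret can all be answered by parsing the registry's access log and the `.dockerconfigjson` document rather than reading them by eye. This is an added example, not part of the writeup or the room: the log lines are constructed in the Combined Log Format the Docker registry container writes, the image name `wareville/web` and the allowlist of expected client IPs are assumptions, and the secret is the value quoted in question 7.

```python
import base64
import json
import re
from datetime import datetime

# Constructed sample lines in the Combined Log Format the registry container writes (not the room's logs; image name invented).
REGISTRY_LOG = """\
10.10.0.5 - - [29/Oct/2024:09:58:01 +0000] "GET /v2/ HTTP/1.1" 200 2 "" "docker/24.0.7"
10.10.130.253 - - [29/Oct/2024:10:06:33 +0000] "GET /v2/_catalog HTTP/1.1" 200 63 "" "curl/8.5.0"
10.10.130.253 - - [29/Oct/2024:10:07:10 +0000] "GET /v2/wareville/web/manifests/latest HTTP/1.1" 200 1200 "" "curl/8.5.0"
10.10.130.253 - - [29/Oct/2024:12:34:28 +0000] "PUT /v2/wareville/web/manifests/latest HTTP/1.1" 201 0 "" "docker/24.0.7"
"""
# The pull-creds value from the writeup, i.e. the decoded .dockerconfigjson.
PULL_CREDS = ('{"auths":{"http://docker-registry.nicetown.loc:5000":{"username":"mr.nice",'
              '"password":"Mr.N4ughty","auth":"bXIubmljZTpNci5ONHVnaHR5"}}}')

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
MANIFEST_RE = re.compile(r"^/v2/(?P<name>.+)/manifests/(?P<ref>[^/]+)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # the registry's timestamp layout, as in the answers above

def parse_registry_log(text):
    """Parse Combined-format access lines into dicts, ordered by timestamp."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not access records (startup noise etc.) are skipped
            entries.append(m.groupdict())
    return sorted(entries, key=lambda e: datetime.strptime(e["ts"], TS_FMT))

def unexpected_clients(entries, allowlist):
    """Map each client IP outside the allowlist to the time of its first request."""
    first = {}
    for e in entries:  # entries are time-ordered, so the earliest hit is kept
        if e["ip"] not in allowlist:
            first.setdefault(e["ip"], e["ts"])
    return first

def image_pushes(entries):
    """List (time, image, tag) for completed manifest uploads, i.e. PUT answered 201."""
    return [(e["ts"], m["name"], m["ref"]) for e in entries
            if e["method"] == "PUT" and e["status"] == "201"
            and (m := MANIFEST_RE.match(e["path"]))]

def decode_pull_secret(dockerconfigjson):
    """Return {registry: (user, password)}; the 'auth' field is base64(user:password)."""
    out = {}
    for registry, cfg in json.loads(dockerconfigjson)["auths"].items():
        user, _, password = base64.b64decode(cfg["auth"]).decode().partition(":")
        out[registry] = (user, password)
    return out
```

On a live cluster the secret document is obtained with `kubectl get secret pull-creds -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d` and then passed to `decode_pull_secret`; the allowlist for `unexpected_clients` should be the node and CI addresses that are supposed to talk to the registry.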