Reliable Threat
HTB
What is the application that starts the suspicious chain of processes?
A) Code.exe
Provide the full path of the malicious file used to gain initial access.
A) C:\Users\User2\.vscode\extensions\0xs1rx58d3v.chatgpt-b0t-0.0.1\extension.js
What user input, when executed, will run the malicious code?
A) help
What are the hostname and port used to establish a reverse shell?
A) 6.tcp.eu.ngrok.io:16587
What is the display name of the developer who created this malicious file?
A) 0xS1rx58.D3V
What time was the malicious file released (UTC)?
A) 2024-07-23 00:41:19
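The initial access vector above is a user-installed VS Code extension whose extension.js opens a reverse shell once the user types "help". The script below is an added triage example for that scenario; it is not part of the Sherlock and not the extension's own code. It walks every extension under the user's profile, reads the publisher ID and display name from package.json, and greps the extension's JavaScript for indicators. It assumes the default extension root (%USERPROFILE%\.vscode\extensions) and an illustrative indicator list built from this case (the ngrok tunnel host, the RuntimeBroker.exe drop name, the C:\Users\Public drop path) plus the child_process and net calls a Node reverse shell needs.

```powershell
# Added example, not part of the Sherlock or of the malicious extension itself.
# Triage every VS Code extension installed for a user: read each package.json for the
# publisher ID and display name, then scan the extension's JavaScript for reverse-shell
# indicators. Assumptions: extensions live in the default %USERPROFILE%\.vscode\extensions
# and the indicator list is illustrative (values seen in this case plus the Node APIs a
# reverse shell relies on).

$ExtensionRoot = Join-Path $env:USERPROFILE '.vscode\extensions'

$Indicators = @(
    'ngrok\.io',                                # tunnel host used for the reverse shell
    'child_process',                            # spawning cmd.exe / powershell.exe from Node
    'net\.(connect|createConnection|Socket)',   # raw TCP socket back to the listener
    'RuntimeBroker\.exe',                       # name of the dropped executable in this case
    'Users\\{1,2}Public'                        # world-writable drop location, one or two backslashes
)

function Get-VsCodeExtensionIndicators {
    param([Parameter(Mandatory)][string]$Root)

    foreach ($dir in Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue) {
        $manifest = Join-Path $dir.FullName 'package.json'
        $meta = $null
        if (Test-Path $manifest) {
            $meta = Get-Content -Path $manifest -Raw | ConvertFrom-Json
        }

        # Every .js file in the extension, matched against all indicator patterns.
        $hits = @(Get-ChildItem -Path $dir.FullName -Recurse -Include *.js -File -ErrorAction SilentlyContinue |
            Select-String -Pattern $Indicators)

        [pscustomobject]@{
            Extension   = $dir.Name                 # e.g. 0xs1rx58d3v.chatgpt-b0t-0.0.1
            Publisher   = $meta.publisher           # publisher ID from package.json
            DisplayName = $meta.displayName
            CreatedUtc  = $dir.CreationTimeUtc      # local install time, not the marketplace release time
            Indicators  = $hits.Count
            Where       = ($hits | Select-Object -First 5 |
                           ForEach-Object { "$($_.Filename):$($_.LineNumber)" }) -join ', '
        }
    }
}

# Most suspicious extensions first; in this case the ChatGPT bot extension should top the list.
Get-VsCodeExtensionIndicators -Root $ExtensionRoot |
    Sort-Object -Property Indicators -Descending |
    Format-Table -AutoSize
```

Run it as the affected user (or point -Root at that user's profile from a forensic copy). The CreatedUtc column is the local directory timestamp, so it tells you when the extension landed on this host, not when it was published; the release time in the answer above comes from marketplace metadata, not from the filesystem.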
Provide the SID for the user who has been compromised.
A) S-1-5-21-1998887770-13753423-1649717590-1001
Provide the full path of the suspicious executable being run during the infection chain.
A) C:\Users\Public\RuntimeBroker.exe
The threat actor has modified the Windows registry to include a new entry. This change ensures that whenever a legitimate component runs, it triggers the malicious process, allowing the threat actor to maintain control of the system. Specify the name of the legitimate component.
A) Recycle Bin
Which MITRE technique corresponds to the previous action?
A) T1546.015
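The persistence described above is a COM hijack: the attacker registers a per-user handler for the Recycle Bin's CLSID so that interacting with the Recycle Bin launches the malicious process. The check below is an added example, not part of the Sherlock and not the attacker's tooling. It assumes the Recycle Bin shell folder CLSID is {645FF040-5081-101B-9F08-00AA002F954E} and relies on the fact that HKCU\Software\Classes is merged into HKCR ahead of HKLM\Software\Classes, so a key an unprivileged user writes there shadows the legitimate handler. On a clean system there is no per-user key for this CLSID at all, so any value found is a finding; the script additionally flags handlers that live in user-writable locations such as C:\Users\Public.

```powershell
# Added example, not part of the Sherlock or of the attacker's tooling.
# Detect a per-user COM / shell-verb override for the Recycle Bin (MITRE T1546.015).
# Assumption: the Recycle Bin CLSID is {645FF040-5081-101B-9F08-00AA002F954E}.
# HKCU\Software\Classes takes precedence over HKLM\Software\Classes when HKCR is built,
# so the check reads the per-user Classes root only and treats any value as a finding.

$RecycleBinClsid = '{645FF040-5081-101B-9F08-00AA002F954E}'

# Sub-keys through which a COM object or its shell verb can be redirected.
$HandlerSubKeys = 'InprocServer32', 'LocalServer32', 'shell\open\command'

# Directories a legitimate shell handler has no business living in.
$SuspiciousPath = '\\Users\\Public\\|\\AppData\\|\\Temp\\|\\ProgramData\\'

function Get-RecycleBinComHijack {
    param(
        [string]$Clsid = $RecycleBinClsid,
        # Per-user Classes root to inspect; defaults to the current user's hive.
        [string]$ClassesRoot = 'HKCU:\Software\Classes'
    )

    $clsidRoots = @(
        (Join-Path -Path $ClassesRoot -ChildPath 'CLSID'),
        (Join-Path -Path $ClassesRoot -ChildPath 'Wow6432Node\CLSID')
    )

    foreach ($root in $clsidRoots) {
        foreach ($sub in $HandlerSubKeys) {
            $key = Join-Path -Path $root -ChildPath "$Clsid\$sub"
            if (-not (Test-Path -Path $key)) { continue }

            # The handler path is the key's (default) value.
            $handler = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'

            [pscustomobject]@{
                Key          = $key
                Handler      = $handler
                UserWritable = [bool]($handler -match $SuspiciousPath)
            }
        }
    }
}

$findings = @(Get-RecycleBinComHijack)
if ($findings.Count -eq 0) {
    Write-Output "No per-user override for $RecycleBinClsid; the HKLM handler is in effect."
} else {
    $findings | Format-Table -AutoSize
}

# To inspect another logged-on user's hive, map HKEY_USERS and pass that user's SID:
#   New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
#   Get-RecycleBinComHijack -ClassesRoot 'HKU:\S-1-5-21-1998887770-13753423-1649717590-1001\Software\Classes'
```

Export the key (reg export) before removing it so the evidence survives remediation, and check the handler binary itself: in this case it would be the C:\Users\Public\RuntimeBroker.exe identified above, which also matches the UserWritable rule.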
The threat actor has identified the location for all projects and manipulated one of the project files. Could you provide details about the malicious code that was added by the threat actor?
A) $testc = $_GET['s1']; echo $testc;