Breach Analysis
One of our client’s machines may have been compromised by some ferocious malware. The CISO has declared an “incident” and now wants you to investigate the compromised box to determine what might be going on. The machine is located at their “super secret” engineering facility, but we are fortunate to have a virtual image of the compromised FTP Server on the SimSpace range. You can conduct a root cause analysis of the FTP server using any tools you find useful on SimSpace. You get this right and you get a permanent slot on the incident response team...if you don’t, more work on the help desk.
Accessing the Compromised VM
To access the FTP server you will need to log in to your SimSpace account. Once logged in, access the range and find an available win-xp-xx VM. Determine the IP address of the win-xp-xx VM. Open the win-xp-xx VM by selecting Open Console. See if you can log in. At this point you will leave this VM alone for now. Treat it as the “suspect machine”.
Select another VM on the range you wish to use to remotely analyze the win-xp-xx VM (FTP Server). Once this is done, log in to your selected VM and open a terminal window. In the terminal window try pinging the win-xp-xx VM that you opened.
If you can ping your win-xp-xx VM, you are ready to go.
Since the VMs will be shared with the rest of the class, make sure to close out of your session once you are done using your win-xp-xx machine. Any progress may be lost between sessions, so make sure you are at a stopping point when ending a session. Don’t leave the data you collect lying around on your VM. Also note there are only 20 win-xp-xx VMs, and if you wait until the last minute to do this lab you may be waiting around for a free VM to analyze.
Once you are connected to a win-xp-xx VM, think about what you can do remotely. What would a hacker do? How would they get persistent access? Labs you had in IS-6303 and 6323 have prepared you for this state-of-the-world “incident.”