OSTH Practice Exam Write-up
Overview
This is a hands-on, simulated threat hunting sprint set within the fictional enterprise network of Megacorp One. It is relevant to, and closely resembles, what you might expect from the OSTH certification exam provided by OffSec. The lab’s objective was to identify indicators of compromise (IoCs) associated with a known APT group, "We Are Garfield" (WAG), whose techniques included data exfiltration, credential theft, and network persistence. The exam format included multiple Labs, each containing a single question related to a specific threat indicator or compromised asset.
Test Format and Resources
Lab Structure: Each Lab presented a unique exercise question, which required identifying artifacts related to attacker activities. The questions did not follow a specific sequence, simulating a real-world hunt where leads can emerge non-linearly.
VM Setup: I worked within a controlled set of virtual machines (VMs), including a Splunk SIEM and a Windows DEV machine. Once started, the VMs remained accessible throughout the exam via a secure VPN connection.
Flags and Hashes: Once I located an answer, I encoded it using a binary (flags.exe) on the DEV machine. This binary returned an MD5 hash of my answer, which I compared against a predefined list of 8 acceptable hashes for each Lab to verify formatting accuracy.
Scoring and Timing: The lab had a time limit of eight hours. Each correctly flagged answer was worth points, with a total of 70 available points and a passing score of 50.
Initial Setup and Approach
To begin, I reviewed the threat intelligence report provided by Megacorp One’s third-party intelligence provider, outlining WAG’s tactics, techniques, and procedures (TTPs). This gave insight into known tools, indicators, and attack patterns likely used in the environment. I loaded the Splunk instance, configured it for the lab’s timeline (August 9 - August 15, 2024), and checked that the timestamps were set to GMT-01:00 to match the lab’s requirements.
Objectives
- Locate indicators of compromise and identify the sequence of attacker actions.
- Flag and submit correct answers, including timestamps, filenames, hashes, and IP addresses.
Provided Threat Intel Report
Description
We Are Garfield (WAG) is a rapidly emerging Advanced Persistent Threat (APT) group that specifically targets industries such as finance, healthcare, and manufacturing. Their operations typically begin with gaining initial access through phishing attacks or by exploiting vulnerabilities in Fortinet network devices and web applications. Once inside, WAG conducts thorough discovery activities to identify high-value targets. Their primary objectives include stealing and exfiltrating sensitive data, as well as carrying out ransomware operations.