Overview

This is a hands-on, simulated threat hunting sprint set within the fictional enterprise network of Megacorp One. It is relevant and similar to what you might expect from the OSTH certification test provided by OffSec. The lab’s objective was to identify indicators of compromise (IoCs) associated with a known APT group, "We Are Garfield" (WAG), whose techniques included data exfiltration, credential theft, and network persistence. The exam format included multiple Labs, each containing a single question related to a specific threat indicator or compromised asset.

Test Format and Resources

Lab Structure: Each Lab presented a unique exercise question, which required identifying artifacts related to attacker activities. The questions did not follow a specific sequence, simulating a real-world hunt where leads can emerge non-linearly.
VM Setup: I worked within a controlled set of virtual machines (VMs), including a Splunk SIEM and a Windows DEV machine. Once started, the VMs remained accessible throughout the exam via a secure VPN connection.
Flags and Hashes: Once I located an answer, I encoded it using a binary (flags.exe) on the DEV machine. This binary returned an MD5 hash of my answer, which I compared against a predefined list of 8 acceptable hashes for each Lab to verify formatting accuracy.
Scoring and Timing: The lab had a time limit of eight hours. Each correctly flagged answer was worth points, with a total of 70 available points and a passing score of 50.

Initial Setup and Approach

To begin, I reviewed the threat intelligence report provided by Megacorp One’s third-party intelligence provider, outlining WAG’s tactics, techniques, and procedures (TTPs). This gave insight into known tools, indicators, and attack patterns likely used in the environment. I loaded the Splunk instance, configured it for the lab’s timeline (August 9 - August 15, 2024), and checked that the timestamps were set to GMT-01:00 to match the lab’s requirements.

Objectives

  • Locate indicators of compromise and identify the sequence of attacker actions.
  • Flag and submit correct answers, including timestamps, filenames, hashes, and IP addresses.