Week 6: Capstone Investigation

Path: Defensive Operations | Module: 6 of 6

The Final Exam

Welcome to your first real investigation. You will apply everything you have learned in the last 5 weeks.

The Scenario

The web server WEB-01 has been acting sluggish. Today, the homepage was defaced with a message: "HACKED BY TEAM X".

Your Mission

Review the artifacts provided below (simulated) and answer the following questions:

  1. Identification: What time did the attack happen?
  2. Identification: What IP address did the attack come from?
  3. Containment: What port needs to be blocked at the firewall?
  4. Eradication: What file needs to be deleted?

Evidence Artifact: Access Log

192.168.1.50 - - [12/Oct/2024:10:00:01] "GET /index.html HTTP/1.1" 200
192.168.1.50 - - [12/Oct/2024:10:05:22] "GET /login.php HTTP/1.1" 200
10.0.0.666 - - [12/Oct/2024:11:45:00] "POST /upload.php HTTP/1.1" 200 (Malicious IP!)
10.0.0.666 - - [12/Oct/2024:11:45:05] "GET /images/shell.php?cmd=id HTTP/1.1" 200 (Web Shell Execution)
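Before answering the four questions, it helps to triage the artifact the way an analyst would on a real box: parse every line into fields, flag the requests that match known web-shell patterns, and derive the first suspicious timestamp, the source address and the dropped file from the flagged records rather than by eyeballing. The script below is an added example for this module, not part of the course material; the four log lines are copied from the artifact above (instructor annotations included, which the pattern simply ignores), and the detection rules are illustrative assumptions, not an official ruleset.

```python
import re
import ipaddress
from datetime import datetime

# Constructed sample: the four lines of the access-log artifact above.
SAMPLE_LOG = """\
192.168.1.50 - - [12/Oct/2024:10:00:01] "GET /index.html HTTP/1.1" 200
192.168.1.50 - - [12/Oct/2024:10:05:22] "GET /login.php HTTP/1.1" 200
10.0.0.666 - - [12/Oct/2024:11:45:00] "POST /upload.php HTTP/1.1" 200 (Malicious IP!)
10.0.0.666 - - [12/Oct/2024:11:45:05] "GET /images/shell.php?cmd=id HTTP/1.1" 200 (Web Shell Execution)
"""

# Common Log Format without the timezone field (the artifact omits it).
# No trailing anchor, so any text after the status code is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S")
    rec["status"] = int(rec["status"])
    # Real logs can contain malformed client addresses (bad proxy headers,
    # tampering, test data); record the fact instead of crashing the parser.
    try:
        ipaddress.ip_address(rec["ip"])
        rec["ip_valid"] = True
    except ValueError:
        rec["ip_valid"] = False
    return rec

def suspicious_reasons(rec):
    """Return the list of illustrative detection rules this record trips."""
    reasons = []
    path = rec["path"].lower()
    # A successful POST to an upload endpoint is a common web-shell drop point.
    if rec["method"] == "POST" and "upload" in path and rec["status"] == 200:
        reasons.append("successful upload")
    # Server-side script being served from a static-content directory.
    if path.startswith("/images/") and ".php" in path:
        reasons.append("script in static directory")
    # Query parameter that looks like a command channel.
    if re.search(r"[?&](cmd|exec|command)=", path):
        reasons.append("command parameter")
    if not rec["ip_valid"]:
        reasons.append("malformed client IP")
    return reasons

def triage(log_text):
    """Return (first suspicious time, source IPs, script paths to eradicate)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = suspicious_reasons(rec)
        if reasons:
            rec["reasons"] = reasons
            hits.append(rec)
    first_seen = min((h["time"] for h in hits), default=None)
    source_ips = {h["ip"] for h in hits}
    # Strip the query string so the on-disk path is what gets reported.
    files = {h["path"].split("?", 1)[0] for h in hits
             if "script in static directory" in h["reasons"]}
    return first_seen, source_ips, files

if __name__ == "__main__":
    first_seen, source_ips, files = triage(SAMPLE_LOG)
    print("First suspicious request:", first_seen)
    print("Source IPs:", sorted(source_ips))
    print("Files to eradicate:", sorted(files))
```

Note what the parser does with the third and fourth lines: `10.0.0.666` is not a valid IPv4 address (the last octet exceeds 255), so a parser that validated addresses strictly would drop exactly the two records that matter. Flagging the anomaly while keeping the record is the safer choice during an investigation.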