M25 Practice Quiz

Question 1

  1. Jason, a cybersecurity analyst at Dion Training, is reviewing the log from a web application firewall and believes an attack was attempted by a threat actor. Here is the log snippet used during the review:

    Time | Source IP | Request URL | Status | Action
    -----------------------------------------------------------------------
    12:30:15 | 203.0.113.5 | /products?category=' OR '1'='1 | 200 | Allowed
    12:30:16 | 203.0.113.5 | /login?username=admin'-- | 200 | Allowed
    12:30:17 | 203.0.113.5 | /search?query=laptops | 200 | Allowed
    12:30:18 | 203.0.113.5 | /products?category='; DROP TABLE users; -- | 403 | Blocked

    Based on the log entries above, which of the following types of attacks was most likely being attempted by the attacker?

    Options:

    • Cross-site scripting
    • Denial of service
    • SQL injection
    • XML injection

    Overall explanation:

    • The log indicates that requests containing malicious payloads, such as ' OR '1'='1 and '; DROP TABLE users; --, are being sent to the server. These payloads are attempting to manipulate the SQL queries executed by the application, which is an indication of an SQL Injection attack. The web application firewall, in this example, has correctly blocked the last attempt, which directly tries to drop a table from the database.

    Tags: SQL and XML Injections, Firewall Logs

Question 2

  1. Tony, a cybersecurity analyst at Dion Training, is examining the following snippet from an authentication log:

    Time | Source IP | Username | Event | Password Attempted
    -----------------------------------------------------------------------
    15:32:00 | 203.0.113.7 | Admin | Authentication Attempt | admin1
    15:32:01 | 203.0.113.7 | Admin | Authentication Attempt | Xyz@123
    15:32:02 | 203.0.113.7 | Admin | Authentication Attempt | qwertyABCD!
    15:32:02 | 203.0.113.7 | Admin | Authentication Attempt | 1Adm!nP@ss
    15:32:03 | 203.0.113.7 | Admin | Authentication Attempt | $ecUr3P@55

    Based on the log snippet above, which type of attack is most likely being attempted?

    Options:

    • Password spraying attack
    • Dictionary attack
    • Rainbow table attack
    • Brute Force attack

    Overall explanation:

    • The log shows multiple authentication attempts from the same source IP for the same username with various complex and random passwords in a very short time frame. This pattern is indicative of a brute force attack in which an attacker tries numerous password combinations to gain unauthorized access.

    Tags: Brute Force Attack, Password Attacks, OS-specific Security Logs

Question 3

  1. Mateo, a cybersecurity analyst at Dion Training, is reviewing the following snippet from a web server access log:

    Time | Source IP | Request URL | HTTP Status
    ---------------------------------------------------------------------------
    18:02:00 | 198.51.100.2 | /images/logo.png | 200
    18:02:10 | 198.51.100.2 | /css/style.css | 200
    18:02:15 | 198.51.100.2 | /api/products | 200
    18:02:20 | 198.51.100.2 | /../../../etc/passwd | 404
    18:02:25 | 198.51.100.2 | /images/../../../../etc/shadow | 404

    Based on the log snippet above, which type of attack was most likely being attempted by the computer located at 198.51.100.2?

    Options:

    • Denial of Service (DoS)
    • Cross-Site Scripting (XSS)
    • SQL Injection
    • Directory Traversal

    Overall explanation:

    • The log entries indicate attempts to access files (/../../../etc/passwd and /images/../../../../etc/shadow) outside of the web server's root directory using relative paths, which is characteristic of a Directory Traversal attack. This attack aims to access sensitive files and directories that are stored outside the web root folder by manipulating a URL or injecting malicious code.

    Tags: Directory Traversal Attack
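
As an added example that is not part of the quiz, the signature logic behind the Question 1 and Question 3 explanations as a small detector run over constructed log lines in the quiz's pipe-delimited layout; the regexes are quiz-level heuristics assumed here, not a WAF ruleset, and the URL-encoded row is constructed to show why decoding must happen before matching.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the quiz's "Time | Source IP | Request URL | Status | Action" layout:
# the quiz's own rows plus one URL-encoded traversal row to exercise decoding.
SAMPLE_LOG = """\
12:30:15 | 203.0.113.5 | /products?category=' OR '1'='1 | 200 | Allowed
12:30:16 | 203.0.113.5 | /login?username=admin'-- | 200 | Allowed
12:30:17 | 203.0.113.5 | /search?query=laptops | 200 | Allowed
12:30:18 | 203.0.113.5 | /products?category='; DROP TABLE users; -- | 403 | Blocked
18:02:20 | 198.51.100.2 | /../../../etc/passwd | 404 | Allowed
18:02:25 | 198.51.100.2 | /images/../../../../etc/shadow | 404 | Allowed
18:02:30 | 198.51.100.2 | /files?name=..%2F..%2Fetc%2Fpasswd | 404 | Allowed
"""

# Quiz-level signatures (an assumption here, not a production WAF ruleset): a quote that closes
# a string literal followed by a boolean operator, a comment marker or a stacked statement;
# and a ".." segment anywhere in the decoded URL, whether in the path or the query string.
SQLI = re.compile(r"'\s*(?:or|and)\b|'\s*--|'\s*;|;\s*(?:drop|alter|delete)\s+table\b", re.I)
TRAVERSAL = re.compile(r"(?:^|/|=)\.\.(?:/|$)")

def parse_line(line):
    """Split one pipe-delimited log line into named fields; None if it is malformed."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5 or not fields[3].isdigit():
        return None
    time, ip, url, status, action = fields
    return {"time": time, "ip": ip, "url": url, "status": int(status), "action": action}

def classify(url):
    """Return the attack labels a request URL matches; decode first so %2F.. is caught."""
    decoded = unquote(url)
    checks = (("sql_injection", SQLI), ("directory_traversal", TRAVERSAL))
    return [label for label, rx in checks if rx.search(decoded)]

def analyze(log_text):
    """Flag suspicious requests and tally labels per source IP."""
    flagged, per_ip = [], defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        labels = classify(rec["url"])
        for label in labels:
            per_ip[rec["ip"]][label] += 1
        if labels:
            # An "Allowed" request answered with 200 means the payload reached the application.
            rec["reached_app"] = rec["action"] == "Allowed" and rec["status"] == 200
            flagged.append({**rec, "labels": labels})
    return flagged, {ip: dict(c) for ip, c in per_ip.items()}
```

The `reached_app` flag is what to triage first: a 403 from the WAF or a 404 from the server means the request failed, while a 200 on an allowed injection request means the payload was processed.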

Question 4

  1. Reed, a network administrator at Dion Training, has noticed a large number of simultaneous connections are being attempted from various IP addresses towards the company's web server. According to the log, several hundred concurrent connections are all being attempted within just a few seconds.

    Time | Source IP | Destination IP | Destination Port | Protocol | Event | Packets
    ---------------------------------------------------------------------------
    20:00:00 | 192.0.2.10 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000
    20:00:01 | 192.0.2.11 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000
    20:00:01 | 192.0.2.12 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000
    20:00:01 | 192.0.2.13 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000
    20:00:01 | 192.0.2.14 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000
    ...
    20:00:02 | 192.0.2.250 | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000

    Based on the log snippet above, which of the following types of attacks is most likely being attempted by the threat actors?

    Options:

    • Directory traversal
    • Cross-site request forgery
    • Distributed Denial of Service
    • SQL injection

    Overall explanation:

    • The log shows a large number of connection attempts to the same destination IP and port from multiple source IPs in a very short time frame. This pattern is indicative of a Distributed Denial of Service (DDoS) attack, where an attacker attempts to overwhelm a system's resources to disrupt its normal functioning and deny service to legitimate users.

    Tags: DDoS Attacks
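
As an added example that is not part of the quiz, the rate-based logic behind the Question 2 and Question 4 explanations: one sliding-window counter that flags a (source IP, username) pair with many attempts in a few seconds, or a (destination IP, port) pair reached by many distinct sources. The thresholds, the window sizes and the extra constructed log rows are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed samples in the quiz's authentication-log and connection-log layouts: the
# quiz's five Admin attempts plus one unrelated login, and 60 sources hitting one port.
AUTH_LOG = """\
15:32:00 | 203.0.113.7 | Admin | Authentication Attempt | admin1
15:32:01 | 203.0.113.7 | Admin | Authentication Attempt | Xyz@123
15:32:02 | 203.0.113.7 | Admin | Authentication Attempt | qwertyABCD!
15:32:02 | 203.0.113.7 | Admin | Authentication Attempt | 1Adm!nP@ss
15:32:03 | 203.0.113.7 | Admin | Authentication Attempt | $ecUr3P@55
15:40:00 | 198.51.100.9 | alice | Authentication Attempt | ********
"""
CONN_LOG = "\n".join(
    f"20:00:0{i % 3} | 192.0.2.{10 + i} | 203.0.113.5 | 80 | TCP | Connection Attempt | 10000"
    for i in range(60)
)

def to_time(text):
    return datetime.strptime(text, "%H:%M:%S")

def burst_keys(log_text, key_cols, window_s, threshold, distinct_col=None):
    """Map key -> peak count for keys whose events in any window_s-second span reach threshold;
    with distinct_col set, distinct values of that column (e.g. source IPs) are counted."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        key = tuple(fields[c] for c in key_cols)
        tag = fields[distinct_col] if distinct_col is not None else None
        events[key].append((to_time(fields[0]), tag))
    hits = {}
    for key, evs in events.items():
        evs.sort(key=lambda e: e[0])  # sliding window over a time-ordered list
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > timedelta(seconds=window_s):
                start += 1
            window = evs[start:end + 1]
            count = len({tag for _, tag in window}) if distinct_col is not None else len(window)
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits

# Question 2 pattern: one source IP, one username, >= 5 attempts within 10 seconds.
def brute_force_candidates(auth_log, window_s=10, threshold=5):
    return burst_keys(auth_log, key_cols=(1, 2), window_s=window_s, threshold=threshold)

# Question 4 pattern: one destination IP:port, >= 50 distinct sources within 5 seconds.
def ddos_candidates(conn_log, window_s=5, threshold=50):
    return burst_keys(conn_log, (2, 3), window_s, threshold, distinct_col=1)
```

Counting distinct sources rather than raw packets is what separates the Question 4 pattern from a single noisy client; the same function with `distinct_col=None` gives the per-client count used for Question 2.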

Question 5

  1. Jackie, a cybersecurity analyst at Dion Training, is reviewing the following snippet from a web server log:

    Time | Source IP | Request URL | HTTP Status | Payload
    -----------------------------------------------------------------------
    21:45:00 | 203.0.113.4 | /api/createUser | 200 | <user><name>John</name><password>abc123</password></user>
    21:45:05 | 203.0.113.4 | /api/createUser | 200 | <user><name>Jane</name><password>xyz789</password></user>
    21:45:10 | 203.0.113.4 | /api/createUser | 400 | <user><name>Bob</name><password>123&<isAdmin>1</isAdmin></password></user>
    21:45:15 | 203.0.113.4 | /api/createUser | 400 | <user><name>Alice</name><password>456<!-- injected --></password></user>

    Based on this log snippet, which of the following types of attacks is the threat actor attempting to perform?

    Options:

    • Denial of service
    • SQL Injection
    • XML injection
    • Cross-site scripting

    Overall explanation:

    • The log shows malformed XML payloads in the requests to /api/createUser, specifically at 21:45:10 and 21:45:15, indicating an attempt to inject malicious XML content (<isAdmin>1</isAdmin> and <!-- injected -->). This pattern is indicative of an XML Injection attack, where an attacker tries to manipulate the logic of the application by injecting malicious XML data.

    Tags: SQL and XML Injections