CNIT 152: Incident Response for CCSF

Submitting Projects

CCSF students must do these things to get credit:

  • Perform the project steps until you find a flag
  • Capture a whole-desktop image showing the flag
  • Outline or highlight the flag in the image
  • Submit the image in the appropriate Project in Canvas
  • Type the flag into the text field

Splunk Boss of the SOC

BOTSv1: Threat Hunting with Splunk  325

ATT&CK Matrix v9

Reference: ATT&CK Matrix v9 for Enterprise
ATT 1: ATT&CK Tactics  10
ATT 2: ATT&CK Techniques for Tactics 43, 42, & 1-3  10
ATT 3: ATT&CK v9 Techniques for Tactics 4-6  10
ATT 4: ATT&CK v9 Techniques for Tactics 7-9  10
ATT 5: ATT&CK v9 Techniques for Tactics 11, 10, and 40  10
ATT 6: ATT&CK v9 Groups  10
ATT 7: ATT&CK v9 Navigator  10 extra

Windows and Linux Machines

IR 100: Windows and Linux Machines  20

Threat Intelligence

IR 380: STIX Threat Intelligence  35 extra
IR 381: TAXII  15 extra

Velociraptor

IR 371: Velociraptor Server on Linux  20 + 5 extra
IR 372: Investigating a PUP with Velociraptor  25 + 15 extra
IR 373: Investigating a Bot with Velociraptor  50 extra
IR 374: Investigating a Two-Stage RAT with Velociraptor  35 extra
IR 370: Installing Velociraptor on Windows  30 extra

Zeek

IR 350: Zeek Interactive Tutorial  15 + 44 extra
IR 351: Installing and Using Zeek  25 extra

Defending Windows

IR 301: Installing Splunk on a Windows Server  15 extra
IR 330: Detecting Ransomware with Splunk and Sysmon  20 extra
IR 303: Capturing RAM from a Process  15 extra
IR 304: VirusTotal & Wireshark  35 extra
IR 305: PacketTotal  45 extra
IR 306: Yara  40 extra
IR 307: Prefetch Forensics  15 extra

ATT 100: Caldera  25 extra
ATT 101: Caldera Operation  15 extra

Defending Linux Servers

ED 200: Google Cloud Linux Server  15 extra
IR 201: Splunk & Suricata  45 extra
IR 202: Metasploit & Drupalgeddon  85 extra
IR 308: osquery  15 extra

Binary (Extra Credit)

H 101 - 104: Binary Games  40 extra

Command Line (Extra Credit)

Don't submit these projects in Canvas; use the scoring system below

Enter Flags · Scoreboard

LJ: Linux Journey  83 extra
B: Bandit Challenges  69 extra
U-Cen and U-Cyb: PowerShell  75 extra
Scores archived 12-11-22

Networking

H 410: Nmap  40 extra
H 420: Wireshark  110 extra
H 430: Scapy  20 extra

Making Your Own Windows VM
Optional

Recommended
    PMA 41: Windows 10 with Analysis Tools  20 extra
Not Recommended
    PMA 40: FLARE-VM  20 extra
Alternative Local System
    H 2: Windows 2016 Server Virtual Machine  15 extra
Best Cloud System
    PMA 60: Windows 10 on Azure Cloud  15 extra
Alternate Cloud System
    PMA 30: Windows 2016 Server on Google Cloud  15 extra

Virtual Machine Resources

Practical Malware Analysis Samples

Hypervisors

VMware Player (for Windows hosts, free)
VMware Fusion (for Mac hosts, 30-day trial)
VirtualBox (free for all platforms)

Updated 9-9-2021
IR 374 added 9-30-21
IR 380 added 10-7-21
IR 381 & 382 added 10-14-21
IR 373 changed to all extra credit 11-9-22
IR 382 and 383 removed 11-18-22
CTF scoreboard added 1-26-24