Exam SY0-701
Question 77

HOTSPOT -

You are a security administrator investigating a potential infection on a network.

INSTRUCTIONS -

Click on each host and firewall. Review all logs to determine which host originated the infection and then identify if each remaining host is clean or infected.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

    Correct Answer:

Discussion
Fazliddin4515

Why are you choosing random answers? Here are the real answers: 22 is Origin. It has started infection first. 37 is Clean, because it is able to get new updates and quarantine the malicious file. 41 is Infected, because it was not able to quarantine the infected file. 12 is Clean, because it is able to get new updates and quarantine the malicious file. 18 is Infected, because it was not able to get the new update and quarantine the file. These are the real answers.

succulentchinesemeal

Thank you. Makes so much more sense now.

Boats

This is correct.

edmondme

41 is the origin, since that's the one that has SMBv1. 22, even though the time was earlier, is not the origin.

c80f5c5

Commenting to reiterate Fazliddin's comment:
.22 infected at 2:31AM, it was infected 12 hrs before all other IPs
.37 clean, quarantined at 2:43PM
.41 infected at 2:43PM
.12 clean, quarantined at 2:43PM
.18 infected at 2:43PM
I took a Sec+ Bootcamp and they went over this lab; these are the answers they gave us.

3056f7e

It must be origin, clean, infected, clean, infected

barracouto

If I get this question I'm going to think "OH boy do I miss Cici's pizza"
22 - Origin - OH CICI
37 - Clean
41 - Infected
12 - Clean
18 - Infected

jennyka76

I AGREE. 22 is Origin. It has started infection first. 37 is Clean, because it is able to get new updates and quarantine the malicious file. 41 is Infected, because it was not able to quarantine the infected file. 12 is Clean, because it is able to get new updates and quarantine the malicious file. 18 is Infected, because it was not able to get the new update and quarantine the file.

Mehsotopes

Every computer was clean until the 18th, & the first computer to do insecure communication protocols was 192.168.10.41 on the 17th using SMBv1, which is not a recommended or safe protocol to use anymore. A host is still considered infected even with quarantined virus files.

Yoez

For me it is ORIGIN, and the rest infected, because they installed the update that was the .EXE. And the first one is the ORIGIN because I saw the .exe at 2:00 AM and the rest was 2:00 PM.

WOW_ThatsCrazy

192.168.10.22 Status: Clean. Reasoning: The scan completed without finding any issues.
192.168.10.37 Status: Infected. Reasoning: The scan found and quarantined the file svch0st.exe.
192.168.10.41 Status: Infected. Reasoning: The scan found the file svch0st.exe but was unable to quarantine it.
10.10.9.12 Status: Origin. Reasoning: The firewall log shows traffic from 10.10.9.12 to multiple IP addresses in the network, indicating it may have spread the infection. Additionally, the scan found and quarantined svch0st.exe.
10.10.9.18 Status: Infected. Reasoning: The scan found the file svch0st.exe but was unable to quarantine it, similar to 192.168.10.41.

e5c1bb5

Origin is 41. It uses SMBv1 (an unsecure application) first. Then you can see the RPC being used, which was used in multiple documented malware attacks (WannaCry, etc.). So it starts with 41 sending malware with SMBv1, then RPC to others.

Yoez

And also, if you check the traffic on the Firewall at 2:31:45 AM, this trade was used for HTTP, that is an unsecured port.

Etc_Shadow28000

Conclusion
Based on the logs, 192.168.10.37 appears to be the first to identify and quarantine the svch0st.exe file on 4/18/2019 at 14:34, suggesting it might have been the origin of the infection.

Status of Each Host
- 192.168.10.22: Infected. Scheduled update disabled by svch0st.exe, no quarantine action
- 192.168.10.37: Infected. svch0st.exe quarantined
- 192.168.10.41: Infected. svch0st.exe detected and quarantined after initial failure
- 10.10.9.12: Infected. svch0st.exe quarantined
- 10.10.9.18: Infected. svch0st.exe detected and quarantined after initial failure

Summary
- 192.168.10.22: Infected
- 192.168.10.37: Origin
- 192.168.10.41: Infected
- 10.10.9.12: Infected
- 10.10.9.18: Infected
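
The triage rule that Fazliddin4515 and c80f5c5 apply in the thread (earliest detection is the origin; a successful quarantine means clean, a failed one means infected), written out as an added example that is not part of the original page or of any commenter's post. The log format, the `parse` and `triage` names and the sample lines are assumptions constructed here, since the lab's own logs are not reproduced on the page.

```python
from datetime import datetime

# Constructed sample events; the format (date, time, host, file, result) is
# hypothetical. Hosts and times echo values quoted in the thread.
SAMPLE_LOG = """\
2019-04-18 14:43:00 192.168.10.37 svch0st.exe quarantine=success
2019-04-18 02:31:00 192.168.10.22 svch0st.exe quarantine=failed
2019-04-18 14:43:00 192.168.10.41 svch0st.exe quarantine=failed
2019-04-18 14:43:00 10.10.9.12 svch0st.exe quarantine=success
2019-04-18 14:43:00 10.10.9.18 svch0st.exe quarantine=failed
"""

def parse(log):
    """Return (timestamp, host, file, result) tuples in time order."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].startswith("quarantine="):
            continue  # malformed line: skip rather than guess
        try:
            ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        events.append((ts, parts[2], parts[3], parts[4].split("=", 1)[1]))
    return sorted(events)

def triage(log, indicator="svch0st.exe"):
    """Map each host that saw `indicator` to origin / clean / infected."""
    first_seen, last_result = {}, {}
    for ts, host, name, result in parse(log):
        if name != indicator:
            continue
        first_seen.setdefault(host, ts)   # earliest detection per host
        last_result[host] = result        # latest quarantine outcome wins
    if not first_seen:
        return {}
    earliest = min(first_seen.values())
    earliest_hosts = [h for h, ts in first_seen.items() if ts == earliest]
    # A tie for earliest detection leaves the origin undetermined.
    origin = earliest_hosts[0] if len(earliest_hosts) == 1 else None
    return {
        host: "origin" if host == origin
        else ("clean" if result == "success" else "infected")
        for host, result in last_result.items()
    }

if __name__ == "__main__":
    for host, status in triage(SAMPLE_LOG).items():
        print(host, status)
```

Because the latest quarantine outcome wins, a host whose first quarantine attempt failed and whose later attempt succeeded is reported as clean under this rule.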