Cisco 300-215 - Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR)

The Apache access logs in the exhibit show a sequence of HTTP requests and responses indicative of a malicious upload via WordPress:

A POST to:

/wp-admin/admin-ajax.php with parameters that include uploading r57.php (a known PHP web shell).

The uploaded file name appears as r57.php in:→ &name=%5B%5D=r57.php&FILES...

There are plugin installation and activation attempts, specifically for:

file-manager plugin:→ plugin=file-manager&...

Which is known to be vulnerable and exploited for file uploads.

GET requests to:

/wp-content/57.php and variations such as 57.php?28 — This suggests that r57.php was successfully uploaded and is being accessed.

These logs reveal that:

D. The attacker used the WordPress file manager plugin to upload r57.php — confirmed by plugin activity and file uploads.

B. The attacker uploaded the WordPress file manager trojan — as evidenced by the direct access to /wp-content/57.php (r57 shell variant).

Other options are invalid or speculative:

A is correct in identifying r57 as a web shell, but the logs don't show privilege escalation.

C mentions brute force and SQL injection, which are not indicated here.

E assumes legitimate access — logs suggest exploitation, not standard login.

The Wireshark output shows SMB protocol transactions, including NT Create AndX Response and Write AndX Response, indicating the transfer of files or objects. SMB (Server Message Block) is a protocol used for file sharing and printer access in Windows networks. The log does not indicate phishing or redirection behavior but rather normal SMB communication such as accessing files or shared resources.

—

Fileless malware resides in memory and does not leave traditional file artifacts, making it difficult for antivirus solutions to detect. The most effective next step is to isolate the endpoints to prevent lateral movement and perform memory forensics to capture volatile data and identify any running malicious processes.

/etc/shadow: This file stores encrypted passwords and password aging information, including the date of the last password change (stored as the number of days since January 1, 1970). It is only readable by the root user, making it the primary source for forensic auditing of local password changes.

According to the CyberOps Technologies (CBRFIR) 300-215 study guide curriculum, when analyzing suspicious behavior—especially when scripts or shell commands are executed from applications like Word (which is uncommon)—the encoded PowerShell payload must be decoded to determine if malicious intent is present. Deobfuscation is a critical step in identifying command-and-control behavior, persistence, or malware execution paths.

—

The Cisco Secure Firewall Threat Defense (Firepower) includes advanced capabilities such as intrusion prevention, URL filtering, and deep packet inspection. According to the CyberOps guide, it can detect and block C2 communications by analyzing traffic patterns and comparing them to threat intelligence data. The guide specifically states: "Advanced solutions such as Firepower provide detection capabilities for command and control (C2) traffic by identifying unusual outbound connections and behavioral anomalies".