Day 2: One man's false positive is another man's potpourri.
Task 1 - What is the name of the account causing all the failed login attempts?
- Start the lab and visit the provided URL. Click the three-line menu in the top-left corner, then click Discover.
- Now set the time range from 29-nov-24 00:00 to 01-dec-24 09:30.
- Add the following filters:
- host.hostname
- user.name
- process.command_line
- event.category
- event.outcome
- source.ip
- You can see there are a lot of hits on 1 Dec around 08:00. These hits may be someone trying to brute-force the authentication, and we can see the username service_admin is causing all the failed login attempts.
Answer: service_admin
Task 2 - How many failed logon attempts were observed?
To find all the failed login hits, set the filters event.category = authentication and event.outcome = failure.
Answer: 6791
Task 3 - What is the IP address of Glitch?
We can see the source IP address of the attacker (Glitch) who was performing the brute-force attack. After succeeding, he may have stopped, changed device, or used the cracked account.
Answer: 10.0.255.1
Task 4 - When did Glitch successfully logon to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS
After many failed login attempts, Glitch succeeded at:
Answer: Dec 1, 2024 08:54:39.000
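The same triage that Tasks 1 to 4 do by clicking through Discover can be scripted over exported events. The following is an added example, not part of this writeup or the room: it runs over a handful of constructed ECS-style events (flat dotted field names as Discover shows them; the timestamps, counts and hostnames are made up and are not the lab's real data), applies the failed-authentication filter, finds the user and source IP responsible, and reports the first successful logon that follows the failures in the room's answer format.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events using the field names listed above
# (host.hostname, user.name, event.category, event.outcome, source.ip).
# Values are invented for illustration; they are not the lab's documents.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-12-01T08:00:01.000Z", "host.hostname": "ADM-01", "user.name": "service_admin",
     "event.category": "authentication", "event.outcome": "failure", "source.ip": "10.0.255.1"},
    {"@timestamp": "2024-12-01T08:00:02.000Z", "host.hostname": "ADM-01", "user.name": "service_admin",
     "event.category": "authentication", "event.outcome": "failure", "source.ip": "10.0.255.1"},
    {"@timestamp": "2024-12-01T08:00:03.000Z", "host.hostname": "ADM-01", "user.name": "service_admin",
     "event.category": "authentication", "event.outcome": "failure", "source.ip": "10.0.255.1"},
    {"@timestamp": "2024-12-01T08:00:04.000Z", "host.hostname": "ADM-01", "user.name": "service_admin",
     "event.category": "authentication", "event.outcome": "failure", "source.ip": "10.0.255.1"},
    {"@timestamp": "2024-12-01T08:00:05.000Z", "host.hostname": "ADM-01", "user.name": "service_admin",
     "event.category": "authentication", "event.outcome": "failure", "source.ip": "10.0.255.1"},
    # a single unrelated failure from a legitimate user, so "top value" is meaningful
    {"@timestamp": "2024-12-01T08:10:00.000Z", "host.hostname": "ADM-01", "user.name": "jane.doe",
     "event.category": "authentication", "event.outcome": "failure", "source.ip": "10.0.1.20"},
    # a process event that must NOT be counted as a failed logon
    {"@timestamp": "2024-12-01T08:20:00.000Z", "host.hostname": "ADM-01", "user.name": "service_admin",
     "event.category": "process", "event.outcome": "unknown", "source.ip": None},
    # the successful logon that follows the failures
    {"@timestamp": "2024-12-01T08:54:39.000Z", "host.hostname": "ADM-01", "user.name": "service_admin",
     "event.category": "authentication", "event.outcome": "success", "source.ip": "10.0.255.1"},
]


def failed_logons(events):
    """Equivalent of the Discover filter event.category = authentication AND event.outcome = failure."""
    return [e for e in events
            if e.get("event.category") == "authentication" and e.get("event.outcome") == "failure"]


def top_value(events, field):
    """Most frequent value of `field` and its count (what the field's top-values panel shows)."""
    counts = Counter(e[field] for e in events if e.get(field) is not None)
    if not counts:
        return None, 0
    return counts.most_common(1)[0]


def first_success_after_failures(events, user):
    """Timestamp and source IP of the first successful authentication for `user`
    that comes after at least one failure for the same user; None if there is none."""
    seen_failure = False
    for e in sorted(events, key=lambda ev: ev["@timestamp"]):
        if e.get("user.name") != user or e.get("event.category") != "authentication":
            continue
        if e.get("event.outcome") == "failure":
            seen_failure = True
        elif e.get("event.outcome") == "success" and seen_failure:
            return e["@timestamp"], e.get("source.ip")
    return None


def answer_format(iso_ts):
    """Render an ISO-8601 UTC timestamp in the room's 'MMM D, YYYY HH:MM:SS.SSS' format."""
    dt = datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%S.%fZ")
    return f"{dt.strftime('%b')} {dt.day}, {dt.year} {dt.strftime('%H:%M:%S')}.{dt.microsecond // 1000:03d}"


if __name__ == "__main__":
    failed = failed_logons(SAMPLE_EVENTS)
    user, n = top_value(failed, "user.name")
    ip, _ = top_value(failed, "source.ip")
    print(f"failed logons: {len(failed)}; top user: {user} ({n}); top source: {ip}")
    hit = first_success_after_failures(SAMPLE_EVENTS, user)
    if hit:
        print(f"first success for {user}: {answer_format(hit[0])} from {hit[1]}")
```

On the real index you would feed this the documents returned by the same time range and filters rather than the constructed list; the "success after failures" check is the piece worth keeping, because it separates a noisy but unsuccessful brute force from one that actually got in.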
Task 5 - What is the decoded command executed by Glitch to fix the systems of Wareville?
After the successful attempt, Glitch ran an encoded command in PowerShell: SQBuAHMAdABhAGwAbAAtAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIAAtAEEAYwBjAGUAcAB0AEEAbABsACAALQBBAHUAdABvAFIAZQBiAG8AbwB0AA==
- Open CyberChef and use the recipe From Base64, followed by Decode text with encoding UTF-16LE (1200), which is the encoding PowerShell uses for -EncodedCommand.
- The output shows the decoded command.
Answer: Install-WindowsUpdate -AcceptAll -AutoReboot
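The CyberChef recipe above (From Base64, then UTF-16LE decode) is easy to reproduce in a script when you have many process.command_line values to check. This is an added example, not code from the writeup or the room: it pulls the Base64 argument out of a command line (the full command line below is constructed around the lab's encoded string and may not match the real process event), decodes it exactly as PowerShell does, and keeps the raw decoded text so an analyst can review it before drawing conclusions.

```python
import base64
import re

# The encoded command quoted in Task 5 (taken from the writeup).
ENCODED = ("SQBuAHMAdABhAGwAbAAtAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIAAtAEEAYwBjAGUAcAB0AEEAbABsACAA"
           "LQBBAHUAdABvAFIAZQBiAG8AbwB0AA==")

# Constructed command line; the real process.command_line in the lab may differ.
SAMPLE_COMMAND_LINE = f"powershell.exe -NoProfile -EncodedCommand {ENCODED}"

# PowerShell accepts abbreviated switch names; these are the common spellings
# seen in telemetry (longest alternative first so the regex does not stop early).
_ENC_SWITCH = re.compile(r"-(?:encodedcommand|encoded|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def extract_encoded_argument(command_line):
    """Return the Base64 argument following an -EncodedCommand style switch, or None."""
    m = _ENC_SWITCH.search(command_line)
    return m.group(1) if m else None


def decode_powershell_encoded(b64_text):
    """Decode an -EncodedCommand value: Base64 over UTF-16LE text.

    validate=True rejects strings with non-Base64 characters instead of silently
    discarding them, which matters when the field has been truncated or mangled.
    """
    raw = base64.b64decode(b64_text, validate=True)
    return raw.decode("utf-16-le").rstrip("\x00")


def decode_from_command_line(command_line):
    """Convenience wrapper: find the encoded argument and decode it; None if absent."""
    arg = extract_encoded_argument(command_line)
    return decode_powershell_encoded(arg) if arg else None


if __name__ == "__main__":
    print(decode_from_command_line(SAMPLE_COMMAND_LINE))
```

A UTF-16LE decode that yields readable ASCII with no stray "\x00" characters is a good sign you picked the right encoding; if the output looks like alternating Chinese-looking glyphs or every other character is NUL, the input was plain UTF-8 (or a different tool's encoding) and the second step should be skipped.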
Task 6 - If you enjoyed this task, feel free to check out the Investigating with ELK 101 room.
No Answer Needed