Day 2

One man’s false positive is another man’s potpourri.

This Challenge revolves around investigating logs within a SIEM interface to answer questions related to a cyber incident.

Concept Overview

  • False Positive vs. True Positive:

    • A False Positive is an alert raised on activity that turns out to be benign: the detection fired, but nothing malicious happened.

    • A True Positive is an alert that correctly identifies malicious activity.

Start the machine and access the Elastic dashboard

Use elastic:elastic as username and password

To identify the account with the most failed login attempts, set the timeframe to November 29, 2024, 00:00:00.000 through December 1, 2024, 23:30:00.000.

Apply the filter: event.outcome: failure.

Examine the user.name field of the remaining events to find the account behind the failed logins.

Keep the same filter and read the hit count Discover shows for the total number of failed attempts.

Glitch's successful logons to ADM-01:

For this, set the filters to host.hostname: ADM-01, event.category: authentication and event.outcome: success, then look for Glitch's entry and note its timestamp and source IP:
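The filters above, expressed as code so they can be run over exported events (for example the JSON you get from Discover) rather than only clicked together in Kibana. This is an added example, not part of the walkthrough or the lab; the events are constructed and far fewer than the lab holds, and the field names mirror the KQL filters used above (event.outcome, event.category, host.hostname, user.name, source.ip).

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed ECS-style events standing in for the lab's Elastic index.
# Values and volumes are made up; one failure sits before the window and one
# success sits on the wrong host so the filters have something to exclude.
EVENTS = [
    {"@timestamp": "2024-11-28T23:59:59+00:00", "event.category": "authentication",
     "event.outcome": "failure", "user.name": "service_admin",
     "source.ip": "10.0.11.11", "host.hostname": "ADM-01"},      # before the window
    {"@timestamp": "2024-11-29T00:00:05+00:00", "event.category": "authentication",
     "event.outcome": "failure", "user.name": "service_admin",
     "source.ip": "10.0.11.11", "host.hostname": "ADM-01"},
    {"@timestamp": "2024-11-29T00:00:06+00:00", "event.category": "authentication",
     "event.outcome": "failure", "user.name": "service_admin",
     "source.ip": "10.0.11.11", "host.hostname": "ADM-01"},
    {"@timestamp": "2024-11-30T10:15:00+00:00", "event.category": "authentication",
     "event.outcome": "failure", "user.name": "service_admin",
     "source.ip": "10.0.11.11", "host.hostname": "WKS-02"},
    {"@timestamp": "2024-11-30T11:02:13+00:00", "event.category": "authentication",
     "event.outcome": "failure", "user.name": "backup_svc",
     "source.ip": "10.0.3.7", "host.hostname": "WKS-02"},
    {"@timestamp": "2024-12-01T08:12:00+00:00", "event.category": "authentication",
     "event.outcome": "success", "user.name": "Glitch",
     "source.ip": "10.0.255.1", "host.hostname": "WKS-02"},      # wrong host
    {"@timestamp": "2024-12-01T08:54:39+00:00", "event.category": "authentication",
     "event.outcome": "success", "user.name": "Glitch",
     "source.ip": "10.0.255.1", "host.hostname": "ADM-01"},
]

# The timeframe set in Kibana above, as timezone-aware datetimes.
WINDOW_START = datetime(2024, 11, 29, 0, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 12, 1, 23, 30, 0, tzinfo=timezone.utc)

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def in_window(event, start=WINDOW_START, end=WINDOW_END):
    """True if the event's @timestamp falls inside the selected timeframe."""
    ts = datetime.fromisoformat(event["@timestamp"])
    return start <= ts <= end


def failed_logons_by_user(events, start=WINDOW_START, end=WINDOW_END):
    """Equivalent of event.outcome: failure, grouped by user.name."""
    return Counter(
        e["user.name"] for e in events
        if e.get("event.outcome") == "failure" and in_window(e, start, end)
    )


def top_failed_account(events, start=WINDOW_START, end=WINDOW_END):
    """Account with the most failures and its count, or (None, 0) if there are none."""
    counts = failed_logons_by_user(events, start, end)
    if not counts:
        return None, 0
    return counts.most_common(1)[0]


def successful_logons(events, host, user=None):
    """host.hostname: <host> and event.category: authentication and event.outcome: success,
    optionally narrowed to one user, oldest first."""
    hits = [
        e for e in events
        if e.get("host.hostname") == host
        and e.get("event.category") == "authentication"
        and e.get("event.outcome") == "success"
        and (user is None or e.get("user.name") == user)
    ]
    return sorted(hits, key=lambda e: e["@timestamp"])


def source_ips_for_user(events, user):
    """Distinct source.ip values seen for a user, so the IP answer is not a guess from one row."""
    return sorted({e["source.ip"] for e in events
                   if e.get("user.name") == user and "source.ip" in e})


def format_timestamp(iso):
    """Render an ISO timestamp as the questions want it: MMM D, YYYY HH:MM:SS.SSS."""
    ts = datetime.fromisoformat(iso)
    return (f"{MONTHS[ts.month - 1]} {ts.day}, {ts.year} "
            f"{ts:%H:%M:%S}.{ts.microsecond // 1000:03d}")


if __name__ == "__main__":
    user, n = top_failed_account(EVENTS)
    print(f"most failed logons: {user} ({n}), total failures: "
          f"{sum(failed_logons_by_user(EVENTS).values())}")
    for hit in successful_logons(EVENTS, "ADM-01", user="Glitch"):
        print(f"Glitch on ADM-01 at {format_timestamp(hit['@timestamp'])} "
              f"from {hit['source.ip']}")
```

The window check matters more than it looks: Kibana applies the time picker on top of every filter, so a count taken with a different timeframe will not match the expected answer even if the filter is right.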

To find the command executed by Glitch, set the filter to event.category: process and look for a process command line carrying a long base64 argument:

We get: SQBuAHMAdABhAGwAbAAtAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIAAtAEEAYwBjAGUAcAB0AEEAbABsACAALQBBAHUAdABvAFIAZQBiAG8AbwB0AA==

Decode this from base64 first, then interpret the resulting bytes as UTF-16LE (code page 1200): the argument PowerShell passes to -EncodedCommand is the UTF-16LE encoding of the script, not UTF-8, so decoding the bytes as plain text leaves a null byte between every character.

Decoded Output: Install-WindowsUpdate -AcceptAll -AutoReboot, a maintenance command rather than an attack, which is why this alert turns out to be a false positive.
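The two-step decode done in code, so it can be applied to every process event instead of pasting each blob into a decoder. This is an added example, not part of the walkthrough; only the base64 argument comes from the page, and the surrounding powershell.exe command line is constructed.

```python
import base64
import binascii
import re

# The encoded argument quoted from the process event above.
ENCODED = ("SQBuAHMAdABhAGwAbAAtAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIAAtAEEAYwBjAGUAcAB0"
           "AEEAbABsACAALQBBAHUAdABvAFIAZQBiAG8AbwB0AA==")

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
# and either '-' or '/' as the switch character, so match every prefix, longest first.
_PREFIXES = ["encodedcommand"[:n] for n in range(len("encodedcommand"), 0, -1)]
ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def decode_encoded_command(blob: str) -> str:
    """Turn an -EncodedCommand argument back into script text.

    Two steps, in this order: base64 -> raw bytes, then raw bytes -> text as
    UTF-16LE (Windows code page 1200). Decoding the bytes as UTF-8 instead would
    leave a NUL between every character, the usual sign of the wrong step.
    """
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)          # tolerate padding lost to log truncation
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) % 2:
        raise ValueError("payload has an odd byte count, so it is not UTF-16LE")
    return raw.decode("utf-16-le")


def extract_encoded_commands(command_line: str) -> list:
    """Find every -EncodedCommand style argument in a process command line and decode it."""
    return [decode_encoded_command(m.group(1)) for m in ENC_FLAG.finditer(command_line)]


# Constructed command line as it might appear in a process event's command-line field.
SAMPLE_COMMAND_LINE = (
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + ENCODED
)

if __name__ == "__main__":
    for script in extract_encoded_commands(SAMPLE_COMMAND_LINE):
        print(script)
```

Matching the abbreviated switches matters in practice: attackers rarely write out -EncodedCommand, and an analyst who only searches for that full flag will miss the -e and -enc forms that appear in real command lines.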

Questions

1. What is the name of the account causing all the failed login attempts?

A: service_admin

2. How many failed logon attempts were observed?

A: 6791

3. What is the IP address of Glitch?

A: 10.0.255.1

4. When did Glitch successfully logon to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS

A: Dec 1, 2024 08:54:39.000

5. What is the decoded command executed by Glitch to fix the systems of Wareville?

A: Install-WindowsUpdate -AcceptAll -AutoReboot

Thank you!
