
Day 2: One man's false positive is another man's potpourri.

Tryhackme Advent of Cyber 2024 Day 2 Banner | Credits: Tryhackme

Note:

Hey! Before you go through this writeup, try the task first by yourself, and if you get stuck, come back and check out the writeup.

We have been given access to a SIEM (Security Information and Event Management) platform.

A Security Information and Event Management (SIEM) system aggregates and analyses security data from multiple sources, providing real-time threat detection and response capabilities. It helps organisations centralise log management, correlate events to identify suspicious activity, and maintain compliance with regulatory requirements. By offering actionable insights into potential threats, SIEM tools enhance overall security posture and streamline incident investigation processes.

Log in to the Elastic SIEM with the credentials below and navigate to the “Discover” dashboard from the left-hand side menu.

Username - elastic

Password - elastic

Q: What is the name of the account causing all the failed login attempts?

A: Filter for the time range between 29th November 00:00:00.000 and 1st December 00:00:00.000.

We can create a KQL filter for “event.outcome : failure” and check the “user.name” field for the answer.

Q: How many failed logon attempts were observed?

A: Use the same filters as before and check the number of hits; this is your answer.

Q: What is the IP address of Glitch?

A: We know that Glitch is trying to log in to the machine “ADM-01”, so let’s filter for a successful login.

Let's remove the old KQL filters and filter for

  1. “event.outcome : success”
  2. “host.name : ADM-01”

Add “source.ip” as a “Selected Field”.

The “source.ip” column contains the answer.

Q: When did Glitch successfully logon to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS

A: We can use the same filters as before to get the answer.
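The four questions above are one investigation: restrict the time window, filter on ECS fields such as event.outcome, user.name, host.name and source.ip, and then count or read off the matching documents. The following added example (not part of the original writeup, and not the room's real log data) reproduces that workflow in plain Python over a handful of constructed ECS-style events, so you can see exactly what the KQL filters are doing. All account names, hostnames, IP addresses and timestamps in SAMPLE_EVENTS are placeholders.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events in a simplified ECS layout. These are placeholders,
# not the room's logs; only the field names mirror what Elastic shows.
SAMPLE_EVENTS = [
    # A failure before the window: must be excluded by the time filter.
    {"@timestamp": "2024-11-28T23:59:00.000Z", "event.category": "authentication",
     "event.outcome": "failure", "user.name": "svc_backup", "host.name": "ADM-01",
     "source.ip": "10.0.0.5"},
    {"@timestamp": "2024-11-29T03:10:00.000Z", "event.category": "authentication",
     "event.outcome": "failure", "user.name": "svc_backup", "host.name": "ADM-01",
     "source.ip": "10.0.0.5"},
    {"@timestamp": "2024-11-29T03:10:30.000Z", "event.category": "authentication",
     "event.outcome": "failure", "user.name": "svc_backup", "host.name": "ADM-01",
     "source.ip": "10.0.0.5"},
    {"@timestamp": "2024-11-29T03:11:00.000Z", "event.category": "authentication",
     "event.outcome": "failure", "user.name": "svc_backup", "host.name": "ADM-01",
     "source.ip": "10.0.0.5"},
    {"@timestamp": "2024-11-29T08:00:00.000Z", "event.category": "authentication",
     "event.outcome": "failure", "user.name": "jdoe", "host.name": "WKS-07",
     "source.ip": "10.0.0.9"},
    # The success we are looking for: same account, target host ADM-01.
    {"@timestamp": "2024-11-29T03:12:07.123Z", "event.category": "authentication",
     "event.outcome": "success", "user.name": "svc_backup", "host.name": "ADM-01",
     "source.ip": "10.0.0.5"},
    # A success on a different host: excluded by the host.name filter.
    {"@timestamp": "2024-11-30T09:00:00.000Z", "event.category": "authentication",
     "event.outcome": "success", "user.name": "jdoe", "host.name": "WKS-07",
     "source.ip": "10.0.0.9"},
]

# The time range used in the room: 29 Nov 00:00:00.000 up to (not including) 1 Dec.
WINDOW_START = datetime(2024, 11, 29, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 12, 1, tzinfo=timezone.utc)


def parse_ts(ts: str) -> datetime:
    """Parse an ECS @timestamp such as 2024-11-29T03:12:07.123Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def in_window(event: dict, start=WINDOW_START, end=WINDOW_END) -> bool:
    return start <= parse_ts(event["@timestamp"]) < end


def kql_match(event: dict, criteria: dict) -> bool:
    """Equivalent of several KQL 'field : value' terms ANDed together."""
    return all(event.get(field) == value for field, value in criteria.items())


def search(events, criteria: dict):
    """Apply the time window and the field filters, like the Discover page does."""
    return [e for e in events if in_window(e) and kql_match(e, criteria)]


def failed_logon_count(events) -> int:
    """Q2: the 'hits' count for event.outcome : failure."""
    return len(search(events, {"event.outcome": "failure"}))


def failed_logon_account(events):
    """Q1: the user.name seen most often among the failures, with its count."""
    names = Counter(e["user.name"] for e in search(events, {"event.outcome": "failure"}))
    return names.most_common(1)[0]


def format_kibana_time(ts: datetime) -> str:
    """Render a timestamp as 'MMM D, YYYY HH:MM:SS.SSS', the format the question asks for."""
    return f"{ts.strftime('%b')} {ts.day}, {ts:%Y %H:%M:%S}.{ts.microsecond // 1000:03d}"


def first_successful_logon(events, host: str):
    """Q3/Q4: earliest success on the given host, with source.ip and the formatted time."""
    hits = search(events, {"event.outcome": "success", "host.name": host})
    if not hits:
        return None
    first = min(hits, key=lambda e: parse_ts(e["@timestamp"]))
    return {"source.ip": first["source.ip"], "when": format_kibana_time(parse_ts(first["@timestamp"]))}


if __name__ == "__main__":
    print("failed logons in window:", failed_logon_count(SAMPLE_EVENTS))
    print("noisiest account:", failed_logon_account(SAMPLE_EVENTS))
    print("first success on ADM-01:", first_successful_logon(SAMPLE_EVENTS, "ADM-01"))
```

The one thing worth carrying back to the real SIEM is that the time picker is part of the query: the failure on 28 November is dropped before the field filters ever run, which is why the hit count depends on the window you set in the Discover page.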

Q: What is the decoded command executed by Glitch to fix the systems of Wareville?

A: Based on the story we can use the “event.category : process” filter to narrow the results to PowerShell process creation events.

The PowerShell command line has an “-EncodedCommand” argument carrying a payload.

The payload appears to be base64 encoded.

Using CyberChef we can decode the base64.

The “-EncodedCommand” argument expects UTF-16LE text, so after the base64 step we also need to decode from UTF-16LE; this gives us the answer.
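The two-step decode (base64, then UTF-16LE) is the part that trips people up, because a plain base64 decode of an -EncodedCommand payload produces text with a null byte between every character. The following added example (not part of the original writeup, and using a constructed command line rather than the room's real one) pulls the payload out of a process command line and decodes it the same way CyberChef does. The regex, the helper names and the sample script are assumptions made for this illustration.

```python
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# Longest alternative first so the regex does not stop at a shorter prefix.
ENCODED_ARG_RE = re.compile(
    r"-(?:encodedcommand|encoded|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def encode_powershell_command(script: str) -> str:
    """Build an -EncodedCommand payload the way PowerShell expects: UTF-16LE, then base64.
    Used here only to construct a sample command line for the demonstration."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_payload(command_line: str) -> Optional[str]:
    """Return the base64 blob following an -EncodedCommand style argument, or None."""
    match = ENCODED_ARG_RE.search(command_line)
    return match.group(1) if match else None


def raw_bytes(payload: str) -> bytes:
    """Step 1 only: the bytes CyberChef's 'From Base64' produces. Every other byte is 0x00
    for ASCII text, which is the tell that a UTF-16LE decode is still required."""
    return base64.b64decode(payload, validate=True)


def decode_encoded_command(payload: str) -> str:
    """Step 1 + step 2: base64 decode, then decode the result as UTF-16LE."""
    raw = raw_bytes(payload)
    if len(raw) % 2:
        raise ValueError("UTF-16LE payload must have an even number of bytes")
    return raw.decode("utf-16-le")


def decode_command_line(command_line: str) -> Optional[str]:
    """Convenience wrapper: find and decode the payload in a full process command line."""
    payload = extract_encoded_payload(command_line)
    return decode_encoded_command(payload) if payload is not None else None


if __name__ == "__main__":
    # Constructed sample; the room's real command is not reproduced here.
    sample_script = 'Write-Host "constructed sample"'
    sample_cmdline = f"powershell.exe -NoProfile -EncodedCommand {encode_powershell_command(sample_script)}"
    payload = extract_encoded_payload(sample_cmdline)
    print("base64 only :", raw_bytes(payload))          # shows the interleaved \x00 bytes
    print("full decode :", decode_command_line(sample_cmdline))
```

When you run this, the first print line makes the caveat visible: the base64-only output reads like `W\x00r\x00i\x00t\x00e\x00...`, and only the second decode recovers the script. The same check works in CyberChef by stacking "From Base64" and "Decode text" with UTF-16LE selected.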

Q: If you enjoyed this task, feel free to check out the Investigating with ELK 101 room.

A: No Answer needed!