#1 How many log sources are available?

We can find this information going to Admin > Log Sources.

#2 What is the IDS software used to monitor the network?

In the Log Sources section we can see that the IDS is listed as one of the log sources.

#3 What is the domain name used in the network?

Event ID 4624 in the Windows Event Log indicates a successful logon. The entry contains details such as the username, logon type and source IP address of the logon; the domain name may also be included, depending on the system's configuration.

When we examine the details of one of the logs that resulted from the 4624 search, we can easily find the domain name.

#4 Multiple IPs were communicating with the malicious server. One of them ends with “20”. Provide the full IP.

We can group the events by source IP to see which addresses generated the most communication with the malicious server.

#5 What is the SID of the most frequent alert rule in the dataset?

We can search for ‘sid:’ in the payload using a regular expression.

#6 What is the attacker’s IP address?

In closed offenses, we can observe a suspicious public IP address.

#7 The attacker was searching for data belonging to one of the company’s projects, can you find the name of the project?

#8 What is the IP address of the first infected machine?

If we sort the events in chronological order, a suspicious event stands out.

#9 What is the username of the infected employee using 192.168.10.15?

By applying a filter where the source IP is set to 192.168.10.15, we can locate the first username that logged in.

#10 Hackers do not like logging, what logging was the attacker checking to see if enabled?

Let's search for the initial events the attacker generated; among them we notice a tool commonly used in attacks.

We can also observe that the attacker is using PowerShell to locate project48.

#11 Name of the second system the attacker targeted to cover up the employee?

We can search for files that have been deleted.

#12 When was the first malicious connection to the domain controller (log start time — hh:mm:ss)?

We can identify detected network connections by examining the payloads. The first event shows a connection to the attacker's server at IP address 192.20.80.25 made by a process that should not be making this connection.

#13 What is the md5 hash of the malicious file?

Filtering by the hash returns 10 events. Examining the first event from the infected machine (IP address 192.168.10.15), we find the malicious .docx file with the corresponding hash.

#14 What is the MITRE persistence technique ID used by the attacker?

By searching the logs for MITRE persistence technique references, we can identify which techniques the attacker may have used.

#15 What protocol is used to perform host discovery?

We can obtain this information by examining the outgoing traffic from the initial host that was compromised.

#16 What is the email service used by the company? (one word)

We first searched for traffic to the standard ports of mail services on those IPs, without success, so we examined HTTPS traffic on port 443 instead. After checking on https://viewdns.info, we found that most of the IPs belong to Microsoft, which gives us the answer.

office365

#17 What is the name of the malicious file used for the initial infection?

We located the file using the MD5 hash.

#18 What is the name of the new account added by the attacker?

We can search for the Event ID 4720, which indicates that a user account has been created.

#19 What is the PID of the process that performed injection?

On the infected host, we can search for the creation of processes.

#20 What is the name of the tool used for lateral movement?

It was easy for me to answer this question as I was also involved in Red team activities. You will have a better understanding of what I am referring to when you investigate the Impacket tool.

wmiexec.py

#21 Attacker exfiltrated one file, what is the name of the tool used for exfiltration?

We search for events where there was communication with the attacker.

#22 Who is the other legitimate domain admin other than the administrator?

We can search for event 4672 and view the results as a list of users grouped by username.
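As an added illustration (not part of the original writeup and not the SIEM's own query language), this Python script runs the searches from questions #3, #5, #18 and #22 over a few constructed Windows-event and IDS payload lines; the field names follow the Windows Security log (TargetDomainName, SubjectUserName), while the flattened key=value layout is an assumption about how the SIEM exports events.

```python
import re
from collections import Counter

# Constructed sample events (not records from the investigation) in a flattened key=value form.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=j.doe TargetDomainName=CORP LogonType=3 IpAddress=192.168.10.15",
    "EventID=4624 TargetUserName=svc_backup TargetDomainName=CORP LogonType=5 IpAddress=-",
    "EventID=4672 SubjectUserName=Administrator SubjectDomainName=CORP",
    "EventID=4672 SubjectUserName=it.admin SubjectDomainName=CORP",
    "EventID=4672 SubjectUserName=Administrator SubjectDomainName=CORP",
    "EventID=4720 TargetUserName=support1 SubjectUserName=j.doe SubjectDomainName=CORP",
    'IDS alert msg="ET POLICY Suspicious inbound"; sid:2010935; rev:3;',
    'IDS alert msg="ET POLICY Suspicious inbound"; sid:2010935; rev:3;',
    'IDS alert msg="GPL ICMP echo request"; sid:2100498; rev:7;',
]

KV_RE = re.compile(r"(\w+)=(\S+)")   # one key=value token
SID_RE = re.compile(r"\bsid:(\d+)")  # the 'sid:' payload search from question #5
def parse_kv(line):
    """Turn a flattened Windows event line into a dict of its fields."""
    return dict(KV_RE.findall(line))

def events_with_id(events, event_id):
    """Yield parsed events whose EventID matches, e.g. '4624' for successful logons."""
    for kv in map(parse_kv, events):
        if kv.get("EventID") == event_id:
            yield kv

def logon_domains(events):
    """Domain names seen in successful logons (4624), as in question #3."""
    return sorted({kv["TargetDomainName"] for kv in events_with_id(events, "4624")
                   if "TargetDomainName" in kv})

def most_frequent_sid(events):
    """(sid, count) of the most common IDS rule in the payloads, question #5."""
    counts = Counter(sid for e in events for sid in SID_RE.findall(e))
    return counts.most_common(1)[0] if counts else None

def created_accounts(events):
    """(new account, creator) pairs from account-creation events (4720), question #18."""
    return [(kv["TargetUserName"], kv["SubjectUserName"]) for kv in events_with_id(events, "4720")]

def privileged_logons(events):
    """Logons assigned special privileges (4672), counted per username, question #22."""
    return Counter(kv["SubjectUserName"] for kv in events_with_id(events, "4672"))
if __name__ == "__main__":
    print("domains:", logon_domains(SAMPLE_EVENTS))
    print("top sid:", most_frequent_sid(SAMPLE_EVENTS))
    print("created:", created_accounts(SAMPLE_EVENTS))
    print("privileged:", privileged_logons(SAMPLE_EVENTS))
```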

#23 The attacker used the host discovery technique to find out how many hosts are available in a certain network. What is the network the hacker scanned from host IP 1 to 30?

We can check whether the initially infected device conducted a network scan.

#24 What is the name of the employee who hired the attacker?

While investigating which tool the attacker was using to extract data, we discovered a suspicious .xlsx spreadsheet.