The Advent of Cyber: Day 2: Log Analysis - One Man's False Positive is Another Man's Potpourri (TryHackMe)


In this article, we'll cover the Day 2 challenge of the Advent of Cyber event, Log Analysis: One Man's False Positive is Another Man's Potpourri. It was interesting to navigate the platform and filter events and logs by timestamp, IP address and event category (authentication, process and so on). We're still in Wareville for SOC-mas!

The platform used in this room is Elastic Security, which we use here purely for learning purposes. Elastic Security combines Elastic SIEM, whose detection engine automates threat detection so you can quickly investigate and respond to threats, with Endpoint Security in a single solution that unifies prevention, detection and response across the whole network.

Start the machine within the Day 2 challenge and follow the description and the given steps. In the browser inside the machine, open the URL given for your IP_ADDRESS and sign in with the given username and password. Once on the platform, select Discover and set the date range as guided. It is advisable to expand the machine view (or open the site in a new tab) to get a proper view of the page and filter more comfortably.

Follow the filter options and select the fields that matter for the challenge. In the screenshot below the time range is limited to Dec 1, 2024, from 09:00 to 09:30. Note that the successful logon asked for in question 4 happened at 08:54:39, just before this window, so widen the range when you look for it.

Here the filter is event.category: authentication

Here the filters are source.ip: 10.0.11.11 and user.name: service_admin

Here we remove the source.ip filter so that only user.name: service_admin and event.category: authentication remain

  1. What is the name of the account causing all the failed login attempts? Answer: service_admin

  2. How many failed logon attempts were observed? Answer: 6791

  3. What is the IP address of Glitch? Answer: 10.0.255.1

  4. When did Glitch successfully log on to ADM-01? (Format: MMM D, YYYY HH:MM:SS.SSS) Answer: Dec 1, 2024 08:54:39.000

  5. What is the decoded command executed by Glitch to fix the systems of Wareville? Answer: Install-WindowsUpdate -AcceptAll -AutoReboot

    The command is stored Base64-encoded. In CyberChef, bake it with From Base64 followed by Decode text with UTF-16LE (1200). UTF-16LE is the encoding PowerShell uses for -EncodedCommand, which is why a Base64 decode on its own shows the text with a null byte after every character.
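The whole investigation above, as an added example that is not code from the room or from the original post: it replays the Discover filters (time window, event.category, user.name, source.ip) and the CyberChef decode in Python over a few constructed ECS-style events. The hostnames, IP addresses, timestamps and counts in the sample are invented, and the flattened dotted field names are an assumption about how a Discover export looks; only the decoded command matches the writeup.

```python
# Added example, not part of the TryHackMe room or the original post: an offline replay of the
# Day 2 investigation over constructed ECS-style events, with field names as Kibana Discover
# shows them (@timestamp, event.category, event.outcome, source.ip, user.name, host.name,
# process.command_line). Hosts, IPs, timestamps and counts are invented and are NOT the room's
# data; only the final PowerShell command is the one from the writeup.
from __future__ import annotations
import base64
import json
import re
from collections import Counter
from datetime import datetime, timezone

def parse_ts(value: str) -> datetime:
    """Parse an ECS @timestamp such as 2024-12-01T09:05:12.000Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def kibana_time(dt: datetime) -> str:
    """Render a timestamp in the room's answer format: MMM D, YYYY HH:MM:SS.SSS (UTC)."""
    dt = dt.astimezone(timezone.utc)
    return f"{dt.strftime('%b')} {dt.day}, {dt.year} {dt.strftime('%H:%M:%S')}.{dt.microsecond // 1000:03d}"

def encode_powershell(cmd: str) -> str:
    """What PowerShell expects after -EncodedCommand: Base64 over UTF-16LE text (used only to build the sample)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

def naive_base64_decode(b64: str) -> bytes:
    """'From Base64' alone: every character is followed by a 0x00 byte because the text is UTF-16LE."""
    return base64.b64decode(b64, validate=True)

def decode_powershell(b64: str) -> str:
    """The CyberChef recipe in code: From Base64, then Decode text (UTF-16LE, code page 1200)."""
    return naive_base64_decode(b64).decode("utf-16-le")

ENCODED = encode_powershell("Install-WindowsUpdate -AcceptAll -AutoReboot")

# Constructed sample log: newline-delimited JSON, one event per line, as a Discover export might look.
SAMPLE_NDJSON = "\n".join(json.dumps(ev) for ev in [
    {"@timestamp": "2024-12-01T08:54:39.000Z", "event.category": "authentication", "event.outcome": "success",
     "source.ip": "10.0.255.1", "user.name": "service_admin", "host.name": "ADM-01"},
    {"@timestamp": "2024-12-01T08:55:02.000Z", "event.category": "process", "host.name": "ADM-01",
     "user.name": "service_admin", "process.command_line": f"powershell.exe -NoProfile -EncodedCommand {ENCODED}"},
    {"@timestamp": "2024-12-01T09:10:00.000Z", "event.category": "authentication", "event.outcome": "success",
     "source.ip": "10.0.1.5", "user.name": "alice", "host.name": "WKS-02"},
] + [  # a burst of failed logons for service_admin from one source inside 09:00-09:30
    {"@timestamp": f"2024-12-01T09:0{i}:15.000Z", "event.category": "authentication", "event.outcome": "failure",
     "source.ip": "10.0.11.11", "user.name": "service_admin", "host.name": "ADM-01"} for i in range(5)
])

def load_ndjson(text: str) -> list[dict]:
    """Parse newline-delimited JSON into event dicts, sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda ev: ev["@timestamp"])

def in_window(events: list[dict], start: str, end: str) -> list[dict]:
    """The Discover date picker: keep events with start <= @timestamp < end."""
    s, e = parse_ts(start), parse_ts(end)
    return [ev for ev in events if s <= parse_ts(ev["@timestamp"]) < e]

def where(events: list[dict], **fields: str) -> list[dict]:
    """Field filter pills; '__' stands for the ECS dot, so where(evs, user__name="service_admin")
    is the KQL query user.name: "service_admin"."""
    wanted = {k.replace("__", "."): v for k, v in fields.items()}
    return [ev for ev in events if all(ev.get(k) == v for k, v in wanted.items())]

def failed_logons_by_user(events: list[dict]) -> Counter:
    """Q1/Q2: which account drives the failures, and how many."""
    return Counter(ev["user.name"] for ev in where(events, event__category="authentication", event__outcome="failure"))

def sources_for_user(events: list[dict], user: str) -> Counter:
    """Q3: with the source.ip pill removed, every source IP that authenticated as this account."""
    return Counter(ev["source.ip"] for ev in where(events, event__category="authentication", user__name=user))

def first_successful_logon(events: list[dict], user: str, host: str) -> str | None:
    """Q4: earliest successful logon of user on host, or None if it is outside the current set."""
    hits = where(events, event__category="authentication", event__outcome="success", user__name=user, host__name=host)
    return kibana_time(parse_ts(min(ev["@timestamp"] for ev in hits))) if hits else None

# -EncodedCommand may be abbreviated to any unambiguous prefix; -e, -ec and -enc are the common ones.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decoded_commands(events: list[dict]) -> list[tuple[str, str]]:
    """Q5: find process events carrying a PowerShell encoded command and decode each one."""
    out = []
    for ev in where(events, event__category="process"):
        m = ENC_RE.search(ev.get("process.command_line", ""))
        if m:
            try:
                out.append((ev["host.name"], decode_powershell(m.group(1))))
            except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
                out.append((ev["host.name"], "<payload is not UTF-16LE Base64>"))
    return out

if __name__ == "__main__":
    evs = load_ndjson(SAMPLE_NDJSON)
    window = in_window(evs, "2024-12-01T09:00:00Z", "2024-12-01T09:30:00Z")
    print(failed_logons_by_user(window).most_common(1), sources_for_user(evs, "service_admin"))
    print(first_successful_logon(window, "service_admin", "ADM-01"), first_successful_logon(evs, "service_admin", "ADM-01"))
    print(decoded_commands(evs))
```

Run as a script it walks the five questions in order. Two details mirror what you see in Discover: with the 09:00 to 09:30 window applied, `first_successful_logon` returns `None` because the (constructed) success at 08:54:39 lies before the window, and `naive_base64_decode` returns the text interleaved with null bytes, which is why the second CyberChef step is needed.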

Thank you for reading through this article. You can leave a comment with your thoughts, suggestions for improvement or questions, if any. Till the next one, stay secure!

Support Sharon Jebitok by becoming a sponsor. Any amount is appreciated!