# SOC ALPHA 2

**Scenario:** You are provided with use-cases to conduct some proactive searches in ELK. Answer the following questions by using the information provided in README.txt.

ELK should start within 5 minutes; if it does not, start the elasticsearch, kibana and logstash services from the terminal.

**Tools:** ELK | LogAnalysis | Network Analysis

## Q1) Hunt 1 (1/3) - What is the IP address from which the suspicious brute force traffic is seen? (Format: X.X.X.X)

README.txt shows us that the logs associated with the first hunt (Brute Force Detected) can be found in the *winevent-security* index pattern. To investigate brute force traffic, we can look for failed logons (Windows Security Event ID 4625, "An account failed to log on") by filtering for `Event_System_EventID: 4625`. We can identify the attacker's IP address by looking at the values of the *Event\_EventData\_IpAddress* field. For the filtered logs there is only one IP address, and it accounts for every failed attempt:

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/5VaLKC9Kx2y4tfhFnhAL/q1.png" alt=""><figcaption><p>Source IPs of failed login attempts</p></figcaption></figure>

### Answer

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/pUl3iVQGR0ylGTABM2Vo/a1.png" alt=""><figcaption><p>Q&#x26;A 1</p></figcaption></figure>

## Q2) Hunt 1 (2/3) - What is the observed logon type? (Format: Logon Type Name)

Looking at the same logs as in Q1, we can find the logon type of the attempts by checking the top values of the *Event\_EventData\_LogonType* field. All of the failed logons carry the value 3, which is the Network logon type (the type recorded for remote authentication to a share or service, as opposed to an interactive session), which fits a brute force coming over the network:

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/nLtsDnsq1TvFXlUrctm7/q2.png" alt=""><figcaption><p>Logon types of failed login attempts</p></figcaption></figure>

### Answer

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/iPn9imlzT9j1jYPiVFEN/a2.png" alt=""><figcaption><p>Q&#x26;A 2</p></figcaption></figure>

## Q3) Hunt 1 (3/3) - What is the time of the first successful logon after the brute force? (Format: DD-MM-YYYY hh:mm:ss)

To find the first successful logon of the attacker, we need to filter for successful logons (Event ID 4624) originating from the attacker's IP address: `Event_EventData_IpAddress: 192.18.1.20 AND Event_System_EventID: 4624`. This filter gives us only one hit, which is the successful logon that follows the burst of failures; its timestamp is the answer (note that Kibana displays timestamps in the browser's local time zone, so check the Kibana setting before converting to the requested format):

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/f7BDmAVt7O58AKnNUrpM/q3.png" alt=""><figcaption><p>Successful logins originating from attacker's IP</p></figcaption></figure>
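The whole of Hunt 1 can be expressed as a small piece of detection logic rather than three manual Kibana filters. The following is an added example, not code from the write-up or from the lab: it runs over a handful of constructed events that use the same flattened field names the write-up filters on (`Event_System_EventID`, `Event_EventData_IpAddress`, `Event_EventData_LogonType`); the attacker IP is the one the write-up identifies, everything else (timestamps, user names, the 127.0.0.1 console logon) is made up for the example, and the 10-failures-in-5-minutes threshold is an assumption, not a lab setting.

```python
"""Hunt 1 as code: brute force source, observed logon type, first success after it.
Added example; sample events are constructed, not the lab's records."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

T0 = datetime(2020, 1, 1, 9, 0, 0)  # arbitrary constructed start time

# Constructed sample: 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    {"@timestamp": T0 + timedelta(seconds=i),
     "Event_System_EventID": 4625,
     "Event_EventData_IpAddress": "192.18.1.20",   # IP from the write-up
     "Event_EventData_LogonType": 3,
     "Event_EventData_TargetUserName": "administrator"}
    for i in range(25)
] + [
    {"@timestamp": T0 + timedelta(seconds=30),    # success after the burst
     "Event_System_EventID": 4624,
     "Event_EventData_IpAddress": "192.18.1.20",
     "Event_EventData_LogonType": 3,
     "Event_EventData_TargetUserName": "administrator"},
    {"@timestamp": T0 + timedelta(seconds=5),     # benign local logon, must not be flagged
     "Event_System_EventID": 4624,
     "Event_EventData_IpAddress": "127.0.0.1",
     "Event_EventData_LogonType": 2,
     "Event_EventData_TargetUserName": "bob"},
]

# Windows logon type codes as documented for Event ID 4624/4625.
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
                    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
                    10: "RemoteInteractive", 11: "CachedInteractive"}


def brute_force_sources(events, threshold=10, window=timedelta(minutes=5)):
    """Q1: {ip: total failures} for every IP with >= threshold 4625s inside
    any sliding window of length `window` (threshold/window are assumptions)."""
    fails = defaultdict(list)
    for e in events:
        if e["Event_System_EventID"] == 4625:
            fails[e["Event_EventData_IpAddress"]].append(e["@timestamp"])
    hits = {}
    for ip, ts in fails.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(ts)
                break
    return hits


def observed_logon_type(events, ip):
    """Q2: most common LogonType among failed logons from `ip`, as a name."""
    counts = Counter(e["Event_EventData_LogonType"] for e in events
                     if e["Event_System_EventID"] == 4625
                     and e["Event_EventData_IpAddress"] == ip)
    code = counts.most_common(1)[0][0]
    return LOGON_TYPE_NAMES.get(code, str(code))


def first_success_after(events, ip):
    """Q3: first 4624 from `ip` after its first 4625, as DD-MM-YYYY hh:mm:ss."""
    first_fail = min(e["@timestamp"] for e in events
                     if e["Event_System_EventID"] == 4625
                     and e["Event_EventData_IpAddress"] == ip)
    wins = sorted(e["@timestamp"] for e in events
                  if e["Event_System_EventID"] == 4624
                  and e["Event_EventData_IpAddress"] == ip
                  and e["@timestamp"] > first_fail)
    return wins[0].strftime("%d-%m-%Y %H:%M:%S") if wins else None


if __name__ == "__main__":
    for ip in brute_force_sources(SAMPLE_EVENTS):
        print(ip, observed_logon_type(SAMPLE_EVENTS, ip),
              first_success_after(SAMPLE_EVENTS, ip))
```

The sliding window matters in practice: a raw count of 4625s per IP over the whole index also flags noisy service accounts, whereas the burst-within-a-window test is what separates a brute force from background failures. Correlating the 4624 on the same source IP (and ideally the same `TargetUserName`) is what turns "brute force detected" into "brute force succeeded".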

### Answer

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/9Lvpe8VjccybdxzYuY7W/a3.png" alt=""><figcaption><p>Q&#x26;A 3</p></figcaption></figure>

## Q4) Hunt 2 (1/2) - What is the full command used for bypassing the defender scan on the malicious file? (Format: powershell.exe ... Full Command (Do not include the file path))

Logs associated with the second hunt (Windows Defender Bypass) can be found in the *winevent-powershell* index pattern. To find the command used for bypassing the Defender scan, I searched for a couple of keywords. The first was "\*bypass\*", which returned multiple hits for logs containing a command that bypasses the PowerShell execution policy. While that is still an interesting finding, it is not what the question is asking for: the execution policy is not a security boundary and has nothing to do with Defender scanning.

The second keyword I searched for was "\*exclusion\*", and this gave me the answer to the question: a command that excludes the path of the malicious file from being scanned by Defender. (In a real environment a free-text keyword is a brittle hunt; searching the script block text for the Defender preference cmdlets themselves, `Add-MpPreference` and `Set-MpPreference`, catches the same tampering regardless of wording.)

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/NLGvnZUgqkxZzSzprrkI/q4.png" alt=""><figcaption><p>Filtering for *exclusion* to find the command used for bypassing Defender</p></figcaption></figure>

### Answer

*NOTE: The question asks for the full command EXCLUDING THE FILE PATH.*

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/hN8MITZ35bFx7HZ7e34r/a4.png" alt=""><figcaption><p>Q&#x26;A 4</p></figcaption></figure>

## Q5) Hunt 2 (2/2) - What is the filename of the malicious application? (Format: filename.extension)

Looking at the same log as in Q4, we can find the malicious filename at the very end of the command, as the last element of the path passed to the exclusion parameter:

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/Y0X1qstyGC1Ykq0LHXoR/q5.png" alt=""><figcaption><p>Malicious filename found in the executed command</p></figcaption></figure>
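The Q4 and Q5 steps (find the Defender-tampering command, strip the path, pull the filename) are the kind of thing worth automating once the hunt has been done by hand. The following is an added example, not the write-up's code and not the lab's real command: the four script-block strings are constructed to look like the contents of the *winevent-powershell* index, and `payload.exe`, `setup.ps1` and the paths are placeholders.

```python
"""Hunt 2 as code: spot Defender tampering in PowerShell script block text and
report the command in the Q4 (no path) and Q5 (filename only) formats.
Added example; sample script blocks are constructed."""
import re
from pathlib import PureWindowsPath

# Constructed script-block contents. Only the second and fourth tamper with Defender.
SAMPLE_SCRIPTBLOCKS = [
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\setup.ps1",
    "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\Public\\Downloads\\payload.exe",
    "Get-ChildItem C:\\Windows\\Temp",
    "powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true",
]

# Defender preference cmdlets and the parameters that weaken scanning. A keyword
# hunt for "*exclusion*" only finds the first family; the others matter too.
DEFENDER_TAMPER = re.compile(
    r"(Add|Set)-MpPreference\s+-(ExclusionPath|ExclusionExtension|ExclusionProcess"
    r"|DisableRealtimeMonitoring|DisableIOAVProtection|DisableBehaviorMonitoring)",
    re.IGNORECASE)

# A Windows path argument: drive letter, backslash-separated, ends at whitespace/quote.
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s\"']+")


def find_defender_tampering(blocks):
    """Return the script blocks that change Defender preferences."""
    return [b for b in blocks if DEFENDER_TAMPER.search(b)]


def command_without_path(block):
    """Q4 format: the command with its file-path argument removed."""
    return WIN_PATH.sub("", block).rstrip()


def excluded_filename(block):
    """Q5 format: filename.extension of the path passed to the cmdlet, if any."""
    m = WIN_PATH.search(block)
    return PureWindowsPath(m.group(0)).name if m else None


if __name__ == "__main__":
    for hit in find_defender_tampering(SAMPLE_SCRIPTBLOCKS):
        print(command_without_path(hit), "|", excluded_filename(hit))
```

`PureWindowsPath` is used deliberately so the filename split works on Windows-style paths even when the hunt runs on a Linux analysis box, which is where an ELK export usually ends up.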

### Answer

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/v3FDIoaWwA2Ppg5XxOuC/a5.png" alt=""><figcaption><p>Q&#x26;A 5</p></figcaption></figure>

## Q6) Hunt 3 (1/2) - What is the domain name? (Format: domain.tld)

Logs associated with the third hunt (WannaCry KillSwitch Domain) can be found in the *sysmon* index pattern. To find the kill switch domain, I filtered for Sysmon Event ID 22, which records DNS queries (DnsQuery): `Event_System_EventID: 22`. Then I checked the top values of the *Event\_EventData\_QueryName* field, and the second value is a long, random-looking domain name that stands out from the rest:

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/wfy4WyXSQTyG0Y5NUMA1/q6.png" alt=""><figcaption><p>WannaCry kill switch domain found in the DNS logs</p></figcaption></figure>

### Answer

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/kE2LxyYsroZURYcHZASb/a6.png" alt=""><figcaption><p>Q&#x26;A 6</p></figcaption></figure>

## Q7) Hunt 3 (2/2) - What is the Execution ProcessID and ThreadID? (Format: pid, tid)

If we filter for the above domain, we can find the Execution Process ID and Thread ID in the *Event\_System\_Execution\_#attributes\_ProcessID* and *Event\_System\_Execution\_#attributes\_ThreadID* fields. These come from the `<Execution>` element in the System section of the event XML, so they identify the process that wrote the record (the Sysmon service), not the process that made the DNS query; the querying process is recorded separately in *Event\_EventData\_ProcessId* and *Event\_EventData\_Image*. The question asks for the Execution values:

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/tDHerD4zrULXGdwnodvP/q7.png" alt=""><figcaption><p>Execution PID and TID found in the DNS logs</p></figcaption></figure>
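The distinction between the System-level Execution attributes and the EventData process fields is easiest to see by parsing a Sysmon DnsQuery record and flattening it into the field names used in the write-up's *sysmon* index. The following is an added example, not the write-up's code: the event XML is constructed for the example, and the domain, host name, PIDs, TIDs and paths in it are placeholders rather than the lab's data (only the Sysmon provider name and GUID are real). The `Event_System_*` / `Event_EventData_*` / `#attributes` naming is assumed to follow the convention visible in the write-up's screenshots.

```python
"""Parse a Sysmon Event ID 22 (DnsQuery) record and flatten it the way the
write-up's index names its fields. Added example; the XML is constructed."""
import xml.etree.ElementTree as ET

SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"/>
    <EventID>22</EventID>
    <Execution ProcessID="2468" ThreadID="3140"/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>host01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="UtcTime">2020-01-01 09:01:02.345</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="ProcessId">5012</Data>
    <Data Name="QueryName">www.killswitch-placeholder.example</Data>
    <Data Name="QueryStatus">9003</Data>
    <Data Name="QueryResults"></Data>
    <Data Name="Image">C:\\Users\\Public\\dropper.exe</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def flatten_event(xml_text):
    """Flatten one event into Event_System_* and Event_EventData_* keys.
    XML attributes get the '#attributes' infix, as in the write-up's fields."""
    root = ET.fromstring(xml_text)
    fields = {}
    for el in root.find("e:System", NS):
        tag = el.tag.split("}")[1]          # strip the namespace
        if el.text and el.text.strip():
            fields[f"Event_System_{tag}"] = el.text.strip()
        for attr, val in el.attrib.items():
            fields[f"Event_System_{tag}_#attributes_{attr}"] = val
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        fields[f"Event_EventData_{d.get('Name')}"] = (d.text or "").strip()
    return fields


def dns_query_summary(xml_text):
    """For an Event ID 22: the queried name (Q6), the Execution PID/TID the
    question asks for (Q7), and the client process that really made the query."""
    f = flatten_event(xml_text)
    if f.get("Event_System_EventID") != "22":
        return None
    return {
        "query": f["Event_EventData_QueryName"],
        # System/Execution: the process that logged the record (the Sysmon service).
        "execution": (int(f["Event_System_Execution_#attributes_ProcessID"]),
                      int(f["Event_System_Execution_#attributes_ThreadID"])),
        # EventData: the process that actually issued the DNS query.
        "client_pid": int(f["Event_EventData_ProcessId"]),
        "image": f["Event_EventData_Image"],
    }


if __name__ == "__main__":
    s = dns_query_summary(SAMPLE_EVENT_XML)
    print(s["query"], "| execution pid,tid:", s["execution"],
          "| client pid:", s["client_pid"], s["image"])
```

When triaging a real kill-switch lookup, the `client_pid` and `image` values are what lead to the malware binary; the Execution PID/TID only tell you which Sysmon instance wrote the line.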

### Answer

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/tBOs6eU5fMDk8DwI7J4l/a7.png" alt=""><figcaption><p>Q&#x26;A 7</p></figcaption></figure>

## Q8) Hunt 4 (1/1) - What is the full path of the exe used for dumping password? (Format: C:\path\to\file.extension)

For the fourth hunt (Password Dumping), we stay in the *sysmon* index pattern. To find the .exe used for dumping passwords, I tried filtering for "mimikatz", as it is the best-known credential-dumping tool. Sysmon records the full path of a started executable in the *Image* field of its process-creation events (Event ID 1), which is the value the question's format asks for:

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/k3ASS96CTrEz0MuEElxt/q8.png" alt=""><figcaption><p>Filtering for "mimikatz"</p></figcaption></figure>
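Filtering on the string "mimikatz" works in this lab because the binary was left with its original name. The following added example (not the write-up's code) shows the same hunt over constructed, flattened Sysmon Event ID 1 records, and contrasts the filename-only search with one that also checks the PE metadata Sysmon captures (`OriginalFileName`, `Description`) and the `module::command` syntax on the command line, which survive a rename. All three records, their paths and their command lines are made up for the example.

```python
"""Hunt 4 as code: find the credential-dumping executable in Sysmon Event ID 1
records. Added example; the sample events are constructed."""
import re

SAMPLE_PROCESS_EVENTS = [
    {"Event_System_EventID": 1,
     "Event_EventData_Image": "C:\\Windows\\System32\\notepad.exe",
     "Event_EventData_OriginalFileName": "NOTEPAD.EXE",
     "Event_EventData_Description": "Notepad",
     "Event_EventData_CommandLine": "notepad.exe"},
    {"Event_System_EventID": 1,
     "Event_EventData_Image": "C:\\Users\\Public\\mimikatz.exe",
     "Event_EventData_OriginalFileName": "mimikatz.exe",
     "Event_EventData_Description": "mimikatz for Windows",
     "Event_EventData_CommandLine":
         "mimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"},
    # Renamed copy: a filename search misses it, but the PE version info and the
    # module syntax on the command line still give it away.
    {"Event_System_EventID": 1,
     "Event_EventData_Image": "C:\\Windows\\Temp\\svchost64.exe",
     "Event_EventData_OriginalFileName": "mimikatz.exe",
     "Event_EventData_Description": "mimikatz for Windows",
     "Event_EventData_CommandLine": "svchost64.exe \"sekurlsa::logonpasswords\""},
]

# mimikatz addresses its modules as module::command; these are the usual ones.
MIMIKATZ_MODULES = re.compile(r"\b(sekurlsa|lsadump|kerberos|privilege)::", re.IGNORECASE)


def filename_search(events, needle="mimikatz"):
    """The write-up's approach: match the keyword against the image path only."""
    return [e["Event_EventData_Image"] for e in events
            if needle in e["Event_EventData_Image"].lower()]


def credential_dump_hunt(events):
    """Image paths flagged by image name, PE OriginalFileName/Description,
    or mimikatz module syntax on the command line."""
    hits = []
    for e in events:
        if e["Event_System_EventID"] != 1:
            continue
        metadata = " ".join(e.get(k, "") for k in (
            "Event_EventData_Image", "Event_EventData_OriginalFileName",
            "Event_EventData_Description"))
        cmdline = e.get("Event_EventData_CommandLine", "")
        if "mimikatz" in metadata.lower() or MIMIKATZ_MODULES.search(cmdline):
            hits.append(e["Event_EventData_Image"])
    return hits


if __name__ == "__main__":
    print("filename only:", filename_search(SAMPLE_PROCESS_EVENTS))
    print("metadata + cmdline:", credential_dump_hunt(SAMPLE_PROCESS_EVENTS))
```

In Kibana the equivalent is to search the keyword across `Event_EventData_OriginalFileName` and `Event_EventData_Description` as well as `Event_EventData_Image`, and to add a second query on the module syntax in `Event_EventData_CommandLine`; both depend on the Sysmon configuration actually logging Event ID 1 with hashes and version information enabled.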

### Answer

<figure><img src="https://content.gitbook.com/content/q52eW9QvkXRUpE7e6Tnn/blobs/IqDpRrHr72LSTvx8TOPs/a8.png" alt=""><figcaption><p>Q&#x26;A 8</p></figcaption></figure>
