TryHackMe - Advent of Cyber 2024 Day 2


Happy December 2nd, we’re back at it again for Day 2 of TryHackMe’s Advent of Cyber event! I posted about yesterday’s challenge for Day 1; if you want to get caught up on the event or you’re not super familiar with it, I explain it some more over there. Again, to go along with the holiday season and this event of daily challenges, I’m going to try my best to complete the new challenge each day, and some days I might post a writeup here, like I am again today. This won’t be a daily thing, as each day’s challenge is very long and I am fast approaching finals week, but I’ll post here when possible. Today isn’t a super long walkthrough, but let’s get into the challenge!


Day 2: One man's false positive is another man's potpourri.

Today’s challenge focuses on:

  • Log analysis

  • Making the decision between True Positives or False Positives

  • Helping Wareville’s SOC team differentiate TPs from FPs.

Read through the provided info in the task to learn more about True Positives, False Positives and Security Operations Center (SOC) analysts.

Hit the start machine button and give it about five minutes to initialize before accessing the URL; if you go to it right away you will be met with a 502 Forbidden error. After about five minutes, you should be able to access the Elastic login page. Use the provided credentials to gain access and you are ready to begin. Once you are in, it might be a lot to take in if you have never seen a similar application, so follow along with TryHackMe’s steps to learn how to navigate the site, change the date and time range of the logs, look at the specific details of each log, and apply filters. The main areas of focus for information will be the bar graph showing system activity and the columns below it showing the details of each log.

THM does a very good job in today’s challenge of explaining step by step what you are doing and why those steps matter. It even shows where to find the answers to today’s questions without revealing the actual answers, and it introduces one of my favourite tools, CyberChef. If you need help with the challenge, read through all the info they provide, as it breaks everything down really nicely.

Questions

Question 1: What is the name of the account causing all the failed login attempts?

Filtering for the event.outcome is failure will show failed login attempts and reveal the account.

Question 2: How many failed logon attempts were observed?

Keeping the same filter as above, the hits are listed just below the filter and in the top left corner of the chart. This is the number of logs counted within the selected timeframe. The timeframe I have set is from Nov 29, 2024 00:00 to Dec 1, 2024 09:30.

Question 3: What is the IP address of Glitch?

Setting our filters to user.name is service_admin, event.category is authentication, and event.outcome is not failure will give us a very short list of 11 successful login attempts. Looking through the list of IPs will reveal one IP that stands out from the rest, with a hostname that is also different from the common “WareHost-#”. This reveals Glitch’s IP address.

Question 4: When did Glitch successfully logon to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS

Looking closer at the log from the last question that revealed the IP will also show the successful logon time under the Time column.

Question 5: What is the decoded command executed by Glitch to fix the systems of Wareville?

Removing the filter event.category is authentication will show some new logs for processes. Looking closely at process.command_line will reveal “-EncodedCommand” followed by a string of characters. Copying that string into something like CyberChef will help us decode it and reveal the command. As stated in the room, it looks to be Base64, so that is what we are going to use to decode it. After using “From Base64” you can either decode it further to make it more readable or just read between all the “NUL” characters in the output, which reveals the command. The NULs appear because PowerShell encodes the command as UTF-16LE before Base64-encoding it, so every ASCII character is followed by a zero byte.

Question 6: If you enjoyed this task, feel free to check out the Investigating with ELK 101 room.


Conclusion

This challenge was a great start for learning more about True Positives and False Positives, and getting the chance to practice differentiating between the two. Introducing users to tools like CyberChef and Elastic is also great because they really walk you through how to use an application like Elastic. And it was a nice simple introduction to what a tool like CyberChef can do without it overtaking the main point of the room which was log analysis. I’m looking forward to the challenge tomorrow!