Recent Discussions
Sentinel Labs
My team and I have been encountering a few peculiar issues with the Microsoft Azure Sentinel based labs (KQL, Sentinel Blue Team Ops, Sentinel SOAR, etc.) where correct answers do not appear to be getting accepted. My team and I have even gone back to try solving previously completed labs and found that the answers/methods used to solve the labs do not seem to work. Have there been any issues/problems identified/reported with this style of lab?

1 like, 3 Comments

WinDbg: Ep.5 – Kernel Internals
Question 9: Looking at the system process and the !token command, what is the User field?

What I did:

    [...]
    lkd> !process 0 0
    **** NT ACTIVE PROCESS DUMP ****
    PROCESS ffffdf0609685200
        SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
        DirBase: 001aa002  ObjectTable: ffffc8001ac04d40  HandleCount: 1895.
        Image: System
    lkd> dt nt!_eprocess ffffdf0609685200
    [...]
    lkd> !token
    Thread is not impersonating. Using process token...
    _EPROCESS 0xffffdf060f46e080, _TOKEN 0x0000000000000000
    TS Session ID: 0x2
    User: S-1-5-21-926794839-1820024918-4247477861-500

Is it possible the lab was migrated to a new OS? Or what am I missing here?

Solved, 1 like, 4 Comments

APT29 Threat Hunting with Elasticsearch: Ep.5 – LNK File Analysis - Tools?
I was able to complete Ep. 1-4 without much difficulty because I have previous experience with Elasticsearch. But this lab feels like getting pushed into the deep end with no floaties. Not only is this lab not related at all to Elasticsearch, but I don't see any links to the suite of tools that I am supposed to know about (Ghidra, procmon, HxD?) in order to decode and analyze malware. Did I miss the prerequisites for this series? I am trying to find a path forward. I don't know where to start with this lab. I have been poking around for a while, but it hasn't been productive. Are there supporting labs that I should consider completing first? And if so, can the course material be updated to reflect this?

0 likes, 1 Comment

WinDbg: Ep.3 – Debugging Malware
The briefing says:

    [...]
    bp kernel32!LoadLibraryA ".printf \"Loading Library: %ma\",poi(esp+0x4);.echo;g"
    bp kernel32!GetProcAddress ".printf \"\t Looking up function: %ma\",poi(esp+0x8);.echo;g"
    bp advapi32!CreateServiceW ".printf \"Creating Service: \";.echo;.printf \"\tService Name: %mu\",poi(esp+0x4);.echo;.printf \"\tDisplay Name: %mu\",poi(esp+0x8);.echo;g"
    [...]

Yet, none of these work. The OS was updated, the instructions were not.

Fix:

    bp KernelBase!LoadLibraryA
    bp KernelBase!GetProcAddress
    bp sechost!CreateServiceW

Solved, 1 like, 1 Comment

Ransomware: Annabelle Entry Point
I am attempting to solve the question in the Ransomware: Annabelle lab that goes as follows: "Review the ransomware sample in Ghidra. What is the memory address for the entry point of this export?" Under the symbol tree I navigate to the entry point and see that the value is 1400000b0, yet this doesn't appear to be the correct answer. Can someone point me in the right direction? See screenshot below:

Solved, 0 likes, 1 Comment

Systems Manager: Run Command (AWS)
Hi, I am attempting to complete the Systems Manager: Run Command lab and successfully run the commands (both turn green). It mentions there should be a token output from the second command, but the commands fail each time. Is there anywhere else I should be looking to get the token and/or successfully run the command?

3 likes, 3 Comments

Introduction to Detection Engineering: Ep.5 – Custom Alerting
Struggling to get the token for this one. Got the Python script working (I think?) - it's generating alerts into Elastic, without replaying duplicates. But I get the select LatMov events - then wait and wait - before eventually getting:

    @timestamp      <actual timestamp here>
    alert_message   Not all instances of lateral movement detected. Please restart the lab to try again.
    _id             7qvVgpMBEQ2Wr4UXppEV
    _index          custom_alert_index
    _score          -

Sometimes I don't even get that, just a handful of events, then the lab expires. Is there any more detailed guidance on this lab? Feels like the guidance was written at 4:59pm on Friday, if you know what I mean 😂 Also a bit confused: the guidance says to play around with the sleep() function, as it describes the "WAIT_TIME_MINUTES" - fairly sure it's actually seconds? Unless IL have written their own custom 'time' module?

Solved, 1 like, 2 Comments