Need help: Endace: Ep.3 – Elastic Integration Scenario
I stumbled upon this lab after my holidays and I was able to solve all questions except:
So far I was able to follow the path from the first user, over to the second user and the service installation, priv. escalation, base64 decodings, pwd changes on domain controllers, etc.
Problem 1: I can't find any named pipe for Q15. Not in Elastic (and I'm checking all data sources there) nor in the Wireshark dump/Endace GUI.
Problem 2: When I download files via "Extract File" in the Send option I don't get any files (even when I take the whole timeline (~1h)). I can download the logs and see some stuff in there, but not one single file will help me to answer Q16.
So, does anyone have an idea where to look? (Or is the lab development not yet finished?)
-steven
Hey Steven! Hope you're well. I've had a quick run through the lab and to your points above:
1. I was able to find the named pipe, but not in Elastic. The SIEM isn't collecting Sysmon logs (or something else that would show named pipe creation) - but using Endace I could find the pipe name.
2. I did find that on my first attempt this didn't seem to play nicely for me, but after restarting the lab and waiting 5 mins (cup of tea time), I came back to that last question and followed the process without issue. I haven't worked out if it was a Layer 8 problem (me) or if something else was happening, but we are looking into this now.
Because this is a challenge lab, we don't usually give out too much information, but please reply here if you have further problems. I was able to complete the lab however.
Our Endace expert has travelled to the APAC region this week, so waiting for them to resurface later today to help troubleshoot.
UPDATE: With a little more analysis, I did notice that when you follow the stream reference link in Elastic to Endace, a little bit of patience is needed to allow the stream to load and the initial analysis to be done, otherwise trying to run the post-process action straight away can make Endace misbehave? We will continue to look at this and see if we can make any improvements.
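The reply above notes that the lab's SIEM is not collecting Sysmon, which is the host-side source that would record named pipe creation (Sysmon Event ID 17, PipeEvent created) and connection (Event ID 18, PipeEvent connected). The following is an added example, not part of this thread or the lab, showing how such events look once they are collected and how a defender would pull the pipe names out of them. The XML records, the image paths, the pipe name `\labpipe01` and the trusted-directory list are all constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Sysmon events are written under the standard Windows event schema namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon event IDs for named-pipe telemetry.
PIPE_CREATED = "17"    # PipeEvent (Pipe Created)
PIPE_CONNECTED = "18"  # PipeEvent (Pipe Connected)

# Constructed sample records in EVTX XML form (not from the lab): one
# process-creation event that must be ignored, a pipe created by the print
# spooler, a pipe created by a binary under a user's Temp directory, and a
# connection to that second pipe.
SAMPLE_EVENTS = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData><Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>17</EventID></System>
  <EventData>
    <Data Name="EventType">CreatePipe</Data>
    <Data Name="UtcTime">2024-01-01 10:00:00.000</Data>
    <Data Name="ProcessId">1234</Data>
    <Data Name="PipeName">\\spoolss</Data>
    <Data Name="Image">C:\\Windows\\System32\\spoolsv.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>17</EventID></System>
  <EventData>
    <Data Name="EventType">CreatePipe</Data>
    <Data Name="UtcTime">2024-01-01 10:05:00.000</Data>
    <Data Name="ProcessId">5678</Data>
    <Data Name="PipeName">\\labpipe01</Data>
    <Data Name="Image">C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>18</EventID></System>
  <EventData>
    <Data Name="EventType">ConnectPipe</Data>
    <Data Name="UtcTime">2024-01-01 10:05:02.000</Data>
    <Data Name="ProcessId">910</Data>
    <Data Name="PipeName">\\labpipe01</Data>
    <Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
  </EventData>
</Event>
"""


def parse_pipe_events(xml_text):
    """Return one dict per Sysmon pipe event (IDs 17 and 18); other IDs are skipped."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", namespaces=NS)
        if event_id not in (PIPE_CREATED, PIPE_CONNECTED):
            continue
        # EventData is a flat list of <Data Name="..."> elements; turn it into a dict.
        fields = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "event_id": event_id,
            "time": fields.get("UtcTime", ""),
            "pipe": fields.get("PipeName", ""),
            "image": fields.get("Image", ""),
            "pid": fields.get("ProcessId", ""),
        })
    return events


def summarize_pipes(events):
    """Group by pipe name: which images created the pipe and which connected to it."""
    summary = defaultdict(lambda: {"created_by": [], "connected_by": []})
    for ev in events:
        key = "created_by" if ev["event_id"] == PIPE_CREATED else "connected_by"
        summary[ev["pipe"]][key].append(ev["image"])
    return dict(summary)


def pipes_from_unexpected_paths(events, trusted_prefixes=("C:\\Windows\\",)):
    """Pipe creations whose creating image lives outside trusted directories.

    Triage heuristic only; the trusted prefix list is an assumption for this sample
    and would be tuned to the environment's own baseline.
    """
    prefixes = tuple(p.lower() for p in trusted_prefixes)
    return [ev for ev in events
            if ev["event_id"] == PIPE_CREATED
            and not ev["image"].lower().startswith(prefixes)]


if __name__ == "__main__":
    pipe_events = parse_pipe_events(SAMPLE_EVENTS)
    for pipe, who in summarize_pipes(pipe_events).items():
        print(pipe, "created by", who["created_by"], "connected by", who["connected_by"])
    for ev in pipes_from_unexpected_paths(pipe_events):
        print("review:", ev["time"], ev["pipe"], "created by", ev["image"])
```

The same grouping is what you would want in a SIEM query once Sysmon is onboarded: pipe creations keyed by pipe name and creating image, joined to the later connections, so a pipe name seen on the wire in Endace can be tied back to the process that opened it on the host.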