Forum Discussion

steven (Silver I)
2 months ago
Solved

Need help: Endace: Ep.3 – Elastic Integration Scenario

I stumbled upon this lab after my holidays and I was able to solve all questions except:


So far I was able to follow the path from the first user over to the second user and the service installation, priv. escalation, base64 decodings, pwd changes on domain controllers, etc.

Problem 1: I can't find any named pipe for Q15. Not in Elastic (and I'm checking all data sources there), nor in the Wireshark dump/Endace GUI.

Problem 2: When I download files via "Extract File" in the Send option, I don't get any files (even when I take the whole timeline (~1h)). I can download the logs and see some stuff in there, but not one single file will help me to answer Q16.

So, does anyone have an idea where to look? (Or is the lab development not yet finished?)

-steven

  • Hey Steven! Hope you're well. I've had a quick run through the lab and to your points above:

    1.  I was able to find the named pipe, but not in Elastic. The SIEM isn't collecting Sysmon logs (or something else that would show named pipe creation), but using Endace I could find the pipe name.

    2.  I did find that on my first attempt this didn't seem to play nicely for me, but after restarting the lab and waiting 5 mins (cup of tea time), I came back to that last question and followed the process without issue. I haven't worked out if it was a Layer 8 problem (me) or if something else was happening, but we are looking into this now.

    Because this is a challenge lab, we don't usually give out too much information, but please reply here if you have further problems. I was able to complete the lab, however.

    Our Endace expert has travelled to the APAC region this week, so I'm waiting for them to resurface later today to help troubleshoot.

    UPDATE: With a little more analysis, I did notice that when you follow the stream reference link in Elastic to Endace, a little bit of patience is needed to allow the stream to load and the initial analysis to be done; otherwise, trying to run the post-process action straight away can make Endace misbehave. We will continue to look at this and see if we can make any improvements.
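The reply above points out that the lab's SIEM isn't collecting Sysmon logs, which is the telemetry that would normally show named pipe creation. The following is an added example, not code from this thread, from the lab, or from Endace/Elastic: it builds a few constructed Sysmon Event ID 17 (pipe created) and 18 (pipe connected) records in Windows event log XML shape, parses them, and lists pipe names that fall outside a hypothetical allowlist (KNOWN_PIPES), together with the image that created them and any images that connected to them. Hostnames, paths, timestamps and the pipe names themselves are made up for the example.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event log XML exports.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Hypothetical allowlist of pipe names that normally exist on a Windows host;
# an assumption for this example (tune it to your own baseline), not from the lab.
KNOWN_PIPES = {"\\lsass", "\\srvsvc", "\\wkssvc", "\\samr", "\\ntsvcs", "\\spoolss"}


def _event_xml(event_id, computer, fields):
    """Build a constructed Sysmon event in Windows event log XML shape (sample data only)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (
        f'<Event xmlns="{NS[1:-1]}">'
        f"<System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>"
        f"<EventData>{data}</EventData></Event>"
    )


# Constructed sample log: one benign pipe creation, one creation by an unusual
# image, one pipe connection (Event ID 18) and one unrelated process-create event.
SAMPLE_EVENTS = [
    _event_xml(17, "ws01.example.local", {
        "EventType": "CreatePipe", "UtcTime": "2024-01-01 10:00:00.000",
        "ProcessId": "612", "PipeName": "\\lsass",
        "Image": "C:\\Windows\\System32\\lsass.exe",
    }),
    _event_xml(17, "ws01.example.local", {
        "EventType": "CreatePipe", "UtcTime": "2024-01-01 10:05:12.000",
        "ProcessId": "4120", "PipeName": "\\example_unusual_pipe",
        "Image": "C:\\Users\\Public\\tool.exe",
    }),
    _event_xml(18, "ws01.example.local", {
        "EventType": "ConnectPipe", "UtcTime": "2024-01-01 10:05:13.000",
        "ProcessId": "4388", "PipeName": "\\example_unusual_pipe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
    }),
    _event_xml(1, "ws01.example.local", {
        "UtcTime": "2024-01-01 10:06:00.000", "ProcessId": "5000",
        "Image": "C:\\Windows\\System32\\notepad.exe",
    }),
]


def parse_pipe_event(xml_text):
    """Return a dict for Sysmon Event ID 17/18 records, or None for any other event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext(f"{NS}System/{NS}EventID"))
    if event_id not in (17, 18):
        return None
    fields = {d.get("Name"): (d.text or "") for d in root.find(f"{NS}EventData")}
    return {
        "event_id": event_id,
        "computer": root.findtext(f"{NS}System/{NS}Computer"),
        "time": fields.get("UtcTime"),
        "action": fields.get("EventType"),
        "pipe": fields.get("PipeName"),
        "image": fields.get("Image"),
        "pid": int(fields.get("ProcessId", "0")),
    }


def pipe_timeline(xml_events):
    """Keep only pipe events, in arrival order; other Sysmon events are dropped."""
    return [e for e in map(parse_pipe_event, xml_events) if e is not None]


def unknown_pipes(timeline, known=KNOWN_PIPES):
    """(pipe, creating image) pairs for created pipes that are not in the allowlist."""
    return sorted({(e["pipe"], e["image"]) for e in timeline
                   if e["event_id"] == 17 and e["pipe"] not in known})


def pipe_clients(timeline, pipe_name):
    """Images that connected (Event ID 18) to the given pipe."""
    return sorted({e["image"] for e in timeline
                   if e["event_id"] == 18 and e["pipe"] == pipe_name})


if __name__ == "__main__":
    tl = pipe_timeline(SAMPLE_EVENTS)
    for pipe, image in unknown_pipes(tl):
        print(f"unusual pipe {pipe} created by {image}; clients: {pipe_clients(tl, pipe)}")
```

The same two functions work unchanged on real exports once the Sysmon events reach the SIEM; the point is that pipe creation is only visible in endpoint telemetry like this, whereas a packet capture only shows the pipes that are opened over SMB, which is why the Endace side of the lab is the place to look when host logs are missing.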

    • steven (Silver I)

      That's interesting. I've started the lab again today and just let it run for 15 min (2 coffees), and then, magically, file extraction (via send) showed a file for the first time (it never did before), and with the right SMB filter in Wireshark it was visible too (I'm pretty sure it wasn't before).

      And I didn't put any filter on before; I was always watching all packets in Wireshark.

      Strange... /me always gets confused about such behaviour. Anyway, lab closed. Thanks RobReeves.

      • Bluesman (Bronze II)

        I'd have to check my notes, but I think I completed this lab, or at least many of the answers, by directly analyzing Wireshark packets. And there are quite a few! Yes, I've had *many* labs and *many* hours of analyzing packets behind me; I've just gotten used to it :).

        And I think my eyesight is suffering for it ... ;)