Trick or Treat on Specter Street: Ghost of the SOC

Question

Hi,I am being very blind here but i am struggling so a hint would be great. I am at Q3 trying to find the username the Glitch Geist executed the script under.The alert i have found in kibana relates to a powershell issue, but everything i see around that alert suggests the user.name is Administrator which is not accepted as the answer. Also tried this which i have seen S-1-5-18 and what i believe it relates to Local System.Any nudges in the right direction would be appreciated.

lewismutton · Answer

Hi Hazzie​,There are a few hint already in this this post!Hope this helps!&nbsp;

dragonstar16 · Answer

The question tells that there was no alert for those commands, so i would suggest you to check the logs for that question

neeemu · Answer

Hi Hazzie​ , as it's PowerShell script that was executed have you tried searching for *.ps1 to see what users executed that file type?

Forum Discussion

Trick or Treat on Specter Street: Ghost of the SOC

3 Replies

Featured Places

Help & Support Forum

Related Content

Trick or Treat on Specter Street: Ripper's Riddle

Trick or Treat on Specter Street: Ghost of the SOC

Trick or Treat on Specter Street: Manor of Madness

1 - 3 Specter St

Labs Live on Specter St - Week 1

Recent Discussions

Web App Hacking (Lab series): CVE-2022-2143 (iView2)

Lab 9: Macro Polo

"What is the token from the table?"

Trick or Treat on Specter Street: Manor of Madness

Microsoft Sentinel: SOAR Demonstrate your skills