Forum Discussion
Trick or Treat on Specter Street: Ghost of the SOC
Hi there,
Am I right, as obvious as it may seem, that for me to log in to Kibana I need to access it through the Elastic IP address I have entered in my browser? If so, I'm getting the error message in my screenshot. I tried this a few days ago as well and the problem persisted then too.
16 Replies
- S1m0n07
Bronze I
If I remember correctly you need to add 5601, the port, to the URL and it should work.
- Dark_Knight666
Silver I
For question 1, I can see an active alert but it appears I'm not able to view it? I also played about with the option for Group alerts by: ...... - yet to no avail? Am I doing something incorrectly?
- Samh051
Bronze III
You're set to last 24 hours; try changing the time range and you should see something.
- Dark_Knight666
Silver I
So I've moved it from Sep 15 as specified on the briefing panel to Sep 16, but still no results?
- ThreatWhisperer
Bronze II
I succeeded in practically all steps except the last one.
I found the ghost's first communication, the human account, the scripts folder, and the service account.
I can connect with the human account (for which I know the password), but I don't know how to use the service account, for which I don't have the credentials, so I can't do much.
I found a simple way to avoid the annoying messages using the human account, but I can't really eliminate the presence.
Did I miss something?
Any good advice?
- Samh051
Bronze III
It's tricky. The svc account password is stored in plain text in a file somewhere.
Try looking for something on the machine which looks a little out of place, then go deeper.
- ThreatWhisperer
Bronze II
Ah, that was easy, thx!
Now I've got the password, and I can e.g. use it to disable that account, but it doesn't seem to be enough to remove the persistence :-(
Edit: Never mind, I found another thread here discussing the same lab with the right hint to proceed!
- Dark_Knight666
Silver I
Still a little stuck on Q1 🤯
So looking through the PowerShell command line, I understand that the script is a Base64 string, and I found what I think may be the Ghost's communication, but when I pass this through CyberChef it appears not to be correct. So I am decoding it from Base64. Am I completely off the mark here?
- Samh051
Bronze III
Expand the alert instead of clicking on the rule name.
Use this button -
You should then be able to see the base64 encoded argument.
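Once the encoded argument is located, one common reason a plain base64 decode looks wrong is that PowerShell's -EncodedCommand carries UTF-16LE text, so a byte-for-byte decode shows the script letters interleaved with NUL bytes. The Python below is an added example (not from the thread or the lab) that pulls the argument out of a constructed process.args array and decodes it both ways; the sample command line and its harmless payload are made up.

```python
import base64
from typing import Optional

# Constructed sample in the shape of the ECS process.args field. The payload
# is a harmless Write-Host, not the lab's actual command line.
SAMPLE_ARGS = [
    "powershell.exe",
    "-NoProfile",
    "-NonInteractive",
    "-enc",
    base64.b64encode("Write-Host 'hello'".encode("utf-16-le")).decode("ascii"),
]

ENCODED_SWITCH = "encodedcommand"


def find_encoded_command(args: list[str]) -> Optional[str]:
    """Return the argument that follows the -EncodedCommand switch.

    powershell.exe accepts any unambiguous prefix of the switch name
    (-e, -ec, -enc, -EncodedCommand) case-insensitively, so the match is
    done on prefix rather than on the full name. Returns None when the
    switch is absent or is the last token (nothing follows it).
    """
    for i, arg in enumerate(args[:-1]):
        switch = arg.lstrip("-/").lower()
        if switch and ENCODED_SWITCH.startswith(switch):
            return args[i + 1]
    return None


def decode_encoded_command(b64: str) -> str:
    """Decode the way PowerShell does: base64 wrapping UTF-16LE text."""
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-16-le")


def naive_decode(b64: str) -> str:
    """Treat the decoded bytes as single-byte text, as a generic base64
    decoder does: every second character comes back as a NUL byte."""
    return base64.b64decode(b64, validate=True).decode("latin-1")


if __name__ == "__main__":
    blob = find_encoded_command(SAMPLE_ARGS)
    print("naive :", repr(naive_decode(blob)))
    print("proper:", decode_encoded_command(blob))
```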
- Dark_Knight666
Silver I
Oh dear! I have expanded the alert but still can't find the base64 encoded argument (Am I really that blind, I wonder?)
- JackGorman21
Bronze II
Morning all, do we know if and when this exercise will be available again? I'm really close to getting the digital badge, but it's been showing as down for maintenance for a while now.
Ironically I've completed the exercise... but I didn't note down the token needed for the 13th challenge... arghh!!! 😑
- SamDickison
Community Manager
Ah, that's annoying! I didn't realise it was down. Just investigating how long for... Perhaps we need an extension.
To me, it sounds like you have won a badge 😉
- Dark_Knight666
Silver I
Can someone please answer the actual question asked?
- Samh051
Bronze III
It's in the process.args box; click "show more" to see it.
- Dark_Knight666
Silver I
SamDickison - Hi there, would you be able to get someone to help me with Q3? I've been looking around for a while and found what I felt may lead me to uncover the username, but apparently not....