Help in Volatility Memory Analysis: Ep.2 – Processes and DLLs
Hello everyone, I started with Volatility memory analysis and am stuck on question 13 on SIDs. It asks for the first SID that is returned, which in this case seems to be "S-1-5-18" (maybe I am wrong here too). However, it won't take my answer. "PID - 1096"

44 views · 1 like · 3 comments

Radare2 Reverse Engineering: Ep.1 – Windows Binary Part 1
I have managed to find the answers to all of the questions within this lab except for question 6. I cannot seem to figure out the appropriate step(s) or action(s) to take to find the correct answer for this question. Any insight or guidance on what I'm missing / doing incorrectly and how to correct it would be greatly appreciated. I have provided a few screenshots for reference. Thanks in advance.

33 views · 2 likes · 2 comments

Help needed for Threat Hunting: Mining Behaviour
Hey everyone! I need some help with the last question of a lab. I have already identified the JSON authentication token and the packet that holds it. But within that packet, I just can't find the authentication key that identifies the miner. Was anyone able to solve it and help? Thanks!

Solved · 171 views · 1 like · 5 comments

APT29 Threat Hunting with Elasticsearch: Ep.11 – Demonstrate Your Skills
Hello! I could rather easily get the answers for the other questions, but Q6 has really taken me aback. The question is: "A PowerShell script was executed to assist with further enumeration. What command in this script assists with the reverse shell call back?" On the attacker side, the reverse shell is just deployed with Metasploit shellcode; in Elasticsearch this is a block of base64 PowerShell in which binary shellcode will be executed. Directly after, the "Invoke-SeaDuke" stage is called. There is no specific handler for the callback one could ask for, so what does "assist" even mean here? Even a slight clue would help me out; maybe I'm too lost now. Thank you for your patience!

37 views · 0 likes · 2 comments

Introduction To Elastic: Ep.9 – ES|QL
I'm stuck on questions 13 and 15. My eval statement seems to be working, and I thought it was fairly straightforward overall, but the values returned are not being accepted. I noticed there was a default limit of 500 being set, so I tried manually adding a limit of 255000 to make sure all results are calculated, but this still doesn't work. I tried expanding the date range back a year leading to the present, but that didn't work. I'm using to_long() for the conversions. I managed to get #13 by guessing and checking, but I don't even see the correct value in the list of values I'm looking at. It's in the right range, however, so it makes me think I'm doing this mostly correctly. Not sure what else to include here without providing too many spoilers. Let me know what you need.

50 views · 1 like · 4 comments

Malware Analysis: Tracking a LOLBins Campaign – Examination
I have completed all of the questions within this lab except for question 7 and question 13. Both of these questions appear to have something to do with the execution of the 1st and 2nd downloaded files in the lab. I have successfully completed the deobfuscation of each file, but I cannot seem to execute the appropriate step(s) or action(s) to get to the correct answers for these last 2 questions. Any insight or guidance on what I'm missing / doing incorrectly and how to correct it would be greatly appreciated. I have provided a few screenshots for reference. Thanks in advance.

Solved · 63 views · 0 likes · 3 comments

Events & Breaches: Magecart Skimmer
Hello - I need a hand locating the domain (Q7). I've found the name of the file that contains the skimmer and exported it. I then opened it in a text editor and searched for "http://" and "https://" in the big chunk of text, but nothing is matching.

Solved · 98 views · 2 likes · 6 comments

Web Log Analysis: Ep.5 – Searching Web Server Logs using Linux CLI
The question is: "In the access logs, how many requests were successful and resulted in a 200 HTTP status code from the identified IP address?" I've tried the following solutions, which are not correct. What obvious thing am I missing? I assume GET, HEAD and OPTIONS are all valid requests in the context of the above question; there is at least one log line which relates to X11 and not the vuln scanner found in the previous question.

    linux@web-log-analysis:~/Log-Files$ grep -E '193.37.225.202' access.log* | grep -E 'HTTP/1\.1\" 200' | sort | wc -l
    235
    linux@web-log-analysis:~/Log-Files$ grep -E '193.37.225.202' access.log* | grep -i GET | grep -E 'HTTP/1\.1\" 200' | sort | wc -l
    221

Solved · 92 views · 1 like · 5 comments

Introduction to Detection Engineering: Ep.5 – Custom Alerting
Struggling to get the token for this one. Got the Python script working (I think?) - it's generating alerts into Elastic without replaying duplicates. But I get the select LatMov events - then wait and wait - before eventually getting:

    @timestamp: <actual timestamp here>
    alert_message: Not all instances of lateral movement detected. Please restart the lab to try again.
    _id: 7qvVgpMBEQ2Wr4UXppEV
    _index: custom_alert_index
    _score: -

Sometimes I don't even get that, just a handful of events, and then the lab expires. Is there any more detailed guidance on this lab? Feels like the guidance was written at 4:59pm on a Friday, if you know what I mean 😂 Also a bit confused: the guidance says to play around with the sleep() function, as it describes the "WAIT_TIME_MINUTES" - fairly sure it's actually seconds? Unless IL have written their own custom 'time' module?

Solved · 79 views · 1 like · 2 comments
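The Web Log Analysis post above (counting 200 responses from 193.37.225.202) uses a pair of substring greps, which is the usual first attempt and is worth comparing against a field-anchored count. The script below is an added example, not code from any post, from the lab or from Immersive Labs. The log lines it writes are constructed for illustration; only the IP address is taken from the post. Whether the lab's expected answer includes HTTP/1.0 requests, or lines where the IP appears only in the referer, is not stated anywhere on this page; the example only shows how the two counting methods can diverge on the same input.

```shell
#!/bin/sh
# Added example (not from the lab or the poster): count HTTP 200 responses for
# one client IP in Combined Log Format by anchoring on fields, not substrings.
# The log lines in write_sample_log are constructed for illustration only.

# Write a small constructed access log to the file named in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
193.37.225.202 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
193.37.225.202 - - [10/Oct/2023:13:55:37 +0000] "HEAD /admin HTTP/1.0" 200 0 "-" "curl/7.88.1"
193.37.225.202 - - [10/Oct/2023:13:55:38 +0000] "GET /missing HTTP/1.1" 404 200 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /shell.php HTTP/1.1" 200 77 "http://193.37.225.202/" "Mozilla/5.0"
193.37.225.202 - - [10/Oct/2023:13:55:40 +0000] "OPTIONS * HTTP/1.1" 200 0 "-" "-"
193.37.225.202 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/2.0" 302 0 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Oct/2023:13:55:42 +0000] "GET /c.php HTTP/1.1" 200 31 "http://193.37.225.202/x" "Mozilla/5.0"
EOF
}

# Naive approach, as commonly typed: substring match on the IP anywhere in the
# line, then substring match on 'HTTP/1.1" 200'. It over-counts lines where the
# IP only appears in the referer and under-counts HTTP/1.0 or HTTP/2 requests
# (the unescaped dots in the IP also match any character).
# Usage: naive_count IP FILE...
naive_count() {
    ip=$1
    shift
    cat -- "$@" | grep -- "$ip" | grep 'HTTP/1\.1" 200' | wc -l | tr -d ' '
}

# Field-anchored approach: the client address is the first whitespace-separated
# field, and the status code is the first token after the closing quote of the
# request string. Splitting on double quotes keeps a request containing spaces
# (or an odd one such as "OPTIONS *") from shifting the status position.
# Usage: count_ok_from_ip IP FILE...
count_ok_from_ip() {
    ip=$1
    shift
    awk -v ip="$ip" '
        $1 == ip {
            n = split($0, parts, "\"")      # parts[2] = request, parts[3] = " status bytes "
            if (n >= 3) {
                split(parts[3], rest, " ")  # rest[1] = status code
                if (rest[1] == "200") count++
            }
        }
        END { print count + 0 }
    ' "$@"
}

# Demo on the constructed sample: the two methods disagree (4 vs 3).
log_file=$(mktemp)
write_sample_log "$log_file"
printf 'naive substring count: %s\n' "$(naive_count 193.37.225.202 "$log_file")"
printf 'field-anchored count:  %s\n' "$(count_ok_from_ip 193.37.225.202 "$log_file")"
rm -f "$log_file"
```

Both functions take the IP first and then any number of files, so on the lab's directory layout they can be pointed at the same glob as the original commands, for example `count_ok_from_ip 193.37.225.202 access.log*` (rotated `.gz` files would need to be decompressed first, since neither awk nor grep reads them directly). The awk version counts any method and any HTTP version, which matches the assumption in the post that GET, HEAD and OPTIONS all count; to restrict it to one method, compare the first word of `parts[2]` as well.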