Help needed for Threat Hunting: Mining Behaviour
Hey everyone! I need some help with the last question of a lab. I already identified the JSON authentication token and the packet that holds it, but within that packet I just can't find the authentication key that identifies the miner. Was anyone able to solve it and help? Thanks!

APT29 Threat Hunting with Elasticsearch: Ep.11 – Demonstrate Your Skills
Hello! I could rather easily get the answers for the other questions, but Q6 has really taken me aback. The question is: "A PowerShell script was executed to assist with further enumeration. What command in this script assists with the reverse shell call back?" On the attacker side, the reverse shell is just deployed with Metasploit shellcode; in Elasticsearch this is a block of base64 PowerShell in which binary shellcode will be executed. Directly after, the "Invoke-SeaDuke" stage is called. There is no specific handler for the callback one could ask for, so what does "assist" even mean here? Even a slight clue would help me out; maybe I'm too lost now. Thank you for your patience!

Introduction To Elastic: Ep.9 – ES|QL
I'm stuck on questions 13 and 15. My eval statement seems to be working, and I thought it was fairly straightforward overall, but the values returned are not being accepted. I noticed there was a default limit of 500 being set, so I tried manually adding a limit of 255000 to make sure all results are calculated, but this still doesn't work. I tried expanding the date range back a year leading to present, but that didn't work either. I'm using to_long() for the conversions. I managed to get #13 by guess/checking, but I don't even see the correct value in the list of values I'm looking at. It's in the right range, however, so it makes me think I'm doing this mostly correctly. Not sure what else to include here without providing too many spoilers. Let me know what you need.

Malware Analysis: Tracking a LOLBins Campaign – Examination
I have completed all of the questions within this lab except for question 7 and question 13. Both of these questions appear to have something to do with execution of the 1st and 2nd downloaded files in the lab. I have successfully completed the deobfuscation of each file, but I cannot seem to execute the appropriate step(s) or action(s) to get to the correct answers for these last 2 questions. Any insight or guidance on what I'm missing / doing incorrectly and how to correct it would be greatly appreciated. I have provided a few screenshots for reference. Thanks in advance.

Events & Breaches: Magecart Skimmer
Hello - I need a hand locating the domain (Q7). I've found the name of the file that contains the skimmer and then exported it. I then opened it in a text editor and searched for "http://" and "https://" in the big chunk of text, but nothing is matching.

Web Log Analysis: Ep.5 – Searching Web Server Logs using Linux CLI
"In the access logs, how many requests were successful and resulted in a 200 HTTP status code from the identified IP address?" I've tried the following solutions, which are not correct. What obvious thing am I missing? I assume GET, HEAD and OPTIONS are all valid requests in the context of the above question; there is at least one log line which relates to X11 and not the vuln scanner found in the previous question.

linux@web-log-analysis:~/Log-Files$ grep -E '193.37.225.202' access.log* | grep -E 'HTTP/1\.1\" 200' | sort | wc -l
235

linux@web-log-analysis:~/Log-Files$ grep -E '193.37.225.202' access.log* | grep -i GET | grep -E 'HTTP/1\.1\" 200' | sort | wc -l
221

Introduction to Detection Engineering: Ep.5 – Custom Alerting
Struggling to get the token for this one. Got the Python script working (I think?) - it's generating alerts into Elastic without replaying duplicates. But I get the select LatMov events - then wait and wait - before eventually getting:

@timestamp: <actual timestamp here>
alert_message: Not all instances of lateral movement detected. Please restart the lab to try again.
_id: 7qvVgpMBEQ2Wr4UXppEV
_index: custom_alert_index
_score: -

Sometimes I don't even get that, just a handful of events, then the lab expires. Is there any more detailed guidance on this lab? Feels like the guidance was written at 4:59pm on a Friday, if you know what I mean 😂 Also a bit confused: the guidance says to play around with the sleep() function, as it describes the "WAIT_TIME_MINUTES" - fairly sure it's actually seconds? Unless IL have written their own custom 'time' module?

CVE-2022-29799/CVE-2022-29800 (Nimbuspwn) – Defensive
Hello community, I can't find the answer to these questions. I tried using the Sigma file provided in the lab to query Splunk; it returned no events. I also tried doing custom queries using similar strings, but I never got the correct answers. Any help is appreciated. Thanks