This room is for practice on the Junior Penetration Tester path on TryHackMe.
How many events were collected and Ingested in the index main?
index="main"
ans: 12256
On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?
index=main EventID="4720"
ans: A1berto
On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?
index=main Hostname="Micheal.Beaven" EventID="12" A1berto
ans: HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto
Examine the logs and identify the user that the adversary was trying to impersonate.
The attacker's account is called A1berto (with the digit one); the real account is Alberto (with a lowercase L). Both names show up side by side in the User field.
index=main (then inspect the User field in the fields sidebar)
ans: Alberto
What is the command used to add a backdoor user from a remote computer?
index=main EventID="4688"
ans: "C:\windows\System32\Wbem\WMIC.exe" /node:WORKSTATION6 process call create "net user /add A1berto paw0rd1"
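The two findings above (a user created through WMIC on a remote node, and a username that imitates an existing one by swapping a letter for a digit) can be turned into a small detection that runs over process-creation events instead of being eyeballed in Splunk. The following is an added example, not code from the room or from TryHackMe; the 4688 events, the list of legitimate users and the homoglyph table are all constructed for illustration.

```python
import re

# Constructed sample events shaped like Windows Security Event ID 4688
# (process creation) fields as Splunk would show them; not data from the room.
SAMPLE_4688 = [
    {"Hostname": "Micheal.Beaven", "EventID": 4688,
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Hostname": "James.browne", "EventID": 4688,
     "CommandLine": r'"C:\windows\System32\Wbem\WMIC.exe" /node:WORKSTATION6 '
                    r'process call create "net user /add A1berto paw0rd1"'},
    {"Hostname": "Micheal.Beaven", "EventID": 4688,
     "CommandLine": r"net user Alberto /domain"},
]

# Constructed list of legitimate account names to compare new users against.
LEGIT_USERS = ["Alberto", "Micheal.Beaven", "James.browne"]

# WMIC remote process creation: capture the target node and the created command.
WMIC_REMOTE = re.compile(
    r'wmic(?:\.exe)?"?\s+/node:(?P<node>[^\s"]+)\s+process\s+call\s+create\s+'
    r'"?(?P<cmd>[^"]+)',
    re.IGNORECASE,
)
NET_USER = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\s+(?P<args>.+)", re.IGNORECASE)


def new_user_from_net_user(cmd):
    """Return the account name if cmd is 'net user ... /add', else None.
    Handles both 'net user name pass /add' and 'net user /add name pass'."""
    m = NET_USER.search(cmd)
    if not m:
        return None
    tokens = m.group("args").split()
    flags = [t.lower() for t in tokens if t.startswith("/")]
    if "/add" not in flags:
        return None
    positional = [t for t in tokens if not t.startswith("/")]
    return positional[0] if positional else None


def find_remote_user_adds(events):
    """Flag 4688 events where WMIC is used to create a user on a remote host."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        m = WMIC_REMOTE.search(ev["CommandLine"])
        if not m:
            continue
        user = new_user_from_net_user(m.group("cmd"))
        if user:
            hits.append({"source_host": ev["Hostname"],
                         "target_node": m.group("node"),
                         "new_user": user})
    return hits


# Digits and symbols commonly swapped in for letters in lookalike account names
# (constructed table; extend it for your own environment).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


def lookalike_of(name, legit_users):
    """Return the legitimate account that `name` imitates, or None if it is
    a genuine account itself or not visually similar to any of them."""
    if name in legit_users:
        return None
    normalised = name.translate(HOMOGLYPHS).casefold()
    for legit in legit_users:
        if normalised == legit.casefold():
            return legit
    return None


if __name__ == "__main__":
    for hit in find_remote_user_adds(SAMPLE_4688):
        print(hit, "imitates:", lookalike_of(hit["new_user"], LEGIT_USERS))
```

Running it flags the WMIC event from James.browne targeting WORKSTATION6 and reports that the created account A1berto imitates Alberto; the same two regexes map directly onto a Splunk search over CommandLine if you would rather alert inside the SIEM.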
How many times was the login attempt from the backdoor user observed during the investigation?
index=main EventID="4624" (successful logon)
index=main EventID="4625" (failed logon)
Both searches return no results, so no logon attempt by the backdoor user was observed.
ans: 0
What is the name of the infected host on which suspicious Powershell commands were executed?
index=main powershell
ans : James.browne
PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?
index=main EventID="4103" (PowerShell module logging events)
ans: 79
An encoded Powershell script from the infected host initiated a web request. What is the full URL?
Rerun the search from question 7 (index=main powershell) and open the first event.
The script in it is Base64-encoded. In CyberChef, apply From Base64 and then Decode text with UTF-16LE (the encoding PowerShell uses for -EncodedCommand); a plain UTF-8 decode will only show interleaved null bytes. You will also have to defang the URL for the answer.
ans: hxxp[://]10[.]10[.]10[.]5/news[.]php