Introduction To The Elastic Stack
Qn: Navigate to http://[Target-IP]:5601, click on the side navigation toggle, and click on “Discover”. Then, click on the calendar icon, specify “last 15 years”, and click on “Apply”. Finally, choose the “windows*” index pattern. Now, execute the KQL query that is mentioned in the “Comparison Operators” part of this section and enter the username of the disabled account as your answer. Just the username; no need to account for the domain.
Ans: anni
1. Navigate to Target IP Address
- Launch your preferred web browser (e.g., Chrome, Firefox, Edge).
- Navigate to the Target IP
- Enter the following URL in the address bar:
http://[Target-IP]:5601
- Replace [Target-IP] with the actual IP address of the target server.
- Press Enter to go to the webpage.
2. Navigate to Discover
- On the Elastic interface, click on the side navigation toggle (usually a hamburger menu icon or a vertical bar on the left side).
- Select “Discover” from the navigation menu. This will take you to the Discover page where you can search and view your data.
3. Set Time Range
- Click on the calendar icon or time filter option, typically found at the top-right corner of the Discover page.
- In the time range selector, specify “last 15 years”.
- Click on “Apply” to set the time filter to cover this period.
4. Select Index Pattern
- Click the +Add Filter button
- Choose the windows* index pattern from the list of available index patterns. This ensures you are querying the relevant data related to Windows logs.
5. Enter the KQL Query
In the search bar at the top of the Discover page, enter the KQL query mentioned in the “Comparison Operators” part of your instructions. Based on the information provided, the query you need to execute is:
event.code:4625 AND winlog.event_data.SubStatus:0xC0000072
- This query filters the data to show Windows event logs with code 4625 (failed login attempts) and a SubStatus value of 0xC0000072 (indicating the account is disabled).
6. Review the Search Results
- Examine the search results for records matching the query.
Within this, I also added a further filter on user.name.
Here we see that the username is actually anni 🙂
Summary of Steps:
- Navigate to http://[Target-IP]:5601.
- Go to “Discover”.
- Set the time range to “last 15 years”.
- Choose the windows* index pattern.
- Enter and execute the KQL query: event.code:4625 AND winlog.event_data.SubStatus:0xC0000072.
- Review the search results and find your answer.
Qn: Now, execute the KQL query that is mentioned in the “Wildcards and Regular Expressions” part of this section and enter the number of returned results (hits) as your answer.
Ans: 8
1. Enter the KQL Query
In the search bar at the top of the Discover page, enter the following KQL query that uses wildcards:
event.code:4625 AND user.name: admin*
- This query filters the data to show Windows event logs with code 4625 (failed login attempts) where the username starts with “admin” (e.g., “admin”, “administrator”, “admin123”, etc.).
2. Execute the Query
- Press “Enter” or click the search icon to execute the query.
Here we see that there are actually 8 hits, which means our answer is 8.
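To make the two queries above concrete without a Kibana instance, here is a small evaluator for the subset of KQL this section uses (`field:value` clauses joined with AND, with the `*` wildcard). It is an added example, not code from the course or from this walkthrough's author; the events are constructed sample documents shaped like Winlogbeat output, not data from the lab target, and the evaluator assumes keyword (case-sensitive, unanalysed) fields, which is how ECS maps `event.code` and `user.name`.

```python
"""Mini evaluator for the KQL subset used on this page (added example).

Supports `field:value` clauses joined with AND, where a value may carry the
`*` wildcard: `admin*` matches a prefix, `*admin*` matches anywhere.
"""
import fnmatch
import re

# Constructed sample events. 0xC0000072 is the disabled-account SubStatus named
# on the page; 0xC000006A (wrong password) is used for the other failures.
SAMPLE_EVENTS = [
    {"event.code": "4625", "user.name": "anni", "winlog.event_data.SubStatus": "0xC0000072",
     "winlog.logon.type": "Interactive"},
    {"event.code": "4625", "user.name": "admin", "winlog.event_data.SubStatus": "0xC000006A",
     "winlog.logon.type": "Network"},
    {"event.code": "4625", "user.name": "administrator", "winlog.event_data.SubStatus": "0xC000006A",
     "winlog.logon.type": "Interactive"},
    {"event.code": "4625", "user.name": "sqladmin", "winlog.event_data.SubStatus": "0xC000006A",
     "winlog.logon.type": "Network"},
    {"event.code": "4625", "user.name": "sql-svc1", "winlog.event_data.SubStatus": "0xC000006A",
     "winlog.logon.type": "Network"},
    # A successful logon (4624): must never match an event.code:4625 query.
    {"event.code": "4624", "user.name": "admin", "winlog.logon.type": "Interactive"},
]


def parse_kql(query):
    """Split 'a:b AND c:d' into [(field, pattern), ...]; raises on malformed clauses."""
    clauses = []
    for part in re.split(r"\s+AND\s+", query.strip()):
        field, sep, value = part.partition(":")
        if not sep or not value.strip():
            raise ValueError(f"expected field:value, got {part!r}")
        clauses.append((field.strip(), value.strip()))
    return clauses


def matches(event, clauses):
    """True when every clause matches; a missing field never matches."""
    return all(
        fnmatch.fnmatchcase(str(event.get(field, "")), pattern)
        for field, pattern in clauses
    )


def search(query, events=SAMPLE_EVENTS):
    """Return the events that satisfy the KQL query (the 'documents' Discover lists)."""
    clauses = parse_kql(query)
    return [e for e in events if matches(e, clauses)]


def hits(query, events=SAMPLE_EVENTS):
    """Number of matching documents (the 'hits' count Discover shows)."""
    return len(search(query, events))


def disabled_account_logons(events=SAMPLE_EVENTS):
    """Usernames behind 4625 events carrying the disabled-account SubStatus."""
    query = "event.code:4625 AND winlog.event_data.SubStatus:0xC0000072"
    return sorted({e["user.name"] for e in search(query, events)})


if __name__ == "__main__":
    print("disabled accounts:", disabled_account_logons())
    print("admin* hits:", hits("event.code:4625 AND user.name: admin*"))
    print("*admin* hits:", hits("event.code:4625 AND user.name: *admin*"))
```

Note that the prefix form `admin*` does not pick up `sqladmin`, while `*admin*` does; that difference is exactly what the later “Admin users only” visualization relies on.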
SOC DEFINITION AND FUNDAMENTALS
Qn: True or false? SOC 2.0 follows a proactive defense approach.
Ans: True
SOC 2.0, which is often referred to in the context of modern Security Operations Centers (SOC), emphasizes a proactive defense approach. This involves anticipating potential threats and vulnerabilities before they can be exploited, rather than just responding to incidents after they occur. Key elements of this approach include:
- Threat Hunting: Actively searching for signs of potential threats within the network before they become active incidents.
- Continuous Monitoring: Implementing advanced monitoring tools and techniques to detect unusual activities early.
- Vulnerability Management: Regularly assessing and addressing vulnerabilities in the system to prevent exploitation.
- Predictive Analysis: Using data and analytics to predict and mitigate potential security issues.
By focusing on these proactive strategies, SOC 2.0 aims to enhance overall security posture and reduce the likelihood and impact of security incidents.
SIEM VISUALISATION DEVELOPMENT
SIEM Visualization Example 1: Failed Logon Attempts (All Users)
Qn: Navigate to http://[Target-IP]:5601, click on the side navigation toggle, and click on “Dashboard”. Browse the refined visualization we created or the “Failed logon attempts [All users]” visualization, if it is available, and enter the number of logins for the sql-svc1 account as your answer.
Ans: 2
1. Navigate to Target IP Address at http://[Target-IP]:5601
2. Access the Side Navigation Menu
- Once the webpage loads, locate and click on the side navigation toggle. This toggle is typically represented by a hamburger icon (three horizontal lines) on the left side of the screen.
- In the expanded side navigation menu, look for an option labeled “Dashboard” and click on it.
- Click on “SOC-Alerts” to navigate to the dashboard section.
- You will be presented with a list of available dashboards and visualizations. Look for the visualization titled “Failed logon attempts [All users]”.
3. Review the Visualization for sql-svc1
- Examine the “Failed logon attempts [All users]” visualization to find the section related to the sql-svc1 account.
- Identify the number of failed login attempts associated with the sql-svc1 account.
4. Record the Number of Logins
- Enter the number of failed logon attempts for the sql-svc1 account as your answer.
Summary of Steps:
- Head over to http://[Target-IP]:5601
- Access the side menu (Dashboard) and look for “Failed logon attempts [All users]”
- Review the Visualization for sql-svc1
- Note down the number of login attempts.
SIEM Visualization Example 2: Failed Logon Attempts (Disabled Users)
Qn: Navigate to http://[Target-IP]:5601, click on the side navigation toggle, and click on “Dashboard”. Either create a new visualization or edit the “Failed logon attempts [Disabled user]” visualization, if it is available, so that it includes failed logon attempt data related to disabled users including the logon type. What is the logon type in the returned document?
Ans: Interactive
1. Navigate to the target IP at http://[Target-IP]:5601
2. Open the Dashboard
- Go to SOC-Alerts dashboard
- Browse through the list of visualisations to locate the “Failed logon attempts [Disabled user]” visualisation.
- Click the edit button in the top right corner of the page.
- Click on the cog button for the “Failed logon attempts [Disabled user]” visualisation.
3. Edit the Visualization
- Look for an “Edit lens” button. This is usually found in the top-right corner or in a context menu associated with the visualization.
- Click on the “Edit Lens” button to open the visualization editor.
4. Modify the Visualization:
- On the right-hand side there is a column labelled “Table”; here we can edit the visualisation by adding or removing rows.
- Let's add a row. Click “Add or drop a field” under the Rows section.
- Once there, select a field and type “winlogon.logon.type.keyboard”. Feel free to add your own display name; I just made mine “Logon Type”.
- Once our table has been adjusted, click the “Save and return” button in the top right corner of the page. From here we can see that the logon type for “Failed logon attempts [Disabled user]” was Interactive.
Qn: Navigate to http://[Target-IP]:5601, click on the side navigation toggle, and click on “Dashboard”. Either create a new visualization or edit the “Failed logon attempts [Admin users only]” visualization, if it is available, so that it includes failed logon attempt data where the username field contains the keyword “admin” anywhere within it. What should you specify after user.name: in the KQL query?
Ans: *admin*
1. Adjust filter
In the larger search bar named KQL Query we use the query:
user.name: *admin*
The asterisks in *admin* act as wildcards, so the query matches any username that contains admin anywhere within it, not just at the start.
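The three dashboard exercises above (all users, disabled users with the logon type added, and the `*admin*` filter) are all the same shape once you look past Lens: a filter on event code 4625, optional extra filters, and a terms aggregation on `user.name`. The following is an added example, not code from the course or this walkthrough's author, that builds the equivalent Elasticsearch `_search` request bodies and flattens the aggregation response into the rows the table shows. Field names are the ones used on this page; the `SAMPLE_RESPONSE` at the bottom is constructed, not captured from the lab target.

```python
"""Elasticsearch request bodies behind the failed-logon visualizations (added example).

Send a body from failed_logon_request() to POST /windows*/_search to get the
same table a Lens visualization renders, without going through Kibana.
"""
import json

INDEX_PATTERN = "windows*"        # the page's index pattern
FAILED_LOGON = "4625"             # Windows event: an account failed to log on
DISABLED_ACCOUNT = "0xC0000072"   # SubStatus named on the page: account disabled


def nested_terms_aggs(fields, size=50):
    """Nest one terms aggregation per field, first field outermost (the table rows)."""
    aggs = {}
    for field in reversed(fields):
        node = {"terms": {"field": field, "size": size}}
        if aggs:
            node["aggs"] = aggs
        aggs = {f"by_{field}": node}
    return aggs


def failed_logon_request(sub_status=None, user_wildcard=None, group_by=("user.name",)):
    """Build the request body for one of the failed-logon tables.

    sub_status    -> adds the winlog.event_data.SubStatus filter ([Disabled user])
    user_wildcard -> adds a wildcard filter on user.name, e.g. "*admin*" ([Admin users only])
    group_by      -> table rows; add "winlog.logon.type" to show the logon type
    """
    filters = [{"term": {"event.code": FAILED_LOGON}}]
    if sub_status:
        filters.append({"term": {"winlog.event_data.SubStatus": sub_status}})
    if user_wildcard:
        # A leading wildcard has to scan every term of the field: fine in a lab,
        # expensive on a large production index.
        filters.append({"wildcard": {"user.name": {"value": user_wildcard}}})
    return {
        "size": 0,                  # only the aggregation buckets are needed
        "track_total_hits": True,
        "query": {"bool": {"filter": filters}},
        "aggs": nested_terms_aggs(group_by),
    }


def table_rows(aggregations, fields):
    """Flatten a nested terms-aggregation response into (keys, doc_count) rows."""
    rows = []

    def walk(node, depth, keys):
        if depth == len(fields):
            rows.append((tuple(keys), node["doc_count"]))
            return
        for bucket in node[f"by_{fields[depth]}"]["buckets"]:
            walk(bucket, depth + 1, keys + [bucket["key"]])

    walk(aggregations, 0, [])
    return rows


def failed_logons_per_user(response):
    """user.name -> failed logon count, as in 'Failed logon attempts [All users]'."""
    return {keys[0]: count for keys, count in table_rows(response["aggregations"], ("user.name",))}


# Constructed response to a request grouped by user.name then winlog.logon.type.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 3, "relation": "eq"}, "hits": []},
    "aggregations": {
        "by_user.name": {
            "buckets": [
                {"key": "sql-svc1", "doc_count": 2,
                 "by_winlog.logon.type": {"buckets": [{"key": "Network", "doc_count": 2}]}},
                {"key": "anni", "doc_count": 1,
                 "by_winlog.logon.type": {"buckets": [{"key": "Interactive", "doc_count": 1}]}},
            ]
        }
    },
}

if __name__ == "__main__":
    body = failed_logon_request(sub_status=DISABLED_ACCOUNT,
                                group_by=("user.name", "winlog.logon.type"))
    print(f"POST /{INDEX_PATTERN}/_search")
    print(json.dumps(body, indent=2))
    print(table_rows(SAMPLE_RESPONSE["aggregations"], ("user.name", "winlog.logon.type")))
```

Adding `"winlog.logon.type"` to `group_by` is the API-side equivalent of the extra row added in the Lens editor: the logon type appears as a nested bucket under each username instead of as a separate table.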
SIEM Visualization Example 3: Successful RDP Logon Related To Service Accounts
Qn: Navigate to http://[Target-IP]:5601, click on the side navigation toggle, and click on “Dashboard”. Browse the visualization we created or the “RDP logon for service account” visualization, if it is available, and enter the IP of the machine that initiated the successful RDP logon using service account credentials as your answer.
Ans: 192.168.28.130
I think by now you get the idea of how to get to the Target IP as well as how to get to a dashboard. In this case we are navigating to the “RDP logon for service account” visualization.
Once here we see the IP address.
SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe)
Qn: Navigate to http://[Target-IP]:5601, click on the side navigation toggle, and click on “Dashboard”. Extend the visualization we created or the “User added or removed from a local group” visualization, if it is available, and enter the common date on which all returned events took place as your answer. Answer format: 20XX-0X-0X
Ans: 2023-03-05
Navigating to the “User added or removed from a local group” visualization, we see there is only one record, and the date the record specified was 2023-03-05.
Conclusion:
That concludes my walkthrough of the topic. For the skills assessment area I think you should do it on your own. I hope this walkthrough was useful to you. I decided to make this walkthrough both as a way to revise what I have learnt as well as to be able to help those who may be stuck. Just a disclaimer: my solutions may not be the best way to go about solving the problems. I suggest only using my solutions if you are really stuck, and try to really understand the methods that go into solving the problems. If you have any questions, feel free to reach out to me through LinkedIn. I will be making more walkthroughs for the Hack The Box SOC Pathway. All the best!