How many events were collected and Ingested in the index main?
- Just input query index=main and the event will display
On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?
- index=main EventID=4720
- 4720 is the EventID for newly created user
On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?
- index=main Hostname="Micheal.Beaven" EventID="12" A1berto
- EventID:12 is the event id for updating registry key
Examine the logs and identify the user that the adversary was trying to impersonate.
- index=main
- This is very interesting question, You can basically answer it by just a logic but I didn’t get the logic. The adversary trying to impersonate the user that is very close to the name attacker created.
- Navigate to user and see all the username. You can see the answer
What is the command used to add a backdoor user from a remote computer?
- index=main EventID=1
- In there, navigate to commandline and you can see the command used to create a backdoor which is creating a user.
How many times was the login attempt from the backdoor user observed during the investigation?
- index=main A1berto
- Navigate to EventID and I search for all EventID and no logon attempt is being made
What is the name of the infected host on which suspicious Powershell commands were executed?
PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?
- index=main EventID=4103
- EventID 4103 is used to detect powershell activities
An encoded Powershell script from the infected host initiated a web request. What is the full URL?