Qradar101 blue team ctf

What is the IDS software used to monitor the network?

What is the domain name used in the network?

Multiple IPs were communicating with the malicious server. One of them ends with "20". Provide the full IP.

What is the SID of the most frequent alert rule in the dataset?

What is the attacker's IP address?

The attacker was searching for data belonging to one of the company's projects, can you find the name of the project?

What is the IP address of the first infected machine?

What is the username of the infected employee using 192.168.10.15?

Hackers do not like logging, what logging was the attacker checking to see if enabled?

Name of the second system the attacker targeted to cover up the employee?

When was the first malicious connection to the domain controller (log start time - hh:mm:ss)?

What is the md5 hash of the malicious file?

What is the MITRE persistence technique ID used by the attacker?

What protocol is used to perform host discovery?

What is the email service used by the company?(one word)

What is the name of the malicious file used for the initial infection?

What is the name of the new account added by the attacker?

What is the PID of the process that performed injection?

What is the name of the tool used for lateral movement?

Attacker exfiltrated one file, what is the name of the tool used for exfiltration?

Who is the other legitimate domain admin other than the administrator?

The attacker used the host discovery technique to know how many hosts available in a certain network, what is the network the hacker scanned from the host IP 1 to 30?

What is the name of the employee who hired the attacker?