Qradar101 blue team ctf
Category: Threat Hunting

Questions (point weight | number of solvers):
- Weight: 50 | Solved: 988
- Weight: 50 | Solved: 995
- Weight: 100 | Solved: 843
- Weight: 100 | Solved: 890
- Weight: 100 | Solved: 744
- Weight: 100 | Solved: 832
- Weight: 150 | Solved: 621
- Weight: 150 | Solved: 762
- Weight: 200 | Solved: 760
- Weight: 200 | Solved: 673
- Weight: 200 | Solved: 584
- Weight: 200 | Solved: 451
- Weight: 200 | Solved: 558
- Weight: 250 | Solved: 501
- Weight: 250 | Solved: 625
- Weight: 250 | Solved: 435
- Weight: 300 | Solved: 548
- Weight: 300 | Solved: 561
- Weight: 300 | Solved: 463
- Weight: 300 | Solved: 427
- Weight: 300 | Solved: 494
- Weight: 300 | Solved: 526
- Weight: 500 | Solved: 498
- Weight: 500 | Solved: 483
Instructions:
This challenge is designed to work with VirtualBox. Download the challenge VM and uncompress it using the password 'cyberdefenders.org'.
- Please make sure to watch the instructional video under the Walkthroughs section.
- Make sure you have a host-only subnet within the IP range 192.168.20.0/24.
- Assign the proper network adapter (192.168.20.0/24) to the VM before starting it.
- Wait a few minutes after the import completes, then visit: https://192.168.20.21/.
- Challenge credentials: QRadar Dashboard: admin:[email protected] - SSH: root:cyberdefenders
In case you face a license issue, go to > License Pool Management, edit the pool and set EPS to a value greater than 0, then edit the FPM and set it to 0. This ensures you will not hit a license problem.
Hardware requirements: 8 GB of memory and 65 GB of disk space.
A financial company was compromised, and they are looking for a security analyst to help them investigate the incident. The company suspects that an insider helped the attacker get into the network, but they have no evidence.
The initial analysis performed by the company's team showed that many systems were compromised. Alerts also indicate the use of well-known malicious tools in the network. As a SOC analyst, you are assigned to investigate the incident using QRadar SIEM and reconstruct the events carried out by the attacker.
Dataset:
- Sysmon (SwiftOnSecurity configuration)
- PowerShell logging
- Windows Eventlog
- Suricata IDS
- Zeek logs (conn, HTTP)
Thanks to
- Özer Sarılar for testing and verifying the challenge.
- Hasan Alabbad for the help provided during the preparation phase.
Challenge file details:
- SHA1SUM: 4c14d92d534870b665f08d9f23c73c21f7292ce2
- Password: cyberdefenders.org
- Size: 20 GB
- Published: Jan. 1, 2021, midnight