Elastic-Case blue team ctf

What is the hostname he was using?

What is the name of the malicious file?

What is the attacker's IP address?

Another user with high privilege runs the same malicious file. What is the username?

The attacker was able to upload a DLL file of size 8704. What is the file name?

What parent process name spawns cmd with NT AUTHORITY privilege and pid 10716?

The previous process was able to access a registry. What is the full path of the registry?

PowerShell process with pid 8836 changed a file in the system. What was that filename?

PowerShell process with pid 11676 created files with the ps1 extension. What is the first file that has been created?

What is the machine's IP address that is in the same LAN as a windows machine?

The attacker login to the Ubuntu machine after a brute force attack. What is the username he was successfully login with?

After that attacker downloaded the exploit from the GitHub repo using wget. What is the full URL of the repo?

After The attacker runs the exploit, which spawns a new process called pkexec, what is the process's md5 hash?

Then attacker gets an interactive shell by running a specific command on the process id 3011 with the root user. What is the command?

What is the hostname which alert signal.rule.name: "Netcat Network Activity"?

What is the username who ran netcat?

What is the parent process name of netcat?

If you focus on nc process, you can get the entire command that the attacker ran to get a reverse shell. Write the full command?

From the previous three questions, you may remember a famous java vulnerability. What is it?

What is the entire log file path of the "solr" application?

What is the path that is vulnerable to log4j?

What is the GET request parameter used to deliver log4j payload?

What is the JNDI payload that is connected to the LDAP port?