Description:
An introductory ELK challenge to get you started with Kibana.
Scenario:
Overnight we've had an attack on our network. We have two devices in the cloud, and it appears both have been compromised.
The attack appears to have taken place on the 25th of May between 9pm and 11:30pm. Our network is composed of one box that is front facing with an SSH port open to the web and a second server behind it running an old Elastic Stack. Please recover the information requested in these challenges so we can piece together what happened.
Thanks to OussHr and th3c0rt3x for reviewing the challenge.
# | Question | Weight | Solved
---|---|---|---
1 | Using the "View Surrounding Documents" option, find the ID of the document that is 14 documents after the id GDQOB3IBwJHf9VOW-r0Y. | 50 | 59
2 | Using the "View Surrounding Documents" option, find the IP of the document that is 16 documents before the id vDQOB3IBwJHf9VOW-Lyd. | 50 | 58
3 | How many requests have come from the IP address 2.49.53.218 between the 6th of May and the 13th of May? (time is in UTC) | 50 | 74
4 | What percentage of logs are from Windows 8 machines on the 11th of May? (time is in UTC) | 50 | 48
5 | How many 503 errors were there on the 8th of May? (time is in UTC) | 50 | 71
6 | How many connections to the host "www.elastic.co" were made on the 12th of May? (time is in UTC) | 50 | 65
7 | What is the second most common extension of files being accessed on the 12th of May? (time is in UTC) | 50 | 64
8 | Find the first IP address to connect to the host elastic-elastic-elastic.org on the 12th of May. (time is in UTC) | 50 | 66
9 | What username was used in the failed login on the 15th of May at 10:44 pm? (time is in UTC) | 50 | 51
10 | What is the host machine's hostname? | 50 | 54
11 | Using current data, what version of the stack is running? | 50 | 59
12 | Using current data in the auditbeat index, what is the name of the elasticsearch node? | 50 | 32
13 | What is the name of the beat used to collect Windows logs? | 50 | 56
14 | What is the name of the beat that sends network data? | 50 | 54
15 | What are the three core programs in an ELK stack? | 50 | 61
16 | How many fields are in the auditbeat-* index pattern? | 50 | 42
17 | On the 14th of May, how many failed authentication attempts did the host server receive? (time is in UTC) | 100 | 40
18 | On the 13th and 14th of May, how many bytes were received by the source IP 159.89.203.214? (time is in UTC) | 100 | 34
19 | What username did they crack? | 100 | 37
20 | What host was attacked? | 100 | 35
21 | How many failed attempts were made on the machine? | 100 | 29
22 | What time was the last failed login attempt? | 100 | 31
23 | What time did the attacker successfully log in? | 100 | 31
24 | What is the first command the attacker ran on the box? | 100 | 30
25 | What tool did the attacker use to get the exploit onto the machine? | 100 | 35
26 | Shortly after getting the exploit onto the machine, the attacker used vim to create a file. What is the name of that file? | 100 | 33
27 | What is the filename of the exploit that was run? | 100 | 34
28 | What is the ID of the first log that shows the exploit being run? | 100 | 17
29 | What parameter turned the script from testing to exploiting? | 150 | 29
30 | Using filebeat data - What IP was the shell sent to? | 150 | 31
31 | Using filebeat data - After running the exploit, they accessed the /etc/passwd file. What is the ID of the doc that shows this? | 150 | 21
32 | Using filebeat data - We think they created a new user. What was the name of that user? | 150 | 23