I couldn’t solve these two questions. Is there anyone who can help? Do we use Event Viewer to find it? I couldn’t find it that way.
Think about the first attack, what is it? It gives you the answer for the 2nd question. In the other question, the attacker downloaded a file to es****** pr******* after getting a shell. You can see it in the Sysmon log.
We are supposed to write the attack type as shown in the image, right? Whatever I wrote, it didn’t work. For the other question, I checked those with Event ID 11, but none of them were correct.
Actually you are right, but how did the attacker connect with RDP? It doesn't seem to connect directly. An attack happened before the connection. How could you find the time of the first attack, according to what? You should focus on these questions.
Did you find the downloaded file? The answer format is just the path without the file name, and it may not fit the given format.
There was an extra / at the end of my answer, that’s why I couldn’t answer it. In the other question, it didn’t work because I wrote it as ****.001, but it should have been just ****. I’m a bit stupid today. Thank you for your help.
I'm curious about this task: must we check all events in Event Viewer one by one, or do you know an easier way?
You can filter logs based on specific event IDs according to the question. For example, you can identify the created file using event ID 11 logs, or for network-related questions, you can filter event ID 3 logs. I haven’t tried it during this lab, but there are tools like DeepBlueCLI that perform threat hunting using event logs.
Yeah, I know this filtering. I mean, is there any other filtering?
Hello, I'm stuck on these three questions. I can't make any progress at all. Could you help with what approach I should follow, or exactly where in the log I should focus?
For the last question, you first need to look at Event ID 11, that is Sysmon Event ID 11: FileCreate. You can focus on Event ID 11. For the path of the downloaded file: the attacker downloads a file, so you need to focus on its current directory part. For the first question, think in general terms without going into too much detail: which attack method do you think this attacker tried?
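The two replies above (filtering Sysmon by Event ID 11 for FileCreate and Event ID 3 for network connections, then reading the path out of the event) can be done in one pass from PowerShell instead of clicking through Event Viewer. The script below is an added example, not code from the thread or from the lab. It assumes the default Sysmon channel name `Microsoft-Windows-Sysmon/Operational` (or a saved `.evtx` passed via `-Path`), uses the EventData field names Sysmon documents for these two event types (`Image`, `TargetFilename`, `DestinationIp`, `DestinationPort`), and the directory fragment `<DIRECTORY-FROM-LAB>` is a placeholder for the path hinted at in the thread.

```powershell
# Added example (not from the thread): project named EventData fields out of
# Sysmon events by Event ID, from the live channel or from an exported .evtx.
function Get-SysmonField {
    param(
        [Parameter(Mandatory)][int]$Id,     # 11 = FileCreate, 3 = NetworkConnect
        [string[]]$Fields = @(),            # EventData <Data Name="..."> values to keep
        [string]$Path,                      # optional: saved .evtx instead of the live log
        [int]$MaxEvents = 1000              # assumption: enough for a lab-sized log
    )
    if ($Path) {
        # Exported log: filter with XPath on the System/EventID node
        $events = Get-WinEvent -Path $Path -FilterXPath "*[System[EventID=$Id]]" -MaxEvents $MaxEvents
    } else {
        $events = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $Id
        } -MaxEvents $MaxEvents
    }
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()                          # EventData lives in the XML body
        $row = [ordered]@{ TimeCreated = $e.TimeCreated; Id = $e.Id }
        foreach ($f in $Fields) {
            $row[$f] = ($xml.Event.EventData.Data | Where-Object Name -eq $f).'#text'
        }
        [pscustomobject]$row
    }
}

# 1) Every file written (Event ID 11), oldest first: which process wrote what, where
Get-SysmonField -Id 11 -Fields Image, TargetFilename |
    Sort-Object TimeCreated |
    Format-Table -AutoSize

# 2) Narrow to the directory the thread hints at; the answer wanted is the
#    directory part only, so strip the file name with Split-Path
Get-SysmonField -Id 11 -Fields Image, TargetFilename |
    Where-Object TargetFilename -like '*<DIRECTORY-FROM-LAB>*' |
    Select-Object TimeCreated, Image, @{ n = 'Directory'; e = { Split-Path $_.TargetFilename } }

# 3) Network side (Event ID 3): what the same process talked to, and the earliest
#    event overall, which bounds the time of the first attack
Get-SysmonField -Id 3 -Fields Image, DestinationIp, DestinationPort, Initiated |
    Sort-Object TimeCreated |
    Select-Object -First 20 |
    Format-Table -AutoSize
```

Parsing `ToXml()` rather than indexing `$e.Properties[n]` keeps the field lookup stable across Sysmon versions, where the positional order of properties has changed; a field that a given version does not emit simply comes back empty. For a saved log, call `Get-SysmonField -Id 11 -Path .\sysmon.evtx -Fields Image, TargetFilename` instead of querying the live channel.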
Thank you very much for your help.