ItsyBitsy

Put your ELK knowledge together and investigate an incident.

Investigate Potential C2 Communication Alert

Examine the network connection logs of the user Browne. Find the link to, and the content of, a suspicious file, then answer the questions. Initially no logs populated in Kibana; widening the time picker to the last two years revealed events from March 2022.

With the baseline dates known, the time range can be narrowed to March 2022 and the questions answered accurately.

How many events were returned for the month of March 2022?

1482

What is the IP associated with the suspected user in the logs?

192.166.65.54

The user’s machine used a legitimate Windows binary to download a file from the C2 server. What is the name of the binary?

bitsadmin

During this period the infected machine connected to a well-known file-sharing site, which also acts as a C2 channel used by the malware authors to communicate. What is the name of the file-sharing site?

pastebin.com

What is the full URL of the C2 to which the infected host is connected?

pastebin.com/ytg0Ah6a
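The same triage can be scripted once the logs are exported from Kibana (or pulled from the index). The block below is an added example, not part of the original writeup or of the room; the field names (user_name, source_ip, process_name, host, uri) are assumptions standing in for whatever the room's index actually uses, and the log records are constructed to mirror the findings above (a handful of documents rather than the room's 1482). It narrows to the month, pivots from user to source IP, then looks for a living-off-the-land downloader such as bitsadmin.exe reaching a paste or file-sharing host and reassembles the full URL.

```python
"""Scripted version of the ItsyBitsy triage over constructed connection-log records.

Added example. Field names are assumptions; SAMPLE_LOGS is constructed, not exported
from the room's Kibana instance.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample shaped like JSON documents from an Elasticsearch index.
SAMPLE_LOGS = [
    {"@timestamp": "2022-03-01T08:12:04Z", "user_name": "Browne", "source_ip": "192.166.65.54",
     "process_name": "chrome.exe", "host": "www.microsoft.com", "uri": "/"},
    {"@timestamp": "2022-03-02T09:45:17Z", "user_name": "Browne", "source_ip": "192.166.65.54",
     "process_name": "bitsadmin.exe", "host": "pastebin.com", "uri": "/ytg0Ah6a"},
    {"@timestamp": "2022-03-02T09:45:18Z", "user_name": "Browne", "source_ip": "192.166.65.54",
     "process_name": "bitsadmin.exe", "host": "pastebin.com", "uri": "/ytg0Ah6a"},
    {"@timestamp": "2022-03-15T13:03:41Z", "user_name": "Smith", "source_ip": "192.166.65.21",
     "process_name": "outlook.exe", "host": "outlook.office365.com", "uri": "/"},
    {"@timestamp": "2022-04-01T00:00:01Z", "user_name": "Browne", "source_ip": "192.166.65.54",
     "process_name": "chrome.exe", "host": "www.google.com", "uri": "/"},
]

# Legitimate Windows binaries commonly abused to fetch payloads (LOLBins).
# bitsadmin.exe is the one this room turns on; the others are typical peers.
LOLBIN_DOWNLOADERS = {"bitsadmin.exe", "certutil.exe", "powershell.exe", "mshta.exe", "regsvr32.exe"}
# Paste / file-sharing hosts that malware routinely uses as a dead-drop C2 channel.
PASTE_AND_FILESHARE_HOSTS = {"pastebin.com", "paste.ee", "transfer.sh", "anonfiles.com"}


def parse_ts(record):
    """Parse the ISO-8601 timestamp Elasticsearch stores in @timestamp."""
    return datetime.strptime(record["@timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def events_in_month(logs, year, month):
    """Count events whose timestamp falls in the given month (the March 2022 question)."""
    return sum(1 for r in logs if (parse_ts(r).year, parse_ts(r).month) == (year, month))


def ip_for_user(logs, user):
    """Most frequent source IP seen for a user: the value to pivot on next."""
    ips = Counter(r["source_ip"] for r in logs if r["user_name"] == user)
    return ips.most_common(1)[0][0] if ips else None


def suspicious_downloads(logs, source_ip):
    """Connections from the host where a LOLBin downloader reached a paste/file-sharing site."""
    return [r for r in logs
            if r["source_ip"] == source_ip
            and r["process_name"].lower() in LOLBIN_DOWNLOADERS
            and r["host"].lower() in PASTE_AND_FILESHARE_HOSTS]


def c2_urls(logs, source_ip):
    """Distinct host+path pairs from the suspicious connections (scheme omitted, as in the room)."""
    return sorted({r["host"] + r["uri"] for r in suspicious_downloads(logs, source_ip)})


def triage(logs, user="Browne"):
    """Run the whole chain: month count, user IP, abused binary, C2 site, full URL."""
    ip = ip_for_user(logs, user)
    hits = suspicious_downloads(logs, ip) if ip else []
    return {
        "events_march_2022": events_in_month(logs, 2022, 3),
        "user_ip": ip,
        "binary": sorted({r["process_name"] for r in hits}),
        "sites": sorted({r["host"] for r in hits}),
        "urls": c2_urls(logs, ip) if ip else [],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Against the real index the month count comes from the Kibana hit total rather than this sample, but the pivot order (user, then IP, then process and destination host) is the same one that resolves the questions above. Matching on process name alone is not enough: BITS transfers to corporate hosts are normal, so the destination-host allowlist/denylist step is what separates the pastebin fetch from background noise.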