THM - Advent of Cyber 2024 Day 2

Mohamed Ali
2 min read · Dec 2, 2024


One man’s false positive is another man’s potpourri.

The Story

It’s the most wonderful time of the year again, and it’s also the most stressful day for Wareville’s Security Operations Center (SOC) team. Despite the overwhelming alerts generated by the new and noisy rules deployed, Wareville’s SOC analysts have been processing them nonstop to ensure the safety of the town.

However, the SOC analysts are now burning out from all the workload that must be cleared before Christmas. Numerous open cases are still pending, and similar alerts keep firing repeatedly, making them suspect that many of them are false positives.

Now, help Wareville's awesome SOC team analyse the alerts to determine whether the rumour is true: that Mayor Malware is instigating chaos within the town.

Answer the questions below

1- What is the name of the account causing all the failed login attempts?

2- How many failed logon attempts were observed?

Question Hint: Set the event.category filter to authentication and event.outcome to failure.

3- What is the IP address of Glitch?

4- When did Glitch successfully log on to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS

Question Hint: Set the event.category filter to authentication, event.outcome to success, and host.hostname to ADM-01.

5- What is the decoded command executed by Glitch to fix the systems of Wareville?
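The hints above describe the same triage steps an analyst would click through in Kibana: filter on event.category, event.outcome and host.hostname, then count, group by account and read off a timestamp in the requested format. The script below is an added example (not part of the room or this writeup) that applies those ECS-style filters to a handful of constructed events; the account names, hosts, IPs and timestamps in it are invented sample data, not the room's answers.

```python
"""Apply the Kibana-style filters from the question hints to ECS-shaped events.

Added example: the events below are constructed sample data, not the room's logs.
"""
from collections import Counter
from datetime import datetime


def _ev(ts, category, outcome, host, user, ip):
    # Build one ECS-shaped event (the nested form Elasticsearch stores).
    return {
        "@timestamp": ts,
        "event": {"category": category, "outcome": outcome},
        "host": {"hostname": host},
        "user": {"name": user},
        "source": {"ip": ip},
    }


# Constructed sample events: a burst of failures from one account, a stray
# failure from another, two successes and one non-authentication event.
EVENTS = [
    _ev("2024-12-01T08:00:00.000Z", "authentication", "failure", "WKSTN-01", "svc_backup", "10.0.0.5"),
    _ev("2024-12-01T08:00:01.250Z", "authentication", "failure", "WKSTN-01", "svc_backup", "10.0.0.5"),
    _ev("2024-12-01T08:00:02.500Z", "authentication", "failure", "ADM-01", "svc_backup", "10.0.0.5"),
    _ev("2024-12-01T08:05:00.000Z", "authentication", "failure", "WKSTN-02", "jdoe", "10.0.0.9"),
    _ev("2024-12-01T08:01:15.123Z", "authentication", "success", "ADM-01", "svc_backup", "10.0.0.5"),
    _ev("2024-12-01T08:06:00.000Z", "authentication", "success", "WKSTN-02", "jdoe", "10.0.0.9"),
    _ev("2024-12-01T08:01:20.000Z", "process", "unknown", "ADM-01", "svc_backup", "10.0.0.5"),
]


def get_path(event, dotted):
    """Resolve a dotted ECS field name (e.g. 'event.outcome') against a nested dict."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def filter_events(events, filters):
    """Keep events where every dotted field equals the requested value (AND of filters)."""
    return [e for e in events if all(get_path(e, k) == v for k, v in filters.items())]


def failed_logons(events):
    # Hint for Q2: event.category = authentication AND event.outcome = failure.
    return filter_events(events, {"event.category": "authentication", "event.outcome": "failure"})


def top_failing_account(events):
    # Q1: group the failures by user.name and take the most frequent account.
    counts = Counter(get_path(e, "user.name") for e in failed_logons(events))
    return counts.most_common(1)[0]


def source_ips_for(events, username):
    # Q3: the distinct source IPs seen for a given account.
    return sorted({get_path(e, "source.ip") for e in events if get_path(e, "user.name") == username})


def successful_logons_on(events, hostname):
    # Hint for Q4: authentication AND success AND host.hostname = <host>.
    return filter_events(
        events,
        {"event.category": "authentication", "event.outcome": "success", "host.hostname": hostname},
    )


def format_timestamp(iso_ts):
    """Render an ISO-8601 UTC timestamp in the Q4 answer format MMM D, YYYY HH:MM:SS.SSS."""
    dt = datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%S.%fZ")
    return f"{dt:%b} {dt.day}, {dt.year} {dt:%H:%M:%S}.{dt.microsecond // 1000:03d}"


if __name__ == "__main__":
    name, n = top_failing_account(EVENTS)
    print(f"failed logons: {len(failed_logons(EVENTS))}, noisiest account: {name} ({n})")
    print(f"source IPs for {name}: {source_ips_for(failed_logons(EVENTS), name)}")
    for e in successful_logons_on(EVENTS, "ADM-01"):
        print(f"success on ADM-01 at {format_timestamp(e['@timestamp'])}")
```

The non-authentication event on ADM-01 is deliberately included: it is dropped by the event.category filter exactly as it would be in Kibana, which is why filtering on category first keeps the failure count honest.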
