Advent of Cyber 2024 — Day 2 Report

Odiomonafe Jamal . A
2 min read · Dec 9, 2024


The SOC team in Wareville was overwhelmed with numerous alerts during the holiday season, leading to potential alert fatigue. A peculiar set of alerts about encoded PowerShell commands prompted an investigation into the activities surrounding the service_admin account.

Key Learnings

True Positives (TP) vs. False Positives (FP)

  • True Positive (TP): An alert indicating actual malicious or significant activity.
  • False Positive (FP): An alert triggered by benign activity that appears suspicious.

Effective differentiation is crucial:

  • Misclassifying a TP as FP may result in missed cyberattacks.
  • Misclassifying an FP as TP leads to wasted resources and attention.

SOC Superpowers:

  1. User Validation: Confirming activities directly with users.
  2. Change Management: Verifying if activities align with approved changes.
  3. Contextual Analysis: Understanding historical behavior patterns.
  4. Correlation: Building timelines from events to uncover patterns.

Investigation Steps

1. Initial Discovery:

  • Timeline: Set to Dec 1, 2024, from 09:00 to 09:30.
  • Filters Applied:
      • Hostname: host.hostname
      • User: user.name
      • Event Category: event.category
      • Command Line: process.command_line
      • Outcome: event.outcome
  • Observation: Encoded PowerShell commands executed across multiple machines preceded by successful authentication events.

2. Expanding the Context:

  • Timeframe extended: Nov 29 — Dec 1, 2024.
  • Narrowed events by filtering for user.name (service_admin) and source.ip (10.0.11.11).
  • Found an unusual spike in failed logins from another IP: 10.0.255.1.

3. Correlation Analysis:

  • Failed Logins: 6791 attempts over the extended timeframe.
  • Successful Login: Dec 1, 2024, at 08:54:39.
  • Command Executed: Encoded PowerShell command decoded to Install-WindowsUpdate -AcceptAll -AutoReboot.
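The three investigation steps above, replayed as an added example that is not part of the original write-up or of the TryHackMe room: ECS-style events carrying the fields the write-up filters on (host.hostname, user.name, event.category, event.outcome, source.ip, process.command_line) are restricted to the extended timeframe, failed logons are counted per source IP, the first successful logon from the noisiest IP is located, and the payload of any -EncodedCommand run on ADM-01 is decoded (PowerShell encodes the script as Base64 over UTF-16LE text). The sample events, their counts and every timestamp except the 08:54:39 logon are constructed for illustration; the field names, account, host and IP addresses come from the write-up.

```python
import base64
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample telemetry using the ECS field names the write-up filters on.
# Counts and most timestamps are made up for illustration; they are not the room's data.
ENCODED = base64.b64encode(
    "Install-WindowsUpdate -AcceptAll -AutoReboot".encode("utf-16-le")
).decode("ascii")

def _auth(ts, outcome, ip, host="ADM-01", user="service_admin"):
    """Build one constructed authentication event."""
    return {"@timestamp": ts, "host.hostname": host, "user.name": user,
            "event.category": "authentication", "event.outcome": outcome, "source.ip": ip}

SAMPLE_EVENTS = [
    _auth("2024-11-20T12:00:00Z", "failure", "10.0.255.1"),  # outside the analysed window
    _auth("2024-11-29T22:10:01Z", "failure", "10.0.255.1"),
    _auth("2024-11-30T03:41:17Z", "failure", "10.0.255.1"),
    _auth("2024-11-30T10:00:00Z", "success", "10.0.11.11"),  # routine logon from the usual source
    _auth("2024-12-01T08:54:31Z", "failure", "10.0.255.1"),
    _auth("2024-12-01T08:54:35Z", "failure", "10.0.255.1"),
    _auth("2024-12-01T08:54:39Z", "success", "10.0.255.1"),  # the guess that finally worked
    {"@timestamp": "2024-12-01T09:02:12Z", "host.hostname": "ADM-01", "user.name": "service_admin",
     "event.category": "process", "event.outcome": "success",
     "process.command_line": f"powershell.exe -ExecutionPolicy Bypass -EncodedCommand {ENCODED}"},
]

def parse_ts(ts):
    """ISO-8601 with a trailing Z, as Elastic emits it, to an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def failed_logins_by_source(events, user, start, end):
    """Steps 2 and 3: count failed authentications per source.ip for one account in a window."""
    counts = Counter()
    for ev in events:
        if (ev.get("event.category") == "authentication"
                and ev.get("event.outcome") == "failure"
                and ev.get("user.name") == user
                and start <= parse_ts(ev["@timestamp"]) <= end):
            counts[ev["source.ip"]] += 1
    return counts

def first_successful_logon(events, user, source_ip):
    """Step 3: earliest successful authentication for user from source_ip, or None."""
    hits = sorted(ev["@timestamp"] for ev in events
                  if ev.get("event.category") == "authentication"
                  and ev.get("event.outcome") == "success"
                  and ev.get("user.name") == user
                  and ev.get("source.ip") == source_ip)
    return hits[0] if hits else None

# -EncodedCommand and its accepted short forms. "-ExecutionPolicy" cannot match because the
# flag must be followed by whitespace and then a Base64 token.
ENC_FLAG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(command_line):
    """PowerShell's -EncodedCommand is Base64 over the UTF-16LE script text."""
    m = ENC_FLAG.search(command_line or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def decoded_commands(events, user, host):
    """Step 1: every decodable encoded PowerShell run by user on host, in time order."""
    out = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if (ev.get("event.category") == "process" and ev.get("user.name") == user
                and ev.get("host.hostname") == host):
            decoded = decode_encoded_command(ev.get("process.command_line"))
            if decoded is not None:
                out.append((ev["@timestamp"], decoded))
    return out

def investigate(events, user="service_admin", host="ADM-01"):
    """Replay the write-up's three steps over the events and return the findings."""
    start = datetime(2024, 11, 29, tzinfo=timezone.utc)   # extended timeframe from step 2
    end = datetime(2024, 12, 1, 23, 59, 59, tzinfo=timezone.utc)
    failures = failed_logins_by_source(events, user, start, end)
    suspect_ip, attempts = failures.most_common(1)[0] if failures else (None, 0)
    return {
        "failed_by_source": dict(failures),
        "suspect_ip": suspect_ip,
        "failed_attempts": attempts,
        "first_success": first_successful_logon(events, user, suspect_ip),
        "decoded_commands": decoded_commands(events, user, host),
    }

if __name__ == "__main__":
    print(json.dumps(investigate(SAMPLE_EVENTS), indent=2))
```

The same logic applies to a real export from Kibana (Discover lets you download the filtered hits as JSON or CSV): swap SAMPLE_EVENTS for the exported documents and the counts, the first success and the decoded command fall out in one pass, which is the correlation step the write-up does by hand.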

Revelation

  • Glitch’s Actions: Glitch carried out the brute-force attack, fixed the expired credentials, and applied updates using a PowerShell command.
  • Outcome: Glitch’s actions, though unconventional, helped secure Wareville’s systems.

TASKS

  1. Name of the Account Causing Failed Logins: service_admin
  2. Number of Failed Logon Attempts: 6791
  3. IP Address of Glitch: 10.0.255.1
  4. Time of Successful Logon to ADM-01: Dec 1, 2024 08:54:39.000
  5. Decoded PowerShell Command Executed by Glitch: Install-WindowsUpdate -AcceptAll -AutoReboot

This task underscored the importance of context and thorough analysis in a SOC environment. Misjudging alerts can have significant consequences, as shown by the misunderstood actions of Glitch, who turned out to be an unexpected hero for Wareville.
