Advent of Cyber 2024 — Day 2 Report
Dec 9, 2024
The SOC team in Wareville was overwhelmed with numerous alerts during the holiday season, leading to potential alert fatigue. A peculiar set of alerts about encoded PowerShell commands prompted an investigation into the activities surrounding the service_admin account.
Key Learnings
True Positives (TP) vs. False Positives (FP)
- True Positive (TP): An alert indicating actual malicious or significant activity.
- False Positive (FP): An alert triggered by benign activity that appears suspicious.
Effective differentiation is crucial:
- Misclassifying a TP as FP may result in missed cyberattacks.
- Misclassifying an FP as TP leads to wasted resources and attention.
SOC Superpowers:
- User Validation: Confirming activities directly with users.
- Change Management: Verifying if activities align with approved changes.
- Contextual Analysis: Understanding historical behavior patterns.
- Correlation: Building timelines from events to uncover patterns.
Investigation Steps
1. Initial Discovery:
   - Timeline: Set to Dec 1, 2024, from 09:00 to 09:30.
   - Filters applied:
     - Hostname: `host.hostname`
     - User: `user.name`
     - Event category: `event.category`
     - Command line: `process.command_line`
     - Outcome: `event.outcome`
   - Observation: Encoded PowerShell commands were executed across multiple machines, each preceded by a successful authentication event.
2. Expanding the Context:
   - Timeframe extended: Nov 29 to Dec 1, 2024.
   - Narrowed events by filtering for `user.name` (service_admin) and `source.ip` (10.0.11.11).
   - Found an unusual spike in failed logins from another IP: 10.0.255.1.
3. Correlation Analysis:
   - Failed logins: 6791 attempts over those days.
   - Successful login: Dec 1, 2024, at 08:54:39.
   - Command executed: An encoded PowerShell command that decoded to `Install-WindowsUpdate -AcceptAll -AutoReboot`.
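As an added example (not part of the original write-up or the TryHackMe room), the Python below reconstructs the three investigation steps over a handful of constructed ECS-style events, using the same field names the Kibana filters used: it decodes a `-EncodedCommand` argument (PowerShell expects Base64 over UTF-16LE text, which is why a plain UTF-8 decode of that Base64 produces garbage), counts failed logons per (user, source IP), and flags a success that follows a burst of failures, attaching the decoded text of any encoded PowerShell the same account then ran on that host. The event records, the 12-failure burst standing in for the 6791 real attempts, the timestamps, and the `correlate` and `decode_encoded_powershell` names are assumptions; the account name, the two IP addresses and the decoded command come from the report.

```python
import base64
import re
from collections import defaultdict
from typing import Optional

# Decoded command from the report, re-encoded the way PowerShell expects it:
# -EncodedCommand takes Base64 over UTF-16LE text, not UTF-8.
PLAIN_COMMAND = "Install-WindowsUpdate -AcceptAll -AutoReboot"
ENCODED = base64.b64encode(PLAIN_COMMAND.encode("utf-16-le")).decode("ascii")


def _auth(ts, outcome, src_ip="10.0.255.1", host="ADM-01"):
    """Build a constructed ECS-style authentication event."""
    return {"@timestamp": ts, "event.category": "authentication",
            "event.outcome": outcome, "user.name": "service_admin",
            "source.ip": src_ip, "host.hostname": host}


# Constructed sample data (assumption: 12 failures stand in for the 6791 in the
# report): a burst of failed logons from 10.0.255.1, one success, an encoded
# PowerShell process on the same host, and a benign logon from the admin IP
# that step 2 filtered on.
EVENTS = [_auth("2024-11-30T22:00:%02dZ" % i, "failure") for i in range(12)] + [
    _auth("2024-12-01T08:54:39Z", "success"),
    {"@timestamp": "2024-12-01T09:03:12Z", "event.category": "process",
     "user.name": "service_admin", "host.hostname": "ADM-01",
     "process.command_line":
         "powershell.exe -NoProfile -EncodedCommand " + ENCODED},
    _auth("2024-12-01T09:10:00Z", "success", src_ip="10.0.11.11"),
]

# PowerShell accepts abbreviations of -EncodedCommand; match the common ones.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE)


def decode_encoded_powershell(command_line: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None when the
    command line carries none (or the payload is not valid Base64/UTF-16LE)."""
    match = ENC_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def correlate(events, threshold=10):
    """Flag each (user, source.ip) pair whose run of failed logons reaches
    `threshold` and is then followed by a success; attach the decoded text of
    any encoded PowerShell that user subsequently runs on the same host.
    Returns a list of finding dicts in timestamp order."""
    failures = defaultdict(int)
    findings = []
    for e in sorted(events, key=lambda ev: ev["@timestamp"]):
        key = (e["user.name"], e.get("source.ip"))
        if e["event.category"] == "authentication":
            if e["event.outcome"] == "failure":
                failures[key] += 1
            elif e["event.outcome"] == "success":
                if failures[key] >= threshold:
                    findings.append({"user": key[0], "source_ip": key[1],
                                     "failed_attempts": failures[key],
                                     "success_at": e["@timestamp"],
                                     "host": e["host.hostname"],
                                     "decoded_commands": []})
                failures[key] = 0  # a success ends the run either way
        elif e["event.category"] == "process":
            decoded = decode_encoded_powershell(e.get("process.command_line", ""))
            if decoded is None:
                continue
            for finding in findings:
                if (finding["user"], finding["host"]) == (e["user.name"], e["host.hostname"]):
                    finding["decoded_commands"].append(decoded)
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(f"{finding['user']} from {finding['source_ip']}: "
              f"{finding['failed_attempts']} failures, then success at "
              f"{finding['success_at']} on {finding['host']}")
        for cmd in finding["decoded_commands"]:
            print("  decoded PowerShell:", cmd)
```

The finding on its own only says "many failures, then a success, then encoded PowerShell", which is exactly the pattern that looks like a true positive at first glance. Decoding the command is what lets the analyst see that the payload was an update install, and the benign login from 10.0.11.11 produces no finding because no failure run precedes it; whether the flagged activity is a TP or FP still depends on the user validation and change-management checks the write-up lists.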
Revelation
- Glitch’s Actions: A brute-force attack was carried out by Glitch, who fixed expired credentials and applied updates using a PowerShell command.
- Outcome: Glitch’s actions helped secure Wareville’s systems, though unconventional.
TASKS
- Name of the Account Causing Failed Logins: service_admin
- Number of Failed Logon Attempts: 6791
- IP Address of Glitch: 10.0.255.1
- Time of Successful Logon to ADM-01: Dec 1, 2024 08:54:39.000
- Decoded PowerShell Command Executed by Glitch: Install-WindowsUpdate -AcceptAll -AutoReboot
This task underscored the importance of context and thorough analysis in a SOC environment. Misjudging alerts can have significant consequences, as shown by the misunderstood actions of Glitch, who turned out to be an unexpected hero for Wareville.