LinkedinTryHackme

Question

Question 1

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data the account name with the highest amount of Kerberos authentication ticket requests. Enter it as your answer.

index="main" sourcetype="WinEventLog:Security" EventCode=4768 | stats count by Account_Name | sort - count | head 1

  • EventCode=4768: Event ID 4768 represents Kerberos TGT ticket requests.

  • stats count by Account_Name: Counts the number of events for each account, grouped by the Account_Name field.

  • sort - count: Sorts the results in descending order based on the number of requests.

  • head 1: Returns only the first result (the account with the highest number of requests).

Question 2

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the count of distinct computers accessed by the account name SYSTEM. Enter it as your answer.

index="main" sourcetype="WinEventLog:Security" EventCode=4624 Account_Name="SYSTEM" | stats dc(ComputerName) as Distinct_Computer_Count

  • EventCode=4624: Filters only successful logon events (4624).

  • Account_Name="SYSTEM": Filters only events where the account name is SYSTEM.

  • stats dc(ComputerName) as Distinct_Computer_Count:

dc(ComputerName): Counts the distinct values ​​of the ComputerName field, which represents the computers accessed.

as Distinct_Computer_Count: Renames the output column to something more readable.

Question 3

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes. Enter it as your answer.

index="main" sourcetype="WinEventLog:Security" EventCode=4624 | stats range(_time) as time_range count by Account_Name | where time_range <= 600 | sort - count | head 1

  • EventCode=4624: Filters only successful login events.

  • stats range(_time) as time_range count by Account_Name:

  • Calculates the maximum time difference (range(_time)) in seconds for each Account_Name.

  • Counts the number of events (count) per account.

  • where time_range <= 600: Filters accounts whose time range (time_range) is 10 minutes (600 seconds) or less.

  • sort - count: Sorts accounts by the highest number of attempts.

  • head 1: Returns only the account with the highest number of logins.

PreviousCore SPL CommandsNextUsing Splunk Applications

Last updated