Question 1
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data the other process that dumped lsass. Enter its name as your answer. Answer format: _.exe
index="main" EventCode=10 lsass | stats count by SourceImage, RuleName
Description:
rundll32.exe was used to load a DLL/loader that accessed lsass.exe memory. Likely Tool/Method: Using tools like Mimikatz (or equivalent functionality) to extract hashes and credentials.
Action taken: Read/dump the memory of the lsass.exe process.
Objective: Credential theft (hashes, clear text passwords, Kerberos tickets).
MITRE ATT&CK Technique: Credential Dumping (T1003.001 – LSASS Memory)
Question 2
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the method through which the other process dumped lsass. Enter the misused DLL's name as your answer. Answer format: _.dll
index="main" "rundll32.exe" *.dll
Responsible process: rundll32.exe
Misused DLL: comsvcs.dll
Action taken: Dump the lsass.exe process
Objective: Theft of credentials stored in system memory
Question 3
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data any suspicious loads of clr.dll that could indicate a C# injection/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format: _.exe
index="main" CallTrace="*UNKNOWN*" SourceImage!="*Microsoft.NET*" CallTrace!=*ni.dll* CallTrace!=*clr.dll* CallTrace!=*wow64* | where SourceImage!=TargetImage | stats count by SourceImage
Responsible process: rundll32.exe
DLL/Library observed: clr.dll
Description: rundll32.exe loaded clr.dll, suggesting code injection via .NET runtime.
Probable method: loading malicious .NET assemblies into memory (injection/execution without writing to disk).
Action taken: Execution of malicious code within the rundll32.exe process.
Goal: stealth execution of payloads, evasion of detection and persistence/remote control.
MITRE ATT&CK Technique: Process Injection (T1055) / Signed Binary Proxy Execution / Living off the Land (T1218).
Question 4
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the two IP addresses of the C2 callback server. Answer format: 10.0.0.1XX and 10.0.0.XX
index="main" sourcetype="WinEventLog:Sysmon" EventCode=3 | stats count by RuleName, DestinationIp
Tactic: Defense Evasion (TA0005) — T1218 (Signed/System Binary Proxy Execution) is a defense evasion technique according to MITRE.
What the technique does: Adversaries use signed or trusted binaries (LOLBins, e.g. rundll32.exe, regsvr32.exe, mshta.exe, notepad.exe) to proxy-execute malicious code and bypass signature/enforcement controls.
Question 5
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the port that one of the two C2 callback server IPs used to connect to one of the compromised machines. Enter it as your answer.
index="main" sourcetype="WinEventLog:Sysmon" EventCode=3 (SourceIp="10.0.0.186" OR SourceIp="10.0.0.91")
| stats values(DestinationPort) as destination_ports
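As an added illustration that is not part of the original walkthrough, the five SPL pivots above (lsass access grouped by source, DLLs handed to rundll32, UNKNOWN call traces outside the .NET runtime, network connections by rule and destination, and ports used by the two callback addresses) are re-implemented in plain Python over a handful of constructed Sysmon events, so the filtering logic behind each query can be read and tested offline. The event contents, host paths, the second dumper process, the ports and the notepad/explorer look-alikes are invented; only the 10.0.0.186 and 10.0.0.91 addresses come from the Question 5 query.

```python
"""Plain-Python re-implementation of the walkthrough's SPL pivots, run over
constructed Sysmon events. Each event is a dict shaped like the fields Splunk
extracts from sourcetype WinEventLog:Sysmon."""
from collections import Counter
import re

T1003 = "technique_id=T1003,technique_name=Credential Dumping"
T1218 = "technique_id=T1218,technique_name=Signed Binary Proxy Execution"
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
LSASS = r"C:\Windows\System32\lsass.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"

# Constructed sample events (not lab data). Only the 10.0.0.186/10.0.0.91
# addresses come from the walkthrough; everything else is invented.
EVENTS = [
    # EventCode 1 (process create): rundll32 given a DLL on its command line
    {"EventCode": 1, "Image": RUNDLL32,
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll <arguments omitted>"},
    {"EventCode": 1, "Image": RUNDLL32,
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # EventCode 10 (process access): two different sources read lsass memory,
    # plus the routine svchost access an analyst has to filter out
    {"EventCode": 10, "RuleName": T1003, "SourceImage": RUNDLL32, "TargetImage": LSASS,
     "CallTrace": r"C:\Windows\System32\comsvcs.dll+1234|UNKNOWN(00000001)"},
    {"EventCode": 10, "RuleName": T1003, "SourceImage": r"C:\Temp\constructed-dumper.exe",
     "TargetImage": LSASS, "CallTrace": r"C:\Windows\System32\ntdll.dll+9d2e4"},
    {"EventCode": 10, "RuleName": "-", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": LSASS, "CallTrace": r"C:\Windows\System32\ntdll.dll+9d2e4"},
    # EventCode 10 with UNKNOWN frames: candidate for in-memory .NET execution,
    # plus three look-alikes the query's exclusions are meant to drop
    {"EventCode": 10, "RuleName": "-", "SourceImage": RUNDLL32, "TargetImage": NOTEPAD,
     "CallTrace": r"C:\Windows\System32\ntdll.dll+a1b2|UNKNOWN(00000002)"},
    {"EventCode": 10, "RuleName": "-", "TargetImage": NOTEPAD,
     "SourceImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe",
     "CallTrace": r"C:\Windows\System32\ntdll.dll+a1b2|UNKNOWN(00000003)"},
    {"EventCode": 10, "RuleName": "-", "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": NOTEPAD,
     "CallTrace": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+5f0|UNKNOWN(00000004)"},
    {"EventCode": 10, "RuleName": "-", "SourceImage": r"C:\Apps\self.exe",
     "TargetImage": r"C:\Apps\self.exe", "CallTrace": r"UNKNOWN(00000005)"},
    # EventCode 3 (network): beacons from a rule-tagged process, browsing noise,
    # and one inbound connection from a callback server on a constructed port
    {"EventCode": 3, "RuleName": T1218, "Image": RUNDLL32, "SourceIp": "10.0.0.20",
     "DestinationIp": "10.0.0.186", "DestinationPort": 443},
    {"EventCode": 3, "RuleName": T1218, "Image": RUNDLL32, "SourceIp": "10.0.0.20",
     "DestinationIp": "10.0.0.91", "DestinationPort": 80},
    {"EventCode": 3, "RuleName": "-", "Image": r"C:\Program Files\Browser\browser.exe",
     "SourceIp": "10.0.0.20", "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    {"EventCode": 3, "RuleName": "-", "Image": "System", "SourceIp": "10.0.0.186",
     "DestinationIp": "10.0.0.20", "DestinationPort": 9001},
]

def _has(value, needle):
    """SPL wildcard and free-text matches are case-insensitive; mirror that."""
    return needle.lower() in str(value).lower()

def lsass_access_by_source(events):
    """Q1: EventCode=10 lsass | stats count by SourceImage, RuleName"""
    return Counter((e["SourceImage"], e.get("RuleName", "-")) for e in events
                   if e["EventCode"] == 10 and _has(e.get("TargetImage", ""), "lsass"))

def rundll32_dll_arguments(events):
    """Q2: "rundll32.exe" *.dll -> which DLLs rundll32 was launched with"""
    dlls = Counter()
    for e in events:
        if e["EventCode"] == 1 and _has(e.get("Image", ""), "rundll32.exe"):
            for dll in re.findall(r"[\w.-]+\.dll", e.get("CommandLine", ""), re.I):
                dlls[dll.lower()] += 1
    return dlls

def suspicious_clr_sources(events):
    """Q3: CallTrace=*UNKNOWN* SourceImage!=*Microsoft.NET* CallTrace!=*ni.dll*
    CallTrace!=*clr.dll* CallTrace!=*wow64* | where SourceImage!=TargetImage
    | stats count by SourceImage"""
    hits = Counter()
    for e in events:
        trace = e.get("CallTrace", "")
        if not _has(trace, "UNKNOWN") or _has(e.get("SourceImage", ""), "Microsoft.NET"):
            continue
        if any(_has(trace, x) for x in ("ni.dll", "clr.dll", "wow64")):
            continue
        if e["SourceImage"] == e.get("TargetImage"):
            continue
        hits[e["SourceImage"]] += 1
    return hits

def connections_by_rule(events):
    """Q4: EventCode=3 | stats count by RuleName, DestinationIp"""
    return Counter((e.get("RuleName", "-"), e["DestinationIp"])
                   for e in events if e["EventCode"] == 3)

def tagged_destinations(events):
    """Q4 pivot: destinations reached by connections a Sysmon rule tagged
    (RuleName != "-"), which is how the two callback IPs stand out."""
    return sorted({ip for (rule, ip), _ in connections_by_rule(events).items() if rule != "-"})

def ports_used_by(events, source_ips):
    """Q5: EventCode=3 (SourceIp=a OR SourceIp=b) | stats values(DestinationPort)"""
    return sorted({e["DestinationPort"] for e in events
                   if e["EventCode"] == 3 and e.get("SourceIp") in source_ips})

if __name__ == "__main__":
    print("lsass access:", lsass_access_by_source(EVENTS))
    print("rundll32 DLLs:", rundll32_dll_arguments(EVENTS))
    print("UNKNOWN-trace sources:", suspicious_clr_sources(EVENTS))
    print("tagged destinations:", tagged_destinations(EVENTS))
    print("ports from callback IPs:", ports_used_by(EVENTS, {"10.0.0.186", "10.0.0.91"}))
```

The sample deliberately includes the rows each exclusion in the Question 3 query is there to remove (a source under Microsoft.NET, a call trace that already names clr.dll, and a self-access where SourceImage equals TargetImage), so dropping any one filter changes the result and shows why the walkthrough's query carries all of them.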