Bruteforce

Scenario

One of our system administrators identified a large number of Audit Failure events in the Windows Security Event log.

There are a number of different ways to approach the analysis of these logs! Consider the suggested tools, but there are many others out there.

Solution

  1. How many Audit Failure events are there? (Format: Count of Events) (3 points)

    Command: grep -c "Audit Failure" BTLO_Bruteforce_Challenge.txt

    Answer: 3103

  2. What is the username of the local account that is being targeted? (Format: Username) (2 points)

    Opening the file immediately shows "Account For Which Logon Failed", and the associated username is administrator.

    Answer: administrator

  3. What is the failure reason related to the Audit Failure logs? (Format: String) (3 points)

    Answer: Unknown user name or bad password

  4. What is the Windows Event ID associated with these logon failures? (Format: ID) (3 points)

    Answer: 4625

  5. What is the source IP conducting this attack? (Format: X.X.X.X) (3 points)

    Given by the "Source Network Address" field.

    Answer: 113.161.192.227

  6. What country is this IP address associated with? (Format: Country) (3 points)

    Look up the location IP: https://whatismyipaddress.com/ip/113.161.192.227

    Answer: Vietnam

  7. What is the range of source ports that were used by the attacker to make these login requests? (LowestPort-HighestPort - Ex: 100-541) (3 points)

    Command: grep "Source Port" BTLO_Bruteforce_Challenge.txt | grep -o '[[:digit:]]\+' | sort -n | sed -n '1p;$p'

    Sorting the port numbers numerically and printing the first and last lines gives the lowest and highest port.

    Answer: 49162-65534
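The questions above are all answered by the same few fields of each 4625 record, so the whole investigation can be scripted instead of run as separate grep pipelines. The script below is an added example, not part of the original writeup or the BTLO challenge files; it assumes the log is an Event Viewer text export (a tab-separated header line with Keyword, Date, Source, Event ID and Task Category, followed by the message body) and the sample records, IPs, ports and timestamps it embeds are constructed for the example. Beyond the challenge questions, it also reports which source addresses exceed a failure threshold, which is the check a detection rule for password guessing would make.

```python
import re
from collections import Counter

# Constructed sample data: five records in the shape of an Event Viewer text
# export (Keyword, Date, Source, Event ID, Task Category, then the message
# body). The field names follow the real 4625/4624 message layout; the
# timestamps, accounts, IPs and ports are made up for this example.
def _failure_record(ts, account, ip, port):
    return (
        f"Audit Failure\t{ts}\tMicrosoft Windows security auditing.\t4625\tLogon\n"
        "An account failed to log on.\n"
        "Subject:\n\tAccount Name:\t\t-\n"
        "Account For Which Logon Failed:\n"
        f"\tAccount Name:\t\t{account}\n"
        "Failure Information:\n"
        "\tFailure Reason:\t\tUnknown user name or bad password.\n"
        "Network Information:\n"
        f"\tSource Network Address:\t{ip}\n"
        f"\tSource Port:\t\t{port}\n"
    )

SAMPLE_LOG = (
    _failure_record("2021-01-01 10:00:01", "administrator", "198.51.100.7", 49162)
    + "Audit Success\t2021-01-01 10:00:02\tMicrosoft Windows security auditing.\t4624\tLogon\n"
      "An account was successfully logged on.\n"
      "New Logon:\n\tAccount Name:\t\tsvc_backup\n"
      "Network Information:\n\tSource Network Address:\t10.0.0.5\n\tSource Port:\t\t50000\n"
    + _failure_record("2021-01-01 10:00:03", "administrator", "198.51.100.7", 51203)
    + _failure_record("2021-01-01 10:00:04", "backup", "203.0.113.9", 50001)
    + _failure_record("2021-01-01 10:00:05", "administrator", "198.51.100.7", 65534)
)

def _grab(pattern, body):
    """Return the first regex group of pattern in body, or None if absent."""
    m = re.search(pattern, body, re.S)
    return m.group(1).strip() if m else None

def parse_events(text):
    """Split an exported log into records and pull out the fields the
    investigation needs. Each record starts with 'Audit Failure' or
    'Audit Success' at the beginning of a line."""
    events = []
    for chunk in re.split(r"^(?=Audit (?:Failure|Success)\t)", text, flags=re.M):
        if not chunk.strip():
            continue
        header, _, body = chunk.partition("\n")
        cols = header.split("\t")
        port = _grab(r"Source Port:\s*(\d+)", body)
        reason = _grab(r"Failure Reason:\s*([^\n]+)", body)
        events.append({
            "keyword": cols[0],
            "timestamp": cols[1],
            "event_id": cols[3],
            # 4625 carries two 'Account Name' fields (the Subject and the
            # targeted account); only the one under 'Account For Which Logon
            # Failed' is the account being attacked.
            "target_account": _grab(
                r"Account For Which Logon Failed:.*?Account Name:\s*(\S+)", body),
            "failure_reason": reason.rstrip(".") if reason else None,
            "source_ip": _grab(r"Source Network Address:\s*(\S+)", body),
            "source_port": int(port) if port else None,
        })
    return events

def summarize(events):
    """Answer the challenge questions from the parsed events: count the
    Audit Failure records and take the most common value of each field."""
    failures = [e for e in events if e["keyword"] == "Audit Failure"]

    def top(key):
        c = Counter(e[key] for e in failures if e[key] is not None)
        return c.most_common(1)[0][0] if c else None

    ports = sorted(e["source_port"] for e in failures if e["source_port"] is not None)
    return {
        "failure_count": len(failures),
        "targeted_account": top("target_account"),
        "failure_reason": top("failure_reason"),
        "event_id": top("event_id"),
        "source_ip": top("source_ip"),
        "port_range": (ports[0], ports[-1]) if ports else None,
    }

def noisy_sources(events, threshold):
    """Source addresses with at least `threshold` failed logons: a simple
    password-guessing indicator to alert on or review for blocking."""
    counts = Counter(e["source_ip"] for e in events
                     if e["keyword"] == "Audit Failure" and e["source_ip"])
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, value in summarize(evs).items():
        print(f"{key}: {value}")
    print("sources over threshold:", noisy_sources(evs, 3))
```

To run it against the real challenge export, replace SAMPLE_LOG with the contents of BTLO_Bruteforce_Challenge.txt; if that file uses a different header layout, only the column indices in parse_events need adjusting, since the message-body fields are standard 4625 text. The port range in summarize is taken over all failures, so on a multi-source log it should be read per source address rather than globally.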


Tags

  1. log analysis (Private)
  2. 20 points (Private)
  3. medium (Private)