CyberDefenders ELASTIC CASE write-up

CyberDefenders is a great resource for cyber security analysts. The platform offers many different rooms for investigating cyber crimes. One of them is the Elastic Case room, which gives you a server with an ELK stack already deployed.

Let's dive into the ELK stack!

We download the file and extract it. With VirtualBox open, we double-click the .ova file that comes out of the archive, import it, and our machine is ready.

Zip Password:

SHA1: 0eda6605d309486110f012bc8dc73e4652059b04

Access the Kibana interface via

username: elastic


#1 Who downloads the malicious file which has a double extension?

We can see the malicious file alerts under Observability > Security > Overview. The double-extension file looks like orhan.xml.exe.

Use this pattern to search for double-extension files:

filename *.*.*

#2 What is the hostname he was using?

The same view shows us the hostname.

#3 What is the name of the malicious file?

The same view also includes the file name.

#4 What is the attacker’s IP address?

#5 Another user with high privilege runs the same malicious file. What is the username?

The other username also appears on the previous screen.

#6 The attacker was able to upload a DLL file of size 8704. What is the file name?

We filter on the file size 8704 to find the answer.
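The first six questions are all the same operation: run a filter over the endpoint's file events and read the host, user and file name off the matching rows. The following is an added example (not code from the write-up or from CyberDefenders) that does the same thing in Python over a handful of constructed ECS-style events; the host and user names, the 1200/4096/900-byte sizes and the file names other than orhan.xml.exe are placeholders. It goes one step beyond the `*.*.*` wildcard on the page: it also checks that the final extension is executable, so archive.tar.gz is not flagged while orhan.xml.exe is.

```python
import re

# Constructed ECS-style file events for illustration; hosts, users and most names are placeholders,
# not the challenge's data (orhan.xml.exe and the size 8704 come from the write-up's questions).
FILE_EVENTS = [
    {"host.name": "WIN-PLACEHOLDER", "user.name": "user1", "file.name": "report.docx", "file.size": 1200},
    {"host.name": "WIN-PLACEHOLDER", "user.name": "user1", "file.name": "orhan.xml.exe", "file.size": 4096},
    {"host.name": "WIN-PLACEHOLDER", "user.name": "admin1", "file.name": "orhan.xml.exe", "file.size": 4096},
    {"host.name": "WIN-PLACEHOLDER", "user.name": "admin1", "file.name": "loader.dll", "file.size": 8704},
    {"host.name": "WIN-PLACEHOLDER", "user.name": "user1", "file.name": "archive.tar.gz", "file.size": 900},
]

# Final extensions that make a double-extension name worth an alert.
EXECUTABLE_EXT = {"exe", "dll", "scr", "com", "bat", "cmd", "ps1", "vbs", "js", "hta"}

# name.ext1.ext2 (any number of leading dots): group 1 = next-to-last extension, group 2 = last.
DOUBLE_EXT = re.compile(r"^.+\.([^.]+)\.([^.]+)$")


def has_double_extension(filename):
    """Equivalent of the KQL wildcard *.*.* : at least two dots with text between them."""
    return DOUBLE_EXT.match(filename) is not None


def is_suspicious_double_extension(filename):
    """Narrower check: double extension whose final part is executable (orhan.xml.exe yes, archive.tar.gz no)."""
    m = DOUBLE_EXT.match(filename)
    return m is not None and m.group(2).lower() in EXECUTABLE_EXT


def double_extension_events(events):
    """Events the narrowed rule flags, in log order (first hit answers questions 1 to 3)."""
    return [e for e in events if is_suspicious_double_extension(e["file.name"])]


def users_of_file(events, filename):
    """Every user seen with the file name (question 5: a second, privileged user ran the same file)."""
    return sorted({e["user.name"] for e in events if e["file.name"] == filename})


def files_of_size(events, size):
    """Equivalent of filtering on file.size (question 6: the 8704-byte DLL)."""
    return [e["file.name"] for e in events if e["file.size"] == size]
```

In Kibana the equivalent of `is_suspicious_double_extension` is the `*.*.*` wildcard plus a second clause on the last extension; the pure wildcard alone also returns every tarball on the host, which is why narrowing it is worth the extra clause.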

#7 What parent process name spawns cmd with NT AUTHORITY privilege and pid 10716?

#8 The previous process was able to access a registry. What is the full path of the registry?

In the Kibana logs index, search for 8856, then add the registry.path field from the selected fields to read the full path.
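Questions 7 and 8 are a pivot on process ids: find the cmd.exe instance with pid 10716, look up its parent, then search the parent's pid (8856) for registry events. Below is an added example (not from the write-up) that performs that pivot over constructed ECS-style process and registry events; the pids 10716 and 8856 come from the questions, while the process name `parent_placeholder.exe`, the other pids and the registry path are placeholders standing in for the real answers.

```python
# Constructed ECS-style process and registry events; pids 10716 and 8856 come from the
# write-up's questions, the process names, other pids and the registry path are placeholders.
ENDPOINT_EVENTS = [
    {"event.category": "process", "event.action": "start", "process.pid": 8856,
     "process.name": "parent_placeholder.exe", "process.parent.pid": 1234,
     "user.name": "NT AUTHORITY\\SYSTEM"},
    {"event.category": "process", "event.action": "start", "process.pid": 10716,
     "process.name": "cmd.exe", "process.parent.pid": 8856,
     "user.name": "NT AUTHORITY\\SYSTEM"},
    {"event.category": "process", "event.action": "start", "process.pid": 5555,
     "process.name": "cmd.exe", "process.parent.pid": 2222,
     "user.name": "WIN-PLACEHOLDER\\user1"},
    {"event.category": "registry", "event.action": "modification", "process.pid": 8856,
     "process.name": "parent_placeholder.exe",
     "registry.path": "HKLM\\SOFTWARE\\PLACEHOLDER\\Run\\example"},
]


def process_table(events):
    """Map pid -> process start event, the lookup Kibana does for you when you pivot on a pid."""
    return {e["process.pid"]: e for e in events if e["event.category"] == "process"}


def parent_process_name(events, pid):
    """Name of the parent of `pid`, or None if either process is absent from the index."""
    table = process_table(events)
    child = table.get(pid)
    if child is None:
        return None
    parent = table.get(child["process.parent.pid"])
    return parent["process.name"] if parent else None


def system_cmd_spawns(events):
    """(cmd pid, parent name) for every cmd.exe started as NT AUTHORITY\\SYSTEM (question 7)."""
    return [(e["process.pid"], parent_process_name(events, e["process.pid"]))
            for e in events
            if e["event.category"] == "process" and e["process.name"].lower() == "cmd.exe"
            and e["user.name"].upper().startswith("NT AUTHORITY")]


def registry_paths_of_pid(events, pid):
    """Registry paths touched by `pid`: the registry.path column after searching for the pid (question 8)."""
    return sorted({e["registry.path"] for e in events
                   if e["event.category"] == "registry" and e["process.pid"] == pid})
```

Note that `parent_process_name` returns None when the parent's own start event was never collected (pid 5555 above), which is exactly the situation where a bare pid search in Kibana shows you the child but no parent row; in that case fall back to the `process.parent.name` field on the child event if the agent populated it.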

#9 PowerShell process with pid 8836 changed a file in the system. What was that filename?

We use the following filters:

Filter: "powershell.exe" and 8836

#10 PowerShell process with pid 11676 created files with the ps1 extension. What is the first file that has been created?

Filter: 11676 and file.extension : ps1

#11 What is the machine’s IP address that is in the same LAN as a windows machine?

The machine IP is

Filter: host.ip: and NOT host.ip:

#12 The attacker logged in to the Ubuntu machine after a brute force attack. What is the username he successfully logged in with?

Check Security > Hosts > ubuntu > Authentications
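The Authentications tab shows the pattern you are looking for here: a run of failed logins from one source address followed by a success. As an added example (not part of the write-up), the Python below applies that rule to constructed ECS-style authentication events; the timestamps, the 10.0.0.x addresses and every username except "salem" (which the write-up uses in its later filters) are placeholders.

```python
from datetime import datetime, timedelta

# Constructed authentication events in ECS form (timestamps, IPs and the non-"salem" users are
# placeholders; "salem" is the username the write-up uses in its later filters).
AUTH_EVENTS = [
    {"@timestamp": "2022-01-01T10:00:01", "host.name": "ubuntu", "user.name": "root",
     "source.ip": "10.0.0.99", "event.outcome": "failure"},
    {"@timestamp": "2022-01-01T10:00:02", "host.name": "ubuntu", "user.name": "admin",
     "source.ip": "10.0.0.99", "event.outcome": "failure"},
    {"@timestamp": "2022-01-01T10:00:03", "host.name": "ubuntu", "user.name": "salem",
     "source.ip": "10.0.0.99", "event.outcome": "failure"},
    {"@timestamp": "2022-01-01T10:00:04", "host.name": "ubuntu", "user.name": "salem",
     "source.ip": "10.0.0.99", "event.outcome": "failure"},
    {"@timestamp": "2022-01-01T10:00:09", "host.name": "ubuntu", "user.name": "salem",
     "source.ip": "10.0.0.99", "event.outcome": "success"},
    # A normal login from another address: no failures before it, so it is not reported.
    {"@timestamp": "2022-01-01T11:30:00", "host.name": "ubuntu", "user.name": "ops",
     "source.ip": "10.0.0.7", "event.outcome": "success"},
]


def brute_force_logins(events, threshold=3, window=timedelta(minutes=10)):
    """Successful logins preceded by >= threshold failures from the same source IP within `window`.

    This is the "failures, then a success" pattern the Authentications tab lets you eyeball.
    """
    ordered = sorted(events, key=lambda e: e["@timestamp"])
    failures = {}   # source.ip -> timestamps of failed attempts not yet followed by a success
    hits = []
    for e in ordered:
        ts = datetime.fromisoformat(e["@timestamp"])
        ip = e["source.ip"]
        if e["event.outcome"] == "failure":
            failures.setdefault(ip, []).append(ts)
        elif e["event.outcome"] == "success":
            recent = [t for t in failures.get(ip, []) if ts - t <= window]
            if len(recent) >= threshold:
                hits.append({"host.name": e["host.name"], "user.name": e["user.name"],
                             "source.ip": ip, "failures_before_success": len(recent)})
            failures[ip] = []   # reset so one success is not reported twice
    return hits


def compromised_usernames(events):
    """Just the usernames from brute_force_logins, which is what question 12 asks for."""
    return [h["user.name"] for h in brute_force_logins(events)]
```

Keying the failure counter on the source address rather than the username matters: a password-spraying run touches many accounts with a few failures each, and per-user counting would miss it while per-IP counting still catches the success that follows.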

#13 After that attacker downloaded the exploit from the GitHub repo using wget. What is the full URL of the repo?

Filter: hostname: “ubuntu” and process.args: “wget” and username: “salem”

#14 After the attacker runs the exploit, which spawns a new process called pkexec, what is the process's md5 hash?

Filter: “ubuntu” and process.executable :*pkexec and event.action: “uid_change”

#15 Then the attacker gets an interactive shell by running a specific command on the process id 3011 with the root user. What is the command?

Filter: “ubuntu” and 3011

bash -i

#16 What is the hostname that raised the alert "Netcat Network Activity"?

Filter: “Netcat Network Activity”

#17 What is the username who ran netcat?

Filter: process.args : “nc” and event.action : exec

#18 What is the parent process name of netcat?

Filter: process.args : “nc” and event.action : exec

#19 If you focus on nc process, you can get the entire command that the attacker ran to get a reverse shell. Write the full command?

Filter: process.args : “nc” and event.action : exec

#20 From the previous three questions, you may remember a famous java vulnerability. What is it?


#21 What is the entire log file path of the “solr” application?

Filter: log.file.path : *solr*

#22 What is the path that is vulnerable to log4j?

Filter: log.file.path : *solr*

Answer: /admin/cores

#23 What is the GET request parameter used to deliver log4j payload?

Filter: log.file.path : *solr*

Answer: foo

#24 What is the JNDI payload that is connected to the LDAP port?

Filter: log.file.path : “/var/solr/logs/solr.log” and message: *jndi*



Blue Team Member. I am writing articles for helping you about cyber security.

Orhan Öztaş
