
Scenario and Instructions


Last updated 11 days ago

Instructions:

  • Compatibility: VirtualBox

  • Uncompress the lab (password: cyberdefenders.org)

  • Zip SHA1: 7d2e0b18bc11e9987431369b180577886d956b0a

  • Zip size: 20 GB

  • Make sure you have a host-only subnet within the IP range 192.168.20.0/24.

  • Assign the proper network adapter (192.168.20.0/24) to the VM before starting it.

  • Wait a few minutes after the import completes, then visit https://192.168.20.21/.

  • Challenge credentials: QRadar Dashboard: admin:Admin@123 - SSH: root:cyberdefenders

In case you face a license issue, go to > License Pool Management, edit the EPS value and set it to a value greater than 0, then edit the FPM value and set it to 0. This ensures you will not run into a license problem.

Hardware Requirements: 8GB of memory and 65GB of disk space.

Scenario:

A financial company was compromised, and they are looking for a security analyst to help them investigate the incident. The company suspects that an insider helped the attacker get into the network, but they have no evidence.

The initial analysis performed by the company's team showed that many systems were compromised. Also, alerts indicate the use of well-known malicious tools in the network. As a SOC analyst, you are assigned to investigate the incident using QRadar SIEM and reconstruct the events carried out by the attacker.

Dataset:

  • Sysmon (SwiftOnSecurity configuration)

  • PowerShell logging

  • Windows Eventlog

  • Suricata IDS

  • Zeek logs (conn, HTTP)

Note for The Setup

Accessing QRadar Console

After starting the QRadar virtual machine, begin the investigation by accessing the QRadar web console at the following URL:

https://192.168.20.21/

Now, Let’s Start

💡 Before starting the investigation, this video explains how to run the machine and prepare the environment for the analysis. 📺 A full setup and walkthrough guide is available here:

🔗 https://www.youtube.com/watch?v=4uM4JEhbEjI
