Soc-Is-Mandatory [Defcamp Quals 2023]
You are part of a cybersecurity team working in a state-of-the-art Security Operations Center (SOC). Your SOC has been tasked with monitoring a critical infrastructure network that includes various servers, databases, and communication channels. As a SOC analyst, it’s your duty to keep this infrastructure secure and ensure that it remains operational.
Early this morning, your team received alerts from the intrusion detection system (IDS) indicating suspicious network activities. The alerts suggest a potential security incident. Your SOC has just received an official request to investigate this incident.
Your mission is to identify, analyze, and provide information about the threats inside the affected network.
- the logs dashboard (index-pattern) is soc-is-mandatory
- the logs are from 4 years ago, therefore a timeframe should be set accordingly.
The challenge is divided into 4 questions.
The challenge provides a link to a Kibana dashboard.
Provide the IP of the infected host.
For all the questions, we need to set the index to soc-is-mandatory*, put the date filter as Last 4 years rounded to the year and use the
To find the IP of the infected host, we can use the source_ip field and see how many records there are for each IP. The private IP with the most records is the one we are looking for.
Provide the name of the malware used to infect the host.
Let's look for some suspicious activity for our IP by adding the payload_data field and scrolling down. The payload_data field contains the payload of the request. We can see that there is a request that contains ckav.ru and the following data: Admin GSNTPAWQ GSNTPAWQ. If we google this URL we can find the malware name.
Provide the malicious URL path which was the start point of the infection.
I have to search for an HTTP request that looks suspicious after the date of the request I found in question 2.
Provide the time when the first malicious request was sent.
I have to copy the timestamp field of the malicious request from question 3.
This one is very easy but tricky: the correct answer is not the full timestamp of the first request but only the time of day (hour, minute, second and millisecond) of the first request.
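The same triage steps done in Kibana above (count records per private source_ip, find the records whose payload mentions the suspicious domain, take the earliest of them and extract its time of day) can be reproduced on exported events. The block below is an added example written for this writeup, not code from the challenge or its authors; it works on constructed sample events that mimic the index's field names (timestamp, source_ip, payload_data), and the addresses, paths and times in it are made up. It also goes slightly beyond the writeup by showing why the count must be restricted to private addresses: a busy public address would otherwise win.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample events shaped like the challenge's index fields
# (timestamp, source_ip, payload_data). Every value is made up for this
# illustration; none of it is the challenge's real log data.
SAMPLE_EVENTS = [
    {"timestamp": "2019-10-02T13:55:01.120Z", "source_ip": "10.0.0.23", "payload_data": "GET /index.html HTTP/1.1"},
    {"timestamp": "2019-10-02T13:58:40.003Z", "source_ip": "10.0.0.7",  "payload_data": "GET /news HTTP/1.1"},
    {"timestamp": "2019-10-02T14:01:12.450Z", "source_ip": "10.0.0.23", "payload_data": "GET /files/setup.bin HTTP/1.1"},
    {"timestamp": "2019-10-02T14:05:00.000Z", "source_ip": "10.0.0.23", "payload_data": "POST /gate HTTP/1.1 Host: ckav.ru Admin GSNTPAWQ GSNTPAWQ"},
    {"timestamp": "2019-10-02T14:10:30.777Z", "source_ip": "10.0.0.23", "payload_data": "POST /gate HTTP/1.1 Host: ckav.ru"},
    {"timestamp": "2019-10-02T14:12:09.910Z", "source_ip": "10.0.0.7",  "payload_data": "GET /about HTTP/1.1"},
] + [
    # A busy public (TEST-NET) address: it has the most records overall,
    # which is why the Q1 count must be restricted to private addresses.
    {"timestamp": f"2019-10-02T15:00:0{i}.000Z", "source_ip": "203.0.113.5", "payload_data": "GET / HTTP/1.1"}
    for i in range(5)
]

# RFC 1918 ranges: the "private IP" the writeup refers to.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Timestamp layout used by the constructed events (ISO 8601 with ms and a Z suffix).
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def is_private(ip: str) -> bool:
    """True if ip falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def top_private_source_ip(events):
    """Q1: the private source_ip with the most records, as (ip, count)."""
    counts = Counter(e["source_ip"] for e in events if is_private(e["source_ip"]))
    return counts.most_common(1)[0] if counts else None


def events_from(events, ip: str):
    """All records for one host, i.e. the 'filter on our IP' step."""
    return [e for e in events if e["source_ip"] == ip]


def events_mentioning(events, needle: str):
    """Q2/Q3: records whose payload_data contains the given string (e.g. a domain)."""
    return [e for e in events if needle in e.get("payload_data", "")]


def earliest_request_time(events):
    """Q4: (full timestamp, time of day as HH:MM:SS.mmm) of the earliest record."""
    if not events:
        return None
    first = min(events, key=lambda e: datetime.strptime(e["timestamp"], TS_FMT))
    dt = datetime.strptime(first["timestamp"], TS_FMT)
    # strftime's %f gives microseconds; keep only the millisecond part.
    return first["timestamp"], dt.strftime("%H:%M:%S.%f")[:-3]


if __name__ == "__main__":
    ip, n = top_private_source_ip(SAMPLE_EVENTS)
    print(f"infected host candidate: {ip} ({n} records)")
    hits = events_mentioning(events_from(SAMPLE_EVENTS, ip), "ckav.ru")
    print(f"requests mentioning ckav.ru: {len(hits)}")
    print("first malicious request:", earliest_request_time(hits))
```

Run it as a script to print the three results; the `events_from` filter is applied before `events_mentioning` so that, as in the writeup, only the suspected host's traffic is inspected for the suspicious domain.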