Web Activity Logs challenge exercise (soc analyst path)

I found the 3rd solution to the challenge exercise. Not by Wazuh, but by going into the logs and using ol’ fashioned grep until I came across an odd domain.

Looking back at this, I don’t feel like this exercise really guides people towards the answer. The domain in question is very vague, and barely appears in the logs. I know it’s meant as an exercise to find it for the students, but honestly… I can’t really see HOW you get there with the explanation you’re given.

2 Likes

What is the Pastebin URL (pastebin.com/somepath) that our compromised endpoint successfully connected to?
From the Guided Exercise

  1. What is the Pastebin URL (pastebin.com/somepath) that our compromised endpoint successfully connected to?
    Nonsense - Pastebin.com
    Hint:./***
    You can try it, I’m kind of sure that’s the good answer; however, it does not work.

Working on 1.2 Guided exercise in Web Activity logs. Stymied by Task question #4 (Based on correlating your DNS and proxy logs, what malicious URL was likely contacted using a non-HTTP/HTTPS protocol?). Found the ftp.rekt.systems alert and then the ensuing pastebin.com alert indicating compromise. I can’t see in the record where the malicious URL is indicated. Any help would be appreciated.
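The two approaches mentioned in this thread (grepping the raw logs for an odd domain, and correlating DNS against proxy logs to find a host that was resolved but never appeared in HTTP/HTTPS traffic) can be turned into a small, repeatable check. The script below is an added example, not part of the exercise or anyone's post here; the log formats and every log line in it are constructed sample data, and the pastebin paths are placeholders, not the exercise's answer. It flags (client, hostname) pairs that were looked up in DNS but never requested through the proxy, which is exactly the situation where a non-HTTP protocol such as FTP would have carried the connection, and it separately lists which proxy requests to a given domain actually returned a 2xx status.

```python
"""Correlate DNS and proxy logs (constructed sample data, assumed formats).

Two checks a SOC analyst wants from this pair of logs:
  1. names a client resolved but never fetched through the HTTP/HTTPS proxy,
     i.e. candidates for a connection over another protocol (FTP, raw TCP, ...);
  2. which requests to a domain of interest actually succeeded (2xx status).
"""
import re
from urllib.parse import urlparse

# Constructed DNS log: <timestamp> <client_ip> query <type> <qname>
DNS_LOG = """\
2024-01-10T09:00:01Z 10.0.0.5 query A www.example.com
2024-01-10T09:00:03Z 10.0.0.5 query A ftp.rekt.systems
2024-01-10T09:00:09Z 10.0.0.5 query A pastebin.com
2024-01-10T09:00:12Z 10.0.0.7 query A updates.example.net
"""

# Constructed proxy log: <timestamp> <client_ip> <method> <url> <status>
# The pastebin paths are placeholders, not the exercise's real answer.
PROXY_LOG = """\
2024-01-10T09:00:02Z 10.0.0.5 GET http://www.example.com/index.html 200
2024-01-10T09:00:10Z 10.0.0.5 GET https://pastebin.com/raw/PLACEHOLDER1 403
2024-01-10T09:00:11Z 10.0.0.5 GET https://pastebin.com/raw/PLACEHOLDER2 200
2024-01-10T09:00:13Z 10.0.0.7 GET https://updates.example.net/feed 200
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_dns(text):
    """Parse DNS log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts, client, qname = m.groups()
            records.append({"ts": ts, "client": client,
                            "qname": qname.lower().rstrip(".")})
    return records


def parse_proxy(text):
    """Parse proxy log lines; the hostname is taken from the URL for matching."""
    records = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            ts, client, method, url, status = m.groups()
            host = (urlparse(url).hostname or "").lower()
            records.append({"ts": ts, "client": client, "method": method,
                            "url": url, "host": host, "status": int(status)})
    return records


def resolved_but_not_proxied(dns_records, proxy_records):
    """(client, name) pairs seen in DNS but never as an HTTP/HTTPS proxy request.

    A client that resolves a name and then never goes through the web proxy
    either did nothing with it or talked to it over another protocol.
    """
    proxied = {(r["client"], r["host"]) for r in proxy_records}
    return {(r["client"], r["qname"]) for r in dns_records
            if (r["client"], r["qname"]) not in proxied}


def successful_requests(proxy_records, domain):
    """URLs on `domain` (or a subdomain) that returned a 2xx status."""
    return sorted(r["url"] for r in proxy_records
                  if (r["host"] == domain or r["host"].endswith("." + domain))
                  and 200 <= r["status"] < 300)


if __name__ == "__main__":
    dns = parse_dns(DNS_LOG)
    proxy = parse_proxy(PROXY_LOG)
    for client, name in sorted(resolved_but_not_proxied(dns, proxy)):
        print(f"{client} resolved {name} but never reached it via the proxy")
    for url in successful_requests(proxy, "pastebin.com"):
        print(f"successful request: {url}")
```

On the constructed data this reports that 10.0.0.5 resolved ftp.rekt.systems without any matching proxy request (the FTP-style case the question asks about) and lists only the pastebin request that returned 200, not the 403 one. On real exercise logs the regexes are the part to adapt to the actual DNS and proxy formats.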

Hi, did you find the answer for the web activity log questions? I am not able to find the answers for question numbers 3 and 5.