I found the 3rd solution to the challenge exercise. Not by Wazuh, but by going into the logs and using ol’ fashioned grep until I came across an odd domain.
Looking back at this, I don’t feel like this exercise really guides people towards the answer. The domain in question is very vague, and barely appears in the logs. I know it’s meant as an exercise to find it for the students, but honestly… I can’t really see HOW you get there with the explanation you’re given.
2 Likes
What is the Pastebin URL (pastebin.com/somepath) that our compromised endpoint successfully connected to?
From the Guided Exercise
Working on the 1.2 Guided Exercise in Web Activity Logs. Stymied by Task question #4 (Based on correlating your DNS and proxy logs, what malicious URL was likely contacted using a non-HTTP/HTTPS protocol?). Found the ftp.rekt.systems alert and then the ensuing pastebin.com alert indicating compromise. I can’t see in the record where the malicious URL is indicated. Any help would be appreciated.
Hi, did you find the answers for the web activity log questions? I am not able to find the answers for questions 3 and 5.
1 Like
I can't find the answers either.
I can't find 3 and 5 either.
This lab is taking forever, not even worth it. I think I will do the Hack The Box SOC course and TCM SOC-101 instead.
I just found the answer to Question 5. You have to filter on 192.168.0.4, not 203.0.113.200. Then you should see two alerts (403 & 200); you should see the URL under the status code 200.
Question #3 is /Forums
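The two hints in this thread (correlate DNS against the proxy log for question 4, and filter the proxy log on the internal client 192.168.0.4 rather than the external IP for question 5) can be reproduced with a few lines of scripting. The example below is added here and is not part of the lab or anyone's post; the log line formats and the sample entries are constructed assumptions, with only ftp.rekt.systems and pastebin.com/somepath taken from the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample logs (not the lab's data); the line formats are assumptions.
DNS_LOG = """\
2024-05-01T10:00:01Z 192.168.0.4 query A ftp.rekt.systems
2024-05-01T10:00:05Z 192.168.0.4 query A pastebin.com
2024-05-01T10:00:09Z 192.168.0.7 query A update.example.org
"""
PROXY_LOG = """\
2024-05-01T10:00:06Z 192.168.0.4 GET https://pastebin.com/somepath 403
2024-05-01T10:00:07Z 192.168.0.4 GET https://pastebin.com/somepath 200
2024-05-01T10:00:10Z 192.168.0.7 GET https://update.example.org/x 200
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")          # ts client type domain
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")    # ts client method url status


def parse_dns(text):
    """Return (client, domain) pairs from the DNS query log."""
    return [(m.group(2), m.group(3).lower())
            for line in text.splitlines() if (m := DNS_RE.match(line))]


def parse_proxy(text):
    """Return (client, url, status) triples from the web proxy log."""
    return [(m.group(2), m.group(4), int(m.group(5)))
            for line in text.splitlines() if (m := PROXY_RE.match(line))]


def proxy_hits(proxy, client):
    """Every (status, url) the internal client requested, in log order.
    Filtering on the internal address is what surfaces the 403-then-200 pair."""
    return [(status, url) for c, url, status in proxy if c == client]


def resolved_not_proxied(dns, proxy, client):
    """Domains the client resolved but never fetched through the web proxy.
    A name that appears in DNS only is the candidate for a non-HTTP(S) contact."""
    proxied = {urlsplit(url).hostname for c, url, _ in proxy if c == client}
    return sorted({d for c, d in dns if c == client and d not in proxied})


def successful_urls(proxy, client, host):
    """URLs on the given host that the client fetched with a 200 response."""
    return [url for status, url in proxy_hits(proxy, client)
            if status == 200 and urlsplit(url).hostname == host]
```

Run `resolved_not_proxied` for the suspect client to get the DNS-only domain, then `proxy_hits` and `successful_urls` on the same client to find the URL behind the 200 alert.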