Kibana

CyberCorp2

⛔️ Spoiler alert!

Case Details

This is not an investigation like the previous one. This is threat hunting, so we only have logs available through Kibana. To harden my knowledge of these technologies I had a very quick overview of the Elastic Stack website and enrolled in this course. Basically, I will have to answer questions with loads of logs and a query engine available.

Questions

1. WMI Event Consumer name?

The Threat Hunting process usually starts with the analyst making a hypothesis about a possible compromise vector or techniques used by an attacker. In this scenario, your initial hypothesis is as follows: “The attacker used the WMI subscription mechanism to obtain persistence within the infrastructure”. Verify this hypothesis and find the name of the WMI Event Consumer used by the attacker to maintain his foothold.
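As an added example that is not part of this write-up: a small Python hunt that reconstructs WMI subscriptions from the three Sysmon WmiEvent records (ID 19 filter, ID 20 consumer, ID 21 binding) and flags bound consumers whose type executes a command or script. It assumes the Kibana index carries Sysmon events with their standard field names (Name, Type, Destination, Query, Consumer, Filter); the sample events are constructed and are not from the CyberCorp data.

```python
import re

# Constructed sample events shaped like Sysmon WmiEvent records after indexing.
# Illustrative only; not records from the CyberCorp dataset.
SAMPLE_EVENTS = [
    {"event_id": 19, "Name": "DemoFilter",  # __EventFilter (WQL trigger)
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"event_id": 20, "Name": "DemoConsumer", "Type": "Command Line",  # consumer
     "Destination": "C:\\Windows\\System32\\cmd.exe /c echo sample"},
    {"event_id": 21,  # __FilterToConsumerBinding ties filter and consumer
     "Consumer": 'CommandLineEventConsumer.Name="DemoConsumer"',
     "Filter": '__EventFilter.Name="DemoFilter"'},
    {"event_id": 20, "Name": "SCM Event Log Consumer", "Type": "Event Log",
     "Destination": "SCM Event Log"},  # built-in consumer, never bound here
]

# Consumer types that execute the supplied payload when the filter fires.
CODE_EXECUTING_TYPES = {"Command Line", "Active Script"}
_NAME_RE = re.compile(r'\.Name="([^"]+)"')


def name_from_path(path):
    """Extract the object name from a WMI path like __EventFilter.Name="X"."""
    match = _NAME_RE.search(path)
    return match.group(1) if match else path


def bindings(events):
    """Join each binding (ID 21) to its filter (ID 19) and consumer (ID 20)."""
    filters = {e["Name"]: e for e in events if e["event_id"] == 19}
    consumers = {e["Name"]: e for e in events if e["event_id"] == 20}
    joined = []
    for binding in [e for e in events if e["event_id"] == 21]:
        c_name = name_from_path(binding["Consumer"])
        f_name = name_from_path(binding["Filter"])
        consumer = consumers.get(c_name, {})
        joined.append({
            "consumer": c_name,
            "consumer_type": consumer.get("Type", "unknown"),
            "destination": consumer.get("Destination", ""),
            "filter": f_name,
            "query": filters.get(f_name, {}).get("Query", ""),
        })
    return joined


def suspicious_consumers(events):
    """Names of bound consumers whose type runs a command or script."""
    return [b["consumer"] for b in bindings(events)
            if b["consumer_type"] in CODE_EXECUTING_TYPES]
```

In Kibana the same three record types are the starting point for the hypothesis; an unbound built-in consumer such as the SCM Event Log one is expected noise, while a Command Line or Active Script consumer with a binding is what the question asks you to name.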