BOTSv1 3.1: MD5 (10 pts)
In Level 2, you found the name of an executable file the attackers uploaded to the server. Find that file's MD5 hash.
Hints:
- Read about Sysmon Event IDs
- Find events from Sysmon for process creation.
- Examine cmdline to find the correct event.
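The hints above describe picking the right Sysmon process-creation event (Event ID 1) by its command line and then reading the hash out of it. Sysmon stores every digest in one Hashes field formatted as "ALG=hex,ALG=hex", in whatever order the Sysmon configuration lists them, so the MD5 has to be extracted rather than assumed to be first. This added example (not code from the challenge or from Splunk) does that over constructed records; the field names EventCode, Image, CommandLine and Hashes follow Sysmon's schema, and the executable name, command line and hash values are placeholders, not BOTSv1 data.

```python
# Constructed Sysmon process-creation records (Event ID 1), modelled on the
# fields Sysmon emits: Image, CommandLine and Hashes. The digests here are
# placeholders, not real hashes from the BOTSv1 dataset.
SAMPLE_SYSMON_EVENTS = [
    {"EventCode": 1,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "Hashes": "SHA1=" + "1" * 40 + ",MD5=" + "a" * 32 + ",SHA256=" + "2" * 64},
    {"EventCode": 3,                                  # network connection, not process creation
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "",
     "Hashes": ""},
    {"EventCode": 1,
     "Image": "C:\\inetpub\\wwwroot\\uploaded_tool.exe",  # stands in for the Level 2 file
     "CommandLine": "uploaded_tool.exe /run",
     "Hashes": "MD5=" + "b" * 32 + ",SHA256=" + "3" * 64},
]


def parse_hashes(hashes_field):
    """Split Sysmon's 'ALG=hex,ALG=hex' string into {ALG: hex}.

    The order of algorithms depends on the Sysmon config, so the MD5 is
    looked up by name instead of by position.
    """
    out = {}
    for part in (hashes_field or "").split(","):
        alg, sep, value = part.partition("=")
        if sep:
            out[alg.strip().upper()] = value.strip().lower()
    return out


def md5_for_process(events, exe_name):
    """Return the MD5 from the first process-creation event (Event ID 1) whose
    Image file name or CommandLine mentions exe_name, or None if there is none."""
    needle = exe_name.lower()
    for ev in events:
        if ev.get("EventCode") != 1:      # only Event ID 1 carries the process image hash
            continue
        image_name = ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image_name == needle or needle in ev.get("CommandLine", "").lower():
            return parse_hashes(ev.get("Hashes")).get("MD5")
    return None


if __name__ == "__main__":
    print(md5_for_process(SAMPLE_SYSMON_EVENTS, "uploaded_tool.exe"))
```

Filtering on EventCode 1 first matters: Sysmon network-connection (ID 3) and other event types also carry an Image field but no Hashes, so a search that only matches the file name will surface events with nothing to extract.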
BOTSv1 3.2: Brute Force (10 pts)
What was the first brute force password used?
Hints:
- Start with 1:10 sampling.
- Find events containing "login".
- Find top values of "url".
- Examine the "form_data" values to identify the brute force attack.
BOTSv1 3.3: Correct Password (10 pts)
What was the correct password found in the brute force attack?
Hints:
- Find the events with the "form_data" values indicating a login attempt.
- There are two different "http_user_agent" values.
BOTSv1 3.4: Time Interval (10 pts)
How many seconds elapsed between the time the brute force password scan identified the correct password and the compromised login? Round to 2 decimal places.
Hints:
- Find the two events with the correct password in the "form_data" field.
BOTSv1 3.5: Number of Passwords (10 pts)
How many unique passwords were attempted in the brute force attack?
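Questions 3.2 through 3.5 are one analysis of the same login traffic: isolate the login-page events, pull the password out of form_data, take the earliest one, count the distinct values, and spot the password that later reappears from a second client (the different http_user_agent the 3.3 hint points at), then measure the gap between the scanner's hit and that later login. This added example (not code from the challenge or from Splunk) carries all of that through in plain Python over constructed events; the field names url, form_data and http_user_agent come from the hints, _time is the epoch timestamp, and the passwords, user agents, URL and timestamps are placeholders rather than BOTSv1 data. The rule that the busiest user agent is the brute-force tool is an assumption of the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed HTTP stream events modelled on the fields the hints name
# (url, form_data, http_user_agent) plus an epoch timestamp in _time.
# Every value below is a placeholder, not a record from the BOTSv1 dataset.
T0 = 1440000000.0
SCANNER_UA = "Python-urllib/2.7"                   # assumed brute-force client
BROWSER_UA = "Mozilla/5.0 (constructed browser)"   # assumed interactive client
LOGIN_URL = "/joomla/administrator/index.php"


def _post(t, passwd, ua=SCANNER_UA):
    """Build one constructed login POST with the given password guess."""
    return {"_time": T0 + t, "url": LOGIN_URL, "http_user_agent": ua,
            "form_data": f"username=admin&passwd={passwd}&option=com_login&task=login"}


SAMPLE_EVENTS = [                                  # deliberately out of time order
    _post(1.3, "gamma3"),
    _post(0.1, "alpha1"),
    {"_time": T0 + 0.2, "url": LOGIN_URL, "http_user_agent": SCANNER_UA,
     "form_data": ""},                             # a GET of the login page: nothing to extract
    _post(0.4, "beta2"),
    {"_time": T0 + 0.5, "url": "/joomla/index.php", "http_user_agent": SCANNER_UA,
     "form_data": "searchword=test"},              # unrelated form, not a login
    _post(0.9, "alpha1"),                          # the same guess repeated
    _post(1.35, "delta4"),                         # scanner submits the working password
    _post(93.52, "delta4", ua=BROWSER_UA),         # later login with it from a real browser
]

PASSWD_RE = re.compile(r"(?:^|&)passwd=([^&]*)")


def extract_password(form_data):
    """Pull the passwd= value out of a URL-encoded form body, or None."""
    m = PASSWD_RE.search(form_data or "")
    return unquote_plus(m.group(1)) if m else None


def login_attempts(events):
    """Keep only events mentioning 'login' that carry a password, ordered by time."""
    out = []
    for ev in events:
        blob = (ev.get("url", "") + " " + ev.get("form_data", "")).lower()
        if "login" not in blob:
            continue
        pw = extract_password(ev.get("form_data"))
        if pw is None:
            continue
        out.append({"time": ev["_time"], "password": pw, "ua": ev.get("http_user_agent", "")})
    return sorted(out, key=lambda a: a["time"])


def summarize(events):
    """Answer the four brute-force questions from one pass over the attempts."""
    attempts = login_attempts(events)
    if not attempts:
        return None
    # Assumption: the client that submitted the most attempts is the brute-force tool.
    scanner_ua = Counter(a["ua"] for a in attempts).most_common(1)[0][0]
    scans = [a for a in attempts if a["ua"] == scanner_ua]
    result = {
        "scanner_user_agent": scanner_ua,
        "first_password": scans[0]["password"],                 # 3.2
        "unique_passwords": len({a["password"] for a in scans}),  # 3.5
        "correct_password": None,                               # 3.3
        "elapsed_seconds": None,                                # 3.4
    }
    # A password the scanner tried that later shows up from a different client
    # is the one that worked: the attacker came back and logged in with it.
    for a in attempts:
        if a["ua"] == scanner_ua:
            continue
        earlier = [s for s in scans if s["password"] == a["password"] and s["time"] <= a["time"]]
        if earlier:
            result["correct_password"] = a["password"]
            result["elapsed_seconds"] = round(a["time"] - earlier[0]["time"], 2)
            break
    return result


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

Two details carry over to the real dataset: the repeated guess shows why the unique count must be taken over a set rather than the number of events, and the elapsed time is measured from the scanner's own submission of the working password, not from the first attempt in the run. In Splunk the same extraction is a `rex field=form_data` capture of the passwd value followed by `stats` over it; the point of the Python is to make the logic explicit.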