Proj 3x: BOSS OF THE SOC: Using Sysmon and Stream (50 pts)

What You Need for this Project


To practice threat hunting, using the Boss of the SOC (BOTS) Dataset.

Earlier Projects

You will need the answers you found doing the earlier projects. Don't start with this one.


Find these items. Use the forms below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

3x_1: MD5 (10 pts)

In the previous project, you found the name of an executable file the attackers uploaded to the server.

Find that file's MD5 hash.

HINT: Find events containing that file's name from Sysmon with Event Id 7 or 1. Event Id is the key when using Microsoft event logs.


3x_2: Brute Force (10 pts)

What was the first brute force password used?

HINT: Start with 1:10 sampling. Find events containing "login". Find top values of "url". Examine the "form_data" values to identify the brute force attack.


3x_3: Correct Password (10 pts)

What was the correct password found in the brute force attack?

HINT: Find the events whose "form_data" values indicate a login attempt. There are two different "http_user_agent" values.


3x_4: Time Interval (10 pts)

How many seconds elapsed between the time the brute force password scan identified the correct password and the compromised login? Round to 2 decimal places.

HINT: Find the two events with the correct password in the "form_data" field.

Time interval, like 123.45:

3x_5: Number of Passwords (10 pts)

How many unique passwords were attempted in the brute force attack?
Number of Passwords:
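The same analysis the hints for 3x_2 through 3x_5 walk through in Splunk, as an added Python example that is not part of the original project: it parses the "form_data" field of HTTP stream events, picks out the first password tried, the password that reappears under a second "http_user_agent" (the scanner hit followed by the real login), the elapsed seconds between those two events, and the number of unique passwords. The events are constructed sample data with made-up values, not records from the BOTS dataset; the field names mirror the ones the hints reference.

```python
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample HTTP POST events (not real BOTS data). Field names follow
# the Splunk stream:http fields used in the hints: _time, src_ip,
# http_user_agent and form_data.
EVENTS = [
    {"_time": "2019-03-16T10:00:00.000", "src_ip": "10.0.0.5", "http_user_agent": "scanner/1.0",
     "form_data": "username=admin&passwd=batman&option=com_login&task=login"},
    {"_time": "2019-03-16T10:00:01.250", "src_ip": "10.0.0.5", "http_user_agent": "scanner/1.0",
     "form_data": "username=admin&passwd=superman&option=com_login&task=login"},
    {"_time": "2019-03-16T10:00:01.900", "src_ip": "10.0.0.9", "http_user_agent": "Mozilla/5.0",
     "form_data": "searchword=hello&option=com_search"},      # not a login form
    {"_time": "2019-03-16T10:00:02.500", "src_ip": "10.0.0.5", "http_user_agent": "scanner/1.0",
     "form_data": "username=admin&passwd=robin&option=com_login&task=login"},
    {"_time": "2019-03-16T10:00:03.100", "src_ip": "10.0.0.5", "http_user_agent": "scanner/1.0",
     "form_data": "username=admin&passwd=batgirl&option=com_login&task=login"},
    {"_time": "2019-03-16T10:01:35.420", "src_ip": "10.0.0.7", "http_user_agent": "Mozilla/5.0",
     "form_data": "username=admin&passwd=robin&option=com_login&task=login"},
]


def login_attempts(events):
    """Keep only events whose form_data carries a passwd field; parse the password and timestamp."""
    out = []
    for ev in events:
        fields = parse_qs(ev["form_data"])
        if "passwd" in fields:
            out.append({**ev, "passwd": fields["passwd"][0],
                        "ts": datetime.fromisoformat(ev["_time"])})
    return sorted(out, key=lambda e: e["ts"])


def first_password(attempts):
    """3x_2: the first password submitted, by time."""
    return attempts[0]["passwd"]


def correct_password(attempts):
    """3x_3: the password submitted from two distinct user agents (scanner, then interactive login)."""
    agents_by_pw = {}
    for a in attempts:
        agents_by_pw.setdefault(a["passwd"], set()).add(a["http_user_agent"])
    hits = [pw for pw, agents in agents_by_pw.items() if len(agents) >= 2]
    return hits[0] if hits else None


def seconds_between(attempts, password):
    """3x_4: seconds from the scanner's hit on `password` to the later login, rounded to 2 places."""
    times = [a["ts"] for a in attempts if a["passwd"] == password]
    return round((max(times) - min(times)).total_seconds(), 2)


def unique_password_count(attempts):
    """3x_5: number of distinct passwords attempted."""
    return len({a["passwd"] for a in attempts})
```

On the constructed events this reports "batman" as the first password, "robin" as the one that reappears under the browser user agent, 92.92 seconds between the two "robin" events, and 4 unique passwords; against the real dataset the same logic runs over the exported search results rather than this sample.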

Posted 3-16-19