Lab 4.4: Capstone

Est. Time: 60 minutes

Goals:

  • Use any of your Elastic resources to resolve a customer’s request
  • Provide a ticket write-up in Jira

Instructions

If you’re on your own machine, these are the scripts you will need for this lab:

Lab4-4.ps1

Lab4-4-Cleanup.ps1

Scenario:

A customer has reached out to you: while doing some of their normal work in the HR department, their computer has started acting very strange. They’ve seen commands pop up on the screen at times, and swear they have seen files get downloaded that they don’t remember downloading.

  1. For this lab you’ll once again execute some atomics, but there will be a number of them in a sequence intended to simulate a real attack. I’m not going to execute real malware on your host, so this is just a simulation with different Atomics.
  2. As stated before, I can’t stop you from decoding the commands, but it’s more realistic (and fun) if you don’t.
  3. Do your best to find all of the attacks on your system! If you’re getting stuck, I’ll be happy to give out some hints as time goes on.
  4. Lean on the different parts of Elastic you worked with throughout this course: dashboards, alerts, timelines, and if it comes down to it, don’t be afraid of putting some wildcards in your queries.
  5. To begin the lab, in an administrative PowerShell window run the script Lab4-4.ps1. Now is a great time to grab a cup of coffee while your VM definitely is idle.
  6. As you investigate, keep a running note, either in Jira, an Elastic Case, or somewhere else, of the activity that you find, writing it up like a SOC investigation.
  7. We will review the results of this lab, and what was executed, in class.
  8. Once you’re done investigating, you can run Lab4-4-Cleanup.ps1.

Thank you: Once again, thank you!

Next (Bonus Lab): LAB 5.1 (Bonus): Detection Engineering Capstone