HTB Academy Introduction to Threat Hunting & Hunting With Elastic SOC Job Path

I have been on the skill assessment for the Introduction to Threat Hunting & Hunting With Elastic Mini-Module. I cannot seem to get past the first Hunt.

Hunt 1: Create a KQL query to hunt for ["Lateral Tool Transfer"](https://attack.mitre.org/techniques/T1570/) to C:\Users\Public. Enter the content of the user.name field in the document that is related to a transferred tool that starts with "r" as your answer.

I cannot seem to figure out the query to even search for the tools. I have tried to look for transfers and shares, not an option. I then did a file destination, but it cannot find Public. Has anyone done this yet? I would appreciate any assistance anyone can offer.

1 Like

I am also stuck with this one, did you manage to solve it?

You’re on the right path with the file destination. Check some of the pre-populated queries in Elastic and tweak it to find what you need. It narrows the results down a ton. Hope that helps!

I searched the user.name field for values that start with “r”, but there is no user.name value that starts with r. Is there any other field that I need to look at?

I googled this:

I have tried the cmd.exe or powershell involved, yet I still can't find this “starts with r” answer. I would appreciate it if anyone helps, thanks.

hope it helps

Those who still can’t find the answer, just filter for the path they’ve given and add the related fields to it.

Hope this helps!

My question interpretation:

  1. A tool has been transferred to the C:\Users\Public path directory (not file path - read the difference); the name of the tool starts with R
  2. Enter the user.name field of the path

The question is asking to create a KQL for event code 13 and the File Directory which is given

Thought Process:

  • Create an EVENT.CODE 11 query and filter with the File Directory of C:\Users\Public (such as event.code: 13 AND …? (complete it)
  • Select the user.name field and include it in the column, then be on the lookout for any tool whose name starts with R - for further dialing down, also include the file.name field in the column
1 Like

Hey all, I am also literally stuck in Hunt 1 of this skills assessment. I tried all the filters with C:\Users\Public and had no luck finding the name starting with r. I tried rubeus which is a file name, but that also did not work. If there is a better process to find the name, it would be greatly appreciated. Look at my filters I used:
event code 13 AND directory (no luck)
event code 11 AND directory (rubeus but not working)

Thought Process

  • Create an EVENT.CODE 11 query and filter with the file.directory of C:\Users\Public
  • Select the user.name field and include it in the column, then be on the lookout for any tool whose name starts with “R”
  • For further dialing down, also include the file.name field in the column

You're not looking for rubeus as an answer, find the username for that…starts with svc

Bit of a tricky question. We are all looking for an answer that starts with ‘r’, that's why we have never been able to get it. The actual file name starts with r, but we need the user name as the answer. So wherever you find a file name that starts with r, expand it and look for the user name.

For anyone a bit lost on this question, the answer does NOT begin with R. The question is in fact: Enter the content of the user.name field in the document that is related to a transferred TOOL THAT STARTS WITH “R” as your answer.

So if you are still having issues with this, create a KQL command with event code 11 and file.directory: C:\Users\Public.
Then add filters for user.name and file.name.
You will see your answer.
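The same hunt logic, run over a handful of constructed Sysmon-style documents so the steps above can be checked offline. This is an added example, not code from any post in this thread or from HTB; the documents, file names and user names in it are constructed placeholders, not lab data.

```python
# Constructed sample documents in an ECS-like shape (not real lab data).
# Sysmon event 11 is FileCreate; event 13 is a registry value set.
SAMPLE_EVENTS = [
    {"event": {"code": "11"}, "file": {"directory": r"C:\Users\Public", "name": "rubeus.exe"},
     "user": {"name": "svc-example"}},          # the document the hunt should surface
    {"event": {"code": "11"}, "file": {"directory": r"C:\Users\Public", "name": "notes.txt"},
     "user": {"name": "alice"}},                # right directory, name does not start with r
    {"event": {"code": "13"}, "file": {"directory": r"C:\Users\Public", "name": "rubeus.exe"},
     "user": {"name": "bob"}},                  # wrong event code (registry, not file create)
    {"event": {"code": "11"}, "file": {"directory": r"C:\Users\Alice\Downloads", "name": "runme.exe"},
     "user": {"name": "alice"}},                # right code and prefix, wrong directory
]


def get_field(doc, path):
    """Walk a dotted ECS field path such as 'file.directory'; None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def hunt_tool_transfer(docs, directory=r"C:\Users\Public", prefix="r"):
    """Mirror of the KQL filter  event.code: 11 and file.directory: "C:\\Users\\Public"
    followed by the manual step of reading file.name / user.name in the matching rows.
    Returns one dict per document whose file.name starts with `prefix` (case-insensitive)."""
    wanted_dir = directory.lower().rstrip("\\")
    hits = []
    for doc in docs:
        if str(get_field(doc, "event.code")) != "11":
            continue                                   # only FileCreate events
        doc_dir = (get_field(doc, "file.directory") or "").lower().rstrip("\\")
        if doc_dir != wanted_dir:
            continue                                   # directory, not full path
        name = get_field(doc, "file.name") or ""
        if name.lower().startswith(prefix.lower()):
            hits.append({"file.name": name, "user.name": get_field(doc, "user.name")})
    return hits


if __name__ == "__main__":
    for hit in hunt_tool_transfer(SAMPLE_EVENTS):
        print(hit)
```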