The section starts off discussing two filters: one for event.codes 4732, 4733 and one for group name: administrators. However, on the 4th screenshot in the article it inexplicably changes to just event.code 4625. When I follow along with either of these filters, no events are returned. The question then asks me for a common date which I haven’t been taught how to find (the screenshots show how to change the time range but not how to find the date that a given event has occurred); can someone explain what I’m doing wrong here? I’ve tried restarting my target VM and pwnbox but still get the same results (or lack of results).
Ok, so I took a break and figured it out by adding the @timestamp field and setting the time range to after March 5th; it seems they’ve reused a screenshot from an earlier section, which confused me. Also, using the same target VM from the previous examples seems to have led to an error, so you might want to replace the screenshot and add in a note about restarting the VM.
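As an added example that is not part of this thread or the course material, here is the same search done in Python over constructed Winlogbeat-style documents: event.code 4732/4733, group Administrators, and a time range starting March 5th, then the dates grouped per changed account. Treating winlog.event_data.TargetUserName as the group name and MemberName as the account that was added or removed is an assumption about how the lab indexes these events.

```python
from datetime import datetime, timezone
from collections import defaultdict

# Constructed sample documents, in the shape Winlogbeat writes to Elasticsearch
# (only the fields used here). Reading the group from winlog.event_data.TargetUserName
# and the changed account from MemberName is an assumption about the lab data.
SAMPLE_EVENTS = [
    {"@timestamp": "2023-02-27T09:10:00.000Z", "event": {"code": "4732"},
     "winlog": {"event_data": {"TargetUserName": "Administrators", "MemberName": "CN=alice"}}},
    {"@timestamp": "2023-02-27T09:12:00.000Z", "event": {"code": "4732"},
     "winlog": {"event_data": {"TargetUserName": "Administrators", "MemberName": "CN=bob"}}},
    {"@timestamp": "2023-03-06T14:00:00.000Z", "event": {"code": "4732"},
     "winlog": {"event_data": {"TargetUserName": "Administrators", "MemberName": "CN=carol"}}},
    {"@timestamp": "2023-03-07T08:30:00.000Z", "event": {"code": "4733"},
     "winlog": {"event_data": {"TargetUserName": "Administrators", "MemberName": "CN=alice"}}},
    {"@timestamp": "2023-03-07T08:31:00.000Z", "event": {"code": "4732"},
     "winlog": {"event_data": {"TargetUserName": "Users", "MemberName": "CN=dave"}}},
    {"@timestamp": "2023-03-07T08:32:00.000Z", "event": {"code": "4625"},
     "winlog": {"event_data": {"TargetUserName": "alice"}}},
]

# Equivalent KQL for the Discover search bar (the time picker supplies the range):
#   event.code:(4732 or 4733) and winlog.event_data.TargetUserName:"Administrators"

def parse_ts(ts: str) -> datetime:
    """Parse an Elastic @timestamp string into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def admin_group_changes(events, since, codes=("4732", "4733"), group="Administrators"):
    """Keep membership-change events for `group` at or after `since`, oldest first."""
    hits = []
    for ev in events:
        if ev.get("event", {}).get("code") not in codes:
            continue
        data = ev.get("winlog", {}).get("event_data", {})
        if data.get("TargetUserName", "").lower() != group.lower():
            continue
        if parse_ts(ev["@timestamp"]) < since:
            continue
        hits.append(ev)
    return sorted(hits, key=lambda e: e["@timestamp"])

def dates_by_member(events):
    """Map each changed account to the sorted dates (YYYY-MM-DD) on which it was touched."""
    out = defaultdict(set)
    for ev in events:
        out[ev["winlog"]["event_data"]["MemberName"]].add(ev["@timestamp"][:10])
    return {member: sorted(days) for member, days in out.items()}
```

Calling `dates_by_member(admin_group_changes(SAMPLE_EVENTS, parse_ts("2023-03-05T00:00:00.000Z")))` gives the per-account dates that remain once the time range starts on March 5th; widening `since` brings the February events back.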
I’m stuck on this same bit. I had figured out the @timestamp part, but the date it tells me is saying it’s an incorrect answer. The date shows 2023-02-27 for all 3 admin accounts.
Edit:
These questions are worded very strangely: they don’t want to know the common date, they want to know the date of the filter you applied. I wish they would rewrite the questions correctly and save me 1.5 hrs of Google searching time filters.
Thank goodness I found this thread. They should fix this section ASAP.
My head was exploding; it’s pretty badly worded. Thanks to all of you for your help.
Wow this question really was worded poorly. Thanks to @Y0fal for the help.
I’m stuck at the same problem: weird wording, and I did the same with @timestamp, but none of the answers are correct… not sure what they want me to do… really frustrating.
Edit: just brute-forced it… I have no idea where the actual value was supposed to be… I reset the VM, but it didn’t populate with the right answers. I added the @timestamp, but the right answer wasn’t there. I actually have zero idea how this was supposed to be done, so I’m really lucky they format the question in a really easily brute-forceable way.