Stuxbot - INTRODUCTION TO THREAT HUNTING & HUNTING WITH ELASTIC

I’m stuck in Hunt 3 from the last 2 days. Any hint?

PwrVe is the correct answer

For those who are still struggling to get the answer for the P----V— question, just try filtering with powershell.file.script_block_text and use the value as P(star)V(star). In place of (star), just use the star symbol. This will highlight all the strings with P and V. You don't need to expand and read, just scroll through all the highlighted strings and the answer will be there. There are a lot of strings actually that don't make any sense, just go for those that you can form a word or readable spelling from. Good luck, and if you can't find it let me know.

2 Likes
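The post above describes the hunt as a wildcard filter on powershell.file.script_block_text followed by eyeballing the highlighted hits. The following is an added example, not code from the thread or from the course, that reproduces that step offline: it tokenises constructed script-block events (the values are invented, not taken from the lab data) and returns the tokens matching a KQL-style wildcard such as P*V*, then narrows them to the "looks like a word" candidates the post suggests reading first.

```python
import fnmatch
import re

# Constructed sample events in the shape of Elastic's PowerShell script-block
# logs (field powershell.file.script_block_text). Values are invented for this
# example; they are not from the lab dataset.
EVENTS = [
    {"powershell.file.script_block_text": "$x = Get-Process; PathVal = 'P7qV'; Write-Host PrintView"},
    {"powershell.file.script_block_text": "Invoke-Expression $payload"},
    {"powershell.file.script_block_text": "pv = 1; PvX; $p = 'PowerVault'"},
]

# Tokens are runs of letters and digits, which is roughly how an analysed text
# field is broken up before a wildcard query is applied to it.
TOKEN_RE = re.compile(r"[A-Za-z0-9]+")


def matching_tokens(events, pattern, field="powershell.file.script_block_text"):
    """Return the distinct tokens in `field` that match a KQL-style wildcard
    pattern such as P*V*. Matching is case-insensitive, mirroring a query
    against an analysed text field, and hits keep their first-seen order."""
    pat = pattern.lower()
    hits = []
    for ev in events:
        text = ev.get(field, "")
        for tok in TOKEN_RE.findall(text):
            if fnmatch.fnmatchcase(tok.lower(), pat) and tok not in hits:
                hits.append(tok)
    return hits


def readable_only(tokens):
    """Drop tokens containing digits, keeping the candidates that could form a
    readable word; this is the manual triage step the post describes."""
    return [t for t in tokens if t.isalpha()]


if __name__ == "__main__":
    hits = matching_tokens(EVENTS, "P*V*")
    print("all hits:      ", hits)
    print("readable hits: ", readable_only(hits))
```

Running it shows why the post warns about noise: a wildcard as loose as P*V* matches every token that merely starts with P and contains a V somewhere, so the second pass over the hits is where the actual answer is picked out.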

I tried this but step 3 didn't work for me. I simply get no logs when I type in that filter in the search bar.

Actually, nvm bro, found it. Thank you so much, legend.

hey peeps,

Stuxbot uploaded and executed mimikatz. Provide the process arguments (what is after .\mimikatz.exe, …) as your answer.

I seem to have a slight challenge with this question. I got the mimikatz execution, but the arguments I entered all seem not to be correct. Is there something I’m missing out, please?

Ok man, it has to be 100% perfectly copied, otherwise it will not be correct. My answer is kinda close to it but not 100%. Look at stuff like .arg

“Stuxbot uploaded and executed mimikatz. Provide the process arguments (what is after .\mimikatz.exe, …) as your answer.”

Some hint?

In the .arg field, take everything behind the comma, no space at the beginning or the end.

1 Like

I sent you a message explaining my problem

The ‘process.args’ and ‘process.command_line’ in the event are slightly different - ‘process.args’ doesn’t have double apostrophes, and that’s what it accepted as the correct answer.
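The reply above turns on an ECS detail: process.command_line is the raw invocation string, while process.args is a list of individual arguments with the shell quoting already stripped, so the two can differ exactly in the quotes. The following is an added example, not code from the thread or from the course, that makes the difference concrete on a constructed event (the mimikatz arguments are placeholders, not the lab's values). The get_field helper reads a field from either a nested or a dotted-key export, since Elastic JSON exports come in both shapes.

```python
from typing import Any


def get_field(event: dict, path: str) -> Any:
    """Read an ECS field whether the export is nested
    ({"process": {"args": [...]}}) or flattened ({"process.args": [...]})."""
    if path in event:
        return event[path]
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


# Constructed event in ECS shape. The arguments after the executable are
# placeholders for this example, not the values from the lab dataset.
EVENT = {
    "process": {
        "name": "mimikatz.exe",
        "command_line": '.\\mimikatz.exe "placeholder::one" "placeholder::two" exit',
        "args": [".\\mimikatz.exe", "placeholder::one", "placeholder::two", "exit"],
    }
}


def args_after_executable(event: dict) -> str:
    """Join process.args after the executable. ECS process.args is a list of
    plain strings, so any quotes from the original invocation are already gone."""
    args = get_field(event, "process.args") or []
    return " ".join(args[1:]).strip()


def command_line_after_executable(event: dict) -> str:
    """Take the raw process.command_line text after the executable. Quotes that
    were part of the invocation are preserved here, which is the mismatch the
    reply above ran into."""
    cmd = get_field(event, "process.command_line") or ""
    args = get_field(event, "process.args") or [cmd.split(" ", 1)[0]]
    exe = args[0]
    return cmd[len(exe):].strip() if cmd.startswith(exe) else cmd.strip()


if __name__ == "__main__":
    print("from process.args:        ", args_after_executable(EVENT))
    print("from process.command_line:", command_line_after_executable(EVENT))
```

Both functions trim leading and trailing whitespace, matching the earlier advice that the answer must have no space at the beginning or the end; the only remaining difference between the two outputs is the quoting, which is why one of them is accepted and the other is not.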