Understanding Log Sources & Investigating with Splunk - Introduction to Splunk & SPL

Last question of the exercise, related to the 10-minute timespan and 4624.
URL: Login To HTB Academy & Continue Learning | HTB Academy

Could anybody give me a little bit of help?
I tried to use SPL with AND, but all results are incorrect.


Have you found a solution?
If so, can you give me a tip?

I have solved the task, but not in the way the author intended.


Yes please, any help appreciated!

I am stuck on the same, LOL.

I’ve tried this command but got no results. Any idea on the last exercise?

You may definitely check the hints; the hint next to the submit button is the key to the solution.
I have to say, this question is totally a language-understanding question.

Check this blog on the Splunk community and try to mimic the time range used by the author:

Has anyone completed this question: "open the “Search & Reporting” application, and find through SPL searches against all data the two IP addresses of the C2 callback server. Answer format: 10.0.0.1XX and 10.0.0.XX" in Intrusion Detection With Splunk (Real-world Scenario)?

After hours of reading documentation, I found streamstats. Read up on its usage there. I hope that it helps.

I found the answer, but surely not in the intended way. I scoured the internet and nothing seemed to work to get the answer they want. I really thought I had found the right way, as I constructed a search using the “|timechart span=10m count by Account_Name” command, which separates the time into 10-minute intervals. Then, looking at the number of login attempts by account name in those 10-minute intervals, I saw that SYSTEM had 256 login attempts between 9:00 and 9:10, and Desktop-Egss51s$ had 260 login attempts between 8:00 and 8:10. Neither of these is even close to being the correct answer, as the answer only had 9 login attempts total. What have I done that is horribly wrong? I don’t understand this at all.

Guys, the reason why your query does not work out as intended is because span=10m lists events at 10-minute intervals, not within ten minutes. Use range(). How? OK, listen: look over the fields and find the value that would point out the minute, because we need events within 10 minutes, and put it in range().

Same problem here. Did you manage to solve it, bro?

Look at the time range of when the logs were populated. Hint: play with the date/time range. Hope it helps! Good luck.

Take a look at human accounts. I used timechart and a little guesswork, and the right answer will be on hand. Sad to say that the correct account does not have the largest count using timechart; it seems that to get the same result as HTB you need to use streamstats to get a floating span, not a fixed one. But anyway, I do not see how to get the same result as HTB, and larger than the first-answer username in the topic.

Has anyone solved the last question in the topic: find the process that started the infection?

After multiple people asked and responded to the question, it seems how I understood the question was not the best way to go about finding the answer. One person in the Discord chat rephrased the question, which helped me to craft the query and finally get the answer.

“I had difficulty with this question too. The wording of the question was a bit confusing for me, so basically you have to find the account whose first login and last login attempt falls under 10 minutes.”

Hope this helps

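The two readings discussed in this thread (fixed 10-minute buckets from `timechart span=10m` versus an account whose first and last logon fall within 10 minutes) differ in a way that is easy to see on a small constructed dataset. The following is an added illustration, not code from the original thread or from HTB; the 4624 sample events, account names and timestamps are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624 logon events as "timestamp,Account_Name" lines (not HTB data).
# SYSTEM: 7 logons spread over 14 minutes, 5 of them inside the 09:00 bucket.
# svc_backup: 4 logons, first to last under 10 minutes, but split across two buckets.
# jdoe: 2 logons more than an hour apart.
SAMPLE_4624 = """\
2024-05-01 08:57:00,SYSTEM
2024-05-01 09:01:00,SYSTEM
2024-05-01 09:02:00,SYSTEM
2024-05-01 09:03:00,SYSTEM
2024-05-01 09:07:00,SYSTEM
2024-05-01 09:09:00,SYSTEM
2024-05-01 09:11:00,SYSTEM
2024-05-01 09:04:00,svc_backup
2024-05-01 09:05:30,svc_backup
2024-05-01 09:06:10,svc_backup
2024-05-01 09:12:45,svc_backup
2024-05-01 08:10:00,jdoe
2024-05-01 09:40:00,jdoe
"""

def parse_events(text):
    """Return a list of (datetime, account) tuples from the CSV-like sample."""
    events = []
    for line in text.strip().splitlines():
        ts, account = line.split(",", 1)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account))
    return events

def fixed_bucket_counts(events, span=timedelta(minutes=10)):
    """Mimic `timechart span=10m count by Account_Name`: count per fixed bucket.
    Buckets start on the wall-clock 10-minute boundary, so a burst that straddles
    a boundary is split and never seen as one cluster."""
    counts = defaultdict(int)
    for ts, account in events:
        bucket = ts - timedelta(minutes=ts.minute % 10, seconds=ts.second)
        counts[(bucket, account)] += 1
    return dict(counts)

def accounts_within_window(events, window=timedelta(minutes=10)):
    """Accounts whose first and last logon lie within `window` (the reading the
    thread settles on, i.e. stats earliest/latest per account), with their total."""
    first, last, total = {}, {}, defaultdict(int)
    for ts, account in events:
        first[account] = min(first.get(account, ts), ts)
        last[account] = max(last.get(account, ts), ts)
        total[account] += 1
    return {a: total[a] for a in first if last[a] - first[a] <= window}
```

On this sample the largest fixed-bucket count belongs to SYSTEM, while only svc_backup satisfies the "all logons within 10 minutes" condition, which is the discrepancy the posts above describe.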

That helped a lot. Thank you.

Hello guys! I am stuck on the question “For which “service” did the user named Barbi generate a silver ticket?” Although I found out that the Barbi account logged into SQLSERVER, it doesn’t accept SQL as an answer. Could you please give me a hint with regard to that question? Thanks.

Have you solved it?

Yes. Some hints: the answer is case sensitive.
You need to pay attention to how the DLL load process happens, the syntax, etc. After that, if you narrow the search to the place where the payload was found, you will see the process that started the infection. I did not know the DLL load syntax, and missed it.
At this stage I stopped and could not find the answer, then noticed a strange thing for Windows (browsing event fields). That was the answer, after I understood the syntax, how it loaded, and why the other topics' answers would point to investigating this process and specific directory.

Hope this helps, and HTB should place a hint there.