- Question 1 - How many events were returned for the month of March 2022? Change the date range to cover March 2022 and the event count answers the first question.
- Question 2 - What is the IP associated with the suspected user in the logs? The question is asking about the source_ip field. From the logs we can see 2 IP addresses, so you must work out which is the right one.
- Question 3 - The user's machine used a legit Windows binary to download a file from the C2 server. What is the name of the binary? Answering this question took me the longest time because I didn't find the right answer: I was either looking in the wrong place or looking at the right answer without realising it was the answer. Hint: look at the user_agent field ;)
- Question 4 - The infected machine connected with a famous filesharing site in this period, which also acts as a C2 server used by the malware authors to communicate. What is the name of the filesharing site? When we filter by the IP from Question 2 we can answer this one quickly, because there are only 2 logs from that source_ip.
- Question 5 - What is the full URL of the C2 to which the infected host is connected? The hostname plus the url field.
- Question 6 - A file was accessed on the filesharing site. What is the name of the file accessed? We can connect to the filesharing site at the URL from the previous question and find the file there.
- Question 7 - The file contains a secret code with the format THM{_____}. Open file in the filesharing site and copy the flag code.
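The questions above are one triage procedure: narrow the time range, count events per source_ip, inspect the user_agent field for the suspect source, and join hostname and url into a full URL. The script below is an added example, not code from the original post or from the room it walks through; it runs the same steps over a handful of constructed log records whose field names follow the post (@timestamp, source_ip, host, uri, user_agent) and whose values are invented, so it reproduces the method without giving away the room's answers.

```python
"""Added example (not from the original post): a small triage script that
walks the same steps as the questions above over constructed log records.
Field names follow the post; every value below is invented."""
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlunsplit

# Constructed sample events. Two events come from the suspect source
# (mirroring the "only 2 logs from that source_ip" hint), one from a
# benign host in March, and one from February that the date filter drops.
EVENTS = [
    {"@timestamp": "2022-03-01T10:00:00Z", "source_ip": "10.0.0.5",
     "host": "example-filehost.test", "uri": "/raw/ABC123",
     "user_agent": "ExampleWindowsDownloader/1.0"},
    {"@timestamp": "2022-03-02T11:30:00Z", "source_ip": "10.0.0.5",
     "host": "example-filehost.test", "uri": "/raw/ABC123",
     "user_agent": "ExampleWindowsDownloader/1.0"},
    {"@timestamp": "2022-03-05T09:15:00Z", "source_ip": "10.0.0.9",
     "host": "update.example.test", "uri": "/ok",
     "user_agent": "Mozilla/5.0"},
    {"@timestamp": "2022-02-27T08:00:00Z", "source_ip": "10.0.0.9",
     "host": "update.example.test", "uri": "/ok",
     "user_agent": "Mozilla/5.0"},
]


def in_month(events, year, month):
    """Question 1: keep only events whose @timestamp falls in one month."""
    kept = []
    for e in events:
        ts = datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        if ts.year == year and ts.month == month:
            kept.append(e)
    return kept


def events_per_source(events):
    """Question 2: event count per source_ip, to spot the odd one out."""
    return Counter(e["source_ip"] for e in events)


def user_agents_by_source(events):
    """Question 3: distinct user_agent strings seen for each source_ip.
    A non-browser user agent is the clue the post points at."""
    agents = defaultdict(set)
    for e in events:
        agents[e["source_ip"]].add(e["user_agent"])
    return {ip: sorted(v) for ip, v in agents.items()}


def hosts_for_source(events, ip):
    """Question 4: distinct hostnames contacted by the suspect source_ip."""
    return sorted({e["host"] for e in events if e["source_ip"] == ip})


def full_urls_for_source(events, ip, scheme="http"):
    """Question 5: hostname + url field joined into a full URL.
    The scheme is assumed; the sample records carry none."""
    return sorted({urlunsplit((scheme, e["host"], e["uri"], "", ""))
                   for e in events if e["source_ip"] == ip})


if __name__ == "__main__":
    march = in_month(EVENTS, 2022, 3)
    print("events in March 2022:", len(march))
    print("events per source_ip:", dict(events_per_source(march)))
    print("user agents per source_ip:", user_agents_by_source(march))
    suspect = "10.0.0.5"
    print("hosts contacted by", suspect, hosts_for_source(march, suspect))
    print("full URLs for", suspect, full_urls_for_source(march, suspect))
```

In the real room the same filters are applied in the log viewer's UI rather than in code; the script just makes explicit which field each question depends on.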
AudiTTRSi