You’re a SOC analyst at NetSecure Inc. The SIEM (Security Information and Event Management) system has raised an alert for unusual network activity on one of the company’s servers.
Your task is to investigate the incident, identify the threat, and respond accordingly.
You’re analyzing the following server log:
Mar 21 08:12:45 server sshd[2345]: Failed password for root from 10.0.0.5 port 22 ssh2
Mar 21 08:14:01 server sshd[2346]: Failed password for root from 10.0.0.6 port 22 ssh2
Mar 21 08:15:15 server sshd[2347]: Accepted password for root from 10.0.0.7 port 22 ssh2
Mar 21 08:16:40 server sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Mar 21 08:17:50 server sshd[2348]: Failed password for root from 10.0.0.8 port 22 ssh2
Mar 21 08:18:55 server sshd[2349]: Accepted password for root from 10.0.0.9 port 22 ssh2
Question 1.
Identify the suspicious login attempts.
Question 2.
Which IP address successfully accessed the system as root?
Question 3.
What could be the potential risk with this activity?
Question 4.
Provide the final flag for this incident.
Scenario:
You’re a SOC analyst at CyberDefense Ltd. A network intrusion detection system (NIDS) has raised an alert about a possible port scanning activity from an internal IP address.
Your task is to investigate the alert, identify the source, and determine if it’s a potential threat.
You’re provided with the following network log:
Mar 22 14:05:23 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54321 PROTO=TCP SPT=12345 DPT=22 FLAGS=S
Mar 22 14:05:25 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54322 PROTO=TCP SPT=12345 DPT=80 FLAGS=S
Mar 22 14:05:27 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54323 PROTO=TCP SPT=12345 DPT=443 FLAGS=S
Question 1.
What type of activity does this log indicate?
Question 2.
Which IP address is performing the suspicious activity?
Question 3.
What service ports are being targeted?
Question 4.
Provide the final flag for this incident.
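One way to turn the questions above into a detection is to group the netfilter SYN records by source and count distinct destination ports inside a short time window. The example below is added here and is not part of the exercise material; it runs over the three kernel lines from this scenario plus one constructed benign connection from 192.168.1.60, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Netfilter lines from the scenario above, plus one constructed benign line
# (a single connection from another host) to show what is not flagged.
LOG_LINES = [
    "Mar 22 14:05:23 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54321 PROTO=TCP SPT=12345 DPT=22 FLAGS=S",
    "Mar 22 14:05:25 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54322 PROTO=TCP SPT=12345 DPT=80 FLAGS=S",
    "Mar 22 14:05:27 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.50 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54323 PROTO=TCP SPT=12345 DPT=443 FLAGS=S",
    "Mar 22 14:05:40 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.60 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54330 PROTO=TCP SPT=40001 DPT=443 FLAGS=S",  # constructed
]

KV_RE = re.compile(r"(\w+)=(\S*)")
TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")

def parse_netfilter(line):
    """Return (timestamp, {KEY: value}) for a kernel netfilter line, else None."""
    if " kernel: " not in line:
        return None
    ts = datetime.strptime(TS_RE.match(line).group(1), "%b %d %H:%M:%S")  # syslog has no year
    return ts, dict(KV_RE.findall(line.split(" kernel: ", 1)[1]))

def detect_syn_scans(lines, min_ports=3, window_s=60):
    """Flag a source that sends SYNs to >= min_ports distinct ports on one host within window_s."""
    syns = defaultdict(list)  # (src, dst) -> [(time, dst port)]
    for line in lines:
        parsed = parse_netfilter(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("PROTO") == "TCP" and f.get("FLAGS") == "S":  # bare SYN, no ACK
            syns[(f["SRC"], f["DST"])].append((ts, int(f["DPT"])))
    findings = {}
    for (src, dst), events in syns.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide a window over the SYNs
            ports = {p for t, p in events[i:] if (t - start).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                findings[src] = {"target": dst, "ports": sorted(ports), "first_seen": start.strftime("%H:%M:%S")}
                break
    return findings

if __name__ == "__main__":
    print(detect_syn_scans(LOG_LINES))
```

Only 192.168.1.50 is reported; the single SYN from 192.168.1.60 stays below the threshold.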
Scenario:
You’re a SOC analyst at SecureNet Solutions. The Security Operations Center (SOC) has detected an unusual file download activity from an internal system. This could be an attempt to exfiltrate sensitive data or a sign of a compromised system.
Log Data:
Mar 23 10:20:15 server wget[1234]: downloading file from http://192.168.1.150/malware.zip
Mar 23 10:21:30 server sshd[5678]: Accepted password for user1 from 192.168.1.151 port 22 ssh2
Mar 23 10:22:05 server scp[6789]: file transfer from 192.168.1.151 to 192.168.1.100
Mar 23 10:23:50 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.152 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54324 PROTO=TCP SPT=12346 DPT=80 FLAGS=S
Question 1.
What type of activity does this log indicate?
Question 2.
Which IP address is involved in the suspicious file download?
Question 3.
What could be the potential risk associated with this activity?
Question 4.
Provide the final flag for this incident.
Scenario:
You’re a SOC analyst at DataSecure Corp. A network monitoring tool has flagged an unusual outbound connection from an internal server to an external IP address. This could indicate a potential data breach or unauthorized communication with a malicious server.
You’re a SOC analyst at InfoSecure Technologies. A security alert has been triggered due to suspicious file access on a sensitive server. The file was accessed at an unusual time, and the user accessing it is not part of the regular team.
Your job is to analyze the logs, identify the suspicious activity, and determine if this is an insider threat or an external compromise.
Log Data:
Mar 25 03:12:45 server auditd[123]: USER_AUTH pid=4567 uid=1001 auid=1001 ses=3 msg='op=access dir=/sensitive/data file=confidential.docx exe="/usr/bin/vi" hostname=server1 addr=192.168.1.150 terminal=pts/0 res=success'
Mar 25 03:13:01 server sshd[789]: Accepted password for user1 from 192.168.1.150 port 22 ssh2
Mar 25 03:14:30 server auditd[124]: USER_ACCESSED pid=4568 uid=1001 auid=1001 ses=3 msg='op=read file=/sensitive/data/confidential.docx exe="/usr/bin/vi" hostname=server1 addr=192.168.1.150 terminal=pts/0 res=success'
You’re a SOC analyst at GlobalSecure Corp. The DNS monitoring system has flagged an unusual outbound DNS query from an internal system. This could be an attempt to communicate with a malicious domain or exfiltrate data using DNS tunneling.
Your task is to investigate the DNS logs, identify the suspicious activity, and determine if it’s part of a security incident.
Log Data:
Mar 26 15:30:12 server dnsmasq[1234]: query[A] suspicious-domain.com from 192.168.1.200
Mar 26 15:30:15 server dnsmasq[1234]: reply suspicious-domain.com is 203.0.113.55
Mar 26 15:31:00 server sshd[5678]: Accepted password for user2 from 192.168.1.201 port 22 ssh2
Mar 26 15:32:10 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.200 DST=203.0.113.55 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54327 PROTO=TCP SPT=12347 DPT=53 FLAGS=S
Question 1.
What type of activity does this log indicate?
Question 2.
Which internal IP address made the suspicious DNS query?
Question 3.
What domain was queried that raises suspicion?
Question 4.
Provide the final flag for this incident.
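The questions above are answered by correlating three record types: the dnsmasq query (who asked), the dnsmasq reply (what it resolved to) and the netfilter flow (who then connected there). The example below is added here and is not part of the exercise material; the watchlist and the approved-resolver address are constructed assumptions, and the sshd line for user2 is deliberately left in to show it is ignored.

```python
import re
from collections import defaultdict

# dnsmasq and netfilter lines from the scenario above.
LOG_LINES = [
    "Mar 26 15:30:12 server dnsmasq[1234]: query[A] suspicious-domain.com from 192.168.1.200",
    "Mar 26 15:30:15 server dnsmasq[1234]: reply suspicious-domain.com is 203.0.113.55",
    "Mar 26 15:31:00 server sshd[5678]: Accepted password for user2 from 192.168.1.201 port 22 ssh2",
    "Mar 26 15:32:10 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.200 DST=203.0.113.55 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54327 PROTO=TCP SPT=12347 DPT=53 FLAGS=S",
]
# Constructed watchlist; in practice this comes from threat intel or a reputation feed.
WATCHLIST = {"suspicious-domain.com"}
# Assumed: the only resolver internal hosts should talk to (constructed address).
APPROVED_RESOLVER = "192.168.1.1"

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")
REPLY_RE = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (\S+)")
KV_RE = re.compile(r"(\w+)=(\S*)")

def correlate_dns(lines, watchlist=WATCHLIST, resolver=APPROVED_RESOLVER):
    """Link each outbound connection to the DNS answer that produced its destination."""
    queried_by = defaultdict(set)  # domain -> internal clients that looked it up
    resolved = defaultdict(set)    # answer IP -> domains that resolved to it
    findings = []
    for line in lines:
        q = QUERY_RE.search(line)
        if q:
            qtype, domain, client = q.groups()
            queried_by[domain].add(client)
            if domain in watchlist:
                findings.append({"type": "watchlist_query", "client": client, "domain": domain, "qtype": qtype})
            continue
        r = REPLY_RE.search(line)
        if r:
            domain, ip = r.groups()
            resolved[ip].add(domain)
            continue
        if " kernel: " not in line:
            continue  # sshd and other lines are not network flows
        f = dict(KV_RE.findall(line))
        src, dst = f.get("SRC"), f.get("DST")
        for domain in sorted(resolved.get(dst, ())):
            if src in queried_by[domain]:  # same host that asked is now connecting to the answer
                findings.append({"type": "connection_to_resolved", "client": src, "dst": dst,
                                 "domain": domain, "dpt": int(f["DPT"])})
        if f.get("DPT") == "53" and dst != resolver:  # DNS traffic bypassing the corporate resolver
            findings.append({"type": "dns_to_unapproved_host", "client": src, "dst": dst})
    return findings
```

Running correlate_dns(LOG_LINES) yields three findings, all for 192.168.1.200: the watchlisted lookup, the follow-up connection to the resolved address, and direct port-53 traffic to a host that is not the approved resolver.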
You’re a SOC analyst at ThreatDefend Inc. A security alert has been triggered due to an unusual process execution on a critical server. The process appears to be running with elevated privileges and was executed from an unexpected location.
Your task is to analyze the logs, identify the suspicious activity, and determine if this is part of a security breach.
Log Data:
Mar 27 11:45:22 server auditd[123]: EXECVE /usr/bin/python3 pid=4567 uid=0 auid=0 ses=2 msg='op=execve exe="/usr/bin/python3" hostname=server1 addr=192.168.1.150 terminal=pts/0 res=success'
Mar 27 11:46:10 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=192.168.1.150 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54328 PROTO=TCP SPT=12348 DPT=22 FLAGS=S
Mar 27 11:47:05 server auditd[124]: USER_EXECUTED pid=4568 uid=0 auid=0 ses=2 msg='op=execve file=/usr/bin/python3 exe="/usr/bin/python3" hostname=server1 addr=192.168.1.150 terminal=pts/0 res=success'
Question 1.
What type of activity does this log indicate?
Question 2.
Which process was executed that raises suspicion?
Question 3.
From which directory was the process executed?
Question 4.
Provide the final flag for this incident.
You’re a SOC analyst at CyberFort Security. An alert has been triggered due to a login attempt that occurred at an unusual hour. The login was successful, but the source IP address is from an unexpected location.
Your job is to investigate the login logs and determine whether this was legitimate access or part of a potential credential compromise.
Log Data:
Mar 28 02:15:45 server sshd[1234]: Accepted password for admin from 203.0.113.75 port 22 ssh2
Mar 28 02:16:10 server kernel: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:6f:7g:8h:9i:0j:1k SRC=203.0.113.75 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54329 PROTO=TCP SPT=22 DPT=22 FLAGS=S
Mar 28 02:17:30 server auditd[5678]: USER_LOGIN pid=1235 uid=0 auid=0 ses=3 msg='op=login user=admin exe="/usr/sbin/sshd" hostname=server1 addr=203.0.113.75 terminal=pts/0 res=success'
Question 1.
What type of activity does this log indicate?
Question 2.
Which user account was used for the login?
Question 3.
What is the source IP address of the login?
Question 4.
Provide the final flag for this incident.
You’re a SOC analyst at NetShield Technologies. A security alert has been triggered due to multiple failed login attempts from the same IP address. This could indicate a brute-force attack trying to guess user credentials.
Your task is to analyze the login logs, identify the suspicious activity, and determine if it’s part of a security incident.
Log Data:
Mar 29 18:03:12 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2
Mar 29 18:03:15 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2
Mar 29 18:03:17 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2
Mar 29 18:03:20 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2
Mar 29 18:03:23 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2
Question 1.
What type of activity does this log indicate?
Question 2.
Which IP address is making the failed login attempts?
Question 3.
How many failed attempts were made?
Question 4.
Provide the final flag for this incident.
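The NetSecure, CyberFort and NetShield scenarios above all hinge on the same sshd authentication records, so one triage routine covers them: count failures per source and per account, and annotate each accepted login with why it deserves a look. The example below is added here and is not part of the exercise material; the internal address ranges, the failure threshold and the business-hours window are assumptions.

```python
import ipaddress
import re
from collections import Counter

# sshd lines from the NetSecure, CyberFort and NetShield scenarios above, in chronological order.
LOG_LINES = [
    "Mar 21 08:12:45 server sshd[2345]: Failed password for root from 10.0.0.5 port 22 ssh2",
    "Mar 21 08:14:01 server sshd[2346]: Failed password for root from 10.0.0.6 port 22 ssh2",
    "Mar 21 08:15:15 server sshd[2347]: Accepted password for root from 10.0.0.7 port 22 ssh2",
    "Mar 21 08:17:50 server sshd[2348]: Failed password for root from 10.0.0.8 port 22 ssh2",
    "Mar 21 08:18:55 server sshd[2349]: Accepted password for root from 10.0.0.9 port 22 ssh2",
    "Mar 28 02:15:45 server sshd[1234]: Accepted password for admin from 203.0.113.75 port 22 ssh2",
    "Mar 29 18:03:12 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2",
    "Mar 29 18:03:15 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2",
    "Mar 29 18:03:17 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2",
    "Mar 29 18:03:20 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2",
    "Mar 29 18:03:23 server sshd[1234]: Failed password for invalid user admin from 198.51.100.45 port 22 ssh2",
]

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SSHD_RE = re.compile(r"^(\w{3} +\d+ (\d\d):\d\d:\d\d) \S+ sshd\[\d+\]: (Accepted|Failed) password for "
                     r"(?:invalid user )?(\S+) from (\S+) port")

def triage_sshd(lines, fail_threshold=3, business_hours=range(8, 19)):
    """Count failures per (source, account) and per account; annotate every accepted login."""
    per_source, per_user, accepted = Counter(), Counter(), []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue  # sudo, scp, kernel lines etc. are not sshd auth events
        ts, hour, result, user, src = m.groups()
        if result == "Failed":
            per_source[(src, user)] += 1
            per_user[user] += 1
            continue
        reasons = []
        if user == "root":
            reasons.append("direct root login")
        if not any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS):
            reasons.append("external source")
        if int(hour) not in business_hours:
            reasons.append("outside business hours")
        if per_user[user]:  # failures already seen for this account before the success
            reasons.append(f"follows {per_user[user]} failed attempts for this account")
        accepted.append({"time": ts, "user": user, "src": src, "reasons": reasons})
    brute_force = {k: n for k, n in per_source.items() if n >= fail_threshold}
    return {"brute_force": brute_force, "failures_by_user": dict(per_user), "accepted": accepted}

if __name__ == "__main__":
    print(triage_sshd(LOG_LINES))
```

The three root failures come from three different sources, so the per-source threshold does not fire for them; the per-account counter and the "follows N failed attempts" annotation on the root successes are what surface that pattern.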
You’re a SOC analyst at SecureSys Inc. A network intrusion detection system (NIDS) has flagged a suspicious port scan originating from an internal server. This could indicate an internal reconnaissance attempt or an attacker probing for vulnerabilities.
Your task is to analyze the network logs, identify the suspicious activity, and determine if it’s part of a security incident.
Question 1.
What type of activity does this log indicate?
Question 2.
Which internal IP address is performing the port scan?
Question 3.
What external IP address is being scanned?
Question 4.
Provide the final flag for this incident.