BOTSv1 Level 3: Sysmon and Splunk Stream (50 pts)

BOTSv1 3.1: MD5 (10 pts)

In Level 2, you found the name of an executable file the attackers uploaded to the server.

Find that file's MD5 hash.


  • Read about Sysmon Event IDs
  • Find events from Sysmon for process creation.
  • Examine cmdline to find the correct event.

BOTSv1 3.2: Brute Force (10 pts)

What was the first brute force password used?


  • Start with 1:10 sampling.
  • Find events containing "login".
  • Find top values of "url".
  • Examine the "form_data" values to identify the brute force attack.

BOTSv1 3.3: Correct Password (10 pts)

What was the correct password found in the brute force attack?


  • Find the events with the "form_data" values indicating a login attempt.
  • There are two different "http_user_agent" values.

BOTSv1 3.4: Time Interval (10 pts)

How many seconds elapsed between the time the brute force password scan identified the correct password and the compromised login? Round to 2 decimal places.


  • HINT: Find the two events with the correct password in the "form_data" field.

BOTSv1 3.5: Number of Passwords (10 pts)

How many unique passwords were attempted in the brute force attack?

Posted 10-30-20