
THM Lab Diary 34 - Advent of Cyber 2024: Day 2

Add the PowerShell-related fields host.hostname, user.name, event.category, process.command_line and event.outcome to the displayed columns.

It looks like someone is running PowerShell commands.

Add the source.ip field to see who is running the commands (service_admin), then widen the time range: the spike sits at the end of Dec 1.

Next, filter on user.name: service_admin and source.ip: 10.0.11.11.

Then invert the filter to exclude 10.0.11.11 and keep only authentication events: a long run of failed logins stops right after a single successful login.
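The pivots above (add the columns, filter on user.name and source.ip, exclude the admin host, keep only authentication events, then read the PowerShell command that follows the successful login) re-done in Python over a few constructed ECS-style events, so the same logic can be checked outside Kibana. This is an added example and not part of the original write-up or the room's data: the events, timestamps, the failure count and the backup_svc noise account are constructed for illustration, and the helper names (where, where_not, decode_encoded_command, triage) are my own.

```python
"""Re-run the Day 2 Kibana pivots over constructed ECS-style events (added example)."""
import base64
import re


def encode_ps_command(script: str) -> str:
    """powershell.exe -EncodedCommand takes Base64 of the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events with flat dotted ECS keys (NOT the room's real Elastic data).
# 10.0.11.11 plays the admin's own host; 10.0.255.1 plays the remote source of the
# failed logons; backup_svc is a noise account that must not leak into the result.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-12-01T08:50:00.000Z", "host.hostname": "ADM-01",
     "user.name": "service_admin", "source.ip": "10.0.11.11", "event.category": "process",
     "event.outcome": "success", "process.command_line": "powershell.exe Get-Service"},
] + [
    {"@timestamp": f"2024-12-01T08:54:{30 + i:02d}.000Z", "host.hostname": "ADM-01",
     "user.name": "service_admin", "source.ip": "10.0.255.1",
     "event.category": "authentication", "event.outcome": "failure"}
    for i in range(6)  # six constructed failures, not the room's real count
] + [
    {"@timestamp": "2024-12-01T08:54:39.000Z", "host.hostname": "ADM-01",
     "user.name": "service_admin", "source.ip": "10.0.255.1",
     "event.category": "authentication", "event.outcome": "success"},
    {"@timestamp": "2024-12-01T08:54:40.000Z", "host.hostname": "ADM-01",
     "user.name": "service_admin", "source.ip": "10.0.255.1", "event.category": "process",
     "event.outcome": "success",
     "process.command_line": "powershell.exe -NoProfile -EncodedCommand "
                             + encode_ps_command("Install-WindowsUpdate -AcceptAll -AutoReboot")},
    {"@timestamp": "2024-12-01T08:55:00.000Z", "host.hostname": "ADM-01",
     "user.name": "backup_svc", "source.ip": "10.0.11.11",
     "event.category": "authentication", "event.outcome": "failure"},
]


def where(events, match):
    """Keep events whose fields all equal the given values (a Kibana '+' filter)."""
    return [e for e in events if all(e.get(k) == v for k, v in match.items())]


def where_not(events, match):
    """Drop events matching every criterion (a Kibana '-' / NOT filter)."""
    return [e for e in events if not all(e.get(k) == v for k, v in match.items())]


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_FLAGS = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
_ENC_RE = re.compile(rf"(?:^|\s)-(?:{_ENC_FLAGS})\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line: str):
    """Return the plaintext script of an -EncodedCommand invocation, or None if absent/invalid."""
    m = _ENC_RE.search(command_line or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events, account, admin_ip):
    """Reproduce the write-up's pivots for one account: exclude the admin host, keep
    authentication events, count the failures, find the success that ends the run, and
    decode any PowerShell the account ran from that moment on."""
    auth = where(where_not(events, {"source.ip": admin_ip}),
                 {"user.name": account, "event.category": "authentication"})
    auth.sort(key=lambda e: e["@timestamp"])
    failures = [e for e in auth if e["event.outcome"] == "failure"]
    successes = [e for e in auth if e["event.outcome"] == "success"]
    first_success = successes[0]["@timestamp"] if successes else None
    # The observation in the write-up: no failures are seen once the login succeeds.
    failures_after = [e for e in failures if first_success and e["@timestamp"] > first_success]
    procs = where(events, {"user.name": account, "event.category": "process"})
    decoded = [decode_encoded_command(e.get("process.command_line"))
               for e in procs if first_success and e["@timestamp"] >= first_success]
    return {
        "failed_logons": len(failures),
        "attacker_ips": sorted({e["source.ip"] for e in failures}),
        "first_success": first_success,
        "failures_after_success": len(failures_after),
        "decoded_commands": [c for c in decoded if c],
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_EVENTS, "service_admin", "10.0.11.11").items():
        print(f"{k}: {v}")
```

The decoder is the part worth keeping: a base64 blob in process.command_line is only readable after decoding as UTF-16LE, and the abbreviated flag forms (-e, -enc) are what you will actually meet in the field, so a check that only looks for the literal string -EncodedCommand misses most of them.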

1) What is the name of the account causing all the failed login attempts?
Ans - service_admin
2) How many failed logon attempts were observed?
Ans - 6791
3) What is the IP address of Glitch?
Ans - 10.0.255.1
4) When did Glitch successfully logon to ADM-01? Format: MMM D, YYYY HH:MM:SS.SSS?
Ans - Dec 1, 2024 08:54:39.000
5) What is the decoded command executed by Glitch to fix the systems of Wareville?
Ans - Install-WindowsUpdate -AcceptAll -AutoReboot