Description

• Help the ElfSOC analysts and test your technical and security skills while you investigate a malicious attack. You will parse a set of log files to identify the malicious attack vector and various events within an attack chain.
• The log parsing skills emphasized by this challenge can be done with the provided containerized Elf Stack SIEM, through traditional Linux CLI tools, or however you want. There are two challenge modes (EASY and HARD) which determines the difficulty of questions presented to you.
• Note: You do not have to use the containerized SIEM to solve any of the questions, but it might make things a bit easier!
• You can download the containerized Elf Stack SIEM configuration and log files by selecting the "Download" button.

Challenge Modes

Easy Mode

• This mode teaches basic log parsing with a common SIEM utility like the ELK stack. You are provided a Docker Compose configuration that allows you to fully setup an ELK stack within a containerized environment.
• Select this mode if you are new to security, or you want to continue on with the story. This mode is meant to help you learn while doing.

Hard Mode

• This mode expects you have some knowledge on parsing log files. The attack path is more complex and you will need to research how to identify the steps within the attack chain.
• Select this mode if you want to challenge your security skills.

---

Optional: Elf Stack SIEM

Containerized ELK Stack

• The containerized SIEM is provided to assist in solving the challenge. The SIEM is fully functional and configured to ingest the provided log files.
• Note: This was built and tested on an Ubuntu 22.04 Linux virtual machine.

Containerized ELK Stack: Prerequisites

• Minimum system specs to run the containerized SIEM. The specs below minimize the loss of logs during ingestion. Adjusting the specs down may cause longer delays in log ingestion, loss of logs during ingestion, or slow performance:
  • RAM: Minimum 16GB
  • CPU Cores: Minimum 4
  • Hard drive space: Minimum 30GB / Recommended 40GB
  • A network interface with internet connectivity
• Follow the instructions on Docker Installation Guide to install Docker on your respective platform.
• After installation of Docker, download the Elf Stack files from the download page.
• Unzip/Extract the containerized files into a single directory.

Containerized ELK Stack: Setup

• NOTE: Setup time depends on internet connectivity and system resources.
• Browse to the directory containing the container SIEM files and setup the environment. Time to complete ~2-10 minutes:

  docker compose up setup

• Run the ELF Stack SIEM to automatically ingest the logs. Time to complete ~20-30 minutes:

  docker compose up

• The terminal output will display:
  • When logs ingestion is complete.
  • The login URL and credentials.
• After the login URL and credentials are displayed, the Elf Stack SIEM is ready for use.
• NOTE: After your Elf Stack SIEM is setup, ensure you set the timeframe to look at events in 2024.

Containerized ELK Stack: Teardown

• Use the following command to shut down the Elf Stack SIEM:

  docker compose down --volumes

• NOTE: The command requires the --volumes syntax to clear the volume data which may skew your results if you set the stack up again later.