AF-2DFB-LG · Logs / AD
Log Trail Analysis
Downloadable: a real sshd auth.log. Find the brute-force, compromise and persistence chain by correlation. A planted forged entry points to the wrong culprit.
Scenario
A real Linux sshd auth.log. A naive grep for 'Accepted' shows both the real login and a planted FORGED entry. Find the true culprit by correlation: which IP ran a brute-force burst AND then logged in successfully, then escalated and established persistence. The forged entry is a single line with no supporting activity, timestamped before the attack.
Anti-forensics techniques
- Log noise (triage)
- Planted forged log entry (red herring)
- Time inconsistency (requires correlation)
Provided artifacts
- Linux sshd auth.log (text)
Sample questions
- q1: What is the attacker's true source IP address?
- q2: Which account was compromised?
- q3: How was persistence established? (e.g. authorized_keys)
- trap1: Do NOT report the IP pointed to by the forged entry as the culprit.
Soundness trap
The forged 'Accepted ... root' entry (no support, before the attack) points to the wrong IP. Naming it as the culprit is heavily penalized; correlation refutes it.
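As an added example (not part of the challenge or its answer key), this is the correlation the scenario and the soundness trap describe, run over constructed sample lines: per-IP failure counts before each 'Accepted', follow-on session and sudo activity for the logged-in account, and a timestamp that runs backwards relative to the previous line. The IPs, users, timestamps and commands are assumptions, not the challenge data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines standing in for the challenge file. 203.0.113.7 is the
# assumed real attacker; 198.51.100.9 appears only in the assumed forged line.
SAMPLE_LOG = """\
Mar 10 02:14:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 02:14:02 host sshd[1002]: Failed password for invalid user oracle from 203.0.113.7 port 51235 ssh2
Mar 10 02:14:03 host sshd[1003]: Failed password for deploy from 203.0.113.7 port 51236 ssh2
Mar 10 01:00:00 host sshd[999]: Accepted password for root from 198.51.100.9 port 4444 ssh2
Mar 10 02:14:04 host sshd[1004]: Failed password for deploy from 203.0.113.7 port 51237 ssh2
Mar 10 02:14:09 host sshd[1009]: Accepted password for deploy from 203.0.113.7 port 51250 ssh2
Mar 10 02:14:09 host sshd[1009]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar 10 02:15:30 host sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/tee -a /root/.ssh/authorized_keys
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\w+)(?:\[\d+\])?: (.*)$")
AUTH_RE = re.compile(r"^(Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port")

def analyze(log_text, burst_threshold=3, year=2024):
    """Return the supported culprit login, unsupported (forged) logins, backwards timestamps and persistence."""
    failures, activity, logins, backwards = defaultdict(int), defaultdict(list), [], []
    prev_ts = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")  # syslog lines carry no year
        proc, msg = m.group(2), m.group(3)
        if prev_ts is not None and ts < prev_ts:  # time inconsistency: line written out of sequence
            backwards.append(line)
        prev_ts = ts
        a = AUTH_RE.match(msg)
        if a and proc == "sshd":
            kind, user, ip = a.groups()
            if kind == "Failed":
                failures[ip] += 1
            else:  # failures already seen from this IP are the brute-force burst preceding the login
                logins.append({"ts": ts, "user": user, "ip": ip, "prior_failures": failures[ip]})
        elif proc == "sshd" and (s := re.search(r"session opened for user (\S+)", msg)):
            activity[s.group(1)].append(msg)
        elif proc == "sudo" and (s := re.match(r"(\S+) : .*COMMAND=(.*)", msg)):
            activity[s.group(1)].append(s.group(2))  # escalation: record the command run as root
    supported = [l for l in logins if l["prior_failures"] >= burst_threshold and activity[l["user"]]]
    forged = [l for l in logins if l["prior_failures"] == 0 and not activity[l["user"]]]
    persistence = [c for l in supported for c in activity[l["user"]] if "authorized_keys" in c]
    return {"culprit": supported[0] if supported else None, "forged": forged,
            "backwards": backwards, "persistence": persistence}
```

A bare grep for 'Accepted' would return both logins; only the one with a preceding burst and follow-on activity survives the correlation, and the other is also the line whose timestamp runs backwards.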
Scoring
Correlation accuracy + forged-log resistance (soundness).
Download and solve
The answer key is hidden (scored set); the flag is encrypted, and you must decrypt it.