Created January 26, 2024 17:50
Gist: johnfelipe/abedda886a030d15e4557a7534c66896
1
00:00:00,660 --> 00:00:06,860
What's going on guys, welcome back. Today we're doing a bit of a challenge with

2
00:00:06,860 --> 00:00:11,860
Splunk. So the room name is Investigating with Splunk and we're given a scenario.

3
00:00:11,860 --> 00:00:18,100
We are required to answer the questions in an attempt to analyze what happened

4
00:00:18,100 --> 00:00:24,250
and what was the reason or the key artifacts of the breach. So if you read the

5
00:00:24,250 --> 00:00:29,170
description it says SOC analyst Johnny has observed some anomalous behaviors in

6
00:00:29,170 --> 00:00:54,280
the logs of a few Windows machines. So that's where the incident happened, in a Windows workstation. It looks like the adversary has access to some of these machines and successfully created some backdoor. His manager has asked him to pull those logs from suspected hosts and ingest them into Splunk for quick investigation.

7
00:00:54,280 --> 00:00:58,340
So there you go, a Windows machine or a couple of Windows machines have been

8
00:00:58,340 --> 00:01:04,519
compromised. The Windows event logs have been pulled and uploaded to Splunk for

9
00:01:04,519 --> 00:01:11,310
quick investigation. We are required to find out what happened. Our task as a

10
00:01:11,310 --> 00:01:20,320
SOC analyst is to examine the logs and identify the anomalies. Okay, all right, so

11
00:01:20,320 --> 00:01:26,600
deploying the machine. Here we have Splunk. Now the data has been uploaded, it's

12
00:01:26,600 --> 00:01:30,760
available. To access the data, as we mentioned in the previous video,

13
00:01:30,760 --> 00:01:33,840
when you upload data you create an index.

14
00:01:33,840 --> 00:01:38,720
The index for the data is index=main

15
00:01:38,720 --> 00:01:43,800
and by retrieving the index we will retrieve all the events. Make sure to

16
00:01:43,800 --> 00:01:48,760
click on All time and we have a total of

17
00:01:48,760 --> 00:01:53,600
12,256 events. That's the answer for the first question.

18
00:01:53,600 --> 00:01:58,540
Okay. On one of the infected hosts, the adversary was successful in

19
00:01:58,540 --> 00:02:07,140
creating a backdoor user. What is the username? Okay, so basically we're looking

20
00:02:07,140 --> 00:02:12,790
to find out how the username has been created. We have two methods: we can

21
00:02:12,790 --> 00:02:19,540
either search for the command or we can search for the event ID. So here on the

22
00:02:19,540 --> 00:02:27,210
left we have event IDs, over 55, and if we look at the command we then have a filter

23
00:02:27,210 --> 00:02:37,070
or field for command line. So we're gonna filter by event ID and specifically we're going to filter

24
00:02:37,070 --> 00:02:51,230
for the event ID that refers to a user creation, so that happens to be 4720. 4720, and that would give

25
00:02:51,230 --> 00:02:58,940
us only one event which actually indicates that the user account was created. So finding out

26
00:02:58,940 --> 00:03:09,180
the account name, we scroll down and we see it's A1berto. It's Alberto, but the one, or the, uh, one

27
00:03:09,180 --> 00:03:16,860
here replaces the L. So that's the account name or the username that has been created. On the same

28
00:03:16,860 --> 00:03:25,440
host a registry key was also updated regarding the new backdoor user. What's the full path of

29
00:03:25,440 --> 00:03:32,400
that registry key? So we were looking to find out all the events where a registry key has been added,

30
00:03:32,400 --> 00:03:39,630
modified or deleted. So if we take a look at the left we can see the category and we can see the

31
00:03:39,630 --> 00:03:47,710
top 10 values of the event categories. You can see this Registry object added or deleted

32
00:03:47,710 --> 00:03:55,460
exactly describes the question, so a registry key was deleted. We click on that

33
00:03:55,460 --> 00:04:05,160
and we have 1496 events. All right, so to filter these down more we're looking to

34
00:04:05,160 --> 00:04:10,610
find out these events that are related to the new backdoor user, which

35
00:04:10,610 --> 00:04:19,560
happens to be A1berto, and now we narrowed down the number to 2. So we

36
00:04:19,560 --> 00:04:24,210
have two events and from here we can find out the registry key that has been

37
00:04:24,210 --> 00:04:28,800
deleted. As you can see, DeleteKey, and this is the key. How about the other

38
00:04:28,800 --> 00:04:33,360
event? If we take a look down there you see CreateKey, but we're not looking

39
00:04:33,360 --> 00:04:40,360
for keys that were created, we're looking for the keys that were modified

40
00:04:40,360 --> 00:04:47,160
or updated or deleted, which happens to be this key. So a user account has been

41
00:04:47,160 --> 00:04:56,160
created and a registry key was modified as such. Examine the logs and identify the user that the

42
00:04:56,160 --> 00:05:02,850
adversary was trying to impersonate. So basically the adversary has created a backdoor user, it's A1

43
00:05:02,850 --> 00:05:10,860
berto. So by choosing this name they were trying to impersonate a specific or a currently

44
00:05:10,860 --> 00:05:19,320
existing username. So we have to take a look again at the current users in the host and see which one

45
00:05:19,320 --> 00:05:26,990
is similar to A1berto. So we have Alberto, that's the real one. Alberto, that's the real username.

46
00:05:26,990 --> 00:05:32,670
Okay, the backdoor one, the fake version was A1berto, the real one is Alberto. That's the

47
00:05:32,670 --> 00:05:39,480
username that the attacker was trying to impersonate so that they go undetected in the attack. So up

48
00:05:39,480 --> 00:05:45,860
until now the attacker got access, they created one username or a backdoor username called A1berto

49
00:05:45,860 --> 00:05:53,500
that looks similar to Alberto. Next, what's the command used to add a backdoor user from a remote

50
00:05:53,500 --> 00:06:02,490
computer? So from here we are trying to find out how the username A1berto has been created.

51
00:06:02,490 --> 00:06:10,960
Okay, there must be a command that has been executed from a remote computer. Why? Because the

52
00:06:10,960 --> 00:06:15,560
Windows machines have been compromised, of course, from the attacker computer which is a remote

53
00:06:15,560 --> 00:06:20,840
computer. The attacker executed a command on their machine, the remote

54
00:06:20,840 --> 00:06:25,580
computer, to add the backdoor user. We want to find out this command. How we

55
00:06:25,580 --> 00:06:35,660
ended up with this command here, okay, so if we go back, index=main, and here we

56
00:06:35,660 --> 00:06:41,080
search for net user, but that's the only command that's actually used to add a

57
00:06:41,080 --> 00:06:52,250
username. So net user, scrolling down, taking a look at the fields here, so

58
00:06:52,250 --> 00:07:00,360
looking to find out the exact command, but we ended up with 6000 events for users. If we

59
00:07:00,360 --> 00:07:10,320
narrow these down to Alberto we have three in the command line, we have three commands, but these are

60
00:07:10,320 --> 00:07:24,680
not the commands we're looking for. So we're going to go back. Let's see here, the attacker executed

61
00:07:24,680 --> 00:07:30,920
the command from a remote computer, so not exactly the username. So we're looking for,

62
00:07:31,720 --> 00:07:45,530
here, net user, we have 6000 events. We have to narrow these down somehow. If we search for

63
00:07:45,530 --> 00:07:58,280
WMIC, 89, 89 events. Still we are far from the answer. We're looking here to find out

64
00:07:58,280 --> 00:08:10,560
the exact command but we're getting too many events for the net user add. Okay, going back,

65
00:08:11,550 --> 00:08:19,100
so the attacker first, they got access as one of these users. This user is the original user.

66
00:08:19,660 --> 00:08:32,200
How about James? Command line, for command lines. So why I selected James here, basically

67
00:08:32,200 --> 00:08:38,299
James could be the username that the attacker got access to when they first

68
00:08:38,299 --> 00:08:44,100
compromised the machine. So if I look at the command line, the CommandLine field, I

69
00:08:44,100 --> 00:08:50,150
see four interesting commands and I can see this one, C:\Windows\System32

70
00:08:50,150 --> 00:08:56,770
WMIC. Indicating, the WMIC indicates that the attacker got access through

71
00:08:56,770 --> 00:09:02,790
PowerShell, specifically Evil-WinRM, and they executed this command to add the

72
00:09:02,790 --> 00:09:09,190
user A1berto. So A1berto is a backdoor username that has been created with this command

73
00:09:09,830 --> 00:09:16,470
starting from the first access or the first foothold account, which was James. So that's

74
00:09:16,470 --> 00:09:22,050
the command. How many times was the login attempt from the backdoor user observed

75
00:09:22,050 --> 00:09:29,800
during the investigation? How many times was the login attempt from the backdoor user observed

76
00:09:29,800 --> 00:09:34,680
through the investigation? How many times did they log in with the backdoor username? The backdoor

77
00:09:34,680 --> 00:09:45,410
username is A1berto. We want to find out in the category here what are the events. We're looking to

78
00:09:45,410 --> 00:09:54,660
find if there is a logon. So there is no logon, which means there is no login or successful login with

79
00:09:54,660 --> 00:10:01,730
this username. Taking a look at the event IDs we have eight event IDs and none of these event IDs

80
00:10:01,730 --> 00:10:07,150
match a successful or failed login attempt, which means we are left with 0.

81
00:10:07,150 --> 00:10:12,730
What's the name of the infected host on which suspicious PowerShell commands were

82
00:10:12,730 --> 00:10:18,770
executed? So here we are also trying to find out the hostname of the

83
00:10:18,770 --> 00:10:24,250
infected machine. We already found that the username was James. So if we go back

84
00:10:24,250 --> 00:10:31,920
and type PowerShell, just type PowerShell, as you can see here it gives you all of the

85
00:10:31,920 --> 00:10:41,100
PowerShell commands that have been executed and the host happens to be James Brown. PowerShell logging is

86
00:10:41,100 --> 00:10:46,460
enabled on this device. How many events were logged for the malicious PowerShell execution?

87
00:10:46,460 --> 00:10:53,260
PowerShell logging is a feature that lets you log all of the PowerShell commands executed on a specific

88
00:10:53,260 --> 00:11:00,450
host. The catch is, once you enable PowerShell logging an event ID is triggered in Windows. The event ID

89
00:11:00,450 --> 00:11:08,050
is 4103. So we want to find out how many events were generated as a result of PowerShell logging.

90
00:11:08,050 --> 00:11:25,940
We have to filter for this event ID, so EventID 4103, exactly. We have 79 events. An encoded

91
00:11:25,940 --> 00:11:33,010
PowerShell script from the infected host initiated a web request. What's the full URL? Okay, back to

92
00:11:33,010 --> 00:11:44,690
PowerShell. So here we want to decode the command that has been executed. There is exactly one, only

93
00:11:44,690 --> 00:11:53,650
one command, which is this one. So we're looking to decode this command. Scrolling all the way down,

94
00:11:57,620 --> 00:12:18,540
let's copy all of that and we will go to CyberChef, From Base64, again delete all of these

95
00:12:18,540 --> 00:12:28,200
and down there. Okay, so we have decoded the Base64. As you can see we need some

96
00:12:28,200 --> 00:12:32,420
encoding, some modifications on the output, so we're going to use Decode,

97
00:12:32,420 --> 00:12:41,600
Decode text. So this is text, I'm going to need to decode this to a format

98
00:12:41,600 --> 00:12:45,910
that we can understand. So UTF-8, exactly, not good.

99
00:12:45,910 --> 00:12:55,420
UTF-16, this one sounds good. Okay, so now if we scroll down we see here the

100
00:12:55,420 --> 00:13:01,420
user agent, and after the user agent we see a Base64 string. Right after the string we

101
00:13:01,420 --> 00:13:08,500
have a directory or path indicating that a page named news.php or a file

102
00:13:08,500 --> 00:13:14,020
named news has been accessed. So that's the path of the URL. What about the URL

103
00:13:14,020 --> 00:13:23,420
itself? I'm going to duplicate this, copy the Base64. Probably this Base64, if we decode it, we will

104
00:13:23,420 --> 00:13:34,540
have the URL, the full URL. As you can see it is the IP address. Now if we take that, slash news.php,

105
00:13:35,260 --> 00:13:40,110
we have the full URL, but we need to write the full URL in a specific format,

106
00:13:40,110 --> 00:13:56,620
as you can see, defang the URL. So we go to, let's see, remove these, and this is the final answer.

107
00:13:56,620 --> 00:14:06,260
That was an intermediate challenge with Splunk. It didn't involve so many filters, so many processing

108
00:14:06,260 --> 00:14:14,260
search queries in Splunk. It was just simple analysis of an incident. It required us to

109
00:14:14,260 --> 00:14:19,300
understand the event IDs and how to jump between different stages during a

110
00:14:19,300 --> 00:14:25,840
compromise. Okay guys, I hope you like that and I will definitely see you in

111
00:14:25,840 --> 00:14:28,640
the next video.