@johnfelipe
Created January 26, 2024 17:50
1
00:00:00,660 --> 00:00:06,860
What's going on guys, welcome back. Today we're doing a bit of a challenge with
2
00:00:06,860 --> 00:00:11,860
Splunk. So the room name is Investigating with Splunk and we're given a scenario.
3
00:00:11,860 --> 00:00:18,100
We are required to answer the questions in an attempt to analyze what happened
4
00:00:18,100 --> 00:00:24,250
and what was the reason or the key artifacts of the breach. So if you read the
5
00:00:24,250 --> 00:00:29,170
description, it says: SOC analyst Johnny has observed some anomalous behaviors in
6
00:00:29,170 --> 00:00:54,280
the logs of a few Windows machines. So that's where the incident happened, in a Windows workstation. It looks like the adversary has access to some of these machines and successfully created some backdoor. His manager has asked him to pull those logs from suspected hosts and ingest them into Splunk for quick investigation.
7
00:00:54,280 --> 00:00:58,340
So there you go: a Windows machine or a couple of Windows machines have been
8
00:00:58,340 --> 00:01:04,519
compromised. The Windows event logs have been pulled and uploaded to Splunk for
9
00:01:04,519 --> 00:01:11,310
quick investigation. We are required to find out what happened. Our task as a
10
00:01:11,310 --> 00:01:20,320
SOC analyst is to examine the logs and identify the anomalies. Okay, all right, so
11
00:01:20,320 --> 00:01:26,600
deploying the machine. Here we have Splunk. Now the data has been uploaded, it's
12
00:01:26,600 --> 00:01:30,760
available. To access the data, as we mentioned in the previous video,
13
00:01:30,760 --> 00:01:33,840
when you upload data you create an index.
14
00:01:33,840 --> 00:01:38,720
The index for the data is index=main,
15
00:01:38,720 --> 00:01:43,800
and by retrieving the index we will retrieve all the events. Make sure to
16
00:01:43,800 --> 00:01:48,760
click on All time, and we have a total of 12,
17
00:01:48,760 --> 00:01:53,600
256 events. That's the answer for the first question.
18
00:01:53,600 --> 00:01:58,540
Okay. On one of the infected hosts, the adversary was successful in
19
00:01:58,540 --> 00:02:07,140
creating a backdoor user. What is the username? Okay, so basically we're looking
20
00:02:07,140 --> 00:02:12,790
to find out how the username has been created. We have two methods: we can
21
00:02:12,790 --> 00:02:19,540
either search for the command or we can search for the event ID. So here on the
22
00:02:19,540 --> 00:02:27,210
left we have event IDs (over 55), and if we look at the command we then have a filter
23
00:02:27,210 --> 00:02:37,070
or field for command line. So we're going to filter by event ID, and specifically we're going to filter
24
00:02:37,070 --> 00:02:51,230
for the event ID that refers to a user creation, so that happens to be 4720. 4720, and that would give
25
00:02:51,230 --> 00:02:58,940
us only one event, which actually indicates that a user account was created. So, finding out
26
00:02:58,940 --> 00:03:09,180
the account name, we scroll down and we see it's A1berto. It's Alberto, but the one, or the, uh, one
27
00:03:09,180 --> 00:03:16,860
here replaces the L. So that's the account name or the username that has been created. On the same
28
00:03:16,860 --> 00:03:25,440
host, a registry key was also updated regarding the new backdoor user. What's the full path of
29
00:03:25,440 --> 00:03:32,400
that registry key? So we are looking to find out all the events where a registry key has been added,
30
00:03:32,400 --> 00:03:39,630
modified or deleted. So if we take a look at the left we can see the category, and we can see the
31
00:03:39,630 --> 00:03:47,710
top 10 values of the event categories. You can see this one, Registry object added or deleted,
32
00:03:47,710 --> 00:03:55,460
exactly describes the question, so a registry key was deleted. We click on that
33
00:03:55,460 --> 00:04:05,160
and we have 1496 events. All right, so to filter these down more, we're looking to
34
00:04:05,160 --> 00:04:10,610
find out the events that are related to the new backdoor user, which
35
00:04:10,610 --> 00:04:19,560
happens to be A1Berto, and now we've narrowed down the number to 2. So we
36
00:04:19,560 --> 00:04:24,210
have two events, and from here we can find out the registry key that has been
37
00:04:24,210 --> 00:04:28,800
deleted. As you can see, DeleteKey, and this is the key. How about the other
38
00:04:28,800 --> 00:04:33,360
event? If we take a look down there you see CreateKey, but we're not looking
39
00:04:33,360 --> 00:04:40,360
for keys that were created, we're looking for the key that was modified
40
00:04:40,360 --> 00:04:47,160
or updated or deleted, which happens to be this key. So a user account has been
41
00:04:47,160 --> 00:04:56,160
created and a registry key was modified as such. Examine the logs and identify the user that the
42
00:04:56,160 --> 00:05:02,850
adversary was trying to impersonate. So basically the adversary has created a backdoor user, it's A1
43
00:05:02,850 --> 00:05:10,860
berto, so by choosing this name they were trying to impersonate a specific, or a currently
44
00:05:10,860 --> 00:05:19,320
existing, username. So we have to take a look again at the current users in the host and see which one
45
00:05:19,320 --> 00:05:26,990
is similar to A1berto. So we have Alberto, that's the real one. Alberto, that's the real username.
46
00:05:26,990 --> 00:05:32,670
Okay, the backdoor one, the fake version, was A1berto; the real one is Alberto. That's the
47
00:05:32,670 --> 00:05:39,480
username that the attacker was trying to impersonate so that they go undetected in the attack. So up
48
00:05:39,480 --> 00:05:45,860
until now the attacker got access, they created one username, or a backdoor username, called A1berto
49
00:05:45,860 --> 00:05:53,500
that looks similar to Alberto. Next: what's the command used to add a backdoor user from a remote
50
00:05:53,500 --> 00:06:02,490
computer? So from here we are trying to find out how the username A1berto has been created.
51
00:06:02,490 --> 00:06:10,960
Okay, there must be a command that has been executed from a remote computer. Why? Because the
52
00:06:10,960 --> 00:06:15,560
Windows machines have been compromised, of course, from the attacker computer, which is a remote
53
00:06:15,560 --> 00:06:20,840
computer. The attacker executed a command on their machine, the remote
54
00:06:20,840 --> 00:06:25,580
computer, to add the backdoor user. We want to find out this command. How we
55
00:06:25,580 --> 00:06:35,660
ended up with this command here, okay: so if we go back, index=main, and here we
56
00:06:35,660 --> 00:06:41,080
search for net user, as that's the only command that's actually used to add a
57
00:06:41,080 --> 00:06:52,250
username. So net user, scrolling down, taking a look at the fields here, so
58
00:06:52,250 --> 00:07:00,360
looking to find out the exact command, but we ended up with 6000 events for net user. If we
59
00:07:00,360 --> 00:07:10,320
narrow these down to Alberto, we have three in the command line, we have three commands, but these are
60
00:07:10,320 --> 00:07:24,680
not the commands we're looking for. So we're going to go back. Let's see here: the attacker executed
61
00:07:24,680 --> 00:07:30,920
the command from a remote computer, so not exactly the username. So we're looking for,
62
00:07:31,720 --> 00:07:45,530
here, net user, we have 6000 events. We have to narrow these down somehow. If we search for
63
00:07:45,530 --> 00:07:58,280
WMIC: 89, 89 events. Still we are far from the answer. We're looking here to find out
64
00:07:58,280 --> 00:08:10,560
the exact command, but we're getting too many events for the net user add. Okay, going back,
65
00:08:11,550 --> 00:08:19,100
so the attacker first got access as one of these users. This user is the original user.
66
00:08:19,660 --> 00:08:32,200
How about James? Command line, for command lines. So why I selected James here: basically
67
00:08:32,200 --> 00:08:38,299
James could be the username that the attacker got access to when they first
68
00:08:38,299 --> 00:08:44,100
compromised the machine. So if I look at the command line field, I
69
00:08:44,100 --> 00:08:50,150
see four interesting commands, and I can see this one: C:\Windows\System32,
70
00:08:50,150 --> 00:08:56,770
WMIC. The WMIC indicates that the attacker got access through
71
00:08:56,770 --> 00:09:02,790
PowerShell, specifically evil-winrm, and then executed this command to add the
72
00:09:02,790 --> 00:09:09,190
user A1Berto. So A1Berto is a backdoor username that has been created with this command,
73
00:09:09,830 --> 00:09:16,470
starting from the first access or the first foothold account, which was James. So that's
74
00:09:16,470 --> 00:09:22,050
the command. How many times was the login attempt from the backdoor user observed
75
00:09:22,050 --> 00:09:29,800
during the investigation? How many times was the login attempt from the backdoor user observed
76
00:09:29,800 --> 00:09:34,680
through the investigation, how many times they logged in with the backdoor username? The backdoor
77
00:09:34,680 --> 00:09:45,410
username is A1berto. We want to find out in the category here what are the events. We're looking to
78
00:09:45,410 --> 00:09:54,660
find if there is a logon. So there is no logon, which means there is no login or successful login with
79
00:09:54,660 --> 00:10:01,730
this username. Taking a look at the event IDs, we have eight event IDs and none of these event IDs
80
00:10:01,730 --> 00:10:07,150
match a successful or failed login attempt, which means we are left with 0.
81
00:10:07,150 --> 00:10:12,730
What's the name of the infected host on which suspicious PowerShell commands were
82
00:10:12,730 --> 00:10:18,770
executed? So here we are also trying to find out the hostname of the
83
00:10:18,770 --> 00:10:24,250
infected machine. We already found that the username was James. So if we go back
84
00:10:24,250 --> 00:10:31,920
and type powershell, just type powershell, as you can see here it gives you all of the
85
00:10:31,920 --> 00:10:41,100
PowerShell commands that have been executed, and the host happens to be James Brown. PowerShell logging is
86
00:10:41,100 --> 00:10:46,460
enabled on this device. How many events were logged for the malicious PowerShell execution?
87
00:10:46,460 --> 00:10:53,260
PowerShell logging is a feature that lets you log all of the PowerShell commands executed on a specific
88
00:10:53,260 --> 00:11:00,450
host. The catch is, once you enable PowerShell logging an event ID is triggered in Windows. The event ID
89
00:11:00,450 --> 00:11:08,050
is 4103. So we want to find out how many events were generated as a result of PowerShell logging.
90
00:11:08,050 --> 00:11:25,940
We have to filter for this event ID, so EventID 4103. Exactly, we have 79 events. An encoded
91
00:11:25,940 --> 00:11:33,010
PowerShell script from the infected host initiated a web request. What's the full URL? Okay, back to
92
00:11:33,010 --> 00:11:44,690
powershell. So here we want to decode the command that has been executed. There is exactly one, only
93
00:11:44,690 --> 00:11:53,650
one command, which is this one. So we're looking to decode this command. Scrolling all the way down,
94
00:11:57,620 --> 00:12:18,540
let's copy all of that and we will go to CyberChef, From Base64 again, delete all of these
95
00:12:18,540 --> 00:12:28,200
and down there. Okay, so we have decoded the base64. As you can see we need some
96
00:12:28,200 --> 00:12:32,420
encoding, some modifications on the output. So we're going to use Decode,
97
00:12:32,420 --> 00:12:41,600
Decode text. So this is text, I'm going to need to decode this to a format
98
00:12:41,600 --> 00:12:45,910
that we can understand. So UTF-8? Exactly, not good.
99
00:12:45,910 --> 00:12:55,420
UTF-16, this one sounds good. Okay, so now if we scroll down we see here the
100
00:12:55,420 --> 00:13:01,420
user agent. And we said user agent, we see a base64 string. Right after the string we
101
00:13:01,420 --> 00:13:08,500
have a directory or path indicating that a page named news.php, or a file
102
00:13:08,500 --> 00:13:14,020
named news, has been accessed. So that's the path of the URL. What about the URL
103
00:13:14,020 --> 00:13:23,420
itself? I'm going to duplicate this, copy the base64, probably this base64. If we decode it we will
104
00:13:23,420 --> 00:13:34,540
have the URL, the full URL. As you can see it is the IP address. Now if we take that, slash news.php,
105
00:13:35,260 --> 00:13:40,110
we have the full URL, but we need to write the full URL in a specific format,
106
00:13:40,110 --> 00:13:56,620
as you can see: defang the URL. So we go to, let's see, remove these, and this is the final answer.
107
00:13:56,620 --> 00:14:06,260
That was an intermediate challenge with Splunk. It didn't involve so many filters, so many processing
108
00:14:06,260 --> 00:14:14,260
search queries in Splunk. It was just simple analysis of an incident. It required us to
109
00:14:14,260 --> 00:14:19,300
understand the event IDs and how to jump between different stages during a
110
00:14:19,300 --> 00:14:25,840
compromise. Okay guys, I hope you like that and I will definitely see you in
111
00:14:25,840 --> 00:14:28,640
the next video.