Cyber Incident Response with Splunk | TryHackMe Incident Handling with Splunk

Captions
What's going on guys, welcome back. Today we're doing Incident Handling with Splunk. The room is from TryHackMe and, as you can see, it's a pretty long challenge room, so I'm going to try to be as quick as possible. Deploy the machine. Here we're investigating a hacked website: the scenario says the website imreallynotbatman.com was defaced. This is dummy data of course; the site represents an enterprise called Wayne Enterprises, and we are required to investigate how the hack happened in the first place, so we go through the incident response phases.

The data has already been prepared and pulled from the right sources: Windows event logs, the registry, FortiGate firewall logs, web server logs, vulnerability scanner logs, IDS logs and a couple of other logs. All of these have been ingested and we are given the data to analyze, so let's jump right in.

Here is Splunk. We go to Search & Reporting and start the investigation from there. If you remember from the previous videos, when you upload data to Splunk the first thing you define is the index; in our case the index is botsv1, so to search our data we use the name of the index: index=botsv1. As you can see it is still counting, 80,000 events and not finished; we have to wait until the event count settles before we can analyze, because we have a huge number of events. On the left we see the interesting fields we can work with, and these fields change depending on the log source. So far we have 16 source types; if we click on sourcetype we get the top 10 sources by number of events: at the top the Windows event logs, then the Suricata IDS logs, the firewall logs, and so on. Take a look at the sources and the hosts as well; we have a couple of hosts on this network.

The domain name is imreallynotbatman.com. If we try to access the site, it's not live. That's the site I'm investigating. The incident started when the website got defaced. Website defacement is when an attacker gets access to a web server, takes it over, uploads an image and places it on the main page of the site, so visitors see something different from what the original site offers. I want to know how the attackers found the site and what tools they used, so we're going through the cyber kill chain: first we want to understand how the attackers got into the web server, how they scanned the website and which vulnerabilities they uncovered.

Let's search. We have around 78,000 events related to imreallynotbatman.com, but we still need to filter more; since we are ingesting logs from various sources this could be any type of traffic, so we need to define which protocol we are interested in. We go down to sourcetype and select stream:http, because we are investigating a hacked website. That gives us 22,000 events, all representing the HTTP traffic that traversed the web and went to imreallynotbatman.com, the website that got hacked.

Scrolling down the interesting fields we also have the source IP. Take a look: we have two IP addresses, one with 17,000 events and one with only 1,000. Since we are investigating the hacked website we want to understand why the difference is so huge between these two IPs, so let's click on the first one. Again we have 17,000 events; these represent the traffic that originated from this IP address to the website. Now scroll up and look at the source type, which is HTTP, and let's see if there is a clue in the URL requests made from this IP address. Under the URL field we get the top 10 URLs accessed from this IP, and from these we can take the hint that the victim website imreallynotbatman.com is using Joomla: the URL paths include the Joomla administrator page. All of these URLs were accessed by the source IP I have shown you, so most probably this is the IP address of the attacker, and it was used to enumerate the website. So right now we have uncovered a clue about the source of the attack: the IP address, the website infrastructure (the CMS used on the site) and the URLs that were accessed.

Now let's remove the stream:http source type; we want to see if any IDS alerts were raised for this source IP. If we click on sourcetype we have two more source types to investigate besides HTTP: the Suricata IDS and the firewall. Let's click on Suricata and see what alerts were raised for this source IP. We have 17,000 events; scrolling down we're looking for alerts, and if we don't see the field we can add it from "19 more fields": alert action, alert category, alert signature. These are the alerts Suricata raised against the activity of this IP address. At the top we have the category Web Application Attack with 248 events, then A Network Trojan was detected, and Attempted Administrator Privilege Gain, so it's safe to say the attacker launched attacks against the website from this IP. If we click on Web Application Attack we narrow down to 248 events and can gain more insight on the alerts; this one, for example, is categorized as a SQL injection attempt against the site. If we remove that and look at the other category, Attempted Administrator Privilege Gain, we have the CVEs: CVE-2014-6271. Most probably this is the CVE the attacker used to gain access to the server. Let's check it: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH and the mod_cgi and mod_cgid modules in the Apache HTTP Server. So now we understand more of what happened: imreallynotbatman.com is vulnerable to this CVE, and that's how the attacker got access to the web server.

But how did they uncover the vulnerability? If we scroll down we can take a look at the user agent; we have two user agent fields, and we want to see what kind of scanner they used. Looking at the URL, indeed all of the requests targeted the cgi-bin directory, which means this is the main vulnerability that caused the incident; the HTTP URL field shows the same.

So now we have uncovered some facts about the attack; let's answer a couple of the questions in the tasks. First, the Suricata alert highlighted the CVE associated with the attack attempt; what is the CVE value? Already answered. What CMS or web server is the site using? Joomla, answered. What web scanner did the attacker use to perform the scanning attempts, and what is the IP address of imreallynotbatman.com? The scanner was Acunetix, but let me show you how I found this. Remove the alert filter. Why am I choosing the IDS as the source type? Here we are investigating how the attack happened from the technical perspective of the vulnerability scanning and exploitation, and the only source with visibility on this traffic is the IDS; maybe the firewall sometimes, but definitely not the Windows event logs. It is network-centric logs we need, and Suricata has visibility on network-centric logs; that's why we're reviewing the IDS logs. If we scroll down and click on the user agent we see a signature that indicates Acunetix, and Acunetix is a very well known vulnerability scanner, so we conclude that the web scanner used to scan the site was Acunetix. Now for the IP address of imreallynotbatman.com: let's see if we have a destination IP field. We have two IP addresses, but it's very obvious that the first one is the IP address of the victim site because it has the most events, so that is the IP address of the site.

So right now we have uncovered the attacker's IP address, how the vulnerability was found, and which vulnerability the attacker leveraged to access the web server. Next we want to move from the scanning phase into the exploitation phase: what happened after the attacker got access to the server? These are the questions of the next task. The first question is: what IP address is likely attempting a brute force password attack against imreallynotbatman.com? So another thing that happened during the attack was a brute force attempt against the site. Before moving on to what happened after gaining access, let's uncover this first: how the attackers brute forced the site and from which IP address.

Previously we found that imreallynotbatman.com is using Joomla as a CMS and we uncovered the Joomla administrator page, so if a brute force attack happened it most probably targeted the admin page. Let's use a filter: remove everything and start over, select sourcetype stream:http, then under destination IP select the IP address of the target server. I want to filter for the HTTP requests that targeted the Joomla administrator page, so we scroll down to the URL field and click on /joomla/administrator/index.php; this filters all of the traffic that went against this page. From here we can uncover more facts about how the brute force attack happened. Let's take an example: this one is a normal request. On the left we have form data; if we click on form_data we see all of the attempts, more than 100 values. Let's put these in a table sorted by time that includes the source IP that initiated the request, the destination IP (the web server) and the form data; I'm taking these field names from the fields on the left. As you can see, this is the source IP address that was initiating the brute force attack. Take a look at the form data: username=admin, task=login, a return value, and passwd=scorpion; these are all the brute force attempts made against the server by this IP address. So here's another IP address involved in the attack: the first IP address was involved in uncovering the vulnerability, and this one was used to launch the brute force, so the attacker has used two IP addresses, and here we see all of the attempts against the server.

Now, if we want to isolate only the username and password, because we have many other fields, we can use the Splunk processing language (SPL). Let me check my notes on HTTP parsing: investigating POST requests, regular expression to display the username and password from an HTTP request. We can first narrow form_data with a wildcard, *username*passwd*, depending on the field names, which here are username and passwd. That eliminated some of the extra fields, but it's not perfect, so we use a regular expression. The username was only admin, so let's isolate the password: after a pipe we use rex on form_data to extract the passwd value into a new field; the field name is optional, you can call it whatever you want. Still not successful, so let's check the filters: index botsv1, imreallynotbatman, sourcetype stream:http, destination IP. We also need to filter by the type of HTTP request we are interested in, which is POST requests; selecting POST gives 413 events. Now with the rex in place, and form_data removed from the table, we can see all of the passwords that were attempted against the Joomla panel. Not all of them are right; there is only one single password that worked for the attacker, and we have to find it.

Up until now it's good; let's answer some questions. What IP address initiated the brute force? The one we found. What was the URL that got multiple brute force attempts? Answered. Which username was the brute force attempt made for? Admin. What was the correct password for admin access to the content management system running imreallynotbatman.com? Here we go back one step. To find the correct password we have to look again at the other interesting fields: maybe the response code, the response time, the request content. Source IP: we have two. We have 412 events for the IP that initiated the brute force attempts and one attempt from another IP address, and if you remember, this IP address was used to launch the attack and exploit the CGI vulnerability. Click on this IP address to see why it has only one POST request. These are the headers: it navigated to the admin page, and in the form data we see username=admin and passwd=batman, and if we scroll down the status was 303, which means this is the correct password: batman. So the attacker launched the brute force from one IP address and logged in using a different IP address. The password is batman. How many unique passwords were attempted in the brute force attempt? This is self-explanatory: in total we have 413 events, one attempt with the correct password and the rest with incorrect passwords, so you can calculate the difference after finding the correct password. After finding the correct password, which IP did the attacker use to log into the admin panel? We have already covered this.

So we covered the brute force and the vulnerability exploitation; now let's find out what the attacker did after they got access. Normally after an attacker gets access to a server they try to maintain access by planting a backdoor, so let's go back and see if they uploaded something. Keep stream:http and the destination IP, remove the rest. We're looking for files. form_data is too generic, so if we type an extension like .exe we have 17 events. Scrolling all the way down, past packets in and packets out, we have 12 more fields, and we want to uncover more artifacts about the uploaded file, for instance its path. Nothing there; scroll back up to URL path. We have this file, and this one, and other files; so there is more than one file and we can't identify the file this way. Back to the 12 more fields: we can sort the data by the file path. Finally we have two: one PHP file and one executable, 3791.exe. Let's take a look at this one: we have one event, upload successful. This file was uploaded, but we want to find out who uploaded it, which IP address: the one that initiated the brute force or the one that exploited the CVE. So we remove all of these filters and look at which source types have visibility on this file: 76 events, so there was more than one event regarding this file; it wasn't only uploaded, other things were done with it. The source types are Windows event logs, Sysmon logs, stream:http, FortiGate and Suricata. Great.

If we look at the Sysmon events we have 69. Sysmon is a very useful tool you can install on any Windows station to monitor specific actions against the registry, files, directories, devices and process creation. Look at the event IDs: we want to see if this file was executed, so we use EventCode 1, process creation. Clicking on it we have five events, meaning that after the executable was uploaded the attacker executed it. According to the source type this is Sysmon and we can see the command line as well: we have five commands, cmd and the execution of this file. So this file indeed got executed on the host.

A couple of questions here: Sysmon also collects the hash value of the processes being created; what's the MD5 hash of the program 3791.exe? Which user executed the program? And searching the hash on VirusTotal, what other name is associated with the file? Let's find the hash first; we can find it here in the event, in the Hashes field starting with MD5=; that's the MD5 of the file. Now the user who executed it: scrolling down in the event details, the user is an NT AUTHORITY account. Now we search the hash on VirusTotal; by searching the hash we get more insight into the nature of the file the attacker uploaded and executed on the server. I have to get through a captcha first, probably because of the VPN, so I'm going to close the VPN. It's indeed a malicious file; in the details we can see other names given to the file, the other hashes, and what the community has to say. Indeed it is a trojan horse uploaded to the machine.

So we have uncovered what the attacker planted on the server to maintain their access. Now I want to find out what the attacker did after they maintained access. Normally the attacker does reconnaissance first, exploits a vulnerability if they find one, gets access to the server, uploads a backdoor (the executable in our case) and then starts to implement the goal for which they came after the victim. So we're looking to see if there is a pattern of data transfer or data exfiltration. Remove all the filters and choose the IDS source type. Why the IDS? Because normally you get alerts on data exfiltration events from the IDS or the firewall. If data exfiltration happened on the victim machine we filter by source IP, because the machine itself sends the request to the attacker: it's reversed, the machine is the source IP and the destination IP is the attacker's server receiving the data. So in the source IP field we select the IP address of imreallynotbatman.com. Now the destination IP addresses: up until now we have confirmed two IP addresses belonging to the attacker, and if we click on destination IP we have indeed two, the first one that initiated the vulnerability exploitation and the second one that initiated the brute force. We can get insight on both. The first one has over ten thousand events; looking at the HTTP URL field, these are Joomla requests again. Nothing clear here; we're looking for a pattern where data originates from the victim IP to the destination IP, some exfiltration pattern in URLs, DNS requests, whatever. Select the other IP address: 1,294 events. Under URL we have three against the administrator page and one with poisonivy-is-coming-for-you, which is interesting. Clicking it we have three events, originating from the victim web server to the attacker IP address. Take a look: this is a domain associated with the attacker, the DNS resolution of the IP address. So by now you have also uncovered the domain name associated with the IP address. We have a request from the victim web server to the attacker server to download an image, and probably this is the image uploaded to the site in the defacement. So we have uncovered the image name and the domain name associated with the attacker's server; that's how the website got defaced in the first place. We're still looking for other indications that data got exfiltrated, but it doesn't seem like there are any; we may see this later.

Now the questions: what's the name of the file that defaced imreallynotbatman.com? This image. The FortiGate firewall (source fortigate_utm) detected a SQL attempt from the attacker's IP; what's the name of the rule that was triggered during the SQL injection attempt? Go back a step: remove these filters and change the source type to the FortiGate firewall. There is fortigate_traffic and fortigate_utm; we want fortigate_utm. Search, and filter for the traffic that originated from the attacker's source IP: 12,000 events. We have a field called attack; click on it and you see the rule name that was triggered when the attacker attempted SQL injection. That answers the last question.

Another question in the next task: the attacker used dynamic DNS to resolve to the malicious IP; what fully qualified domain name is associated with this attack? We already answered this. In the weaponization phase we do some intel on the IP address associated with the attack, and in the delivery phase we do some intel on the file. I'll leave the last two tasks for you guys; they are really easy. I have tried my best to make this video explain all of the steps related to Splunk. In tasks 9 and 10 everything is explained; you just have to do some OSINT on the attacker's identity using the values you got from Splunk: take the IP address, make a lookup and you will find the associated domains, other domain names and emails. There is also a nice conclusion about the outcome of this investigation and the findings; it's very useful to read through. I hope you found this enjoyable and helpful, and I will see you in the next video.
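The brute force triage above (POSTs to the Joomla admin page, the passwd value pulled out with a regex, the one request answered with a 303) as an added Python example that is not part of the video or the room; the events, IP addresses and password list are constructed, and the field names follow the ones used in the stream:http search.

```python
import re
from collections import Counter

# Constructed stream:http-style events (not BOTS v1 data). Field names mirror the search:
# src_ip, dest_ip, http_method, uri_path, form_data, status.
ADMIN_PATH = "/joomla/administrator/index.php"
VICTIM_IP = "192.0.2.10"          # constructed victim address
BRUTE_IP = "198.51.100.7"         # constructed brute-force source
LOGIN_IP = "203.0.113.5"          # constructed second attacker host

def _post(src, passwd, status):
    return {"src_ip": src, "dest_ip": VICTIM_IP, "http_method": "POST",
            "uri_path": ADMIN_PATH, "status": status,
            "form_data": f"username=admin&task=login&return=aW5kZXgucGhw&passwd={passwd}"}

SAMPLE_EVENTS = [
    _post(BRUTE_IP, "scorpion", 200),   # failed logins re-render the form with 200
    _post(BRUTE_IP, "joker", 200),
    _post(BRUTE_IP, "robin", 200),
    _post(BRUTE_IP, "joker", 200),      # repeated guess: one unique password, two attempts
    {"src_ip": BRUTE_IP, "dest_ip": VICTIM_IP, "http_method": "GET",   # no credentials
     "uri_path": ADMIN_PATH, "status": 200, "form_data": ""},
    _post(LOGIN_IP, "batman", 303),     # single POST answered with a redirect
]

# Equivalent of the rex used in the video: pull the two form fields out of form_data.
USER_RE = re.compile(r"(?:^|&)username=([^&]*)")
PASS_RE = re.compile(r"(?:^|&)passwd=([^&]*)")

def parse_credentials(form_data):
    """Return (username, passwd) from a Joomla login body, or None if either is missing."""
    u = USER_RE.search(form_data or "")
    p = PASS_RE.search(form_data or "")
    if not u or not p:
        return None
    return u.group(1), p.group(1)

def login_attempts(events, dest_ip, path=ADMIN_PATH):
    """Keep only POSTs to the victim's admin page that carry credentials."""
    out = []
    for ev in events:
        if ev["http_method"] != "POST" or ev["dest_ip"] != dest_ip or ev["uri_path"] != path:
            continue
        creds = parse_credentials(ev["form_data"])
        if creds:
            out.append({"src_ip": ev["src_ip"], "username": creds[0],
                        "passwd": creds[1], "status": ev["status"]})
    return out

def brute_force_summary(events, dest_ip):
    """Attempts per source, unique passwords, and the logins the server accepted (303)."""
    attempts = login_attempts(events, dest_ip)
    by_src = Counter(a["src_ip"] for a in attempts)
    successes = [(a["src_ip"], a["username"], a["passwd"])
                 for a in attempts if a["status"] == 303]
    return {
        "attempts_by_src": dict(by_src),
        "usernames": sorted({a["username"] for a in attempts}),
        "unique_passwords": len({a["passwd"] for a in attempts}),
        "successful_logins": successes,
        "brute_force_src": by_src.most_common(1)[0][0] if by_src else None,
    }

if __name__ == "__main__":
    for key, value in brute_force_summary(SAMPLE_EVENTS, VICTIM_IP).items():
        print(f"{key}: {value}")
```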
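The Sysmon pivot above (keep only Event ID 1, find the process-creation events for 3791.exe, read the user and the MD5 from the Hashes field) as an added Python example that is not part of the video or the room; the messages, paths, account name and hash values are constructed placeholders in the key: value layout Splunk shows in the event details.

```python
import ntpath
import re

# Constructed Sysmon messages (placeholder paths, user and hashes; not BOTS v1 data).
SYSMON_EVENTS = [
    {"EventCode": 1, "Message": (
        "Process Create:\r\n"
        "Image: C:\\example\\wwwroot\\joomla\\3791.exe\r\n"
        "CommandLine: 3791.exe\r\n"
        "User: NT AUTHORITY\\EXAMPLE-SVC\r\n"
        "Hashes: MD5=00112233445566778899AABBCCDDEEFF,SHA256=" + "AB" * 32 + "\r\n"
        "ParentImage: C:\\Windows\\System32\\cmd.exe\r\n")},
    {"EventCode": 1, "Message": (
        "Process Create:\r\n"
        "Image: C:\\Windows\\System32\\cmd.exe\r\n"
        "CommandLine: cmd.exe /c 3791.exe\r\n"
        "User: NT AUTHORITY\\EXAMPLE-SVC\r\n"
        "Hashes: MD5=FFEEDDCCBBAA99887766554433221100,SHA256=" + "CD" * 32 + "\r\n"
        "ParentImage: C:\\example\\w3wp.exe\r\n")},
    # Event ID 11 (file create) names the same file but does not prove execution
    {"EventCode": 11, "Message": (
        "File created:\r\n"
        "Image: C:\\example\\w3wp.exe\r\n"
        "TargetFilename: C:\\example\\wwwroot\\joomla\\3791.exe\r\n")},
]

# One "Key: value" pair per line; the "Process Create:" header has no value and is skipped.
KV_RE = re.compile(r"^(?P<key>[A-Za-z]+): ?(?P<val>.*)$", re.M)

def parse_message(message):
    """Turn a Sysmon message body into a dict of its Key: value lines."""
    return {m.group("key"): m.group("val").rstrip("\r") for m in KV_RE.finditer(message)}

def hashes_field(hashes):
    """Split 'MD5=..,SHA256=..' into {'MD5': .., 'SHA256': ..}."""
    return dict(part.split("=", 1) for part in hashes.split(",") if "=" in part)

def executions_of(events, filename):
    """Process-creation events whose Image is filename: who ran it, how, and its MD5."""
    found = []
    for ev in events:
        if ev["EventCode"] != 1:                  # only Event ID 1 records a process start
            continue
        fields = parse_message(ev["Message"])
        if ntpath.basename(fields.get("Image", "")).lower() != filename.lower():
            continue
        found.append({
            "user": fields.get("User"),
            "command_line": fields.get("CommandLine"),
            "parent": fields.get("ParentImage"),
            "md5": hashes_field(fields.get("Hashes", "")).get("MD5"),
        })
    return found

if __name__ == "__main__":
    for run in executions_of(SYSMON_EVENTS, "3791.exe"):
        print(run)
```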
Info
Channel: Motasem Hamdan
Views: 16,800
Id: -zA6np2MDNU
Length: 44min 44sec (2684 seconds)
Published: Fri Nov 11 2022