Investigating Cerber Ransomware with Splunk | TryHackMe Boss of the SOC V1

Captions
What's going on? Today we will be doing the second part of Splunk. The room name is Splunk, and in the last video we did Advanced Persistent Threats, or task 5. In this video we will do task 6 and we'll answer these questions. Of course, as you know, the objective is not to just get the answers; we are more interested in working through the procedure and how to use Splunk to investigate events and construct a chain of events, or construct a timeline of how the attack has happened. So basically in the last video we did that for APTs. Now in this video we're gonna take a ransomware as an example, specifically Cerber ransomware.

So if you open the virtual machine after you deploy the machine, you will be able to see the scenario here. Of course, get back to the last video if you want to know how to start with the machine. Now basically we're given a machine that is infected with ransomware, and this is a screenshot taken from the machine showing what message has been displayed on the desktop when the machine was affected. As you can see it is a message directing the user to pay a ransom in order to get their files back. So our aim here is not to recover the files; our aim here is to investigate the event or the incident with Splunk, to build or construct a timeline of events in order to know how the attack has happened, what are the malicious files that infected the machine, how the user was infected, and what are some of the artifacts attributed to the attackers.

So we can start with the walkthrough here. Basically, let's go over the first question. The first question is finding the IP address of, most probably, the host name of the infected machine on 24 August. So if you open up a search instance here, we define a timeline, or we define the date of the search, so it is 24 August 2016, which is the date where the infection has
happened. In this query here we define the source that we are looking through, and we also define the hostname; this is the hostname of the infected machine. Now, how do you find out the IP address of the infected machine? Basically we put the basic search query here and then we use the interesting fields to find out how we can move further. So we're interested in, as you can see here, the host name, and back to the question: we're given the date and we're given the host name, and we're required to find the IP address ("what was the most likely IP address of..."). Okay, so let's drill down on the fields and find out if something can be found about IP addresses. So we have here source IP; as you can see we got 94 counts on this IP address. Source host: here we got the host name. And we have source as well; the source is a mix of the IP address and the hostname. So if we correlate the results, as you can see the first one we have 24 on this IP address, and if we click on source host, as you can see the same 99 percent is attributed to the host name in the question, and if we click also on the source we see the same host name with 94 count, which leads us to the safe conclusion that the IP address of the source host, or the host name, is this one.

Now basically take note that this IP address is the IP address of the machine that has been infected, so we can take a look at this IP address, because you will need this IP address in order to find answers for the next questions.

So, what is the name of the USB key inserted by Bob Smith? Let's go back. So if we click on next here: identifying the removable media. You can also see how they arrived at the final query that answered the question, but let me walk you through how the query has been constructed from the first place. Basically we start with a query where the source type is Windows registry and we have friendly name. So first, why do we search in the win registry, or why do we set the source type
here as win registry? Since the registry contains information about the flash disks or the USBs that have been plugged into the targeted computer, that's why we search in the Windows registry. And the question is asking what is the name of the USB key, so we search through the Windows registry for friendly name. So friendly name here: this is a screenshot from the Windows registry; as you can see, when a USB is plugged into your PC there is a key here called friendly name. Actually it is a constant field; you will see it every time you plug in a USB hard drive. So friendly name in this case is "super mods". In our case, in order to find the name we plug in friendly name as a keyword and we search. Of course, as you can see we got two events, which is good; it means that we can narrow down the results easily. So if we look at the interesting fields we got a registry key name, right, and we got registry type, we got registry path. It means that the only thing we need to do here is to just reformulate the results. So I'm going to use the pipe and type table, so we can sort the results in a table for easy visibility, and we type host to display the host (in this case it's here), and we type also object. The object is from the interesting fields; if you click on the object here you see the friendly name we are talking about. And we type data to display the data. So data here is also in the interesting fields; if you click on the data you will see the name of the USB, right, but it's recommended you use a table in order to reformulate the results so you can easily extract the answer. Click on search. You see now the result set has been formatted in a very friendly way: we have the host, which is the affected machine, we have the object, which is friendly name, our keyword, and we have the data that's contained in the friendly name, or the value of the registry key friendly name, which is "miranda pri", and that's the answer. Okay.
Third one: after the USB insertion, a file execution occurs that is the initial Cerber infection. This file execution creates two additional processes. What is the name of the file? So a USB has been plugged in and a file has been executed; what is the name of that file? Okay, but actually the owners of the challenge give you a hint: this file execution creates two additional processes, which means that you may need to search through the executed processes, right, to find the answer. Let's get back here. So if we leave everything as is, but we're gonna reconstruct the query and define Windows system monitor as a source type, since we're looking to find information about the processes. So we're gonna click on source type, define Sysmon, and then you can define the host; in this case the host is the affected machine. Click on that. As you can see the query is being updated every time we click on fields here, and then we come to the manual work. So since we are looking for files not in the infected system drives, right, we look in the USB, so we type double quotes and type here D and we type double backslashes. So basically why do we type D? Because D is most probably the drive letter for the USB. Two backslashes, because one backslash is an escape character; two backslashes make sure that the query is executed correctly. So here, as you can see, we look in the Sysmon logs for the host and everything with the drive letter D, and then we sort results by the oldest, so we want to see what was the first file that has been executed. Search. So we got eight events. If we pipe this to table and we take a look at, for example, parent process, and we also like to see process, we also got process current directory, also host; let's put the host here. Let's see if we can put a field for something about the drive letter. This is a computer, click on that. No, current directory, yeah, you can also add current directory here. Host,
current. So this is the host, the parent process, the process itself, and we got the process current directory and the current directory. Let's go back to the question: after the USB insertion a file execution occurs; what is the file name that has been executed? So basically I'm going to remove this one, and then, yeah, actually we should have kept this. Keep it, reverse, so reverse. So as you can see here, the first event: the parent process was explorer.exe, launched as you can see here; Microsoft Word has been launched from, or invoked by, a file in the flash disk or the USB, right; the current directory was D, and the current reverse D. If you go down, after the Word file has been launched, as you can see it becomes the parent process and then we got another child process under it, and the child process becomes the parent process of another child process under that, which is Visual Basic script, and then we got a chain of child and parent processes. But the first one was a Word file with the extension .tm, right, that originated from the flash disk drive. So we can safely conclude that this is the file name that has been executed when the USB has been inserted.

There is another way to find the answer actually, if we use the parent command line and command line in our query. So if we're back, search; so we have here something to do with command line. Let me see, yeah, we don't have it, but we can build the query ourselves. Yeah, we have command line. So the command line shows the command, right, that has been executed by the process itself, so we see here all of the command lines, so we can use that to find out the file name. So basically what we can do here: we can remove D and type command line equal, okay, wildcard for the drive letter, which is the double backslashes, okay. And we can either use the command line or parent command line, one of them; let's see if we have parent command line here. Yeah, we have one, I guess, parent command line. So parent command line equal to same. So
here we look, in the host, for a reference to the drive letter D, where the command line has something in it that is a reference to drive letter D, right, so we can find out what was the command that has been launched and by which file, which process. And then we finish this with table to format the output, time to show the oldest event, and we also add the command line; sort by oldest, or reverse, oldest. Let's check out the results. So this query returned actually more neat output; as you can see here we have two results. The first one, sorted by time, as you can see, the oldest one originated by Windows Explorer, and the command line was, as you can see, the Word file, triggered by Microsoft Word, triggered by the Word file. So that was the first file executed from the flash disk or the USB.

During the initial Cerber infection a Visual Basic script is run. The entire script from this execution, prepended by the name of the launching exe, can be found in a field in Splunk. What is the length in characters of this field? So here it's saying that we got a Visual Basic script that has been launched, and this Visual Basic script has been launched by a file or executable file. We need to find out the field that indicates these values and we also need to find the length of this field. So we're given here the exe, that we need to look for executable files, and we need to see what are the subsequent actions taken by executable files. So we're back with the same command here. What we will do here: we modify the command, keep Sysmon as is, let's see here, and search for .exe, everything that starts with or ends with .exe. Okay, so we got 42,000 more and it is loading, so we got to shrink the results a bit. So we're going to add more to the query here, but what we will do actually, I'm thinking of, we add command line, so leave it here to display all of the fields that have command line in it, all of the fields, and we define the host, which is no problem.
Okay, let's see where is the command line. Okay, we have to wait for the results to fully display. So we got 100 1658 events. If we take a look at the interesting fields, what can we use to further narrow down the results query? There is no command line, but we can put it ourselves actually. So let me remove the host, or keep it, command line equal star, so I want all of the fields to be displayed that contain the command line, and here I'm going to put event code. Let's see the event code here; we have event code, okay, so what are the values? 7, 3, 2, 1, 5. Since this is a process creation we're looking for 1, so put here, or click on that actually, you don't need to type it manually: 1. So event code 1 now, and here as you can see the command line has appeared. Let me click on that, see what we got. Okay, I'm going to add it myself: command line equal star. So the query became like this: we're searching in the Sysmon logs where the host is the infected machine, for executable files, and also for events that reference process creation, and all the fields that contain command line, and that's the result. Now comes the formatting. So we use the eval command, since we're interested in finding the length of the field, or the list of the characters contained in the field, so we will use eval, which contains mathematical functions: length. Yeah, it's here, command line. Let's see here, oh, it's a table, so table display command line; now we display also the length, and let's sort by length. Okay, still not finished yet. Finished. All right, so we don't have anything here, right: length equal len, table command line, next sort length. So I have no idea why there are no numbers here. Okay, so the first one was task scheduler; I'm not sure that we are looking at the right place because here we don't have, yeah, there are no numbers, nothing. So index, source type Windows event logs operational, looking for executable. Okay, what about if we search, so here
command line equal star, event code 1. All right, let me click on that, see what we can find here. Okay, event code 1, parent process. Let's calculate the length first and display, say, table length. So we got the numbers now. Okay, length, and here put command line. Okay, we finally got the numbers; now we need to sort them actually, so sort length. All right, so actually we started to get some results now. As you can see here, back to the question: during the initial Cerber infection a VB script is run; the entire script from execution, prepended by the name of the launching exe, can be found in the field in Splunk. So you will have to look at the command line and see if there is a reference to Visual Basic script, so cmd.exe, and as you can see this seems to be the script actually, vbs, and the field length is 4490.

Next: Bob Smith's workstation was connected to a file server during the ransomware outbreak. What is the IP address of the file server? So technically the infected machine here was connected to a file server, and the file server might have also been infected with the ransomware. That's why they're asking you, or they actually ask you, to find the IP address, because you will use that to find out what has happened on that host. Back: so what is the IP address of the file server? So let's remove all of this and we are back to the Sysmon events. Why do we keep the Sysmon events? Because in this model we can see the processes executed, and we can also see the network activity, which is the point of interest in this question. That's why we keep Sysmon as a source type. Now hit search one more time and we will reconstruct the query starting from this point. I'm going to add the host, so the host is, yeah, this is the host, and then delete "ransomware outbreak what is the ip address". Okay, let's see what we got here. So if we search with this, we're back to the first query. If we take a look at destination IPs, many destinations, okay, here, so we
get this hostname, right, as you can see, among the destinations that have received traffic from the infected host. If you scroll down to source host we see one source host, which is the host name of the infected machine. Now, normally in Windows event logs, or in Sysmon logs, it's better to use names instead of IP addresses, but we try both in order to be consistent with the search. So since we want to find the IP address of the file server, we want to look at the network connection logs where the source was the infected machine. So we look at the sources here, and it is better to search with the host as source; click on the source. Okay, now we see all of the events that reference all of the network connections originating from the infected host, using it as a source, so we can find out other destinations. If you click on the destination IPs, click on destination to display the host, we can see the host name here, but we're not sure yet that this is the host name of the file server. That's why we will use the mathematical capabilities in Splunk: pipe stats count by destination IP, stars, not stars, and stats. So what we're doing here: we're trying to count the number of network connections, using count, initiated by the infected machine and grouped by destination IP, to see which is the IP address that received the most hits from the affected machine. We can make a conclusion actually, or an inference, about the validity of the result based on that. Now we sort descending. Okay, unbalanced quotes; where is this? Oh, here. Okay, so we got two IP addresses with a high number of counts, so most likely we're looking here at two possible results for the file server: we got the first one, we got the second entry. But we need to make sure, so one way to make sure, or one way to make your results accurate, is we have to look at more than, or use more than,
one way to find the answers. So we take note of these IP addresses, all right, and then we construct a new query to find answers using different ways actually. So basically here I'm gonna remove the query here and use a different source type; go back to events here, no events, okay. So here remove this one and type Windows registry, win, search, add the host name. So we will look in the win registry for the keyword file server, because when you connect to a file share this is logged in the Windows registry. So you click on search. Okay, how many events do we have? 818. Okay, let's see the interesting fields here; what do we got? Destination, one, okay, let's look at the source; there is no source, yeah, this is the registry actually. Okay, seems like, as you can see here in the events, we have one entry for this IP address and on the right we have file share. So I have repeated events here, as you can see, mentioning or referencing files here, or an attempt to access a file share on this IP address, and previously we have seen that this IP address has a high number of counts as far as the number of connections that are received from the affected host is concerned. So we can conclude that this is the IP address of the file server. But still, we can also use explorer as a keyword. Why explorer? Because when you browse a file share you are using the Windows Explorer. Let's use stats count by, let's see by what; look at the fields here: process image, registry key name. Okay, so this is the key name, so basically type registry key name, sort count. No results; I think this is wrong, let me correct this. So we have 818 counts for the attempts here, attempts, I guess, on the files here. If we use here, instead of explorer, fileshare, you may get the same results. Yeah, the same, so 1818, but using explorer you see also other entries, right, which gives you the ability to compare results and correlate events. So as you can see this one is the right answer, so the IP is 192.168.250.20.
Next one: what was the first suspicious domain visited by...? Okay, so here the question is what are the domain names that have been visited by the affected host; it is asking here specifically the first suspicious domain. So let's go back, and here we need to change the query a bit. So remove all of that and we will change the source. So the source will now be, instead of Windows registry, we're looking at domain names, so we need to find that by looking at the stream:dns source type. So stream:dns, and then search; from that point on we can build the query. So the source here in this case is the host, or the infected host; look at the source here, so if we can find something about the source, or src, okay, add this to your query, and also, since we want to find the domain name, we want to find the record type, so record type in this case is A. Okay, still needs some refinement. Okay, let's see here: what was the first domain? Let's do some table here. All right, let's add destination IP, port, query, yeah, the query, so add query, also add the source, add query. So here we see all of the queries made by the source; the source in this case is the IP address of the infected machine. But still we can't go through all of these queries, right; there are some legit domains actually that cannot be created by a typical malware or ransomware, although it's possible, but it is rare. So we need to get rid of these whitelisted ones. So we'll use conditions, or conditional statements, to hone and refine our query. So we're going to leave this one and type here, use NOT, so NOT, we'll do some exclusion: query equal, or, yeah, query equal, say everything that ends with microsoft, and since Splunk has implicit AND you don't need to type AND, so just type OR query. So we got microsoft here; we go also, they would be bad, or this one as well, or, let's filter through these and then see what will happen. So close this one and type table source query. Here in search we are able
to parse the search: comparator equal, the search job has failed due to an error; remember, comparator equal is missing a term on the right hand side. Oh, okay, this one. Let's see now. So we still got microsoft here; try now. There are still some instances of microsoft; we have ping, so I have so much to whitelist. So type OR, and in this case query will be, or will exclude also ping, ping.com, we have dots, OR query, let's see here, ipinfo, okay, let's see now. So there's no ping, but still we got microsoft, apricot.com actually, yeah, so we got rid of microsoft now, and also here .com, dots, also add dots here, okay, let's move the dots, okay. So right now we have a reasonable number of results we can look through. So table source query: so we display the source, we display the query, but still we need to use time because we want the first connection attempt: time, source, query, and also put the destination, and reverse to display the oldest event. So the oldest event was on 24 August 2016; it was from the infected host to wine corp local; this is actually whitelisted, the second one is also whitelisted, the third one is "solidarity" something whatsoever, and this is the answer for your question. So that was the first domain name that has been visited or queried by the affected host after the infection happened.

Next question: the malware downloads a file that contains the Cerber ransomware cryptocode. What is the name of that file? So after the infection happened, the infected machine has downloaded a file which in turn downloaded the ransomware, so you have to find out the file name. Okay, so now we're looking at downloads, which means we have to use http as a source in the logs. Search. Let's define the source as the infected machine, source, yeah, this one, okay. Let's use now some output refinement tools: stats count values; I want to see the URLs actually, how many times every URL is or was visited, so use url and sort by destination, so we see how many times every URL is visited, okay, and we also see the
destination, but we need to sort this more. So what we will do here, actually it is sorted, but let's click on this: microsoft shell. So we have here url, as you can see, and this is the image file, and this is the domain that we know was queried when the machine got infected, and there's a file name, or an image, that seems to have been downloaded. So actually this would possibly be the answer, but of course we need to make sure that this is definitely the answer. So we use another source type, which in this case will be Suricata, the IDS logs. So remove this one; add here, you just want to make sure that actually this was the correct file that has been downloaded: source is the IP address of the affected machine, urls, okay, let's type it ourselves; we want to put all of the fields that reference URLs, so we have url equal star. Now we sort by stats count, same as values url by destination, so what Suricata has to say. So we see some correlation between the results: as you can see, the same file name has popped up here; if you scroll down, also the same file name has appeared in the IDS logs, and this was a domain name that has been queried when the first infection happened. So safely now we can conclude that this is the file name that has been downloaded, which in turn downloaded the Cerber ransomware.

Next: what is the parent process ID of temp? So the question seems to be originating from a different perspective: what does temp have to do with everything that we have done so far? So let's get back and see here. So since we're taking a look at the processes, we're gonna get back to our old friend, the Microsoft Sysmon logs. First type, and simply we will take the file name and use it as a keyword in our search. Okay, so we've seen all of the events where the temp file has been mentioned, but we still have to answer the question: what is the parent process ID? So we have to use some old friend's help, which is the command line, okay, and then use the table to formulate
results. So we're interested in finding the process ID, parent process ID, so process ID here, parent process ID, and parent command line. Okay, I think we have just to make sure that our command is correct first, then we formulate the results. Let's see here. So we've got seven events where the temp has appeared with command line in the fields. Let's see the interesting fields, so we can now start to sort the results. So table: we want to display the process ID, see if this process ID here, okay, process ID, yeah, so process ID; let's also display the parent process ID, we're also interested in that, so parent process ID, and the command line, command line, parent command line, okay, sort, reverse, display the oldest first. Now here we can look at the events where the temp file has been referenced, where the command line is in the fields, and we display the process ID, the parent process ID and the parent command line, sorted by the oldest event, right. The oldest event is one that contains a Visual Basic script, or the command line is executing a Visual Basic script by this file. Back to the question of the temp file: let's look at the temp. So here's a process or command that involved the temp file, executed by or invoked by cmd; the process PID is 2948 and the parent one is 1476.
The answer is kind of different, right? Let's see the oldest. What is the parent process of... ah, okay, so here is another one. So actually what invoked, the question is the parent process of temp, so this is the PID process of temp, right, and the parent is 3968, because the first infection is the VBS. That's how the answer came. All right.

Amongst the Suricata signatures that detected the Cerber malware, which signature ID alerted the fewest number of times? So we're back to the Suricata logs. So again we define Suricata and search. Okay, so we're looking at signatures, so you have to find out signatures and signature ID in the interesting fields. No. Okay, click on 247 more fields and search for alerts. Okay, signature, nope. So we don't have, if we don't have them, oh, let's look one more time; seems to be silly, but let me try one more time: everything about signature, group alert, detect alert, stats detect alerts. Amongst the Suricata signatures that detected the Cerber ransomware, which signature ID alerted the fewest number of times? But we don't have the signature ID as a field here, so how can we search with it? Signature, or alert.signature, no results. Okay, let me try to type alert.signature equal. So, among the Suricata signatures that detected the Cerber malware: it's saying that the Suricata IDS logs have detected the malware, right, so there must be a mention or a reference for the word Cerber in the logs. So we'll use the wildcard *cerber* and see if we get any fruits. Okay, search, and there are five events. Let's look at the events: alert, destination, source IPs, ports, okay. Now we want to find the signature ID actually, so Suricata's signature ID here, okay, that is good. So the question is finding the signature ID that alerted the fewest number of times. So all of these signatures have alerted for the presence of the ransomware; we want to find out the ID of the one that has alerted the fewest number of times. So we will use the stats command,
count by alert signature, which is here, and also alert signature ID. Okay, so we count the occurrences of the signature ID and the signature, and we sort; the first number was this one. Okay.

The Cerber ransomware encrypts files located in Bob Smith's Windows profile. How many text files does it encrypt? So you have to find out statistical information about the damage the ransomware inflicted on the machine. So again, if you're back to the question, you see we're looking at Windows logs, so back to Sysmon events, which is Sysmon as the source type. Source type, okay, host, okay. Now back: the Cerber ransomware encrypts files located in Bob Smith's profile, so you're looking at event codes or event IDs that are related to files. So let's see the event codes here: 3, 7, 2, 1, 5, 6. So knowing the description of every event code, okay, 2 means file time create, or file create, or file modify. Let's click on that, event code 2, and let's look at the fields. So there's something that has to do with the type of file that has been touched, or has been modified, created, whatsoever: target file name. So we can see we have photos, XML files, whatever. So we use the target file name in the filter, so target file name, but we have to use more filtering in order to narrow the results to file names or files that have been encrypted in Bob Smith's Windows profile, which happens to be in the C directory. So equal to C, and don't forget to double backslash, okay, Bob Smith profile. Let's see if there is some reference about how this can be written; back to target file name, so users, bob smith, this is an example we can take actually, the modifier, let's click on this. Okay, we can copy that, double quotes, I'm going to remove, yeah, so look at the brain, think, let's put one more backslash, more backslash here, so Users, bobsmith, y corp, and then we don't care about anything that comes after; we just care about its extension, okay. So add another backslash and type .txt. Okay, see how many events we have got with this
search criteria. Still searching. So I've got some connection problem, I guess. Let's check out the machine; is the machine still alive? Nope, it has died. Start the machine up. Okay, unable to connect; one more time, okay, this is not good. Yeah, so I don't know why this happens; let me check my network connection. So my network connection is alive but the machine is dead. Give it a couple of seconds to make sure it has started properly. Close this one. Okay, finally. So fortunately we don't need to type the commands from scratch; I have them logged on my machine, so I'm going to just paste the last command, or the latest command we have just worked on. Click on "reviewing all data available", and we need to go through this; let's go directly to search. Search. So this is the latest command run, and select 24 August; I do not remember the date actually, so I'm going to go to ransomware here. See how many events we have got with this: we have 406 events. Since we're required to find out how many text files have been encrypted by the ransomware, we have now to pipe this to a stats command and use distinct count, not count, because we want to ignore the repeated entries: dc, and this will apply on the target file name field. Search. So 406 files have been encrypted.

How many distinct PDFs did the ransomware encrypt on the remote server? So remember the ransomware has communicated with the remote server and performed some stuff there. So here we are tasked to find out how many PDF files the ransomware has encrypted on the remote file server. So we're back again with DNS as the source, DNS, and we will define the source as the infected machine, also define the record type to be A; where is record type A? No, this is not good, no, no, actually I mixed this with the, yeah, so here we are looking for a domain name right now, not PDF files; I mixed this with the last question. So how many distinct PDFs did the ransomware encrypt on the
remote file server so here we need to define not dns and the so as a source type it could be windows event logs when and here we defined white cards i'm going to type pdf see what we can get with this okay so we got some events we have now to refine the results so use the destination field here to mention that alt reference of the remote file server so in this case the remote file server is this one b904 one yeah so this one could be the solution or should be the station and the source is uh no here the source ip or resource address if we got anything with that source address is the infected machine here we look at the events where the destination or the source of effective machine the solution is the remote file server and where a pdf file is referenced the source is windows event logs so we got like 4 525 entries now the question is how many distinct pdfs so all you have to do now is to use the stats that's dc dc on what this one relative file name because it is the field referencing the finance and the zero so good nobody files how many just take pdfs ah two five seven why we got zero here i answered with two five seven and here i got zero let me move c here or distinct again zero but we saw more let me um okay search so you got many events referencing file names in pdf as you can see but for some reason i get zero because it's only one file no it is more than one file let's use this one stats dc write a file name relative target name uh i think i used the wrong name so i should take it from here relative target name with underscores search and two five eights here we go two five seven so i think it is the source address that we removed two five seven yeah last one what fully qualified domain name does the server ransomware attempt to direct the user to at the end of its encryption phase of course to pay the ransom now here we back to our old friend stream dns because we're looking at domain names so we have to look through dns of course we type the source 
address so source as the effected machine also we want to put record type as a okay now now this query will give us all of the domain names or of the dns queries originated from our effected machine and if you remember we uh implemented this comment or executed this command before when we were trying to answer uh which question yeah this question to find out the first suspicious domain visited by our dependent machine and we found many white lists or many uh false positive domain names so we eliminated them using not and conditional statements we can use the same list here we use previously don't panic the same list just to white list the ip addresses and what is the yeah i'm trying to speak and demonstrate and i removed some stuff try to remove just the false positives and we pipe this to table time and then the query itself source destination so as you can see we got this one that was first visited and the last one was this one technically this is uh this makes sense actually because the first time the machine is encrypted uh there is an inquiry to the uh command control center of the attacker to download further attacks further malwares but the last domain that could be visited by the victim is the domain actually to which the victim needs to pay the ransom so this one is the answer so that was the last question for this challenge actually i like this room two practical scenarios uh would give you the chance to get your hands dirty with splunk and increase your level of knowledge or practical knowledge in splunk so we will do more splunk of course this is not the last rule so stay tuned and thank you for watching
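The three searches the walkthrough builds, written out as an added example rather than the speaker's exact queries: the encrypted-text-file count on the infected host, the encrypted-PDF count on the remote file server, and the C2/payment-domain timeline from stream:dns. The index, sourcetypes and field names are assumptions taken from the standard BOTSv1 Sysmon, Windows Security and stream:dns data, and the angle-bracket values are placeholders the page does not give.

```spl
index=botsv1 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    host="<infected_host>" TargetFilename="*.txt"
| stats dc(TargetFilename) AS distinct_txt_files

index=botsv1 sourcetype="WinEventLog:Security"
    dest="<remote_file_server>" Source_Address="<infected_host_ip>"
    Relative_Target_Name="*.pdf"
| stats dc(Relative_Target_Name) AS distinct_pdfs

index=botsv1 sourcetype="stream:dns" src_ip="<infected_host_ip>" record_type=A
    NOT query="<benign_domain_1>" NOT query="<benign_domain_2>"
| table _time query src_ip dest_ip
| sort _time
```

In the third search the earliest row is the first suspicious domain queried and the last row is the domain the ransom note directs the victim to, which is the order the transcript reasons through.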
Info
Channel: Motasem Hamdan
Views: 18,610
Keywords: splunk, ransomware
Id: 4Jau-Wj-mkE
Length: 73min 52sec (4432 seconds)
Published: Sat Jun 12 2021