Investigating with Splunk - THM
Last updated
Security Information and Event Management (SIEM)
SOC Analyst Johny has observed some anomalous behaviour in the logs of a few Windows machines. It looks like the adversary has access to some of these machines and has successfully created a backdoor.
His manager has asked him to pull those logs from the suspected hosts and ingest them into Splunk for a quick investigation. Our task as SOC Analyst is to examine the logs and identify the anomalies.
1. How many events were collected and ingested in the index main?
To determine the number of events collected and ingested in the index “main,” we begin by opening Splunk.
Once Splunk is open, we enter index=main into the search bar. To ensure we capture all events, we adjust the time range to “All time.”
Upon executing the search, we observe the results displayed on the screen: a total of 12,256 events were returned.
12256
2. On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?
According to Microsoft, Event ID 4720 is logged whenever a user account is created. We use this information to search for the relevant event.
By entering index="main" EventID="4720" into the search bar, we narrow down our results. From the search results, we find one event that matches our criteria.
By scrolling through the event’s details, we discover that the new username is A1berto.
A1berto
3. On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?
Sysmon Event ID 13 logs modifications of a registry value. This event ID is crucial for tracking changes in the registry, which can indicate malicious activity or system configuration changes.
We apply this knowledge to our search by using the identified new user, A1berto, in the search bar with the query index="main" EventID=13 A1berto.
From this search, we obtain one event. This event provides us with detailed information about the registry modification.
By examining the TargetObject field, we can determine the exact path of the registry key that was modified. In this case, the path is HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto.
HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto
4. Examine the logs and identify the user that the adversary was trying to impersonate.
We focus on the "User" field to identify the names of the users involved.
Previously we found out that the newly created user is "A1berto." This name is similar to, but not the same as, an existing user named "Alberto": the lowercase letter "l" has been replaced with the digit "1".
Given this discrepancy, we determine that the adversary is attempting to impersonate "Alberto" by creating a user with a slightly altered name.
Alberto
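The look-alike check above can be automated: fold the characters attackers commonly swap for letters (1 for l, 0 for o, and so on) and compare the newly created account against the accounts already seen in the "User" field. The script below is an added example and is not part of the THM room or this write-up; the homoglyph map and the account list are constructed for illustration, and the similarity threshold is an assumption.

```python
# Added example (not from the THM room or the write-up): flag a newly created
# account whose name is a near-copy of an existing one.
import difflib

# Characters an attacker commonly swaps for visually similar letters.
# Assumption: a small illustrative map, not an exhaustive homoglyph table.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "@": "a", "$": "s"})


def normalize(name: str) -> str:
    """Lower-case the name and fold digit/symbol look-alikes back to letters."""
    return name.lower().translate(HOMOGLYPHS)


def lookalike_candidates(new_user: str, existing_users, threshold: float = 0.85):
    """Return the existing accounts that the new account appears to imitate.

    An account matches when either the folded names are identical (a pure
    homoglyph swap such as A1berto -> alberto) or the raw names are very close
    (one inserted, dropped or swapped character); the threshold is an assumption.
    """
    hits = []
    for user in existing_users:
        if user == new_user:
            continue  # the same account is not an imitation of itself
        same_after_fold = normalize(user) == normalize(new_user)
        ratio = difflib.SequenceMatcher(None, user.lower(), new_user.lower()).ratio()
        if same_after_fold or ratio >= threshold:
            hits.append(user)
    return hits


# Constructed sample: accounts an analyst might see in the "User" field, plus
# the account reported by the 4720 event in the investigation.
EXISTING = ["Alberto", "James.browne", "Administrator", "svc_backup"]
NEW_ACCOUNT = "A1berto"

if __name__ == "__main__":
    print(lookalike_candidates(NEW_ACCOUNT, EXISTING))  # ['Alberto']
```

Run this over every account name that appears in a 4720 event, comparing against the account list from the same host, and the impersonation attempt stands out without anyone having to eyeball the "User" column.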
5. What is the command used to add a backdoor user from a remote computer?
To determine the command used to add a backdoor user from a remote computer, we start by searching with the keywords index="main" EventID=1 A1berto.
This keyword filter narrows our search to events logged in the main index with an Event ID of 1, which in Sysmon signifies a process creation event. The inclusion of “A1berto” helps us pinpoint events related to this specific user.
Our search yields four events. By examining the command line fields within these events, we identify a command that was used to add a backdoor user from a remote computer. The command is:
C:\windows\System32\Wbem\WMIC.exe /node:WORKSTATION6 process call create "net user /add A1berto paw0rd1"
This command utilizes the Windows Management Instrumentation Command-line (WMIC) tool to execute a process on a remote computer, specified by /node:WORKSTATION6. The process call create part of the command instructs the remote computer to create a new process. The process being created is the net user /add A1berto paw0rd1 command, which adds a new user named “A1berto” with the password “paw0rd1” to the system.
C:\windows\System32\Wbem\WMIC.exe" /node:WORKSTATION6 process call create "net user /add A1berto paw0rd1
6. How many times was the login attempt from the backdoor user observed during the investigation?
To find out, we utilize two specific event IDs: 4624 for successful logon attempts and 4625 for failed logon attempts.
We input the search query index="main" EventID="4625" OR EventID="4624" A1berto into the search bar to filter events related to these logon attempts.
Upon executing this search, we observe that no events are returned, indicating that no logon attempts were made by the backdoor user, A1berto.
0
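Questions 2, 3, 5 and 6 are all the same pattern: filter by Event ID, then read one field. The script below is an added example (not the room's data and not the author's code) that runs those four checks over a handful of constructed event records with the same field names the Splunk searches use (EventID, Computer, TargetUserName, TargetObject, CommandLine). The username, registry path and WMIC command line are taken from the write-up; the hostname "ADMIN-PC" and the 4624/4625 rows are constructed.

```python
# Added example, not part of the THM room or this write-up: the checks behind
# questions 2, 3, 5 and 6, run over constructed Windows Security / Sysmon
# events so the logic can be tested offline.
import re
from collections import Counter

# Constructed events. The username, registry path and WMIC command line mirror
# the write-up; the hostname "ADMIN-PC" and the 4624/4625 rows are made up.
EVENTS = [
    {"EventID": 4720, "Computer": "WORKSTATION6", "TargetUserName": "A1berto"},
    {"EventID": 13, "Computer": "WORKSTATION6",
     "TargetObject": r"HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto"},
    {"EventID": 1, "Computer": "ADMIN-PC",
     "CommandLine": r'C:\windows\System32\Wbem\WMIC.exe /node:WORKSTATION6 '
                    r'process call create "net user /add A1berto paw0rd1"'},
    {"EventID": 1, "Computer": "WORKSTATION6",
     "CommandLine": "net user /add A1berto paw0rd1"},
    {"EventID": 4624, "Computer": "WORKSTATION6", "TargetUserName": "Alberto"},
    {"EventID": 4625, "Computer": "WORKSTATION6", "TargetUserName": "Alberto"},
]

# WMIC creating a process on another host that runs "net user /add <user>".
WMIC_REMOTE_ADD = re.compile(
    r'wmic(?:\.exe)?\s+/node:(?P<node>\S+)\s+process\s+call\s+create\s+'
    r'"?net\s+user\s+/add\s+(?P<user>\S+)',
    re.IGNORECASE,
)


def new_accounts(events):
    """Question 2: Event ID 4720 rows, as (host, username) pairs."""
    return [(e["Computer"], e["TargetUserName"]) for e in events if e["EventID"] == 4720]


def registry_keys_for(events, user):
    """Question 3: Sysmon Event ID 13 target objects that name the user."""
    return [e["TargetObject"] for e in events
            if e["EventID"] == 13 and user.lower() in e["TargetObject"].lower()]


def remote_account_creations(events):
    """Question 5: Sysmon Event ID 1 command lines that add a user via WMIC /node."""
    found = []
    for e in events:
        if e["EventID"] != 1:
            continue
        m = WMIC_REMOTE_ADD.search(e["CommandLine"])
        if m:
            found.append({"source": e["Computer"], "target": m["node"], "user": m["user"]})
    return found


def logon_counts(events, user):
    """Question 6: number of 4624 (success) and 4625 (failure) events for the account."""
    c = Counter(e["EventID"] for e in events
                if e["EventID"] in (4624, 4625) and e["TargetUserName"].lower() == user.lower())
    return {"success": c[4624], "failure": c[4625]}


def triage(events):
    """Tie the pieces together for every account created in the event set."""
    report = []
    for host, user in new_accounts(events):
        report.append({
            "host": host,
            "user": user,
            "registry_keys": registry_keys_for(events, user),
            "remote_creation": [c for c in remote_account_creations(events)
                                if c["user"].lower() == user.lower()],
            "logons": logon_counts(events, user),
        })
    return report


if __name__ == "__main__":
    for entry in triage(EVENTS):
        print(entry)
```

The WMIC regex keys on the /node: switch, which is what separates a remote account creation from the local net user command that Sysmon logs on the target host itself; the logon counter compares names case-insensitively because Windows account names are not case-sensitive.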
7. What is the name of the infected host on which suspicious PowerShell commands were executed?
To identify the infected host where suspicious PowerShell commands were executed, we start by inputting the keyword “powershell” and the backdoor user “A1berto” into the search bar with the query index=main A1berto powershell.
This search yields four events. By examining the details of these events, we discover that the hostname of the infected machine is “James.browne”.
James.browne
8. PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?
According to this source, PowerShell script-block and module logging is recorded under Event IDs 4103 and 4104. To identify the number of events logged for the malicious PowerShell execution, we input the query index="main" EventID="4104" OR EventID="4103" into the search bar.
From the results, we observe that 79 PowerShell execution events were logged.
79
9. An encoded PowerShell script from the infected host initiated a web request. What is the full URL?
First, we use the previous search filter to identify the encoded text within the PowerShell script.
Next, we head to CyberChef. We use the “From Base64” operation to decode the text, followed by the “Remove null bytes” operation to clean up the output (an encoded PowerShell command is the Base64 of UTF-16LE text, which is why every other byte is a null).
The output reveals an additional Base64-encoded value that appears to refer to a domain name or an IP address, especially since it is followed by “/news.php,” which suggests a URL path.
We then copy the base64 string, decode it, and defang the output to ensure it is safe to analyze. The decoded string reveals an IP address, specifically hxxp[://]10[.]10[.]10[.]5.
Finally, by appending the identified subdirectory to this address, we determine that the full URL is hxxp[://]10[.]10[.]10[.]5/news[.]php.
hxxp[://]10[.]10[.]10[.]5/news[.]php
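The CyberChef recipe above (From Base64, Remove null bytes, decode the inner Base64, defang) can be reproduced in a few lines so the same steps can be repeated on the next encoded script without leaving the analysis host. The block below is an added example, not code from the room or the write-up; the encoded script it decodes is constructed to follow the pattern described above (an inner Base64 host plus a clear-text /news.php path), not the room's actual payload.

```python
# Added example (not part of the THM room or the write-up): reproduce the
# CyberChef steps in code. A PowerShell -EncodedCommand value is the Base64 of
# the script as UTF-16LE, which is why every other byte is a null and why the
# write-up needed "Remove null bytes".
import base64
import re

# Runs of Base64 characters long enough to be worth trying to decode (assumption:
# 16+ characters; shorter runs are usually identifiers, not payloads).
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand payload: Base64 -> UTF-16LE text."""
    raw = base64.b64decode(blob)
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        # Not clean UTF-16: fall back to dropping the nulls, as the recipe does.
        return raw.replace(b"\x00", b"").decode("utf-8", errors="replace")


def nested_base64_strings(script: str):
    """Find inner Base64 blobs that decode to printable text."""
    out = []
    for m in B64_BLOB.finditer(script):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # looked like Base64 (e.g. "FromBase64String") but is not text
    return out


def defang(url: str) -> str:
    """Make a URL safe to paste into a report: http -> hxxp, :// -> [://], . -> [.]"""
    return url.replace("http", "hxxp").replace("://", "[://]").replace(".", "[.]")


def extract_url(blob: str) -> str:
    """Full pipeline: decode the script, pull the Base64 host, append the .php path."""
    script = decode_encoded_command(blob)
    hosts = nested_base64_strings(script)
    path = re.search(r"/[\w./-]+\.php", script)  # the "/news.php" style suffix
    if not hosts:
        return ""
    return defang(hosts[0] + (path.group(0) if path else ""))


# Constructed sample (not the room's real payload): a script that hides its
# host in an inner Base64 string and appends the path in clear text.
INNER = base64.b64encode(b"http://10.10.10.5").decode()
SCRIPT = ('$h=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("' + INNER + '"));'
          '$r=Invoke-WebRequest -Uri ($h+"/news.php")')
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()

if __name__ == "__main__":
    print(decode_encoded_command(ENCODED))
    print(extract_url(ENCODED))  # hxxp[://]10[.]10[.]10[.]5/news[.]php
```

Decoding as UTF-16LE first, rather than stripping nulls, matters for scripts that contain non-ASCII characters: removing nulls would corrupt those, while the proper decode keeps them intact.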