DRILLDOWN
Difficulty: Medium
Scenario: Your organization doesn't use Amazon Web Services, so when a Threat Hunter starts seeing connections to multiple EC2 instances, it's time to start hunting to understand what happened, so the information can be passed to the incident response team and indicators can be gathered for intelligence sharing.
To start Splunk, open a terminal and run the command 'sudo systemctl start Splunkd' then open Firefox and navigate to 127.0.0.1:8000.
At the beginning of each search query, start it with "index=*". Also make sure you've set the timeframe to 'All Time'.
Tools: Splunk | VirusTotal
The first question gives us a hint to look for destination hostnames of EC2 instances in the Sysmon logs. So, I have filtered for the Sysmon source and for "ec2" to be included in the DestinationHostname field (index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" DestinationHostname="*ec2*"). This gave me 1640 events, but we are interested in the number of distinct destination hostnames. Therefore, I looked at the top values for the DestinationHostname field:
We can answer Q2 by looking at the top values for the DestinationHostname field from Q1.
Looking at the same logs as in Q1 and Q2, I have checked the top values of the Image field to find the one with the lowest count. As there are only 5 values, I was able to identify the one with the lowest count this way:
For Q4, I further filtered for the Image value found in Q3 (Image="C:\\inetpub\\wwwroot\\joomla\\3791.exe"). This gave me 1 event, where I was able to find the values of the SourceHostname and SourceIp fields:
Looking at the same log as in Q4, I have found the value of the SystemTime field:
Still looking at the same log as in Q4 and Q5, I have found the values of the DestinationHostname and DestinationIp fields:
We know that the executable making the connection is 3791.exe. To find the SHA256 hash of this executable, I have further filtered for the process ID found in the log analyzed in the last three questions and for Sysmon event code 1 (process creation). The final search query was index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" Image="C:\\inetpub\\wwwroot\\joomla\\3791.exe" ProcessId=3880 EventCode=1. This gave me 1 event, which is the process creation for 3791.exe. It has a Hashes field containing the SHA256 hash value of 3791.exe:
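The same Q1 to Q7 pivot (filter EC2 connections, take top values, find the rarest Image, then jump from the network-connection event to the process-creation event of the same process to read the hash) can be expressed outside Splunk. The block below is an added example and not part of the original write-up or the BOTS dataset: the events are constructed Sysmon-shaped records, the hostnames, IPs, times and hashes are placeholders, and only the field names (EventCode, Image, ProcessId, DestinationHostname, Hashes) and the 3791.exe path and ProcessId follow what the write-up searches.

```python
from collections import Counter

SYSMON_SOURCE = "WinEventLog:Microsoft-Windows-Sysmon/Operational"
MALICIOUS_IMAGE = "C:\\inetpub\\wwwroot\\joomla\\3791.exe"   # path from the write-up
HASH_A = "ab" * 32   # constructed placeholder, NOT the real SHA256 of 3791.exe
HASH_B = "cd" * 32   # constructed placeholder for a second, unrelated launch


def net(image, pid, host, ip, t):
    """Build a constructed Sysmon EventCode 3 (network connection) record."""
    return {"source": SYSMON_SOURCE, "EventCode": 3, "Image": image, "ProcessId": pid,
            "SourceHostname": "web01.example.internal", "SourceIp": "10.0.0.5",
            "DestinationHostname": host, "DestinationIp": ip, "UtcTime": t}


def proc(image, pid, sha256, t):
    """Build a constructed Sysmon EventCode 1 (process creation) record."""
    return {"source": SYSMON_SOURCE, "EventCode": 1, "Image": image, "ProcessId": pid,
            "Hashes": f"SHA1={'11' * 20},MD5={'22' * 16},SHA256={sha256}", "UtcTime": t}


# Constructed sample log: two benign processes talking to EC2, one firefox
# connection to a non-EC2 host (filtered out by Q1), one connection by the
# suspicious image, and two process-creation events for that image.
EVENTS = [
    net("C:\\Windows\\System32\\svchost.exe", 900,
        "ec2-203-0-113-10.compute-1.amazonaws.com", "203.0.113.10", "2016-08-10 20:55:00.000"),
    net("C:\\Windows\\System32\\svchost.exe", 900,
        "ec2-203-0-113-10.compute-1.amazonaws.com", "203.0.113.10", "2016-08-10 20:56:00.000"),
    net("C:\\Program Files\\Google\\Chrome\\chrome.exe", 1200,
        "ec2-203-0-113-11.compute-1.amazonaws.com", "203.0.113.11", "2016-08-10 20:57:00.000"),
    net("C:\\Program Files\\Google\\Chrome\\chrome.exe", 1200,
        "ec2-203-0-113-11.compute-1.amazonaws.com", "203.0.113.11", "2016-08-10 20:58:00.000"),
    net(MALICIOUS_IMAGE, 3880,
        "ec2-203-0-113-12.compute-1.amazonaws.com", "203.0.113.12", "2016-08-10 21:03:00.000"),
    net("C:\\Program Files\\Mozilla Firefox\\firefox.exe", 1500,
        "cdn.example.test", "198.51.100.5", "2016-08-10 20:59:00.000"),
    proc(MALICIOUS_IMAGE, 3880, HASH_A, "2016-08-10 21:02:10.000"),
    proc(MALICIOUS_IMAGE, 4000, HASH_B, "2016-08-10 22:15:00.000"),
]


def ec2_connections(events):
    """Q1 filter: Sysmon network-connection events whose destination hostname mentions EC2."""
    return [e for e in events
            if e.get("source") == SYSMON_SOURCE and e.get("EventCode") == 3
            and "ec2" in e.get("DestinationHostname", "").lower()]


def top_values(events, field):
    """Splunk-style 'top' for a field: (value, count) pairs, most common first."""
    return Counter(e[field] for e in events if field in e).most_common()


def rarest_image(events):
    """Q3: the Image with the fewest matching connections (least common value)."""
    return top_values(events, "Image")[-1][0]


def connections_by_image(events, image):
    """Q4 to Q6: the connection event(s) made by one Image."""
    return [e for e in events if e.get("Image") == image]


def parse_hashes(hashes_field):
    """Turn Sysmon's 'SHA1=...,MD5=...,SHA256=...' string into a dict."""
    return dict(part.split("=", 1) for part in hashes_field.split(","))


def process_sha256(events, image, pid):
    """Q7 pivot: the EventCode 1 record for the same Image and ProcessId carries the hash."""
    for e in events:
        if e.get("EventCode") == 1 and e.get("Image") == image and e.get("ProcessId") == pid:
            return parse_hashes(e["Hashes"]).get("SHA256")
    return None


if __name__ == "__main__":
    ec2 = ec2_connections(EVENTS)
    print("distinct EC2 hostnames:", len(top_values(ec2, "DestinationHostname")))
    img = rarest_image(ec2)
    hit = connections_by_image(ec2, img)[0]
    print(img, hit["SourceIp"], "->", hit["DestinationIp"], "at", hit["UtcTime"])
    print("SHA256:", process_sha256(EVENTS, img, hit["ProcessId"]))
```

Pivoting on ProcessId alone works here because the Image is fixed as well, but Windows reuses PIDs, so over a long time range two different launches can share one; Sysmon writes a ProcessGuid into both event 1 and event 3, and that is the safer join key when the dataset has it.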
I have searched for the hash found in Q7 on VirusTotal and, following the instructions in Q8, I have found the IP addresses under Behavior -> Network Communication -> IP Traffic:
I have simply searched for the IP addresses from Q8 in all sources within the Splunk instance:
For this question, we need to find the event where the previously identified malicious file is uploaded to the web server. I have filtered for the sourcetype "stream:http", the HTTP method "POST", and the malicious file identified in the first few questions, "3791.exe". The search query for this question was index=* sourcetype="stream:http" *3791.exe* http_method=POST. The search gave me 1 event, and I found the timestamp of the upload in the endtime field.
Looking at the same log as in Q10, I have found the http_user_agent field:
Looking at the same log as in Q10 and Q11, we can find the URI in either the request field or the http_referrer field:
Looking at the same log as in the last three questions, we can find the source IP of the connection in the c_ip field:
As there are logs from Suricata (a network intrusion detection system) available to us, I have looked into the Suricata logs that contain the malicious filename, "3791.exe". This gave me only 1 hit, and the timestamp of this event is the answer to the final question:
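Q10 through Q14 are really one pivot on the filename across three sources (stream:http for the upload, Sysmon for the execution and outbound connection, Suricata for the alert), which is what the incident response hand-off and the indicator list in the scenario need. The block below is an added example, not part of the original write-up or the BOTS data: it free-text matches the filename across constructed events from those three sources, orders them into a timeline, and collects the indicators. Field names follow the write-up (endtime, http_user_agent, request, http_referrer, c_ip, UtcTime, Hashes) plus the Suricata EVE keys alert.signature and http.url as Splunk flattens them; every value, including the part_filename key on the POST, the URIs, IPs, times and hash, is a placeholder.

```python
from datetime import datetime, timezone

FILENAME = "3791.exe"
SYSMON_SOURCE = "WinEventLog:Microsoft-Windows-Sysmon/Operational"
FAKE_SHA256 = "ab" * 32   # constructed placeholder, NOT the real hash of 3791.exe

# Constructed events. One POST carries the file, one GET does not mention it,
# then process creation, outbound connection, and the Suricata alert.
RAW_EVENTS = [
    {"sourcetype": "stream:http", "http_method": "GET", "c_ip": "203.0.113.77",
     "endtime": "2016-08-10T20:59:58.000000Z", "request": "/joomla/administrator/index.php",
     "http_user_agent": "Mozilla/5.0 (constructed)"},
    {"sourcetype": "stream:http", "http_method": "POST", "c_ip": "203.0.113.77",
     "dest_ip": "10.0.0.5", "endtime": "2016-08-10T21:00:05.000000Z",
     "http_user_agent": "Mozilla/5.0 (constructed)",
     "request": "/joomla/administrator/upload", "part_filename": "3791.exe",
     "http_referrer": "http://web01.example.internal/joomla/administrator/index.php"},
    {"source": SYSMON_SOURCE, "EventCode": 1, "UtcTime": "2016-08-10 21:02:10.000",
     "Image": "C:\\inetpub\\wwwroot\\joomla\\3791.exe", "ProcessId": 3880,
     "Hashes": f"MD5={'22' * 16},SHA256={FAKE_SHA256}"},
    {"source": SYSMON_SOURCE, "EventCode": 3, "UtcTime": "2016-08-10 21:03:00.000",
     "Image": "C:\\inetpub\\wwwroot\\joomla\\3791.exe", "ProcessId": 3880,
     "DestinationHostname": "ec2-203-0-113-12.compute-1.amazonaws.com",
     "DestinationIp": "203.0.113.12"},
    {"sourcetype": "suricata", "event_type": "alert",
     "timestamp": "2016-08-10T21:00:06.000000+0000", "src_ip": "203.0.113.77",
     "dest_ip": "10.0.0.5", "alert.signature": "constructed: executable upload",
     "http.url": "/joomla/administrator/upload/3791.exe"},
]


def event_time(e):
    """Normalise the three timestamp layouts to an aware UTC datetime."""
    if "UtcTime" in e:                         # Sysmon: 'YYYY-MM-DD HH:MM:SS.fff'
        return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    if "endtime" in e:                         # stream:http: ISO 8601 with trailing Z
        return datetime.strptime(e["endtime"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")   # Suricata EVE


def source_label(e):
    if e.get("sourcetype") == "stream:http":
        return "stream:http"
    if e.get("sourcetype") == "suricata":
        return "suricata"
    return f"sysmon:{e.get('EventCode')}"


def free_text_match(e, needle):
    """Mirror Splunk's bare *3791.exe* term: match the needle in any field value."""
    return any(needle.lower() in str(v).lower() for v in e.values())


def find_upload(events, filename):
    """Q10 to Q13: the HTTP POST that carried the file, with the fields the answers come from."""
    for e in events:
        if e.get("sourcetype") == "stream:http" and e.get("http_method") == "POST" \
                and free_text_match(e, filename):
            return {"endtime": e["endtime"], "http_user_agent": e.get("http_user_agent"),
                    "uri": e.get("request") or e.get("http_referrer"), "c_ip": e.get("c_ip")}
    return None


def build_timeline(events, filename):
    """Every event from any source mentioning the file, ordered by time."""
    hits = [e for e in events if free_text_match(e, filename)]
    return sorted(((event_time(e), source_label(e), e) for e in hits), key=lambda t: t[0])


def indicators(events, filename):
    """Collect what the scenario asks to hand over: IPs, hostnames, hash, user agent."""
    ioc = {"ips": set(), "hostnames": set(), "sha256": None, "user_agents": set()}
    for _, _, e in build_timeline(events, filename):
        for key in ("c_ip", "src_ip", "dest_ip", "DestinationIp"):
            if key in e:
                ioc["ips"].add(e[key])
        if "DestinationHostname" in e:
            ioc["hostnames"].add(e["DestinationHostname"])
        if "http_user_agent" in e:
            ioc["user_agents"].add(e["http_user_agent"])
        if "Hashes" in e:
            ioc["sha256"] = dict(p.split("=", 1) for p in e["Hashes"].split(",")).get("SHA256")
    return ioc


if __name__ == "__main__":
    for t, label, _ in build_timeline(RAW_EVENTS, FILENAME):
        print(t.isoformat(), label)
    print(find_upload(RAW_EVENTS, FILENAME))
    print(indicators(RAW_EVENTS, FILENAME))
```

Matching on a bare filename the way the write-up does is deliberately loose: it pulls in the upload, the execution, the outbound connection and the IDS alert with one term, but it also matches any unrelated field that happens to contain the string, so confirm each hit (here by source and event code) before the indicators go out to the IR team.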