
DRILLDOWN

Difficulty: Medium

Last updated 2 months ago

Scenario: Your organization doesn't use Amazon Web Services, so when a Threat Hunter starts seeing connections to multiple EC2 instances, it's time to start hunting to understand what happened, so the information can be passed to the incident response team and indicators can be gathered for intelligence sharing.

To start Splunk, open a terminal and run the command 'sudo systemctl start Splunkd' then open Firefox and navigate to 127.0.0.1:8000.

At the beginning of each search query, start it with "index=*". Also make sure you've set the timeframe to 'All Time'.

Tools: Splunk | VirusTotal

Q1) WayneCorpInc doesn't use Amazon Web Service for cloud hosting, so when a threat hunter discovered outbound connections to EC2 instances they immediately began to drilldown into this activity so they can provide as much context for the Incident Response Team as possible. Using Sysmon logs, how many destination hostnames are found? (Format: # Destination EC2s)

The first question hints that we should look for destination hostnames of EC2 instances in the Sysmon logs. I filtered for the Sysmon source and for "ec2" in the DestinationHostname field (index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" DestinationHostname="*ec2*"). This returned 1640 events, but we are interested in the number of distinct destination hostnames, so I looked at the top values for the DestinationHostname field:

Answer

Q2) Enter the hostnames (excluding '.compute-1.amazon.aws.com') in the order of event count, with the highest first (Format: Hostname1, Hostname2, ...)

We can answer Q2 from the same top values of the DestinationHostname field used in Q1.

Answer

Q3) Look at the Image 'interesting field' to see what files are initiating these connections. What is the Image value with the lowest count? (Format: Image Value)

Looking at the same logs as in Q1 and Q2, I checked the top values of the Image field to find the one with the lowest count. As there are only 5 values, the one with the lowest count is easy to identify this way:

Answer

Q4) What is the hostname and internal IP address of the system that initiated this connection? (Format: Hostname, X.X.X.X)

For Q4, I further filtered for the Image value found in Q3 (Image="C:\\inetpub\\wwwroot\\joomla\\3791.exe"). This returned a single event, where I found the values of the SourceHostname and SourceIp fields:

Answer

Q5) What time was this connection event? Use TimeCreated SystemTime (Format: YYYY-MM-DDTHH:MM:SS)

Looking at the same log as in Q4, I found the value of the SystemTime field:

Answer

Q6) What is the destination hostname and IP address of the AWS EC2 instance? (Format: Hostname, X.X.X.X)

Still looking at the same log as in Q4 and Q5, I found the values of the DestinationHostname and DestinationIp fields:

Answer

Q7) Utilize Sysmon logs to find the SHA256 hash of the executable making this connection. What is the hash value? (Format: SHA256 Hash)

We know that the executable making the connection is 3791.exe. To find its SHA256 hash, I further filtered for the process ID found in the log analyzed in the last three questions and for Sysmon event code 1 (process creation). The final search query was index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" Image="C:\\inetpub\\wwwroot\\joomla\\3791.exe" ProcessId=3880 EventCode=1. This returned a single event, the process creation for 3791.exe, and its Hashes field contains the SHA256 value for 3791.exe:

Answer
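The pivot performed in Q1 to Q7 (count and rank the EC2 destination hostnames, pick the Image with the fewest connections, then jump from that process's network-connection event to its process-creation event to read the hash) is re-created below in Python over constructed Sysmon-style records. This is an added example, not code from the write-up or from BTLO; the hostnames, IPs, counts and the hash are made up (TEST-NET-3 addresses, a placeholder SHA256) and are not the lab's answers. The Image value and ProcessId 3880 are the ones the write-up pivots on; the SystemTime, Hashes and other field names follow the Sysmon fields as Splunk extracts them.

```python
"""Sysmon pivot from Q1-Q7 of the DRILLDOWN write-up, re-created in Python.

Added example, not part of the original write-up. Every record below is
CONSTRUCTED; no value is a lab answer.
"""
from collections import Counter


def conn(image, pid, dest_host, dest_ip, minute,
         src_host="WS01.waynecorpinc.local", src_ip="10.0.0.25"):
    """Build a constructed Sysmon EventCode 3 (network connection) record."""
    return {
        "EventCode": 3, "Image": image, "ProcessId": pid,
        "SourceHostname": src_host, "SourceIp": src_ip,
        "DestinationHostname": dest_host, "DestinationIp": dest_ip,
        "SystemTime": f"2020-01-10T09:{minute:02d}:00",  # stands in for TimeCreated SystemTime
    }


EC2_A = "ec2-203-0-113-10.compute-1.amazonaws.com"   # constructed (TEST-NET-3)
EC2_B = "ec2-203-0-113-20.compute-1.amazonaws.com"
EC2_C = "ec2-203-0-113-30.compute-1.amazonaws.com"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
DROPPER = r"C:\inetpub\wwwroot\joomla\3791.exe"       # Image value from the write-up
FAKE_SHA256 = "c" * 64                                 # placeholder, not the lab's hash

SYSMON_EVENTS = (
    [conn(FIREFOX, 2100, EC2_A, "203.0.113.10", m) for m in range(4)]
    + [conn(SVCHOST, 900, EC2_B, "203.0.113.20", m) for m in range(2)]
    + [conn(FIREFOX, 2100, EC2_C, "203.0.113.30", m) for m in range(2)]
    # a non-EC2 connection that the DestinationHostname="*ec2*" filter must drop
    + [conn(FIREFOX, 2100, "intranet.waynecorpinc.local", "10.0.0.5", 10)]
    # the single connection made by the rare image, from the web server
    + [conn(DROPPER, 3880, EC2_B, "203.0.113.20", 30, "WEB01.waynecorpinc.local", "10.0.0.50")]
    + [
        # EventCode 1 (process creation) for the rare image; Hashes uses Sysmon's own format
        {"EventCode": 1, "Image": DROPPER, "ProcessId": 3880,
         "Hashes": f"SHA1={'a' * 40},MD5={'b' * 32},SHA256={FAKE_SHA256},IMPHASH={'d' * 32}"},
        # process creation for another PID that a pivot without the ProcessId filter could match
        {"EventCode": 1, "Image": SVCHOST, "ProcessId": 900, "Hashes": f"SHA256={'e' * 64}"},
    ]
)


def ec2_connections(events):
    """Equivalent of source=Sysmon DestinationHostname="*ec2*" (connection events only)."""
    return [e for e in events
            if e["EventCode"] == 3 and "ec2" in e["DestinationHostname"].lower()]


def ranked_destinations(events):
    """Q1/Q2: distinct destination hostnames with their event counts, highest first."""
    return Counter(e["DestinationHostname"] for e in ec2_connections(events)).most_common()


def rarest_image(events):
    """Q3: the Image with the fewest EC2 connections; low frequency is the triage signal."""
    return Counter(e["Image"] for e in ec2_connections(events)).most_common()[-1][0]


def parse_hashes(hashes_field):
    """Turn Sysmon's 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' string into a dict."""
    return dict(part.split("=", 1) for part in hashes_field.split(","))


def pivot_to_process(events, image):
    """Q4-Q7: from the connection event of `image` to the matching process-creation event.

    The join key is Image plus ProcessId, which is what the write-up's final query filters on.
    """
    conns = [e for e in ec2_connections(events) if e["Image"] == image]
    if len(conns) != 1:
        raise ValueError(f"expected one connection event for {image}, got {len(conns)}")
    c = conns[0]
    creations = [e for e in events if e["EventCode"] == 1
                 and e["Image"] == image and e["ProcessId"] == c["ProcessId"]]
    if len(creations) != 1:
        raise ValueError(f"expected one process-creation event for PID {c['ProcessId']}")
    return {
        "SourceHostname": c["SourceHostname"], "SourceIp": c["SourceIp"],     # Q4
        "SystemTime": c["SystemTime"],                                        # Q5
        "DestinationHostname": c["DestinationHostname"],
        "DestinationIp": c["DestinationIp"],                                  # Q6
        "SHA256": parse_hashes(creations[0]["Hashes"])["SHA256"],             # Q7
    }


if __name__ == "__main__":
    for host, count in ranked_destinations(SYSMON_EVENTS):
        print(f"{count:4d}  {host}")
    image = rarest_image(SYSMON_EVENTS)
    print("rarest image:", image)
    print(pivot_to_process(SYSMON_EVENTS, image))
```

The ProcessId filter matters: without it, any earlier or later run of the same binary would also match, and the hash recovered could belong to a different file written to the same path.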

Q8) Search this hash online to find more about its reputation. On the Behaviour tab look at the results for Microsoft Sysinternals. What two IPv4 addresses are listed, that begin with 23.216.? (Format: X.X.X.X, X.X.X.X)

I searched for the hash found in Q7 on VirusTotal and, following the instructions in Q8, found the IP addresses under Behavior -> Network Communication -> IP Traffic:

Answer

Q9) Using these two gathered IPs, check to see if there is any activity from them in Splunk, which there might not be! What is the number of events per IP where the address is mentioned ANYWHERE in a log? (Format: IP1EventCount, IP2EventCount)

I simply searched for the two IP addresses from Q8 across all sources in the Splunk instance:

Answer

Q10) At what time was this file uploaded to the web server? (Use 'timestamp' value) (Format: YYYY-MM-DDTHH:MM:SS)

For this question, we need to find the event where the previously identified malicious file is uploaded to the web server. I filtered for the source type "stream:http", the HTTP method "POST", and the malicious file identified in the first few questions, "3791.exe". The search query for this question was index=* sourcetype="stream:http" *3791.exe* http_method=POST. The search returned a single event, and I found the timestamp of the upload in the endtime field.

Answer

Q11) What user-agent was used to upload the file? (Format: Full User-Agent)

Looking at the same log as in Q10, I have found the http_user_agent field:

Answer

Q12) What URI received a POST request from the attacker, in order to upload the file? (Format: /path/to/something)

Looking at the same log as in Q10 and Q11, we can find the URI in either the request field or the http_referrer field:

Answer

Q13) What is the source IP responsible for the initial access activity? (Format: X.X.X.X)

Looking at the same log as in the last three questions, we can find the source IP of the connection in the c_ip field:

Answer

Q14) We need to understand if any of our network defenses have detected this activity, or if we're completely blind. Use one of the retrieved indicators to search the logs to see if anything has flagged this file as being malicious. Provide any timestamp retrieved from a relevant log to show evidence of some kind of alert or notification (Format: YYYY-MM-DD HH:MM:SS)

As there are Suricata (Network Intrusion Detection System) logs available to us, I looked into the Suricata logs that contain the malicious filename, "3791.exe". This returned only one hit, and the timestamp of that event is the answer to the final question:

Answer
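The remaining pivots (Q9: count events that mention an IP anywhere in the log; Q10 to Q13: find the POST that uploaded the file and read its timestamp, user-agent, URI and client IP; Q14: check whether the IDS alerted on the same filename) are re-created below over constructed Splunk-style records. This is an added example, not code from the write-up or from BTLO; the IPs come from documentation ranges, the upload URI and the Suricata signature name are made up, and nothing here is a lab answer. Field names follow the ones the write-up pivots on (sourcetype, http_method, http_user_agent, request, c_ip, timestamp); the Suricata record shape (event_type, alert.signature, fileinfo.filename) is an assumption about EVE JSON, and the "anywhere in a log" search is modelled by serialising each record to a string, standing in for Splunk's _raw.

```python
"""Web-server upload and IDS correlation from Q9-Q14 of the DRILLDOWN write-up, in Python.

Added example, not part of the original write-up. All records are CONSTRUCTED;
no value is a lab answer.
"""
import json
import re

UPLOAD_URI = "/joomla/upload.php"   # constructed path, not the lab's URI

EVENTS = [
    {"sourcetype": "stream:http", "timestamp": "2020-01-10T08:55:00", "http_method": "GET",
     "request": "/joomla/administrator/", "c_ip": "198.51.100.7",
     "http_user_agent": "Mozilla/5.0 (constructed)"},
    # the upload: a POST whose body names the file
    {"sourcetype": "stream:http", "timestamp": "2020-01-10T08:57:12", "http_method": "POST",
     "request": UPLOAD_URI, "c_ip": "198.51.100.7",
     "http_user_agent": "python-requests/2.22.0 (constructed)",
     "form_data": "filename=3791.exe"},
    # a later GET of the same file must not be mistaken for the upload
    {"sourcetype": "stream:http", "timestamp": "2020-01-10T08:58:40", "http_method": "GET",
     "request": "/joomla/3791.exe", "c_ip": "10.0.0.25",
     "http_user_agent": "Mozilla/5.0 (constructed)"},
    # Suricata EVE-style alert (assumed shape) that names the file
    {"sourcetype": "suricata", "timestamp": "2020-01-10 08:57:13", "event_type": "alert",
     "src_ip": "198.51.100.7", "dest_ip": "10.0.0.50",
     "alert": {"signature": "CONSTRUCTED executable uploaded to web root"},
     "fileinfo": {"filename": "3791.exe"}},
    # two flows to addresses that share a prefix, to exercise the Q9 edge case
    {"sourcetype": "stream:tcp", "timestamp": "2020-01-10T09:30:05",
     "src_ip": "10.0.0.50", "dest_ip": "23.216.1.200"},
    {"sourcetype": "stream:tcp", "timestamp": "2020-01-10T09:30:06",
     "src_ip": "10.0.0.50", "dest_ip": "23.216.1.20"},
]


def raw(event):
    """Serialised form of a record, standing in for Splunk's _raw field."""
    return json.dumps(event, sort_keys=True)


def count_mentions(events, ip):
    """Q9: number of events mentioning `ip` anywhere in the record.

    A bare substring test would count 23.216.1.200 when searching for 23.216.1.20,
    so the match is anchored on characters that cannot belong to an address.
    """
    pattern = re.compile(rf"(?<![\d.]){re.escape(ip)}(?![\d.])")
    return sum(1 for e in events if pattern.search(raw(e)))


def find_upload(events, filename):
    """Q10-Q13: the single POST whose record mentions `filename`.

    Mirrors the write-up's search: sourcetype="stream:http" *3791.exe* http_method=POST.
    """
    hits = [e for e in events if e["sourcetype"] == "stream:http"
            and e.get("http_method") == "POST" and filename in raw(e)]
    if len(hits) != 1:
        raise ValueError(f"expected one upload event for {filename}, got {len(hits)}")
    e = hits[0]
    return {"timestamp": e["timestamp"], "user_agent": e["http_user_agent"],
            "uri": e["request"], "source_ip": e["c_ip"]}


def ids_alerts_for(events, filename):
    """Q14: Suricata alerts whose record mentions `filename`, as (timestamp, signature)."""
    return [(e["timestamp"], e["alert"]["signature"]) for e in events
            if e["sourcetype"] == "suricata" and e.get("event_type") == "alert"
            and filename in raw(e)]


if __name__ == "__main__":
    for ip in ("23.216.1.20", "23.216.1.200"):
        print(ip, count_mentions(EVENTS, ip))
    print(find_upload(EVENTS, "3791.exe"))
    print(ids_alerts_for(EVENTS, "3791.exe"))
```

Checking the IDS with the same filename, rather than only with the hash, is what makes Q14 useful: it tells the responder whether the upload was visible to the network sensor at all, and the alert timestamp gives a second clock to line up against the web-server and Sysmon times.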

Screenshots in the original write-up (not reproduced here), in order: destination hostnames of EC2 instances found in Sysmon logs (Q1, Q2); top values for the Image field (Q3); expanding the filter with the Image value found in Q3 (Q4); SystemTime value of the connection event (Q5); DestinationHostname and DestinationIp values of the connection event (Q6); process creation event for 3791.exe containing the SHA256 hash of the executable (Q7); IPv4 addresses found on VirusTotal (Q8); searching for the IPs found in Q8 (Q9); searching for the upload of 3791.exe to the web server (Q10); user-agent for the upload of the malicious file to the web server (Q11); URI for the POST request, the file upload (Q12); source IP for the connection to the web server (Q13); searching for the malicious filename within the Suricata logs (Q14).