DRILLDOWN

Scenario: Your organization doesn't use Amazon Web Services, so when a Threat Hunter starts seeing connections to multiple EC2 instances, it's time to start hunting to understand what happened, so the information can be passed to the incident response team, and indicators can be gather for intelligence sharing.

To start Splunk, open a terminal and run the command 'sudo systemctl start Splunkd' then open Firefox and navigate to 127.0.0.1:8000.

At the beginning of each search query, start it with "index=*". Also make sure you've set the timeframe to 'All Time'.

Tools: Splunk | VirusTotal

Q1) WayneCorpInc doesn't use Amazon Web Service for cloud hosting, so when a threat hunting discovered outbound connections to EC2 instances they immediately began to drilldown into this activity so they can provide as much context for the Incident Response Team as possible. Using Sysmon logs, how many destination hostnames are found? (Format: # Destination EC2s)

First question is giving us a hint to look for destination hostnames of EC2 instances in the sysmon logs. So, I have filtered for Sysmon source and EC2 to be included in the DestinationHostname field (index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" DestinationHostname="*ec2*"). This gave me 1640 events, but we are interested in the number of destination hostnames. Therefore, I looked at the top values for DestinationHotsname field:

Answer

Q2) Enter the hostnames (excluding '.compute-1.amazon.aws.com') in the order of event count, with the highest first (Format: Hostname1, Hostname2, ...)

We can answer Q2 by looking at the top values for DestinationHostname field from Q1.

Answer

Q3) Look at the Image 'interesting field' to see what files are initiating these connections. What is the Image value with the lowest count? (Format: Image Value)

Looking at the same logs as in Q1 and Q2, I have checked the top values of Image field to find the one with the lowest count. As there are only 5 values, I was able to identify the one with the lowest count this way:

Answer

Q4) What is the hostname and internal IP address of the system that initiated this connection? (Format: Hostname, X.X.X.X)

For Q4, I further filtered for the image value found in Q3 (Image="C:\\inetpub\\wwwroot\\joomla\\3791.exe"). This gave me 1 event where I was able to find the values for SourceHostname and SourceIp fields:

Answer

Q5) What time was this connection event? Use TimeCreated SystemTime (Format: YYYY-MM-DDTHH:MM:SS)

Looking at the same log as in Q4, I have found the value of SystemTime field:

Answer

Q6) What is the destination hostname and IP address of the AWS EC2 instance? (Format: Hostname, X.X.X.X)

Still looking at the same log as in Q4 and Q5, I have found the values for DestinationHostname and DestinationIp fields:

Answer

Q7) Utilize Sysmon logs to find the SHA256 hash of the executable making this connection. What is the hash value? (Format: SHA256 Hash)

We know that the executable that is making the connection is 3791.exe. To find the SHA256 hash of this executable, I have further filtered for the process ID found in the log that was analyzed in last 3 questions and for the Sysmon event code 1 (process creation). Final search query was index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" Image="C:\\inetpub\\wwwroot\\joomla\\3791.exe" ProcessId=3880 EventCode=1. This gave me 1 event which is process creation for 3791.exe. There is Hashes field with SHA256 hash value for 3791.exe:

Answer

Q8) Search this hash online to find more about its reputation. On the Behaviour tab look at the results for Microsoft Sysinternals. What two IPv4 addresses are listed, that begin with 23.216.? (Format: X.X.X.X, X.X.X.X)

I have searched for the hash found in Q7 on VirusTotal and by following the instructions in Q8, I have found the IP addresses in Behavior -> Network Communication -> IP Traffic:

Answer

Q9) Using these two gathered IPs, check to see if there is any activity from them in Splunk, which there might not be! What is the number of events per IP where the address is mentioned ANYWHERE in a log? (Format: IP1EventCount, IP2EventCount)

I have simply searched for the IP addresses from Q8 in all sources within the Splunk instance:

Answer

Q10) At what time was this file uploaded to the web server? (Use 'timestamp' value) (Format: YYYY-MM-DDTHH:MM:SS)

For this question, we need to find the event where previously identified malicious file is uploaded to the web server. I have filtered for the source type "stream:http", http method "POST", and for the malicious file we have identified in the first few questions, "3791.exe". Search query for this question was index=* sourcetype="stream:http" *3791.exe* http_method=POST. Search gave me 1 event and I have found the timestamp of the upload within the endtime field.

Answer

Q11) What user-agent was used to upload the file? (Format: Full User-Agent)

Looking at the same log as in Q10, I have found the http_user_agent field:

Answer

Q12) What URI received a POST request from the attacker, in order to upload the file? (Format: /path/to/something)

Looking at the same log as in Q10 and Q11, we can find the URI either in request field or http_refferer field:

Answer

Q13) What is the source IP responsible for the initial access activity? (Format: X.X.X.X)

Looking at the same log as in last 3 questions, we can find the source IP of the connection in c_ip field:

Answer

Q14) We need to understand if any of our network defenses have detected this activity, or if we're completely blind. Use one of the retrieved indicators to search the logs to see if anything has flagged this file as being malicious. Provide any timestamp retrieved from a relevant log to show evidence of some kind of alert or notification (Format: YYYY-MM-DD HH:MM:SS)

As there are logs from suricata (Network Intrusion Detection System) available to us, I have looked into suricata logs that contain the malicious filename, "3791.exe". This gave me only 1 hit and the timestamp of this event is the answer to the final question:

Answer