SOC ALPHA 2

Difficulty: Medium


Scenario: You are provided with use-cases to conduct some proactive searches in ELK. Answer the following questions by using the information provided in README.txt.

ELK should start within 5 minutes; if it does not, start the elasticsearch, kibana and logstash services from the terminal.

Tools: ELK | LogAnalysis | Network Analysis

Q1) Hunt 1 (1/3) - What is the IP address from which the suspicious brute force traffic is seen? (Format: X.X.X.X)

README.txt shows us that the logs associated with the first hunt (Brute Force Detected) can be found in the winevent-security index pattern. To investigate brute force traffic, we can look for failed logons by filtering for Event_System_EventID: 4625. We can identify the attacker's IP address by looking at the values of the Event_EventData_IpAddress field. For the filtered logs there is only one IP address:

Answer

Q2) Hunt 1 (2/3) - What is the observed logon type? (Format: Logon Type Name)

Looking at the same logs as in Q1, we can find the logon type of the logon attempts by looking at the top values of the Event_EventData_LogonType field. 100% of the logs have the value 3, which is the Network logon type:

Answer

Q3) Hunt 1 (3/3) - What is the time of the first successful logon after the brute force? (Format: DD-MM-YYYY hh:mm:ss)

To find the first successful logon of the attacker, we need to filter for successful logons originating from the attacker's IP address - Event_EventData_IpAddress: 192.18.1.20 AND Event_System_EventID: 4624. This filter gives only one hit, which is the successful logon:
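The three steps of Hunt 1 (count 4625 events per source IP, check the logon type distribution, then find the first 4624 from the same source) as an added Python example over constructed records shaped like the winevent-security documents; this is not code from the lab or the write-up, and only the attacker IP 192.18.1.20 comes from the text (timestamps and the other hosts are invented):

```python
from collections import Counter
from datetime import datetime

# Windows logon type codes (subset) mapped to the names used in the Q2 answer format.
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

def event(ts, eid, ip, logon_type):
    """Build one document using the winevent-security field names from the write-up."""
    return {"@timestamp": ts, "Event_System_EventID": eid,
            "Event_EventData_IpAddress": ip, "Event_EventData_LogonType": logon_type}

# Constructed sample index: six failed logons from the attacker address named in Q3
# (192.18.1.20), one unrelated failure, one earlier success from another host and,
# last, the attacker's first success. All timestamps are invented.
SAMPLE_EVENTS = [event(f"2021-04-01T10:00:{s:02d}", 4625, "192.18.1.20", 3)
                 for s in range(10, 60, 9)]
SAMPLE_EVENTS += [event("2021-04-01T09:55:00", 4624, "10.0.0.7", 10),
                  event("2021-04-01T10:00:15", 4625, "10.0.0.5", 2),
                  event("2021-04-01T10:05:30", 4624, "192.18.1.20", 3)]

def failed_logon_sources(events, threshold=5):
    """Source IPs with at least `threshold` Event ID 4625 hits, most frequent first (Q1)."""
    counts = Counter(e["Event_EventData_IpAddress"] for e in events
                     if e["Event_System_EventID"] == 4625)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

def logon_type_breakdown(events, ip):
    """Share of each logon type among the failed logons from `ip` (Q2's top-values view)."""
    types = Counter(LOGON_TYPES.get(e["Event_EventData_LogonType"], "Unknown")
                    for e in events if e["Event_System_EventID"] == 4625
                    and e["Event_EventData_IpAddress"] == ip)
    total = sum(types.values())
    return {name: n / total for name, n in types.items()}

def first_success_after_bruteforce(events, ip):
    """Earliest 4624 from `ip` after its first 4625, as DD-MM-YYYY hh:mm:ss (Q3)."""
    failures = sorted(e["@timestamp"] for e in events
                      if e["Event_System_EventID"] == 4625
                      and e["Event_EventData_IpAddress"] == ip)
    if not failures:
        return None
    successes = sorted(e["@timestamp"] for e in events
                       if e["Event_System_EventID"] == 4624
                       and e["Event_EventData_IpAddress"] == ip
                       and e["@timestamp"] > failures[0])
    if not successes:
        return None
    return datetime.fromisoformat(successes[0]).strftime("%d-%m-%Y %H:%M:%S")
```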

Answer

Q4) Hunt 2 (1/2) - What is the full command used for bypassing the defender scan on the malicious file? (Format: powershell.exe ... Full Command (Do not include the file path))

Logs associated with the second hunt (Windows Defender Bypass) can be found in the winevent-powershell index pattern. To find the command used for bypassing the Defender scan, I searched for a couple of keywords. The first was "*bypass*", which returns multiple hits for logs containing the full command that tries to bypass the execution policy in PowerShell. While that is still an interesting finding, it is not what the question is asking for.

The second keyword I searched for was "*exclusion*", and this gave me the answer to this question - the command that attempts to exclude the path of the malicious file from being scanned by Defender:

Answer

NOTE: The question asks for the full command EXCLUDING THE FILE PATH.

Q5) Hunt 2 (2/2) - What is the filename of the malicious application? (Format: filename.extension)

Looking at the same log as in Q4, we can find the malicious filename at the very end of the command:
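The two keyword searches from Q4 and the filename extraction from Q5 as an added Python example over constructed ScriptBlockText values; this is not code from the lab or the write-up. The Add-MpPreference -ExclusionPath form of the command is an assumption (the write-up only says the command excludes the file's path from scanning), and the path and filename are invented placeholders:

```python
import ntpath
import re

# Constructed sample of ScriptBlockText values as they might appear in the
# winevent-powershell index; the path and filename are invented placeholders.
SAMPLE_POWERSHELL = [
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Temp\\setup.ps1",
    "Get-Process | Where-Object { $_.CPU -gt 100 }",
    'powershell.exe Add-MpPreference -ExclusionPath "C:\\Users\\Public\\payload_sample.exe"',
]

# Defender exclusion switch followed by its (optionally quoted) argument. The cmdlet
# form is assumed; the write-up only says the command excludes the file's path.
EXCLUSION_ARG = re.compile(
    r'''(?i)(-Exclusion(?:Path|Process|Extension))\s+(?:"([^"]+)"|'([^']+)'|(\S+))''')

def execution_policy_bypass_hits(records):
    """The *bypass* search from Q4: hits that only turn off the execution policy."""
    return [t for t in records if re.search(r"(?i)-ExecutionPolicy\s+Bypass", t)]

def find_exclusion_commands(records):
    """Mirror the *exclusion* search: return (command without the path, filename)."""
    hits = []
    for text in records:
        if "exclusion" not in text.lower():
            continue
        m = EXCLUSION_ARG.search(text)
        if not m:
            continue
        path = m.group(2) or m.group(3) or m.group(4)
        command = text[:m.end(1)].strip()  # everything up to the switch, path dropped
        hits.append((command, ntpath.basename(path)))  # basename = filename.extension (Q5)
    return hits
```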

Answer

Q6) Hunt 3 (1/2) - What is the domain name? (Format: domain.tld)

Logs associated with the third hunt (WannaCry KillSwitch Domain) can be found in the sysmon index pattern. To find the kill switch domain, I filtered for Sysmon Event ID 22, which records DNS queries - Event_System_EventID: 22. Then I checked the top values of the Event_EventData_QueryName field; the second value is a long domain name that looks suspicious:

Answer

Q7) Hunt 3 (2/2) - What is the Execution ProcessID and ThreadID? (Format: pid, tid)

If we filter for the above domain, we can find the Execution Process ID and Thread ID in the Event_System_Execution_#attributes_ProcessID and Event_System_Execution_#attributes_ThreadID fields:

Answer

Q8) Hunt 4 (1/1) - What is the full path of the exe used for dumping password? (Format: C:\path\to\file.extension)

For the fourth hunt (Password Dumping), we stay in the sysmon index pattern. To find the .exe file used for dumping passwords, I filtered for "mimikatz", as it is a well-known credential-dumping tool:
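The three Sysmon searches of Hunts 3 and 4 (top DNS query names with a length heuristic for the odd one out, the Execution PID/TID for a given domain, and the image path of a process matching "mimikatz") as an added Python example over constructed sysmon documents; this is not code from the lab or the write-up. The Event ID 22 field names are from the text; Event_EventData_Image and Event_EventData_CommandLine for Event ID 1 are assumed names, and the long domain and the tool path are invented placeholders, not the real answers:

```python
from collections import Counter

PID_FIELD = "Event_System_Execution_#attributes_ProcessID"
TID_FIELD = "Event_System_Execution_#attributes_ThreadID"

def dns_event(query, pid, tid):
    """Sysmon Event ID 22 document with the field names from Q6/Q7."""
    return {"Event_System_EventID": 22, "Event_EventData_QueryName": query,
            PID_FIELD: pid, TID_FIELD: tid}

def process_event(image, command_line):
    """Sysmon Event ID 1 (process create); Image/CommandLine field names are assumed."""
    return {"Event_System_EventID": 1, "Event_EventData_Image": image,
            "Event_EventData_CommandLine": command_line}

# Constructed sample of the sysmon index: routine DNS lookups, one long random-looking
# query (placeholder, not the real kill switch domain), and a credential-dumping run.
SUSPECT = "xkqzvjwplrtyhgnbmcdsaeouifajsdlkfjqwe.example"
SAMPLE_SYSMON = [dns_event("update.microsoft.com", 1012, 2048)] * 3 + [
    dns_event("time.windows.com", 1012, 2050),
    dns_event(SUSPECT, 2404, 3412),
    process_event("C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs"),
    process_event("C:\\Tools\\mimikatz_sample.exe", "mimikatz_sample.exe"),
]

def top_query_names(events):
    """Top values of QueryName over Event ID 22, as Kibana's field visualisation shows."""
    return Counter(e["Event_EventData_QueryName"] for e in events
                   if e["Event_System_EventID"] == 22).most_common()

def suspicious_query_names(events, min_label_len=30):
    """Flag queries whose longest DNS label is unusually long (the Q6 eyeballing, automated)."""
    return [name for name, _ in top_query_names(events)
            if max(len(label) for label in name.split(".")) >= min_label_len]

def execution_ids_for_domain(events, domain):
    """(ProcessID, ThreadID) of the first Event ID 22 record that queried `domain` (Q7)."""
    for e in events:
        if e["Event_System_EventID"] == 22 and e["Event_EventData_QueryName"] == domain:
            return e[PID_FIELD], e[TID_FIELD]
    return None

def password_dumper_paths(events, keyword="mimikatz"):
    """Full Image path of process-create events matching `keyword` (the Q8 search)."""
    return [e["Event_EventData_Image"] for e in events if e["Event_System_EventID"] == 1
            and keyword in (e["Event_EventData_Image"] + e["Event_EventData_CommandLine"]).lower()]
```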

Answer

Screenshot captions (images not included in this text):
  • Q&A 1: Source IPs of failed login attempts
  • Q&A 2: Logon types of failed login attempts
  • Q&A 3: Successful logins originating from the attacker's IP
  • Q&A 4: Filtering for *exclusion* to find the command used for bypassing Defender
  • Q&A 5: Malicious filename found in the executed command
  • Q&A 6: WannaCry kill switch domain found in the DNS logs
  • Q&A 7: Execution PID and TID found in the DNS logs
  • Q&A 8: Filtering for "mimikatz"