ItsyBitsy
Scenario
During normal SOC monitoring, Analyst John observed an alert on an IDS solution indicating a potential C2 communication from a user Browne from the HR department. A suspicious file was accessed containing a malicious pattern THM:{ ________ }. A week of HTTP connection logs has been pulled to investigate. Due to limited resources, only the connection logs could be pulled out, and they are ingested into the connection_logs index in Kibana.
Our task in this room will be to examine the network connection logs of this user, find the link and the content of the file, and answer the questions.
Questions
How many events were returned for the month of March 2022?
What is the IP associated with the suspected user in the logs?
The user’s machine used a legit windows binary to download a file from the C2 server. What is the name of the binary?
The infected machine connected with a famous filesharing site in this period, which also acts as a C2 server used by the malware authors to communicate. What is the name of the filesharing site?
What is the full URL of the C2 to which the infected host is connected?
A file was accessed on the filesharing site. What is the name of the file accessed?
The file contains a secret code with the format THM{_____}. What is the code?
Answers and Solutions
Below is each question that needs to be answered in order to complete the room with the steps taken to answer each question.
Question 1: How many events were returned for the month of March 2022?
Step 1: The first thing we need to do once we are logged into the Kibana dashboard, in the Discover section, is to make sure that the correct index is selected. Spoilers: there is only a single index here, but in real life you would need to make sure you are searching the correct index. This is especially true in other log search software such as Splunk or Datadog.
Step 2: Now that we have the correct index, we can select the date range needed to answer the first question.
Step 3: Check the results. So hard, I know, but really that's it. We are done with question 1.
Step 4: Submit the answer of 1482.
Question 2: What is the IP associated with the suspected user in the logs?
Step 1: This can be broken down into two parts. Part 1 is to click on the field column containing the source IP information to check the top talkers.
If we look at the logs of the IP address that makes up 99.6% of the traffic, we can for now say that it looks like legitimate traffic, as it is not really visiting any hosts or URIs that contain malicious content. You can double check this by entering some of the host+uri values into https://virustotal.com and noticing that they are identified as safe.
Step 2: However, once we look at the second IP address, the one making up 0.4% of the traffic, we only see two URIs: one is a HEAD request (used to check whether the website URI exists) and the second was a GET request to obtain the web page that hosted a text file.
The two host+URI pairs point to a known website that hosts pictures, forums, files, etc., any of which could be malicious, so more than likely this IP address is our guy.
Step 3: Submit the answer 192.168.65.54
Question 3: The user’s machine used a legit windows binary to download a file from the C2 server. What is the name of the binary?
Step 1: We only have the information from the connection requests, so in order to find out the potential binary used on the host machine, the only available field worth looking at is the user_agent field: certain pieces of software, as well as libraries in various programming languages, send requests with a signature identifying where they come from. For more information about user agents please visit the following website: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent
We can do a bit of research on the interwebs and find that 'Bitsadmin is a command-line tool used to create, download or upload jobs, and to monitor their progress.'
Step 2: Submit the answer bitsadmin
Question 4: The infected machine connected with a famous filesharing site in this period, which also acts as a C2 server used by the malware authors to communicate. What is the name of the filesharing site?
Step 1: In real life this could be a possibility, so for fun we can pretend that the host seen in the logs is inherently malicious. There isn't much to this step. We know the IP address and the user agent are correct in the logs, and there is only one shared host location.
Step 2: Submit the answer pastebin.com
Question 5: What is the full URL of the C2 to which the infected host is connected?
Step 1: Here we just need to take the host column value and concatenate it with the uri column value, and we get the full URI visited by the user that infected the host with the C2 malware.
pastebin.com + yTg0Ah6a = pastebin.com/yTg0Ah6a
Step 2: Submit the answer pastebin.com/yTg0Ah6a
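The same triage steps used for questions 1 to 5 (count events in a month, rank source IPs, flag non-browser user agents, rebuild host+uri into a full URL), run over a few constructed connection-log records. This is an added example, not code from the room or the write-up; the field names (timestamp, source_ip, method, host, uri, user_agent) and the sample records are assumptions, and the room's index may name its fields differently.

```python
from collections import Counter

# Constructed sample records standing in for the connection_logs index.
# Field names are assumptions; the real index may differ.
LOGS = [
    {"timestamp": "2022-03-02T09:14:00", "source_ip": "192.168.65.21", "method": "GET",
     "host": "www.example.com", "uri": "/", "user_agent": "Mozilla/5.0"},
    {"timestamp": "2022-03-05T11:30:00", "source_ip": "192.168.65.21", "method": "GET",
     "host": "www.example.com", "uri": "/news", "user_agent": "Mozilla/5.0"},
    {"timestamp": "2022-03-13T14:02:00", "source_ip": "192.168.65.54", "method": "HEAD",
     "host": "pastebin.com", "uri": "/yTg0Ah6a", "user_agent": "Microsoft BITS/7.8"},
    {"timestamp": "2022-03-13T14:02:05", "source_ip": "192.168.65.54", "method": "GET",
     "host": "pastebin.com", "uri": "/yTg0Ah6a", "user_agent": "Microsoft BITS/7.8"},
    {"timestamp": "2022-04-01T08:00:00", "source_ip": "192.168.65.21", "method": "GET",
     "host": "www.example.com", "uri": "/", "user_agent": "Mozilla/5.0"},
]


def events_in_month(logs, year_month):
    """Q1: count events whose timestamp falls in the given YYYY-MM."""
    return sum(1 for r in logs if r["timestamp"].startswith(year_month))


def top_talkers(logs):
    """Q2: (source_ip, count, percent of traffic), most active first."""
    counts = Counter(r["source_ip"] for r in logs)
    total = sum(counts.values())
    return [(ip, n, round(100 * n / total, 1)) for ip, n in counts.most_common()]


def non_browser_agents(logs, ip):
    """Q3: user agents for one source IP that do not look like a browser string."""
    return sorted({r["user_agent"] for r in logs
                   if r["source_ip"] == ip and not r["user_agent"].startswith("Mozilla/")})


def full_urls(logs, ip):
    """Q4/Q5: host + uri joined, as the write-up does by hand, deduplicated."""
    return sorted({r["host"] + r["uri"] for r in logs if r["source_ip"] == ip})


if __name__ == "__main__":
    print(events_in_month(LOGS, "2022-03"))
    print(top_talkers(LOGS))
    suspect = top_talkers(LOGS)[-1][0]  # least active talker in this sample
    print(non_browser_agents(LOGS, suspect))
    print(full_urls(LOGS, suspect))
```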
Question 6: A file was accessed on the filesharing site. What is the name of the file accessed?
Step 1: Finally we get to use the information we have retrieved from the logs so far and apply knowledge from previous rooms, such as VirusTotal, to obtain information about the file that we wish to find.
Step 2: Submit the full URI pastebin.com/yTg0Ah6a to https://virustotal.com/
Step 3: Review the Details page to find the answer. If we scroll down the page to the HTML info section, we can see the title of the HTML page, which in our case is the "file" that we are looking for.
Step 4: Submit answer secret.txt
Question 7: The file contains a secret code with the format THM{_____}. What is the code?
Step 1: Since the Detections page shows 0/90 results, we can safely assume that the page is safe to visit; however, if you're feeling too paranoid, submit the same URI to https://urlscan.io and it will render the web page and take a screenshot for you.
Step 2: Once at the web page, we can see it looks like a forum page containing the "file contents".
Step 3: Submit answer THM{SECRET__CODE}
That's a wrap, future or current cyber security analysts. This room is quick and clean but reinforces the foundational skills needed to be a great analyst.
Happy hunting!