search

ItsyBitsy

hashtag
Scenario

During normal SOC monitoring, Analyst John observed an alert on an IDS solution indicating a potential C2 communication from a user Browne from the HR department. A suspicious file was accessed containing a malicious pattern THM:{ ________ }. A week-long HTTP connection logs have been pulled to investigate. Due to limited resources, only the connection logs could be pulled out and are ingested into the connection_logs index in Kibana.

Our task in this room will be to examine the network connection logs of this user, find the link and the content of the file, and answer the questions.

hashtag
Questions

  1. How many events were returned for the month of March 2022?

  2. What is the IP associated with the suspected user in the logs?

  3. The user’s machine used a legit windows binary to download a file from the C2 server. What is the name of the binary?

  4. The infected machine connected with a famous filesharing site in this period, which also acts as a C2 server used by the malware authors to communicate. What is the name of the filesharing site?

  5. What is the full URL of the C2 to which the infected host is connected?

  6. A file was accessed on the filesharing site. What is the name of the file accessed?

  7. The file contains a secret code with the format THM{_____}. What is the code?

hashtag
Answers and Solutions

Below is each question that needs to be answered in order to complete the room with the steps taken to answer each question.

hashtag
Question 1: How many events were returned for the month of March 2022?

  • Step 1: The first step we need to do once you are logged into the Kibana dashboard in the discover section is to make sure that the correct index is set. Spoilers - There is only the single index but in real life you would need to make sure you are searching in the correct index. This is especially true in other log search head software such as Splunk or Datadog.

  • Step 2: Now that we have the correct index now, we can finally select some search dates to answer the first question.

  • Step 3: Check the results. So hard I know but really that's it. We are done with question 1.

  • Step 4: Submit the answer of 1482.

hashtag
Question 2: What is the IP associated with the suspected user in the logs?

  • Step 1: This can be broken down into two parts. Part 1 is to click on the field column containing the source IP information to check the top talkers.

  • If we look at the logs of the IP address that makes up 99.6% we can for now say that it looks like legitimate traffic as it's not really visiting any hosts or URIs that contain malicious content. You can double check these by entering some of the host+uri fields into https://virustotal.com and notice that they will be identified as safe.

  • Step 2: However, once we look at the second IP address, the 0.4% we only see two URIs, one is a HEAD request (used to see if the website URI exists) and the second was a GET request to obtain the webpage that hosted a text file.

    • The two hosts with URIs point to a known website that hosts pictures, forums, files, etc. one of which could be malicious so more than likely this IP address is our guy.

  • Step 3: Submit the answer 192.168.65.54

hashtag
Question 3: The user’s machine used a legit windows binary to download a file from the C2 server. What is the name of the binary?

hashtag
Question 4: The infected machine connected with a famous filesharing site in this period, which also acts as a C2 server used by the malware authors to communicate. What is the name of the filesharing site?

  • Step 1: Well in real life this could be a possibility so for fun we can pretend that the host connected to the logs is inherintly malicious. There isn't much to this step. We know the IP address and the user-agent is correct in the logs and there is only one shared host location.

  • Step 2: Submit answer pastebin.com

hashtag
Question 5: What is the full URL of the C2 to which the infected host is connected?

  • Step 1: Here we just need to take the host column value and concat the uri column value and we can get the full URI visited by the user that infected the host with C2 malware.

    • pastebin.com + yTg0Ah6a = pastebin.com/yTg0Ah6a

  • Step 2: Submit answer pastebin.com/yTg0Ah6a

hashtag
Question 6: A file was accessed on the filesharing site. What is the name of the file accessed?

  • Step 1: Finally we get to use the information we have retrieved from the logs so far and apply previous knowledge in other rooms such as VirusTotal to obtain information about the file that we wish to find.

  • Step 2: Submit the full URI pastebin.com/yTg0Ah6a to https://virustotal.com/

  • Step 3: Review the Details page to find the answer. If we scroll down the page down to the HTML info section, we can see the title of the html page which is in our case the "file" that we are looking for.

  • Step 4: Submit answer secret.txt

hashtag
Question 7: The file contains a secret code with the format THM{_____}. What is the code?

  • Step 1: Since the detections page pulls a 0/90 results we can safely assume that the page is safe to visit however if you're feeling too paranoid then submit the same URI to https://urlscan.io and it will screenscrap the webpage for you.

  • Step 2: Once at the web page we can see it looks like a forum page containing the "file contents"

  • Step 3: Submit answer THM{SECRET__CODE}

Thats a wrap future or current Cyber Security analysts. This room is quick and clean but enforces very well done base skills to be a great analyst.

Happy hunting!

PreviousIdentify the AWS Account ID from a Public S3 BucketNextIncident Handling with Splunk

Last updated