
Scenario –
Your organization doesn’t use Amazon Web Services, so when a threat hunter starts seeing connections to multiple EC2 instances it is time to hunt: understand what happened, pass the findings to the incident response team, and gather indicators for intelligence sharing.
To start Splunk, open a terminal and run ‘sudo systemctl start Splunkd’, then open Firefox and navigate to http://127.0.0.1:8000.
Start every search query with "index=*", and set the time range picker to ‘All time’; the data in this scenario is from August 2016, so the default ‘Last 24 hours’ window returns nothing.
1- WayneCorpInc doesn’t use Amazon Web Services for cloud hosting, so when a threat hunter discovered outbound connections to EC2 instances they immediately began to drill down into this activity to provide as much context as possible for the Incident Response Team. Using Sysmon logs, how many destination hostnames are found? (Format: # Destination EC2s)
3
- index=* sourcetype=xmlwineventlog DestinationHostname="*compute*"
- The hostname suffix (.compute-1.amazonaws.com) was obtained by looking at the DestinationHostname values at the start of the search. The wildcards matter: DestinationHostname=".compute" without them is an exact match and returns nothing.
2- Enter the hostnames (excluding ‘.compute-1.amazonaws.com’) in the order of event count, with the highest first (Format: Hostname1, Hostname2, …)
ec2-23-22-63-114, ec2-184-72-234-184, ec2-52-70-175-181
- Using the previous search: the DestinationHostname interesting field lists its top values with their event counts.
3- Look at the Image ‘interesting field’ to see what files are initiating these connections. What is the Image value with the lowest count? (Format: Image Value)
C:\inetpub\wwwroot\joomla\3791.exe
4- What is the hostname and internal IP address of the system that initiated this connection? (Format: Hostname, X.X.X.X)
we1149srv.waynecorpinc.local, 192.168.250.70
- Same search, restricted to that Image; read the host and SourceIp interesting fields.
5- What time was this connection event? Use TimeCreated SystemTime (Format: YYYY-MM-DDTHH:MM:SS)
2016-08-10T21:56:19
- When the question says TimeCreated SystemTime, look at the SystemTime Splunk interesting field; it is the SystemTime attribute of the TimeCreated element in the event XML. Trim it to seconds for the answer format.
6- What is the destination hostname and IP address of the AWS EC2 instance? (Format: Hostname, X.X.X.X)
ec2-23-22-63-114.compute-1.amazonaws.com, 23.22.63.114
7- Utilize Sysmon logs to find the SHA256 hash of the executable making this connection. What is the hash value? (Format: SHA256 Hash)
EC78C938D8453739CA2A370B9C275971EC46CAF6E479DE2B2D04E97CC47FA45D
- Filtering on this Image returned 64 events, most of them EventCode=3 network connections, which carry no hash. Looking at EventCode, three values occurred only once; EventCode=1 is the Sysmon process-creation event, and its Hashes field holds the SHA256. Alternatively, the ImageLoaded interesting field leads to the same hash.
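The Sysmon pivots in questions 1 to 7 (count EC2 destinations, find the odd-one-out Image, read its connection context, then pull the SHA256 from the process-creation event) can be reproduced outside Splunk. The following is an added example, not code from the original write-up: the Sysmon records are constructed to resemble EventID 3 and EventID 1 events in Windows event XML layout, and only the indicator values (hostnames, IPs, paths, hash) come from the page; the svchost.exe connections are invented benign noise.

```python
"""Pivot through Sysmon XML events the way the hunt above does:
count EC2 destinations, find the odd-one-out Image, then pull its SHA256.

Added example, not part of the original write-up. The records are
constructed to resemble Sysmon EventID 3 (network connection) and EventID 1
(process creation) events; only the indicator values come from the page.
"""
from collections import Counter
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EC2_SUFFIX = ".compute-1.amazonaws.com"
HOST = "we1149srv.waynecorpinc.local"
MALWARE = r"C:\inetpub\wwwroot\joomla\3791.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"          # constructed benign noise
SHA256 = "EC78C938D8453739CA2A370B9C275971EC46CAF6E479DE2B2D04E97CC47FA45D"


def _event(event_id, system_time, **data):
    """Build one constructed record in Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/><Computer>{HOST}</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')


def _net(image, dst_ip, dst_host, system_time):
    return _event(3, system_time, Image=image, SourceIp="192.168.250.70",
                  DestinationIp=dst_ip, DestinationHostname=dst_host)


RAW_EVENTS = [
    _net(MALWARE, "23.22.63.114", "ec2-23-22-63-114" + EC2_SUFFIX, "2016-08-10T21:56:19.000000000Z"),
    _net(SVCHOST, "23.22.63.114", "ec2-23-22-63-114" + EC2_SUFFIX, "2016-08-10T22:01:03.000000000Z"),
    _net(SVCHOST, "23.22.63.114", "ec2-23-22-63-114" + EC2_SUFFIX, "2016-08-10T22:14:40.000000000Z"),
    _net(SVCHOST, "184.72.234.184", "ec2-184-72-234-184" + EC2_SUFFIX, "2016-08-10T22:20:05.000000000Z"),
    _net(SVCHOST, "184.72.234.184", "ec2-184-72-234-184" + EC2_SUFFIX, "2016-08-10T22:33:51.000000000Z"),
    _net(SVCHOST, "52.70.175.181", "ec2-52-70-175-181" + EC2_SUFFIX, "2016-08-10T22:41:12.000000000Z"),
    _net(SVCHOST, "192.0.2.10", "ntp.example.com", "2016-08-10T22:45:00.000000000Z"),  # not EC2
    _event(1, "2016-08-10T21:55:58.000000000Z", Image=MALWARE, Hashes="SHA256=" + SHA256),
]


def parse_sysmon(xml_text):
    """Flatten one event: System fields plus every EventData <Data Name=...>."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "SystemTime": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        rec[data.get("Name")] = data.text
    return rec


EVENTS = [parse_sysmon(x) for x in RAW_EVENTS]


def ec2_connections(events):
    """Only EventID 3 records whose destination is an EC2 public hostname."""
    return [e for e in events if e["EventID"] == 3
            and (e.get("DestinationHostname") or "").endswith(EC2_SUFFIX)]


def destinations_by_count(events):
    """Q1/Q2: distinct EC2 hostnames (suffix stripped), most frequent first."""
    counts = Counter(e["DestinationHostname"][:-len(EC2_SUFFIX)]
                     for e in ec2_connections(events))
    return counts.most_common()


def rarest_image(events):
    """Q3: the Image responsible for the fewest EC2 connections."""
    counts = Counter(e["Image"] for e in ec2_connections(events))
    return min(counts.items(), key=lambda kv: kv[1])[0]


def connection_context(events, image):
    """Q4-Q6: host, source IP, time and destination of that image's connection."""
    e = next(e for e in ec2_connections(events) if e["Image"] == image)
    return {"host": e["Computer"], "src_ip": e["SourceIp"],
            "time": e["SystemTime"][:19],          # trim to YYYY-MM-DDTHH:MM:SS
            "dst_host": e["DestinationHostname"], "dst_ip": e["DestinationIp"]}


def sha256_of(events, image):
    """Q7: only the EventID 1 (process creation) record carries the Hashes
    field, formatted as comma-separated ALG=value pairs."""
    for e in events:
        if e["EventID"] == 1 and e["Image"] == image:
            hashes = dict(h.split("=", 1) for h in e["Hashes"].split(","))
            return hashes.get("SHA256")
    return None


if __name__ == "__main__":
    print(destinations_by_count(EVENTS))
    print(rarest_image(EVENTS), connection_context(EVENTS, rarest_image(EVENTS)))
    print(sha256_of(EVENTS, rarest_image(EVENTS)))
```

The same logic is what the Splunk interesting-fields panel does for you: the field counts behind question 2 are a Counter over DestinationHostname, and the hash lookup in question 7 only works on the process-creation event because the network-connection events never carry a Hashes field.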
8- Search this hash online to find more about its reputation. On the Behaviour tab look at the results for Microsoft Sysinternals. What two IPv4 addresses are listed, that begin with 23.216.? (Format: X.X.X.X, X.X.X.X)
23.216.147.64, 23.216.147.76
- Just follow the question instructions (the Behaviour tab is VirusTotal’s sandbox report for the hash).
9-Using these two gathered IPs, check to see if there is any activity from them in Splunk, which there might not be! What is the number of events per IP where the address is mentioned ANYWHERE in a log? (Format: IP1EventCount, IP2EventCount)
0, 0
- Search query: index=* "23.216.147.64" (and again for the second IP); quoting the address keeps it a single search term matched anywhere in the raw event.
10- At what time was this file uploaded to the web server? (Use ‘timestamp’ value) (Format: YYYY-MM-DDTHH:MM:SS)
2016-08-10T21:52:45
- Search query: index=* http_method=POST 3791.exe, then Ctrl+F for "upload" in the raw event. The question wants the event’s own timestamp field, which is not necessarily the same as the _time shown beside the event.
11- What user-agent was used to upload the file? (Format: Full User-Agent)
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- Same event; read the http_user_agent interesting field.
12- What URI received a POST request from the attacker, in order to upload the file? (Format: /path/to/something)
/joomla/administrator/index.php
- Same event; read the url / uri_path interesting field.
13- What is the source IP responsible for the initial access activity? (Format: X.X.X.X)
40.80.148.42
- Same event; read the src_ip interesting field.
14- We need to understand if any of our network defenses have detected this activity, or if we’re completely blind. Use one of the retrieved indicators to search the logs to see if anything has flagged this file as being malicious. Provide any timestamp retrieved from a relevant log to show evidence of some kind of alert or notification (Format: YYYY-MM-DD HH:MM:SS)
2016-08-10 15:52:45
- Search query: index=* 3791.exe, then select sourcetype=fortigate_utm. Note the timestamp is exactly six hours behind the 21:52:45 upload time from the web logs, which is consistent with the firewall stamping events in local time rather than UTC; normalise both to one zone before placing them on a timeline.
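Questions 9 to 14 pivot from the Sysmon hit into the web-server and firewall logs: find the POST that uploaded the file, read its timestamp, user agent, URI and source IP, check whether the sandbox IPs appear anywhere, and confirm that a network control saw the file. The following is an added example, not code from the original write-up: the records are constructed to resemble Splunk’s stream:http JSON events and a FortiGate UTM key=value line (the field names and the benign requests are assumptions), and only the indicator values come from the page.

```python
"""Pivot from the Sysmon hit to the web-server and firewall logs (Q9-Q14).

Added example, not part of the original write-up. The records are
constructed to resemble Splunk's stream:http JSON events and a FortiGate
UTM key=value line; only the indicator values come from the page.
"""
import json
import re
from datetime import datetime

ATTACKER_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
WEB_SERVER = "192.168.250.70"


def _http(ts, method, src, uri, ua, parts=None):
    """One constructed stream:http-style record, as a raw JSON line."""
    return json.dumps({"timestamp": ts, "src_ip": src, "dest_ip": WEB_SERVER,
                       "http_method": method, "uri_path": uri,
                       "http_user_agent": ua, "part_filename": parts or []})


RAW_LINES = [
    _http("2016-08-10T21:50:11.000000Z", "GET", "40.80.148.42", "/joomla/administrator/", ATTACKER_UA),
    _http("2016-08-10T21:51:30.000000Z", "POST", "40.80.148.42", "/joomla/administrator/index.php", ATTACKER_UA),
    _http("2016-08-10T21:52:45.000000Z", "POST", "40.80.148.42", "/joomla/administrator/index.php", ATTACKER_UA, ["3791.exe"]),
    _http("2016-08-10T21:58:02.000000Z", "GET", "10.0.2.15", "/joomla/index.php", "curl/7.47.0"),
    # constructed FortiGate UTM line; note it is stamped in local time, not UTC
    'date=2016-08-10 time=15:52:45 type=utm subtype=virus level=warning '
    'msg="File is infected." filename="3791.exe"',
]


def http_events(lines):
    """Decode the JSON records; skip lines of other sourcetypes."""
    out = []
    for line in lines:
        try:
            out.append(json.loads(line))
        except json.JSONDecodeError:
            pass
    return out


def find_upload(lines, filename):
    """Q10-Q13: the POST whose multipart body carried the file. The answer
    uses the event's own timestamp field, trimmed to seconds."""
    for e in http_events(lines):
        if e["http_method"] == "POST" and filename in e.get("part_filename", []):
            return {"timestamp": e["timestamp"][:19], "uri": e["uri_path"],
                    "user_agent": e["http_user_agent"], "src_ip": e["src_ip"]}
    return None


def count_ip_mentions(lines, ip):
    """Q9: lines mentioning the IP anywhere. Escape the dots and refuse
    neighbouring digits, otherwise 23.216.147.6 would also hit 23.216.147.64."""
    pat = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return sum(1 for line in lines if pat.search(line))


FW_STAMP = re.compile(r"\bdate=(\d{4}-\d{2}-\d{2}) time=(\d{2}:\d{2}:\d{2})")


def firewall_alerts(lines, filename):
    """Q14: FortiGate lines naming the file, returned as 'YYYY-MM-DD HH:MM:SS'."""
    hits = []
    for line in lines:
        m = FW_STAMP.search(line)
        if m and f'filename="{filename}"' in line:
            hits.append(f"{m.group(1)} {m.group(2)}")
    return hits


def clock_offset_hours(fw_stamp, web_stamp):
    """How far the firewall clock trails the web log for the same upload.
    Six hours here: the two sources are not in the same time zone, so
    normalise before placing them on one timeline."""
    fw = datetime.strptime(fw_stamp, "%Y-%m-%d %H:%M:%S")
    web = datetime.strptime(web_stamp, "%Y-%m-%dT%H:%M:%S")
    return (web - fw).total_seconds() / 3600


if __name__ == "__main__":
    upload = find_upload(RAW_LINES, "3791.exe")
    print(upload)
    print([count_ip_mentions(RAW_LINES, ip) for ip in ("23.216.147.64", "23.216.147.76")])
    alerts = firewall_alerts(RAW_LINES, "3791.exe")
    print(alerts, clock_offset_hours(alerts[0], upload["timestamp"]))
```

Two details are worth carrying back into Splunk. The "anywhere in a log" search in question 9 is a raw-text match, so an unanchored substring search can over-count when one address is a prefix of another; the regex above anchors on non-digit boundaries for that reason. And the six-hour gap between the FortiGate stamp and the stream:http timestamp is the kind of offset that silently breaks a timeline if the two sources are not normalised to one zone first.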