We will investigate host-centric logs in this challenge room to find suspicious process execution. To learn more about Splunk and how to investigate the logs, look at the rooms splunk101 and splunk201.

Room Machine

Before moving forward, deploy the machine. When you deploy the machine, it will be assigned an IP. Access this room via the AttackBox, or via the VPN at MACHINE_IP. The machine will take up to 3-5 minutes to start. ll the required logs are ingested in the index win_eventlogs.

One of the client’s IDS indicated a potentially suspicious process execution indicating one of the hosts from the HR department was compromised. Some tools related to network information gathering / scheduled tasks were executed which confirmed the suspicion. Due to limited resources, we could only pull the process execution logs with Event ID: 4688 and ingested them into Splunk with the index win_eventlogs for further investigation.

About the Network Information

The network is divided into three logical segments. It will help in the investigation.

IT Department

• James
• Moin
• Katrina

HR department

• Haroon
• Chris
• Diana

Marketing department

• Bell
• Amelia
• Deepak

How many logs are ingested from the month of March, 2022?

Answer: 13959

add index=”win_eventlogs” to search bar to see number of events. Remember to adjust timeframe

Imposter Alert: There seems to be an imposter account observed in the logs, what is the name of that user?

Answer: Amel1a

Was hoping to be able to click username down the lefthandside but that only displays 10 results and seems we are chasing number 11. Well played THM.

Lets expand the limit and check the stats section

There’s our imposter account.

Which user from the HR department was observed to be running scheduled tasks?

Answer: Chris.fort

Lets try this via EventID 4698 (Scheduled task created)

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4698

Whoops forgot data is only for event ID 4688. Scrap that plan. So if we look at HR department we see there are 3 users so lets try filtering for them and schtasks.exe.

1 event and it was Chris.

Which user from the HR department executed a system process (LOLBIN) to download a payload from a file-sharing host.

Answer: haroon

Let’s do similar process but as we don’t know the process they utilised lets filter by commandline without duplicates.

Certutil is of interest

 

If we run a new search on that result we get 1 result, username is listed

To bypass the security controls, which system process (lolbin) was used to download a payload from the internet?

Answer: certutil.exe

We discovered this answer whilst researching the last question.

What was the date that this binary was executed by the infected host? format (YYYY-MM-DD)

Answer: 2022-03-04

Also listed in above result.

Which third-party site was accessed to download the malicious payload?

Answer: controlc.com

Once again answer is in above results.

What is the name of the file that was saved on the host machine from the C2 server during the post-exploitation phase?

Answer: benign.exe

 

The suspicious file downloaded from the C2 server contained malicious content with the pattern THM{……….}; what is that pattern?

Answer: THM{KJ&*H^B0}

Head to the site

 

What is the URL that the infected host connected to?

Answer: https://controlc.com/e4d11035

See above.

Scored alot of answers from the same place so was a nice and speedy room. Thanks for reading.