We covered cyber incident analysis with ELK Kibana or Elastic Search. We covered http logs pulled from a compromised Windows machine communicating with C2 server. This was part of TryHackMe ItsyBitsy.
Challenge Description
During normal SOC monitoring, Analyst John observed an alert on an IDS solution indicating a potential C2 communication from a user Browne from the HR department. A suspicious file was accessed containing a malicious pattern THM:{ ________ }. A week-long HTTP connection logs have been pulled to investigate. Due to limited resources, only the connection logs could be pulled out and are ingested into the connection_logs
index in Kibana.
Room Answers
How many events were returned for the month of March 2022?
The user’s machine used a legit windows binary to download a file from the C2 server. What is the name of the binary?
The infected machine connected with a famous filesharing site in this period, which also acts as a C2 server used by the malware authors to communicate. What is the name of the filesharing site?
What is the full URL of the C2 to which the infected host is connected?
A file was accessed on the filesharing site. What is the name of the file accessed?
The file contains a secret code with the format THM{_____}.
Video Transcript
What’s going on YouTube today? We’re going to do TryHackMe Itsy bitsy challenge where you have to demonstrate your incident response skills by analyzing.
HTTP connection logs have been pulled to investigate. All right, so the analyst has pulled the packet capture of the traffic. The connection logs could be pulled out and are ingested into the connection logs index in Kibana so much like in Splunk, we need an index to analyze to store the data. We have a total we have 1,482 events. That’s the for the first question. What is the IP associated with the suspected user in the logs? We learned that the user Brown had their machine compromised and their machine is communicating with the C2 server. So obviously we need to find the IP address of the brown machine.
We have the fields that have been extracted by kibana. We have the source IP field and as you can see we have 99% of the events were generated by this IP address that ends with 52.
And 0.4% of the events have been generated by the IP that ends with 54. Okay. Now which one is the correct one now using the common sense? It’s obviously that the IP that is generating the communication with the C2 server.
Here to filter as you can see we have only two events from this IP address take a look at events. So the communication is happening over Port 80 and pastebin.com, which is a file sharing site
And this is the source IP address. This is the URL. Now if you are curious enough to find out what is this URL you’re going to take pastelin.com. And as you can see, we access a file named secret.txt. It has the flag. So just by doing that you have answered all the questions.
Additionally, there’s an agent is it’s very obvious that it doesn’t belong to a browser it belongs to an application. Right? Because if it belongs to a browser it would have been Chrome Mozilla Safari Opera, right? Obviously this user Asian is either manually chosen by the person who is downloading or it was by the application. So that is the answer.
The infected machine connected to the famous file sharing site in this period the file sharing site which also acts as a C2 server now, but basically guys you can answer the rest of the questions just by finding out these two.
Video Walkthrough