Introduction
We covered investigating an infected Windows machine using Splunk. We examined Windows event logs, specifically process execution events. This was part of TryHackMe Benign.
We will investigate host-centric logs in this challenge room to find suspicious process execution. To learn more about Splunk and how to investigate the logs, look at the rooms splunk101 and splunk201.
One of the client's IDS alerts indicated a potentially suspicious process execution, suggesting that one of the hosts from the HR department was compromised. Some tools related to network information gathering and scheduled tasks were executed, which confirmed the suspicion. Due to limited resources, we could only pull the process execution logs with Event ID 4688 and ingest them into Splunk under the index win_eventlogs for further investigation.
About the Network Information
The network is divided into three logical segments. Knowing which users belong to which segment will help in the investigation.
IT Department
- James
- Moin
- Katrina
HR department
- Haroon
- Chris
- Diana
Marketing department
- Bell
- Amelia
- Deepak
Initial Setup and Data Exploration
I started by getting into the Splunk instance and loading the relevant index, which was "own event logs". I made sure to set the time filter to "All time" so I could see every available log.
Identifying an Imposter Account
The first task was to find an imposter account. I knew how many legitimate users there should be. By looking at the username field in Splunk, I noticed there were more usernames than expected. To pinpoint the imposter, I used a Splunk query to list all unique usernames. This quickly revealed an account named "Amelia" but with a "1" instead of an "i" (Amel1a), which was indeed the imposter.
- Splunk Query Used:
index="own event logs" | dedup username | table username
Finding Scheduled Tasks
Next, I needed to figure out which user from the HR department was running scheduled tasks. I searched for events containing "scheduled tasks". By examining the command_line and username fields, I discovered that "Chris Fort" had created a scheduled task related to an "Office Updater". While the name sounded legitimate, the path it was running from seemed suspicious.
Investigating Payload Download
The core of my investigation was to find a user in the HR department who executed a system process to download a payload from a file-sharing site.
I began by filtering events for users in the HR department:
- Splunk Query Used:
index="own event logs" (username=Haron OR username=Chris_Fort OR username=Diana_S)
To find the specific process, I decided to go user by user. I started with “Haron” and listed all the unique processes they ran:
- Splunk Query Used:
index="own event logs" username=Haron | dedup process_name | table process_name
Looking through Haron's process list, I found certutil.exe. This is a legitimate Windows utility, but attackers can also abuse it to download files; it's a classic example of a "living off the land binary" (LOLBin).
Uncovering the Malicious Activity Details
To find out exactly when certutil.exe was executed by Haron, I used:
- Splunk Query Used:
index="own event logs" username=Haron certutil.exe | table _time
This gave me the precise date and time. To see the full command executed and identify the download source, I used:
- Splunk Query Used:
index="own event logs" username=Haron certutil.exe | table command_line
This command revealed the URL from which a payload was downloaded. The video mentioned that visiting this URL would provide a flag, which would answer the remaining questions in the challenge, including the third-party site, the payload name, and the flag itself.
Throughout the process, I focused on using Splunk's search capabilities, filtering, and table displays to narrow down events and pinpoint suspicious activities. I also touched on the concept of LOLBins and how attackers can leverage legitimate system tools for malicious purposes. It was a really good exercise in using Splunk for security analysis!
TryHackMe Benign Answers
Imposter Alert: There seems to be an imposter account observed in the logs, what is the name of that user?
Which user from the HR department was observed to be running scheduled tasks?
Which user from the HR department executed a system process (LOLBIN) to download a payload from a file-sharing host?
To bypass the security controls, which system process (lolbin) was used to download a payload from the internet?
What was the date that this binary was executed by the infected host? format (YYYY-MM-DD)
Which third-party site was accessed to download the malicious payload?
What is the name of the file that was saved on the host machine from the C2 server during the post-exploitation phase?
The suspicious file downloaded from the C2 server contained malicious content with the pattern THM{……….}; what is that pattern?
What is the URL that the infected host connected to?