Introduction

We covered investigating an infected Windows machine using Splunk, working from Windows event logs and specifically process execution events (Event ID 4688). This was part of the TryHackMe Benign room.

We will investigate host-centric logs in this challenge room to find suspicious process execution. To learn more about Splunk and how to investigate the logs, look at the rooms splunk101 and splunk201.

One of the client's IDS alerted on a potentially suspicious process execution, indicating that one of the hosts in the HR department was compromised. Tools related to network information gathering and scheduled tasks were then seen executing, which confirmed the suspicion. Due to limited resources, only the process execution logs (Event ID 4688) could be pulled; they were ingested into Splunk under the index win_eventlogs for further investigation.

About the Network Information

The network is divided into three logical segments. Knowing which users belong to which department will help in the investigation, both for spotting an account that does not belong and for attributing activity to the HR department.

IT Department

  • James
  • Moin
  • Katrina

HR department

  • Haroon
  • Chris
  • Diana

Marketing department

  • Bell
  • Amelia
  • Deepak

Challenge Answers

How many logs are ingested from the month of March?

Imposter Alert: There seems to be an imposter account observed in the logs, what is the name of that user?

Which user from the HR department was observed to be running scheduled tasks?

Which user from the HR department executed a system process (LOLBin) to download a payload from a file-sharing host?

To bypass the security controls, which system process (LOLBin) was used to download a payload from the internet?

What was the date that this binary was executed by the infected host? (format: YYYY-MM-DD)

Which third-party site was accessed to download the malicious payload?

What is the name of the file that was saved on the host machine from the C2 server during the post-exploitation phase?

The suspicious file downloaded from the C2 server contained malicious content with the pattern THM{……….}; what is that pattern?

What is the URL that the infected host connected to?

Video Walkthrough