In this article, we solve the room named “TryHackMe Log Universe”. It's very important that you open the VM in the room so you can follow along with the answers given in this post.
If you don’t have access to TryHackMe, then watch the video below for more context.
- Learn how to identify and use different log sources.
- Understand what to expect from different log types.
- Gain hands-on experience in data carving from the log files.
Please watch the video at the bottom for full detailed explanation of the walkthrough.
Definition of Logs in Cybersecurity & IT
Following security best practices, it is typical for a modern environment to employ log forwarding. Log forwarding means that the SOC moves or “forwards” logs from the host machine to a central server or indexer. Even if an attacker manages to delete logs from the host machine, copies may already be off the device and secured.
Log entries are often given a severity level to categorize and communicate their relative importance or impact. These severity levels help prioritize responses, investigations, and actions based on the criticality of the events. Different systems might use slightly different severity levels, but commonly, you can expect to find the following increasing severity levels: Informational, Warning, Error, and Critical.
What are Log Files?
Log files are records of events committed to a file in a list format. They can include all sorts of information about events that happened at a particular time. Every device on the network creates log files, thus giving you a history of what’s been happening.
Logs typically contain five fields. They are:
- Timestamp – the time of the event.
- Log level – how severe or important the event is.
- Username – who caused the event.
- Service or application – what caused the event.
- Event description – what has happened.
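To make the five fields concrete, here is a small parser I added for this post (it is not part of the room or of any tool the room uses). It reads key=value style lines, which I constructed for the example, normalises them into the five fields above, treats the username as optional (system events such as a killed worker have no user), and reports lines it cannot parse instead of silently dropping them.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in a key=value layout; they are not taken from the room's log files.
SAMPLE_LINES = [
    'ts=2024-03-27T15:51:56Z level=warning user=john-p service=sshd msg="Failed password from 10.0.0.5"',
    'ts=2024-03-27T15:52:01Z level=info user=john-p service=sshd msg="Accepted password from 10.0.0.5"',
    'ts=2024-03-27T15:53:10Z level=error service=nginx msg="worker killed: out of memory"',
    'this line is not a log entry',
]

# One key=value token; the value is either a double-quoted string (with \" escapes) or a bare word.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# The five fields every normalised event carries.
FIELDS = ("timestamp", "level", "username", "service", "description")


def parse_line(line):
    """Return the five standard fields for one line, or None when the mandatory
    ts/level/service/msg keys are missing or the timestamp is malformed.
    The username is optional: system events have none."""
    kv = {}
    for key, value in _TOKEN.findall(line):
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')  # strip quotes, unescape
        kv[key] = value
    if not {"ts", "level", "service", "msg"}.issubset(kv):
        return None
    try:
        stamp = datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {
        "timestamp": stamp,
        "level": kv["level"].upper(),
        "username": kv.get("user"),
        "service": kv["service"],
        "description": kv["msg"],
    }


def parse_lines(lines):
    """Parse every line; returns (events, rejected_count) so malformed input stays visible."""
    events, rejected = [], 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            rejected += 1
        else:
            events.append(event)
    return events, rejected


def count_by_level(events):
    """Tally events per log level, the first thing an analyst usually wants to see."""
    counts = {}
    for event in events:
        counts[event["level"]] = counts.get(event["level"], 0) + 1
    return counts


if __name__ == "__main__":
    evts, bad = parse_lines(SAMPLE_LINES)
    for e in evts:
        print(e["timestamp"].isoformat(), e["level"], e["username"], e["service"], e["description"])
    print("rejected:", bad, "by level:", count_by_level(evts))
```

The rejected count matters in practice: a high number usually means the log format changed (a new application version, a different locale) rather than that the source went quiet.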
Log Management
Log management covers storing logs securely, providing enough storage capacity, and ensuring that logs can be retrieved quickly when needed. Also make sure to conform to the retention period, back up your logs regularly, and review them periodically.
Log Retention & Archival
Define log retention policies and implement them. Don’t forget to create backups of stored log data as well.
Definition of Log Analysis in IT & Cybersecurity
Log analysis examines and interprets log event data generated by various data sources (devices, applications, and systems) to monitor metrics and identify security incidents.
Log analysis involves several steps that start with collecting, parsing, and processing log files to turn raw data into actionable findings. Analysts then correlate log data to find links and connections between events and build a story of what happened.
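The correlation step is easiest to see on already-parsed events, so here is an added example (my own, not from the room) that takes constructed events in the five-field shape, puts them on a single timeline, counts them per service, and then links a run of failed SSH logons to the success that follows them for the same user. The threshold and time window are assumptions you would tune for your environment.

```python
from datetime import datetime, timedelta

# Constructed, already-parsed events (the five standard fields); not taken from the room's VM.
EVENTS = [
    {"timestamp": datetime(2024, 3, 27, 15, 50, 0), "level": "INFO", "username": None,
     "service": "ntpd", "description": "time sync successful"},
    {"timestamp": datetime(2024, 3, 27, 15, 51, 56), "level": "WARNING", "username": "john-p",
     "service": "sshd", "description": "Failed password from 10.0.0.5"},
    {"timestamp": datetime(2024, 3, 27, 15, 51, 58), "level": "WARNING", "username": "john-p",
     "service": "sshd", "description": "Failed password from 10.0.0.5"},
    {"timestamp": datetime(2024, 3, 27, 15, 52, 0), "level": "WARNING", "username": "john-p",
     "service": "sshd", "description": "Failed password from 10.0.0.5"},
    {"timestamp": datetime(2024, 3, 27, 15, 52, 3), "level": "INFO", "username": "john-p",
     "service": "sshd", "description": "Accepted password from 10.0.0.5"},
    # A single old failure followed much later by a success: normal behaviour, must not be flagged.
    {"timestamp": datetime(2024, 3, 27, 15, 40, 0), "level": "WARNING", "username": "alice",
     "service": "sshd", "description": "Failed password from 10.0.0.9"},
    {"timestamp": datetime(2024, 3, 27, 16, 10, 0), "level": "INFO", "username": "alice",
     "service": "sshd", "description": "Accepted password from 10.0.0.9"},
]


def timeline(events):
    """First correlation step: put events from every source on one clock."""
    return sorted(events, key=lambda e: e["timestamp"])


def count_by(events, key):
    """Tally events by any field, e.g. count_by(events, "service")."""
    counts = {}
    for event in events:
        counts[event[key]] = counts.get(event[key], 0) + 1
    return counts


def failed_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Flag users with at least `min_failures` failed sshd logons followed by a
    success inside `window`. Returns a list of (username, failures, success_time).
    Threshold and window are assumed values for the example."""
    findings = []
    pending = {}  # username -> timestamps of failures not yet closed by a success
    for event in timeline(events):
        if event["service"] != "sshd" or not event["username"]:
            continue
        user = event["username"]
        if event["description"].startswith("Failed password"):
            pending.setdefault(user, []).append(event["timestamp"])
        elif event["description"].startswith("Accepted password"):
            recent = [t for t in pending.get(user, []) if event["timestamp"] - t <= window]
            if len(recent) >= min_failures:
                findings.append((user, len(recent), event["timestamp"]))
            pending[user] = []  # a success closes the sequence either way
    return findings


if __name__ == "__main__":
    print("per service:", count_by(EVENTS, "service"))
    for user, n, when in failed_then_success(EVENTS):
        print(f"{user}: {n} failures then success at {when}")
```

Note that the events are deliberately not in time order in the input; sorting first is what lets the failure-then-success rule work across sources that were collected separately.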
Windows Event Logs
Windows event logs provide in-depth footprint information on the system, security, and applications installed on a Windows operating system. Windows provides a generous amount of logs, and you will need to activate them according to your visibility needs and capacity. Remember, the logging scope is fully configurable, and the default settings are not enough for the current state of the threats. Being comfortable with logs is a vital skill, but it is also important to understand the general characteristics of each log source before deep-diving into its details.
Windows Categorization of Event Messages
- Information: Describes the successful operation of a driver, application or service. Basically, a service is calling home.
- Warning: Describes an event that may not be a present issue but can cause problems in the future.
- Error: Describes a significant problem with a service or application.
- Success Audit: Outlines that an audited security access operation was successful. For example, a user’s successful login to the system.
- Failure Audit: Outlines that an audited security access operation failed. For example, a failed access to a network drive by a user.
Linux Logs
Like Windows event logs, Linux logs provide in-depth footprint information on the system, security, and applications installed. Again, the logging scope is fully configurable, and the default settings are not enough for the current state of the threats. Examples of Linux logs can be found below:
/var/log/syslog
The syslog file stores all system activity, including startup activity. Note that this is not the syslog protocol used to collect log entries from other systems.
/var/log/messages
This log contains a wide variety of general system messages. It includes some messages logged during startup, some messages related to mail and the kernel, and messages related to authentication.
Room Answers | TryHackMe Log Universe
What is the Thread ID of the user creation event?
744
What is the account name that creates the new user?
Administrator
What is the name of the created account name?
Adminstrator
What is the “SubjectLogonID” value of the “account reset attempt” event?
0x4B666
What is the number of successful sync events done by the NTPD service?
28
Which user logged in using the SSHD service?
THMjohn-p
What is the PID number of the Apache web server?
5678
Which service is stopped due to RAM issues?
nginx
Which service is stopped due to CPU issues?
Apache Tomcat
What is the timestamp of the second time reset event?
03/27 15:51:56
Use the Access.log file to answer the first few questions.
What is the user’s IP address who accessed “/secure.html”? (In defanged format)
203[.]45[.]78[.]102
Which user failed to access the settings page?
buyer986
Which user accessed the malicious page?
adv8779
What is the user agent that discovered the malicious page?
nikto/2.1.5 (OpenVAS)
Use the Error.log file to answer the rest of the questions.
What is the PID of the process that causes permission error?
7654
What is the request that contains an invalid method?
\x80\x03\x01\x00\x01
What pattern match triggered the access error in ModSecurity?
“SELECT.+FROM”
What is the path value of the file that tries to remove data from the system?
/etc/httpd/conf.d/malicious.conf