Splunk Medium Level (TryHackMe)

This room by TryHackMe explores the process of investigating a compromised web server using Splunk SIEM. It focuses on analyzing various Windows data sources such as Sysmon, PowerShell, and event logs to identify indicators of compromise (IOCs). By correlating events, analyzing fields, and pivoting data, anomalies can be detected and the attacker’s actions can be reconstructed. This exercise aims to improve log analysis skills for efficient threat detection and response.






SOC Analyst Johny has observed some anomalous behaviours in the logs of a few Windows machines. It looks like the adversary has access to some of these machines and has successfully created a backdoor. His manager has asked him to pull the logs from the suspected hosts and ingest them into Splunk for a quick investigation. Our task as SOC Analyst is to examine the logs and identify the anomalies.


  • On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?

Answer: A1berto


Event ID 4720 is logged when a user account is created.



  • On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?
Answer: HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto

This is found by querying the Sysmon events that record modifications of a registry value.
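The two steps above (find the account created by Event ID 4720, then find the registry write that backs it) can be replayed offline. The following is an added example, not code from the room or from TryHackMe: it runs the same logic over a handful of constructed Windows and Sysmon records, with the SPL a Splunk analyst would type for each step given in the comments. The host name, the creating account and the lsass.exe image path are assumptions; the username and registry path are the ones from the room.

```python
"""Correlate a 4720 account-creation event with the Sysmon registry write
for the same user. Added example on constructed records, not room data."""
import re

# Constructed sample events, shaped like the fields Splunk extracts from
# Windows XML event logs. Host, SubjectUserName and Image are assumptions.
SAMPLE_EVENTS = [
    # Security log 4720: "A user account was created".
    # SPL: index=main EventID=4720 | table Computer SubjectUserName TargetUserName
    {"EventID": "4720", "Computer": "WORKSTATION6",
     "SubjectUserName": "Administrator", "TargetUserName": "A1berto"},
    # Sysmon Event ID 13 (RegistryEvent, value set) for the new SAM entry.
    # SPL: index=main EventID=13 A1berto | table Image TargetObject
    {"EventID": "13", "Computer": "WORKSTATION6", "EventType": "SetValue",
     "Image": r"C:\Windows\System32\lsass.exe",
     "TargetObject": r"HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto"},
    # Unrelated registry write, present so the correlation has noise to ignore.
    {"EventID": "13", "Computer": "WORKSTATION6", "EventType": "SetValue",
     "Image": r"C:\Windows\Explorer.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    # A benign logon, ignored by both queries.
    {"EventID": "4624", "Computer": "WORKSTATION6", "TargetUserName": "Alberto"},
]

# Local accounts live under SAM\Domains\Account\Users\Names\<username>.
SAM_NAMES_KEY = re.compile(
    r"\\SAM\\Domains\\Account\\Users\\Names\\(?P<user>[^\\]+)$", re.I)


def created_accounts(events):
    """Return (host, creator, new_user) for every 4720 event."""
    return [(e["Computer"], e.get("SubjectUserName", ""), e["TargetUserName"])
            for e in events if e.get("EventID") == "4720"]


def sam_registry_writes(events):
    """Return {username: full registry path} for Sysmon value-set events
    that touch the SAM Names key."""
    hits = {}
    for e in events:
        if e.get("EventID") != "13":
            continue
        m = SAM_NAMES_KEY.search(e.get("TargetObject", ""))
        if m:
            hits[m.group("user")] = e["TargetObject"]
    return hits


def correlate_backdoor_accounts(events):
    """Join each account creation with the registry write for that user.
    In Splunk the same join is a search over both Event IDs followed by
    stats values(TargetObject) by Computer and the username field."""
    reg = sam_registry_writes(events)
    return [{"host": host, "created_by": creator, "user": user,
             "registry_key": reg.get(user)}
            for host, creator, user in created_accounts(events)]


if __name__ == "__main__":
    for hit in correlate_backdoor_accounts(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['created_by']} created {hit['user']} "
              f"-> {hit['registry_key']}")
```

The registry pattern anchors on the SAM Names key rather than on the username, so the same function surfaces any newly created local account, not only the one from this room.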


  • Examine the logs and identify the user that the adversary was trying to impersonate.
Answer: Alberto

  • What is the command used to add a backdoor user from a remote computer?
Answer: "C:\windows\System32\Wbem\WMIC.exe" /node:WORKSTATION6 process call create "net user /add A1berto paw0rd1"

Select the "CommandLine" field. Among its values, the first command is the one a remote user would use, because wmic is a command-line tool that can be leveraged to execute commands on a remote host.

  • How many times was the login attempt from the backdoor user observed during the investigation?

The query filters for successful (4624) and failed (4625) logon events whose target account is the backdoor user.

Answer: 0

Besides the query shown in the video, you can also use index="main" EventID="4625" OR EventID="4624" A1berto; the result will be 0.
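The three questions above (the remote WMIC command, the impersonated user, and the backdoor user's logon count) are one investigation thread, so a single added example covers them. This is not code from the room or from TryHackMe: it parses a WMIC /node process-creation command line, pulls the account name out of the embedded net user command, flags it as a look-alike of a legitimate account by collapsing digit-for-letter substitutions, and counts 4624/4625 events for it. The source host name, the list of known accounts and the logon records are constructed assumptions; the WMIC command line is the room's.

```python
"""Parse WMIC remote execution, flag a look-alike username and count its
logon attempts. Added example on constructed records, not room data."""
import re
from collections import Counter

# Constructed: accounts known to be legitimate on the target host.
KNOWN_USERS = {"Alberto", "Administrator"}

# Constructed events. The CommandLine reuses the room's value; the logon
# records are chosen so that the backdoor account never logs on.
SAMPLE_EVENTS = [
    {"EventID": "1", "Computer": "HOST1",  # Sysmon process creation, host assumed
     "CommandLine": r'"C:\windows\System32\Wbem\WMIC.exe" /node:WORKSTATION6 '
                    r'process call create "net user /add A1berto paw0rd1"'},
    {"EventID": "4624", "Computer": "WORKSTATION6", "TargetUserName": "Alberto"},
    {"EventID": "4625", "Computer": "WORKSTATION6", "TargetUserName": "Administrator"},
    {"EventID": "4624", "Computer": "WORKSTATION6", "TargetUserName": "Alberto"},
]

# wmic ... /node:<host> process call create "<command>"
WMIC_REMOTE = re.compile(
    r'wmic(?:\.exe)?"?\s+/node:(?P<node>\S+)\s+process\s+call\s+create\s+"?(?P<cmd>[^"]+)',
    re.I)

# Digits and symbols commonly swapped for the letters they resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "|": "l"})


def parse_wmic_remote_exec(cmdline):
    """Return {'node': target host, 'command': remote command} or None.
    SPL to list candidates: index=main EventID=1 CommandLine="*wmic*" CommandLine="*/node:*"
    """
    m = WMIC_REMOTE.search(cmdline)
    if not m:
        return None
    return {"node": m.group("node").strip('"'), "command": m.group("cmd").strip()}


def net_user_added(command):
    """Return the account created by a 'net user ... /add' command, else None.
    Handles both 'net user /add NAME PASS' and 'net user NAME PASS /add'."""
    tokens = command.split()
    lowered = [t.lower() for t in tokens]
    if "/add" not in lowered or "user" not in lowered:
        return None
    for tok in tokens[lowered.index("user") + 1:]:
        if not tok.startswith("/"):
            return tok
    return None


def lookalike_of(name, known_users):
    """Return the legitimate account that `name` imitates, or None.
    A1berto and Alberto normalize to the same string; an exact
    (case-insensitive) match with a known account is not a look-alike."""
    norm = name.lower().translate(HOMOGLYPHS)
    for user in known_users:
        if user.lower() != name.lower() and user.lower().translate(HOMOGLYPHS) == norm:
            return user
    return None


def logon_attempts(events, user):
    """Count 4624 (success) and 4625 (failure) events targeting `user`.
    SPL: index=main (EventID=4624 OR EventID=4625) TargetUserName="A1berto" | stats count
    """
    counts = Counter(e["TargetUserName"] for e in events
                     if e.get("EventID") in ("4624", "4625") and "TargetUserName" in e)
    return counts.get(user, 0)


def investigate(events, known_users):
    """One finding per WMIC remote execution seen in the event set."""
    findings = []
    for e in events:
        parsed = parse_wmic_remote_exec(e.get("CommandLine", ""))
        if not parsed:
            continue
        user = net_user_added(parsed["command"])
        findings.append({
            "source_host": e.get("Computer"),
            "target_host": parsed["node"],
            "new_user": user,
            "impersonates": lookalike_of(user, known_users) if user else None,
            "logon_attempts": logon_attempts(events, user) if user else None,
        })
    return findings


if __name__ == "__main__":
    for f in investigate(SAMPLE_EVENTS, KNOWN_USERS):
        print(f)
```

Counting by TargetUserName is what separates the two look-alike accounts: the same constructed data returns 2 logons for Alberto and 0 for A1berto, which is why a free-text search for the backdoor name is the right pivot here.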


  • What is the name of the infected host on which suspicious PowerShell commands were executed?
Answer: James.browne


  • PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?
Answer: 79



  • An encoded PowerShell script from the infected host initiated a web request. What is the full URL?
Answer: hxxp[://]10[.]10[.]10[.]5/news[.]php
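Recovering that URL means decoding the -EncodedCommand argument (Base64 over the UTF-16LE bytes of the script) and then defanging the result so it is safe to paste into a report. The following is an added example, not code from the room or from TryHackMe. The encoded payload is constructed inside the block from a harmless Invoke-WebRequest to the room's URL, so the script runs offline and never contacts anything; the process name and the -NoProfile switch in the sample command line are assumptions.

```python
"""Decode a PowerShell -EncodedCommand argument, extract URLs and defang
them. Added example; the sample command line is constructed here."""
import base64
import re

# PowerShell accepts -e, -ec, -enc and -EncodedCommand for the Base64 argument.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL = re.compile(r"https?://[^\s'\"<>)]+")


def encode_command(script):
    """Build the argument the way PowerShell expects; used only to
    construct the sample below."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the clear-text script hidden in an encoded argument, or None
    when the command line is not encoded or the Base64 is malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def defang(url):
    """Make a URL unclickable: http -> hxxp, '://' -> '[://]', '.' -> '[.]'."""
    return (re.sub(r"^http", "hxxp", url, flags=re.I)
            .replace("://", "[://]")
            .replace(".", "[.]"))


def extract_urls(cmdline):
    """Decode the script if it is encoded and return every URL, defanged."""
    script = decode_encoded_command(cmdline) or cmdline
    return [defang(u) for u in URL.findall(script)]


# Constructed sample, shaped like the CommandLine field of a Sysmon Event ID 1
# or Security 4688 record. The URL is the one from the room.
SAMPLE_SCRIPT = "Invoke-WebRequest -Uri 'http://10.10.10.5/news.php' -UseBasicParsing"
SAMPLE_CMDLINE = "powershell.exe -NoProfile -Enc " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMDLINE))
    print(extract_urls(SAMPLE_CMDLINE))
```

Where PowerShell script block logging is enabled, as it is on this host, Event ID 4104 in the PowerShell Operational log already holds the decoded script text; the decoder is for the process-creation records, where only the encoded form appears.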



