CyberDefender: BlueTeam Elastic Challenge

Mohitrajai
9 min read · Aug 20, 2022


Q-1) Who downloads the malicious file which has a double extension?

  • In Elastic, open Security > Overview to see the alerts displayed there.
  • Then click View alerts in the top-right corner.
  • In the search bar, type file.name: *.*.exe to filter for files with a double extension.
  • The user.name column now shows who downloaded that malicious file.

Q-2) What is the hostname he was using?

The output of the first question also shows the host name in the host name column.

Q-3) What is the name of the malicious file?

The output of the first question also shows the name of the malicious file.
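The same triage logic as the Kibana filter above, run over a handful of constructed ECS-style alert documents (added example, not part of the original write-up; the users, hosts and file names are made up). It also shows why a plain wildcard such as `*.*.exe` is both over-broad (any versioned file name matches) and too narrow (`.scr` or `.bat` behind a decoy extension is missed), and a stricter check that looks for a document-like extension hiding an executable one:

```python
import re
from fnmatch import fnmatch

# Constructed ECS-style file events standing in for Elastic alerts (not the challenge's data).
EVENTS = [
    {"user.name": "alice", "host.name": "DESKTOP-1", "file.name": "report.pdf.exe"},
    {"user.name": "bob", "host.name": "DESKTOP-2", "file.name": "setup.exe"},
    {"user.name": "carol", "host.name": "DESKTOP-3", "file.name": "installer.v2.exe"},
    {"user.name": "dave", "host.name": "DESKTOP-4", "file.name": "photo.jpg.scr"},
]

# Extensions a user expects to be a document or picture, and executable extensions that
# are commonly hidden behind them in phishing lures.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "zip"}
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs"}
DOUBLE_EXT = re.compile(r"\.(?P<decoy>[a-z0-9]+)\.(?P<real>[a-z0-9]+)$", re.IGNORECASE)


def kql_wildcard_matches(events, pattern):
    """Mimic the Kibana wildcard filter file.name: *.*.exe with a shell-style glob."""
    return [e for e in events if fnmatch(e["file.name"].lower(), pattern.lower())]


def is_decoy_double_extension(name):
    """True when the last two extensions are <decoy>.<executable>, e.g. invoice.pdf.exe."""
    m = DOUBLE_EXT.search(name)
    return bool(m) and m["decoy"].lower() in DECOY_EXTS and m["real"].lower() in EXEC_EXTS


def double_extension_hits(events):
    """Return (user, host, file) for every event that looks like a disguised executable."""
    return [(e["user.name"], e["host.name"], e["file.name"])
            for e in events if is_decoy_double_extension(e["file.name"])]
```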

Q-4) What is the attacker's IP address?

In the alerts list, open the alert and click Analyze event.

The alert details show the attacker's IP address.

Q-5) Another user with high privilege runs the same malicious file. What is the username?

Searching the security events by file name already revealed one suspicious host.

The same results show that the user “cybery” also ran the malicious file.

Q-6) The attacker was able to upload a DLL file of size 8704. What is the file name?

Filter the alerts with file.name: *.dll.

The file with size 8704 is named “mCblHDgWP.dll”.

Q-7) What parent process name spawns cmd with NT AUTHORITY privilege and pid 10716?

Search for process.pid: 10716 and process.name: "cmd.exe".

Clicking Analyze event clearly shows that the parent process of “cmd.exe” is “rundll32.exe”.

Q-8) The previous process was able to access a registry. What is the full path of the registry?

We already know the parent process is rundll32.exe. Clicking the registry node in the analyzer shows the exact path of the registry key it accessed.

Q-9) PowerShell process with pid 8836 changed a file in the system. What was that filename?

Search for process.name: "powershell.exe" and process.pid: 8836; this returns the event shown below:

Click Analyze event, as below, to view the process structure:

Click the files node created by powershell.exe to see the file it created:

The file name also appears in the file details shown below:

Q-10) PowerShell process with pid 11676 created files with the ps1 extension. What is the first file that has been created?

Search for process.pid: 11676 and file.extension: ps1 to find all events related to this process:

The first file created with the ps1 extension is shown below:

Click Analyze event to see that PowerShell created 6 files:

The name of the first file created is:
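Questions 7 to 10 all come down to walking a process tree and ordering file events by time. The following added example (not the challenge's data or Elastic's own code; pids, names, paths and timestamps are constructed) does the same over ECS-style documents: resolve a process's parent through process.parent.pid, list the registry paths a pid touched, and return a pid's file creations in true chronological order, since Discover lists newest first and the "first" file is the last row on screen:

```python
# Constructed ECS-style process, registry and file events standing in for the challenge's
# Elastic documents (pids, names, paths and timestamps are made up).
EVENTS = [
    {"@timestamp": "2022-01-01T10:00:00Z", "event.category": "process", "process.pid": 4000,
     "process.name": "explorer.exe", "process.parent.pid": 1},
    {"@timestamp": "2022-01-01T10:00:05Z", "event.category": "process", "process.pid": 5000,
     "process.name": "rundll32.exe", "process.parent.pid": 4000},
    {"@timestamp": "2022-01-01T10:00:09Z", "event.category": "process", "process.pid": 6000,
     "process.name": "cmd.exe", "process.parent.pid": 5000, "user.name": "NT AUTHORITY\\SYSTEM"},
    {"@timestamp": "2022-01-01T10:00:10Z", "event.category": "registry", "process.pid": 5000,
     "registry.path": "HKLM\\SOFTWARE\\Example\\Run\\demo"},
    {"@timestamp": "2022-01-01T10:01:30Z", "event.category": "file", "event.action": "creation",
     "process.pid": 7000, "file.name": "second.ps1", "file.extension": "ps1"},
    {"@timestamp": "2022-01-01T10:01:05Z", "event.category": "file", "event.action": "creation",
     "process.pid": 7000, "file.name": "first.ps1", "file.extension": "ps1"},
    {"@timestamp": "2022-01-01T10:01:00Z", "event.category": "file", "event.action": "creation",
     "process.pid": 7000, "file.name": "notes.txt", "file.extension": "txt"},
]


def find_process(events, pid):
    return next((e for e in events if e.get("event.category") == "process" and e["process.pid"] == pid), None)


def ancestry(events, pid):
    """Process names from pid up to the root via process.parent.pid; stops on an unknown pid or a cycle."""
    chain, seen = [], set()
    while pid not in seen:
        seen.add(pid)
        proc = find_process(events, pid)
        if proc is None:
            break
        chain.append(proc["process.name"])
        pid = proc["process.parent.pid"]
    return chain


def parent_name_of(events, pid):
    chain = ancestry(events, pid)
    return chain[1] if len(chain) > 1 else None


def registry_paths(events, pid):
    return sorted({e["registry.path"] for e in events
                   if e.get("event.category") == "registry" and e["process.pid"] == pid})


def files_created(events, pid, extension=None):
    """File creations by a pid in chronological order (Discover's default listing is newest first)."""
    hits = [e for e in events if e.get("event.category") == "file" and e.get("event.action") == "creation"
            and e["process.pid"] == pid and (extension is None or e["file.extension"] == extension)]
    return [e["file.name"] for e in sorted(hits, key=lambda e: e["@timestamp"])]
```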

Q-11) What is the machine's IP address that is in the same LAN as a windows machine?

Under Security > Hosts we can see the list of hosts in Elastic:

The Windows host named Desktop-Q1SL9P2 has the IP address 192.168.10.10:

The Ubuntu machine has an IP address in the same range as the Windows host, which means it is on the same network:

Q-12) The attacker login to the Ubuntu machine after a brute force attack. What is the username he was successfully login with?

The Ubuntu machine shows 520 failed login attempts:

There are many failed attempts for the root and salem users, so the attacker most likely gained access to one of those accounts and then entered the Ubuntu system over SSH:

The SSH logs of the Ubuntu machine can tell us which login succeeded; we used the following Kibana search to find that login activity:
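The same reasoning, the failure count per user followed by the one login that succeeded, expressed as a check over constructed sshd auth.log lines (added example, not from the challenge; the addresses are RFC 5737 documentation ranges). It counts prior failures per source address rather than per user, so a password spray that fails once on many accounts before succeeding is still caught:

```python
import re
from collections import Counter, defaultdict

# Constructed sshd auth.log lines standing in for the Ubuntu host's SSH events
# (not the challenge's data; addresses are RFC 5737 documentation ranges).
AUTH_LOG = """\
Jan 10 10:00:01 ubuntu sshd[1001]: Failed password for root from 203.0.113.5 port 50001 ssh2
Jan 10 10:00:02 ubuntu sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 50002 ssh2
Jan 10 10:00:03 ubuntu sshd[1003]: Failed password for salem from 203.0.113.5 port 50003 ssh2
Jan 10 10:00:04 ubuntu sshd[1004]: Failed password for salem from 203.0.113.5 port 50004 ssh2
Jan 10 10:00:05 ubuntu sshd[1005]: Accepted password for salem from 203.0.113.5 port 50005 ssh2
Jan 10 10:00:06 ubuntu sshd[1006]: Accepted publickey for deploy from 198.51.100.7 port 50006 ssh2
"""

SSHD = re.compile(r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
                  r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_auth_log(text):
    """Turn sshd lines into small ECS-like dicts; lines that are not login results are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD.search(line)
        if m:
            events.append({"user.name": m["user"], "source.ip": m["ip"],
                           "event.outcome": "success" if m["outcome"] == "Accepted" else "failure"})
    return events


def failures_per_user(events):
    return Counter(e["user.name"] for e in events if e["event.outcome"] == "failure")


def brute_force_logins(events, threshold=2):
    """Successful logins from a source that already had at least `threshold` failures.

    Counting per source rather than per user also catches password spraying, where each
    account sees a single failure but one source hammers many accounts before it succeeds."""
    failures_by_ip = defaultdict(int)
    flagged = []
    for e in events:  # events are assumed to be in time order, as in the log file
        ip = e["source.ip"]
        if e["event.outcome"] == "failure":
            failures_by_ip[ip] += 1
        elif failures_by_ip[ip] >= threshold:
            flagged.append((e["user.name"], ip, failures_by_ip[ip]))
    return flagged
```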

Q-13) After that attacker downloaded the exploit from the GitHub repo using wget. What is the full URL of the repo?

We already know the attacker used the salem account and targeted the Ubuntu machine over SSH. To find the URL used to download the GitHub repository, we look at the events for the Ubuntu host and the salem user together:

There are many events from the host ubuntu and the user salem, but the question says the attacker used the wget command, so we search for that:

In the wget process, process.args shows the URL of the Python script the attacker used:

Q-14) After the attacker runs the exploit, which spawns a new process called pkexec, what is the process's md5 hash?

We already know the attacker is working on the Ubuntu machine, and the question gives the process name, so we search with the following query:

In the analyzer we can see the pkexec process; clicking it shows all of its details, including the hash:

Q-15) Then attacker gets an interactive shell by running a specific command on the process id 3011 with the root user. What is the command?

The question gives the process id and the host name, so we search Elastic for that process id on the host Ubuntu:

Clicking the analyzer shows the details of the process the attacker executed:

The process args show bash, so that is the command the attacker used; looking at the full command in the Kibana logs shows it was bash -i:

Q-16) What is the hostname which alert signal.rule.name: "Netcat Network Activity"?

We already know the attacker gained access to two systems and then tried to reach the web server and exploit a vulnerability. Search the logs for signal.rule.name: "Netcat Network Activity":

The search shows that the host.name used by the attacker is CentOS:

Q-17) What is the username who ran netcat?

To find the user who ran netcat, first search the logs for process.args: "netcat" and event.action: exec:

The user.name field shows which user ran the netcat command:

Q-18) What is the parent process name of netcat?

Starting from the question 17 results, add the process.parent.name field from the field list to see the parent process of the netcat command:

Q-19) If you focus on nc process, you can get the entire command that the attacker ran to get a reverse shell. Write the full command?

Starting from the question 18 results, add the command line field to see the entire command the attacker used, like this:

Q-20) From the previous three questions, you may remember a famous java vulnerability. What is it?

Log4shell

Q-21) What is the entire log file path of the “solr” application?

We already know the application name is “solr”, so we can find its log file with the Kibana search log.file.path:

The path is /var/solr/logs/solr.log

Q-22) What is the path that is vulnerable to log4j?

Question 21 gave the path of the log file where the logs are stored; expanding that alert shows the entire vulnerable path:

After expanding the alert, the message field shows the vulnerable path: path=/admin/cores

Q-23) What is the GET request parameter used to deliver log4j payload?

In the same message that showed the vulnerable path we can also see the GET request:

The GET request parameter is params=(foo

Q-24) What is the JNDI payload that is connected to the LDAP port?

JNDI (Java Naming and Directory Interface) is the Java API that provides connections to systems such as databases or messaging systems.

In /var/solr/logs/solr.log the message field shows the JNDI query passed to LDAP:
