🙌
Writeups
LearningLinkedIn
  • The Great Escape
  • Lookback
  • Outlook NTLM Leak
  • Year of the Fox
  • PS Eclipse
  • Eavesdropper
  • Tony the Tiger
  • Intro to Offensive Security
  • MD2PDF
  • Content Security Policy
  • Agent T
  • Introduction to Flask
  • Atlas
  • Bugged
  • Sigma
  • Intro to Cloud Security
  • Holo
  • CCT2019
  • Opacity
  • Empline
  • Phishing Emails 5
  • BlueTeam
  • Tempest
  • hackerNote
  • Watcher
  • CMesS
  • HA Joker CTF
  • OWASP Top 10 2021
  • Metasploit
  • Oh My WebServer
  • Road
  • Anonymous
  • Ollie
  • Training for New Analyst
  • Tokyo Ghoul
  • Dependency Management
  • KoTH Food CTF
  • Android Malware Analysis
  • Intro To Pwntools
  • AD Certificate Templates
  • CVE 2022 26923
  • Basic Static Analysis
  • Introduction To Honeypots
  • Intro to Pipeline Automation
  • Intro to Containerisation
  • ARP Spoofing
  • Mindgames
  • Brute Force Heroes
  • SQLMAP
  • Insekube
  • TakeOver
  • Boiler CTF
  • GoldenEye
  • Splunk 3
  • Tempus Fugit Durius
  • Warzone 1
  • OWASP API Security Top 10 2
  • Temple
  • AllSignsPoint2Pwnage
  • OWASP API Security Top 10 1
  • Secret Recipe
  • NoNameCTF
  • Binex
  • Jack
  • Tactical Detection
  • Jurassic Park
  • DX1 Liberty Island
  • Brute
  • Biblioteca
  • Napping
  • Kubernetes for Everyone
  • 0day
  • Osiris
  • Set
  • NoSQL injection Basics
  • Warzone 2
  • Atlassian, CVE 2022 26134
  • Jason
  • VulnNet: Roasted
  • VulnNet Internal
  • VulnNet Node
  • Brooklyn Nine Nine
  • Thompson
  • The Cod Caper
  • Neighbour
  • ColddBox Easy
  • Library
  • All in One
  • Poster
  • Gallery
  • Cat Pictures
  • Boogeyman 1
  • Corridor
  • Team
  • Ra 2
  • Advent of Cyber 2022
  • Bookstore
  • Intro to Malware Analysis
  • TheHive Project
  • Velociraptor
  • KAPE
  • Lunizz CTF
  • Linux Forensics
  • DFIR An Introduction
  • Benign
  • Cyborg
  • Year of the rabbit
  • Blaster
  • Easy Peasy
  • Couch
  • Chocolate Factory
  • REmux The Tmux
  • Spring4Shell
  • Dirty Pipe
  • OverlayFS
  • Pwnkit
  • CTF collection Vol.2
  • Gotta Catch'em All!
  • Break Out The Cage
  • Bolt
  • Source
  • AttackerKB
  • Intro to Defensive Security
  • Careers in Cyber
  • OSI Model
  • Packets&Frames
  • Extending Your Network
  • How websites work
  • Putting it all together
  • Operating System Security
  • Network Security
  • Security Operations
  • Network Services
  • Network Services 2
  • Active Directory Basics
  • Attacking Kerberos
  • Subdomain Enumeration
  • Authentication Bypass
  • IDOR
  • File Inclusion
  • Masterminds
  • SSRF
  • Command Injection
  • Cross site Scripting
  • Burp Suite Extender
  • Burp Suite Intruder
  • Surfer
  • Willow
  • Conti
  • Unattended
  • Tardigrade
Powered by GitBook
On this page

Was this helpful?

Benign

Scenario: Identify and Investigate an Infected Host

One of the client’s IDS indicated a potentially suspicious process execution indicating one of the hosts from the HR department was compromised. Some tools related to network information gathering / scheduled tasks were executed which confirmed the suspicion. Due to limited resources, we could only pull the process execution logs with Event ID: 4688 and ingested them into Splunk with the index win_eventlogs for further investigation.

About the Network Information

The network is divided into three logical segments. It will help in the investigation.

**IT Department **

  • James

  • Moin

  • Katrina

**HR department **

  • Haroon

  • Chris

  • Diana

Marketing department

  • Bell

  • Amelia

  • Deepak

Answer the questions below

How many logs are ingested from the month of March?

13959

Imposter Alert: There seems to be an imposter account observed in the logs, what is the name of that user?

index=win_eventlogs| rare limit=20 UserName

Amel1a

Which user from the HR department was observed to be running scheduled tasks?

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688

index=win_eventlogs EventID=4688

or

index=win_eventlogs "schtasks"

Chris.fort

Which user from the HR department executed a system process (LOLBIN) to download a payload from a file-sharing host. Explore lolbas-project.github.io/ to find binaries used to download payloads

index=win_eventlogs| rare limit=20 ProcessName

https://lolbas-project.github.io/#certu

to download

index=win_eventlogs certutil.exe

haroon

To bypass the security controls, which system process (lolbin) was used to download a payload from the internet?

certutil.exe

What was the date that this binary was executed by the infected host? format (YYYY-MM-DD)

2022-03-04

Which third-party site was accessed to download the malicious payload?

controlc.com

What is the name of the file that was saved on the host machine from the C2 server during the post-exploitation phase?

benign.exe

The suspicious file downloaded from the C2 server contained malicious content with the pattern THM{..........}; what is that pattern?

https://controlc.com/548ab556

*THM{KJ&*H^B0}*

What is the URL that the infected host connected to?

https://controlc.com/548ab556

[[Investigating with Splunk]]

PreviousDFIR An IntroductionNextCyborg

Last updated 2 years ago

Was this helpful?