Benign

Scenario: Identify and Investigate an Infected Host

One of the client’s IDS indicated a potentially suspicious process execution indicating one of the hosts from the HR department was compromised. Some tools related to network information gathering / scheduled tasks were executed which confirmed the suspicion. Due to limited resources, we could only pull the process execution logs with Event ID: 4688 and ingested them into Splunk with the index win_eventlogs for further investigation.

About the Network Information

The network is divided into three logical segments. It will help in the investigation.

**IT Department **

James
Moin
Katrina

**HR department **

Haroon
Chris
Diana

Marketing department

Bell
Amelia
Deepak

Answer the questions below

How many logs are ingested from the month of March?

13959

Imposter Alert: There seems to be an imposter account observed in the logs, what is the name of that user?

index=win_eventlogs| rare limit=20 UserName

Amel1a

Which user from the HR department was observed to be running scheduled tasks?

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688

index=win_eventlogs EventID=4688

index=win_eventlogs "schtasks"

Chris.fort

Which user from the HR department executed a system process (LOLBIN) to download a payload from a file-sharing host. Explore lolbas-project.github.io/ to find binaries used to download payloads

index=win_eventlogs| rare limit=20 ProcessName

https://lolbas-project.github.io/#certu

to download

index=win_eventlogs certutil.exe

haroon

To bypass the security controls, which system process (lolbin) was used to download a payload from the internet?

certutil.exe

What was the date that this binary was executed by the infected host? format (YYYY-MM-DD)

2022-03-04

Which third-party site was accessed to download the malicious payload?

controlc.com

What is the name of the file that was saved on the host machine from the C2 server during the post-exploitation phase?