TryHackMe - Investigating with Splunk
Case Overview: SOC Analyst Johny has observed some anomalous behaviours in the logs of a few Windows machines. It looks like the adversary has access to some of these machines and successfully created some backdoor. His manager has asked him to pull those logs from suspected hosts and ingest them into Splunk for quick investigation. Our task as SOC Analyst is to examine the logs and identify the anomalies.
#1: How many events were collected and ingested in the index main?
"main" is the default Splunk index. Unless the Splunk user has created other indexes, data will be stored in the main index. We can find the total events in the main index by heading over to "Search & Reporting" on the left side of the screen, changing our preset to "All time" to get ALL the events, and searching
#2: On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?
At the beginning of this challenge, we were told that all events for this room will be in the index main. We can search index main for a specific Windows Event ID by using EventID=. When a new user account is created in Active Directory, the event ID will be logged as 4720. So our search query will be:
index=main EventID=4720
One event will show, and we will find our answer under "New Account:".
#3: On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?
We can add the username we now have and "registry" to the search. We get three events showing that a registry object was added, deleted, and set. The path of the registry key will be under TargetObject. We can also use "EventID=12" in our search. Event ID 12 represents a registry object creation or deletion.
#4: Examine the logs and identify the user that the adversary was trying to impersonate.
If we clear out everything from the search, get all the events for the main index, and click on users on the left-hand side, we can see a list of usernames in our logs. One of them looks very similar to the username created by the adversary. The similar-looking username is our answer.
#5: What is the command used to add a backdoor user from a remote computer?
We can search the main index followed by the adversary username. We are looking for a command, so we can click on the CommandLine field to bring up the values and get our answer.
#6: How many times was the login attempt from the backdoor user observed during the investigation?
We can search the main index with Category=logon, which returns 27 results. We can narrow this down by adding the adversary username.
#7: What is the name of the infected host on which suspicious PowerShell commands were executed?
PowerShell logging was enabled on this device, so we can see what commands were used. We can narrow down the logs by searching SourceName=PowerShell. We will see the contents of the commands under Message, and our answer will be under Hostname.
#8: PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?
PowerShell logging is recorded as Event ID 4103 for module logs, which show command/code execution. Therefore, we can search the main index with "EventID=4103" and get our answer.
#9: An encoded PowerShell script from the infected host initiated a web request. What is the full URL?
The PowerShell script can be found in the PowerShell logs:
index=main SourceName=PowerShell
Throw the base64-encoded script into CyberChef, or your decoder of choice. Read through the output. You will find a string within the message that is also encoded. Copy that string and decode it as well. This string is only part of the URL. Go back to the original decoded script and find the second half of the URL. Put the URL into CyberChef and use the "Defang URL" recipe.
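The same decode, decode again, join and defang sequence can be scripted instead of done by hand in CyberChef. This is an added example, not part of the original write-up: the sample script, the host c2.example.test, the path and all function names are constructed for illustration, and the nested string is assumed to be UTF-16LE like the outer script.

```python
import base64
import re

# Nested literal passed to [Convert]::FromBase64String('...')
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# Quoted string that looks like a URL path, e.g. '/dir/page.php'
PATH_LITERAL = re.compile(r"['\"](/[\w./-]+)['\"]")


def decode_ps(b64: str) -> str:
    """Decode base64 over UTF-16LE text, the encoding PowerShell uses
    for -EncodedCommand (assumed here for the nested string too)."""
    return base64.b64decode(b64.strip(), validate=True).decode("utf-16-le")


def defang(url: str) -> str:
    """Approximate CyberChef's "Defang URL" defaults: http, :// and dots."""
    return url.replace("http", "hxxp", 1).replace("://", "[://]").replace(".", "[.]")


def extract_url(encoded_command: str) -> str:
    """Decode the outer script, decode the nested literal, append the
    path found elsewhere in the script, and return the defanged URL."""
    script = decode_ps(encoded_command)
    inner = B64_LITERAL.search(script)
    if inner is None:
        raise ValueError("no nested FromBase64String literal found")
    base = decode_ps(inner.group(1))
    # Look for the path outside the nested literal so it cannot match itself.
    path = PATH_LITERAL.search(script.replace(inner.group(0), ""))
    return defang(base + (path.group(1) if path else ""))


def _encode(text: str) -> str:
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample, not taken from the room's logs.
SAMPLE_SCRIPT = (
    "$ser=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
    + _encode("http://c2.example.test")
    + "'));$t='/updates/check.php';$u=$ser+$t"
)
SAMPLE_ENCODED = _encode(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(extract_url(SAMPLE_ENCODED))
```

If the decoded output shows a NUL byte between every character in another tool, the text is UTF-16LE and needs the same decoding step used here.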