Investigate The Intrusion Attack using Splunk with TryHackMe:
New Hire Old Artifacts


The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.

Now, I am trying to investigate the intrusion attack using Splunk with TryHackMe.

Room URL: https://tryhackme.com/room/newhireoldartifacts

Scenario:

You are a SOC Analyst for an MSSP (Managed Security Service Provider) company called TryNotHackMe.

A newly acquired customer (Widget LLC) was recently onboarded with the managed Splunk service. The sensor is live, and all the endpoint events are now visible on TryNotHackMe’s end. Widget LLC has some concerns with the endpoints in the Finance Dept, especially an endpoint for a recently hired Financial Analyst. The concern is that there was a period (December 2021) when the endpoint security product was turned off, but an official investigation was never conducted.

Your manager has tasked you to sift through the events of Widget LLC’s Splunk instance to see if there is anything that the customer needs to be alerted on.

Question 1:

A Web Browser Password Viewer is executed on the infected machine. What is the name of the binary? Enter the full path.

Answer:

In the Splunk search bar, enter “password viewer” and press Enter.


The search results then show an event whose Image field (the image path) matches the clue given in the question.

Question 2:

What is listed as the company name?

Answer:

In the results for the same query, the Company field shows the name NirSoft.

Question 3:

Another suspicious binary running from the same folder was executed on the workstation. What was the name of the binary? What is listed as its original filename? (format: file.xyz,file.xyz)

Answer:

The question hints that the binary ran from the same folder, and that folder path includes the username. Therefore, we search based on the username of the workstation, namely FINANCE01.

To filter by username, select User in the Interesting Fields column.

Then, search for the folder location containing the username you obtained, FINANCE01, and filter again by selecting Image.

The Image field lists the executables seen in that folder, and among them we find a file called IonicLarge.exe.

So, how do we get the original filename?

We start by searching for the file name IonicLarge.exe in the search query.

In the results for IonicLarge.exe, we filter the fields on OriginalFileName.

Finally, we find the Original Filename, which is PalitExplorer.exe.

Question 4:

The binary from the previous question made two outbound connections to a malicious IP address. What was the IP address? Enter the answer in a defang format.

Answer:

To find the IP address with two outbound connections, filter the Interesting Fields on destination_ip. The IP address 2[.]56[.]59[.]42 has 2 outbound connections. The defanged format replaces each “.” with “[.]” so the address cannot be accidentally clicked or resolved.
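The two checks behind Q3 and Q4 (an on-disk name that differs from the PE's OriginalFileName, and outbound connections counted per destination) can be expressed as plain triage logic. The Python below is an added example, not the walkthrough's or Splunk's code; the Sysmon-style events, the Downloads folder path and the 10.0.0.5 address are constructed placeholders, since the page gives only the file names and the malicious IP.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Constructed Sysmon-style events, not the room's data. EventID 1 = process
# creation, EventID 3 = network connection; field names follow Sysmon's schema.
# The Downloads folder is a placeholder: the page does not give the real path.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\FINANCE01\Downloads\IonicLarge.exe",
     "OriginalFileName": "PalitExplorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
    {"EventID": 3, "Image": r"C:\Users\FINANCE01\Downloads\IonicLarge.exe",
     "Initiated": "true", "DestinationIp": "2.56.59.42", "DestinationPort": 80},
    {"EventID": 3, "Image": r"C:\Users\FINANCE01\Downloads\IonicLarge.exe",
     "Initiated": "true", "DestinationIp": "2.56.59.42", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\FINANCE01\Downloads\IonicLarge.exe",
     "Initiated": "false", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]

def name_mismatches(events):
    """(on-disk name, OriginalFileName) pairs that differ: a renamed binary is
    a classic masquerading sign and is exactly what Q3 surfaces."""
    hits = []
    for e in events:
        if e["EventID"] != 1 or not e.get("OriginalFileName"):
            continue
        disk_name = PureWindowsPath(e["Image"]).name
        if disk_name.lower() != e["OriginalFileName"].lower():
            hits.append((disk_name, e["OriginalFileName"]))
    return hits

def outbound_by_destination(events, image_name):
    """Outbound (Initiated=true) connections per destination IP for the given
    image; inbound hits on the same binary are ignored (Q4)."""
    counts = Counter()
    for e in events:
        if e["EventID"] != 3 or e["Initiated"] != "true":
            continue
        if PureWindowsPath(e["Image"]).name.lower() == image_name.lower():
            counts[e["DestinationIp"]] += 1
    return counts

def defang(ip):
    """Defang for reporting: 2.56.59.42 -> 2[.]56[.]59[.]42."""
    return ip.replace(".", "[.]")

if __name__ == "__main__":
    print("name mismatches:", name_mismatches(EVENTS))
    for ip, n in outbound_by_destination(EVENTS, "IonicLarge.exe").items():
        print(f"{defang(ip)}: {n} outbound connection(s)")
```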

Question 5:

The same binary made some changes to a registry key. What was the key path?

Answer:

Still in the same search query, we look at the TargetObject field, which records the registry key that was changed. Click “show all 24 lines” to see the fields obtained in detail.

I got the path HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, which is the registry key that was changed.

Question 6:

Some processes were killed and the associated binaries were deleted. What were the names of the two binaries? (format: file.xyz,file.xyz)

Answer:

The question hints that the processes were killed with the command taskkill /im. So, we search for that command and then filter by selecting CommandLine.

That gives the 2 binary names that were killed and deleted with the taskkill /im command.

Question 7:

The attacker ran several commands within a PowerShell session to change the behaviour of Windows Defender. What was the last command executed in the series of similar commands?

Answer:

Enter the word powershell in the search field. Then, filter fields by selecting CommandLine.

After that, a series of commands appears, each one changing the behaviour of Windows Defender in a similar way. Click the command.

The last command executed in the series is: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True

Question 8:

Based on the previous answer, what were the four IDs set by the attacker? Enter the answer in order of execution. (format: 1st,2nd,3rd,4th)

Answer:

Still in the same search results, look at the ThreatIDDefaultAction_Ids field of each of the similar commands. It shows that there are 4 IDs set by the attacker.
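Because Splunk lists the newest event first, the execution order asked for in Q8 comes from the timestamps, not from the order of the result list. The Python below is an added example, not the walkthrough's or Splunk's code: it parses the WMIC call quoted in Q7 and returns the ThreatIDDefaultAction_Ids values in execution order; the timestamps and the three IDs other than 2147735503 are constructed placeholders. Actions=6 is Defender's Allow action, so each call exempts one threat ID from detection, which is why this command pattern is worth alerting on.

```python
import re

# Constructed (timestamp, CommandLine) records, not the room's data. The command
# template is the one quoted in the walkthrough; 1111111111, 2222222222 and
# 3333333333 are placeholder IDs, not real Defender threat IDs.
DEFENDER_CMD = (r"powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender "
                r"PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids={} "
                r"ThreatIDDefaultAction_Actions=6 Force=True")
RECORDS = [  # newest first, as a Splunk result list would be
    ("2021-12-01T10:03:00", DEFENDER_CMD.format("2147735503")),
    ("2021-12-01T10:02:00", DEFENDER_CMD.format("3333333333")),
    ("2021-12-01T10:01:00", DEFENDER_CMD.format("2222222222")),
    ("2021-12-01T10:00:00", DEFENDER_CMD.format("1111111111")),
    ("2021-12-01T09:00:00", "powershell Get-Date"),
]

MP_PREF_RE = re.compile(r"\bMSFT_MpPreference\b", re.IGNORECASE)
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_mp_preference_call(cmdline):
    """Key=value arguments of a WMIC MSFT_MpPreference call, or None if the
    command line is not one. Case-insensitive because WMIC is."""
    if not MP_PREF_RE.search(cmdline):
        return None
    return dict(KV_RE.findall(cmdline))

def threat_ids_in_order(records):
    """ThreatIDDefaultAction_Ids values in execution (timestamp) order (Q8)."""
    ids = []
    for _, cmd in sorted(records):
        args = parse_mp_preference_call(cmd)
        if args and "ThreatIDDefaultAction_Ids" in args:
            ids.append(args["ThreatIDDefaultAction_Ids"])
    return ids

def last_defender_command(records):
    """Most recent Defender-preference change in the series, or None (Q7)."""
    hits = [r for r in records if parse_mp_preference_call(r[1])]
    return max(hits)[1] if hits else None

if __name__ == "__main__":
    print("IDs in execution order:", ",".join(threat_ids_in_order(RECORDS)))
    print("last command:", last_defender_command(RECORDS))
```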

Question 9:

Another malicious binary was executed on the infected workstation from another AppData location. What was the full path to the binary?

Answer:

Enter appdata in the search field, then filter fields to Image to get the results.

There is a path named C:\Users\Finance01\AppData\Roaming\EasyCalc\EasyCalc.exe belonging to user FINANCE01.

Question 10:

What were the DLLs that were loaded from the binary from the previous question? Enter the answers in alphabetical order. (format: file1.dll,file2.dll,file3.dll)

Answer:

Still with the same search, we change the filter field to ImageLoad to find the DLLs.

The DLLs found are nw_elf.dll, ffmpeg.dll and nw.dll, loaded from the EasyCalc folder, whose binary had previously been identified as malicious.
