Scenario:
As a security engineer recalled to investigate a university environment, you’ve identified unusual network activities indicative of malicious intent. These anomalies, observed just six hours ago, suggest the operation of command and control communications along with other potentially harmful behaviors.
Your mission is to analyze recent network traffic logs to pinpoint and investigate malicious interactions. Identify command and control servers, and segregate malicious flows.
Q1. Can you identify the IP address from which the initial unauthorized access originated?
- Examining the available sourcetypes and fields shows that Suricata was running on the monitored host. Suricata writes its network events to eve.json, so the search can be narrowed to that source to find the relevant IP address.
- Using eventtype=suricata_eve_ids_attack, we can list the destination hosts this server communicated with. One destination stands out: nocomcom.com (195.88.191.59). The files{} fields of those events show malware being downloaded from this server, which marks the start of the initial attack.
- Answer: 195.88.191.59
Q2. What is the domain name of the attacker server?
- From Question 1, the domain associated with the IP address 195.88.191.59 is nocomcom.com.
- Answer: nocomcom.com
Q3. What is the IP address of the system that was targeted in this breach?
- From the events gathered above, the system that talked to the attacker server and downloaded the malware files appears as dest_ip: 147.32.84.165. (Suricata alert src_ip/dest_ip follow the direction of the packet that matched the rule, so for an alert that fires on the server's response the victim shows up as dest_ip.)
- Answer: 147.32.84.165
Q4. Identify all the unique files downloaded to the compromised host. How many of these files could potentially be malicious?
- Reusing the search from Q1 and adding dest="nocomcom.com", we can inspect the files{}.filename field to list the unique files fetched from the attacker server.
- Answer: 5
Q5. What is the sha256 hash of the malicious file disguised as a txt file?
- This question takes more work because it hinges on one specific detail: the time at which the file was downloaded, which narrows the search considerably. Using the query below
source="/home/ubuntu/suricata/eve.json" eventtype="suricata_eve_ids_attack" dest="nocomcom.com" "files{}.filename"="/kx4.txt"
we find that this file was downloaded at around 10:10 AM on 8/10/11 (it was downloaded twice; we use the 10:10 AM download).
The timestamp matters because it lets us check whether any other sensor on the host records file hashes. No field holds a SHA256 hash directly, but SHA1 hashes may be available.
The host also runs Zeek, which logs transferred files in bro/files.log. Searching the Zeek sourcetype (zeek:files) around the download time for the attacker's IP address returns a single event containing the file's SHA1 hash.
Looking this SHA1 hash up on virustotal.com returns the file report, including its SHA256 hash.
- Answer: 6fbc4d506f4d4e0a64ca09fd826408d3103c1a258c370553583a07a4cb9a6530
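The three pivots above (Q1's file-download events, Q4's unique-filename listing and Q5's time-and-IP correlation into Zeek files.log) can be reproduced without Splunk. The Python below is an added example written for this write-up, not code from the original post or from the challenge dataset. It runs over a handful of constructed eve.json and files.log lines whose timestamps, sizes, fuids and hashes are placeholders (only nocomcom.com, 195.88.191.59, 147.32.84.165 and /kx4.txt come from the write-up), assumes Suricata alerts carry a files{} array as the Splunk field name implies and that libmagic was enabled so each entry has a magic string, and assumes Zeek was run with hash-all-files, which adds md5 and sha1 (not sha256) to files.log.

```python
"""Offline re-creation of the pivots used in Q1, Q4 and Q5: Suricata eve.json
alerts carrying a files{} array -> unique files fetched from the attacker host
-> download time of the fake .txt -> the Zeek files.log record holding its SHA1.
Plain Python stands in for Splunk; every log line below is constructed."""
import json
from datetime import datetime, timedelta, timezone

ATTACKER_IP = "195.88.191.59"    # from Q1
ATTACKER_HOST = "nocomcom.com"   # from Q2
VICTIM_IP = "147.32.84.165"      # from Q3

# Constructed eve.json alerts. Alert src/dest follow the packet that matched
# the rule (the server's response here), so the victim sits in dest_ip as in Q3.
# Filenames other than /kx4.txt, sizes, timestamps and the unrelated host are
# placeholders; 'magic' assumes libmagic was enabled in suricata.yaml.
EVE_JSON = r"""
{"timestamp":"2011-08-10T10:10:02.000000+0000","event_type":"alert","src_ip":"195.88.191.59","src_port":80,"dest_ip":"147.32.84.165","dest_port":1043,"proto":"TCP","http":{"hostname":"nocomcom.com","url":"/kx4.txt"},"files":[{"filename":"/kx4.txt","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","state":"CLOSED","size":73728}]}
{"timestamp":"2011-08-10T10:10:09.000000+0000","event_type":"alert","src_ip":"195.88.191.59","src_port":80,"dest_ip":"147.32.84.165","dest_port":1044,"proto":"TCP","http":{"hostname":"nocomcom.com","url":"/dl/setup.exe"},"files":[{"filename":"/dl/setup.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","state":"CLOSED","size":204800}]}
{"timestamp":"2011-08-10T10:10:05.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":80,"dest_ip":"147.32.84.165","dest_port":1045,"proto":"TCP","http":{"hostname":"unrelated.example","url":"/index.html"},"files":[{"filename":"/index.html","magic":"HTML document, ASCII text","state":"CLOSED","size":512}]}
{"timestamp":"2011-08-10T10:11:30.000000+0000","event_type":"alert","src_ip":"195.88.191.59","src_port":80,"dest_ip":"147.32.84.165","dest_port":1046,"proto":"TCP","http":{"hostname":"nocomcom.com","url":"/img/logo.gif"},"files":[{"filename":"/img/logo.gif","magic":"GIF image data, version 89a","state":"CLOSED","size":1024}]}
{"timestamp":"2011-08-10T10:47:13.000000+0000","event_type":"alert","src_ip":"195.88.191.59","src_port":80,"dest_ip":"147.32.84.165","dest_port":1072,"proto":"TCP","http":{"hostname":"nocomcom.com","url":"/kx4.txt"},"files":[{"filename":"/kx4.txt","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","state":"CLOSED","size":73728}]}
"""

# Constructed Zeek files.log (JSON output). hash-all-files adds md5 and sha1
# only, which is why the write-up pivots on SHA1. fuids and hashes are dummies;
# ts values are epoch seconds for 2011-08-10 around 10:10 and 10:47 UTC.
ZEEK_FILES_LOG = r"""
{"ts":1312971003.512,"fuid":"Fconst1","tx_hosts":["195.88.191.59"],"rx_hosts":["147.32.84.165"],"source":"HTTP","mime_type":"application/x-dosexec","seen_bytes":73728,"md5":"00000000000000000000000000000001","sha1":"0000000000000000000000000000000000000001"}
{"ts":1312971006.100,"fuid":"Fconst3","tx_hosts":["203.0.113.5"],"rx_hosts":["147.32.84.165"],"source":"HTTP","mime_type":"text/html","seen_bytes":512,"md5":"00000000000000000000000000000003","sha1":"0000000000000000000000000000000000000003"}
{"ts":1312971012.004,"fuid":"Fconst2","tx_hosts":["195.88.191.59"],"rx_hosts":["147.32.84.165"],"source":"HTTP","mime_type":"application/x-dosexec","seen_bytes":204800,"md5":"00000000000000000000000000000002","sha1":"0000000000000000000000000000000000000002"}
{"ts":1312973234.200,"fuid":"Fconst4","tx_hosts":["195.88.191.59"],"rx_hosts":["147.32.84.165"],"source":"HTTP","mime_type":"application/x-dosexec","seen_bytes":73728,"md5":"00000000000000000000000000000004","sha1":"0000000000000000000000000000000000000004"}
"""


def parse_jsonl(text):
    """Parse newline-delimited JSON (eve.json and Zeek's JSON files.log)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suricata_time(ev):
    """Suricata timestamps look like 2011-08-10T10:10:02.000000+0000."""
    return datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def files_from_host(events, host):
    """Q4: unique files{}.filename values in alerts whose HTTP Host is `host`."""
    names = set()
    for ev in events:
        if ev.get("http", {}).get("hostname") != host:
            continue
        names.update(f["filename"] for f in ev.get("files", []))
    return sorted(names)


def disguised_executables(events):
    """Files whose name says .txt but whose libmagic type says PE executable."""
    found = set()
    for ev in events:
        for f in ev.get("files", []):
            looks_text = f["filename"].lower().endswith(".txt")
            is_exe = f.get("magic", "").startswith(("PE32", "MS-DOS executable"))
            if looks_text and is_exe:
                found.add(f["filename"])
    return sorted(found)


def download_events(events, host, filename):
    """Q5 step 1: every alert in which `filename` was fetched from `host`, oldest first."""
    hits = [ev for ev in events
            if ev.get("http", {}).get("hostname") == host
            and any(f["filename"] == filename for f in ev.get("files", []))]
    return sorted(hits, key=suricata_time)


def zeek_sha1_for_download(zeek_records, attacker_ip, when, size=None,
                           window=timedelta(seconds=30)):
    """Q5 step 2: sha1 of files.log entries served by `attacker_ip` within
    `window` of `when`. When `size` is given, seen_bytes must match it so a
    second file fetched seconds later from the same server does not collide."""
    out = []
    for rec in zeek_records:
        if attacker_ip not in rec.get("tx_hosts", []):
            continue
        ts = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
        if abs(ts - when) > window:
            continue
        if size is not None and rec.get("seen_bytes") != size:
            continue
        out.append(rec["sha1"])
    return out


EVENTS = parse_jsonl(EVE_JSON)
ZEEK = parse_jsonl(ZEEK_FILES_LOG)

if __name__ == "__main__":
    print("files from", ATTACKER_HOST, "->", files_from_host(EVENTS, ATTACKER_HOST))
    print("txt-named executables ->", disguised_executables(EVENTS))
    first = download_events(EVENTS, ATTACKER_HOST, "/kx4.txt")[0]
    print("first /kx4.txt download at", first["timestamp"])
    sha1s = zeek_sha1_for_download(ZEEK, ATTACKER_IP, suricata_time(first),
                                   first["files"][0]["size"])
    print("Zeek sha1 for that download ->", sha1s)  # hand this to VirusTotal
```

Matching on the attacker IP in tx_hosts plus a tight time window is what the Splunk search did; the size comparison is an extra tie-breaker, because a second file fetched seconds later from the same server would otherwise also fall inside the window, and the extension-versus-magic check is how the "disguised as a txt file" claim is verified from the logs rather than from the name alone.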