siunam's Website

My personal website

Home Writeups Blog Projects About E-Portfolio

New Hire Old Artifacts | Jan 8, 2023

Introduction

Welcome to my another writeup! In this TryHackMe New Hire Old Artifacts room, you’ll learn: Investigate attack via Splunk and more! Without further ado, let’s dive in.

Background

Investigate the intrusion attack using Splunk.

Difficulty: Medium


A newly acquired customer (Widget LLC) was recently onboarded with the managed Splunk service. The sensor is live, and all the endpoint events are now visible on TryNotHackMe’s end. Widget LLC has some concerns with the endpoints in the Finance Dept, especially an endpoint for a recently hired Financial Analyst. The concern is that there was a period (December 2021) when the endpoint security product was turned off, but an official investigation was never conducted.

Your manager has tasked you to sift through the events of Widget LLC’s Splunk instance to see if there is anything that the customer needs to be alerted on.

Happy Hunting!

Question 1 - A Web Browser Password Viewer executed on the infected machine. What is the name of the binary? Enter the full path.

We can go to the http://MACHINE_IP:8000 to use Splunk:

Then click “Search & Reporting” to use the search function of Splunk:

Now, we can go to the search bar to search everything (*), and search all time events:

According to the question, we need to find a binary that infecting the machine.

To do so, I’ll use a filter query:

Image="*.exe" | dedup Image | table Image

This will only show table Image, distinct values, and anything value that contains .exe:

The C:\Users\FINANC~1\AppData\Local\Temp\11111.exe seems weird.

Question 2 - What is listed as the company name?

Let’s view that event:

Hmm… Nothing stands out.

Let’s search for it’s company name:

Image="C:\\Users\\FINANC~1\\AppData\\Local\\Temp\\11111.exe" | table Company | dedup Company

Found it!

Question 3 - Another suspicious binary running from the same folder was executed on the workstation. What was the name of the binary? What is listed as its original filename? (format: file.xyz,file.xyz)

Filter query:

Image="C:\\Users\\Finance01\\AppData\\Local\\Temp\\*.exe" | table Image | dedup Image

Note: According to Microsoft documentation, FINANC~1 is the tilde substitution convention.

Found it!

Let’s find the original filename of that binary:

Image="C:\\Users\\Finance01\\AppData\\Local\\Temp\\IonicLarge.exe" | table OriginalFileName | dedup OriginalFileName

Nice!

Question 4 - The binary from the previous question made two outbound connections to a malicious IP address. What was the IP address? Enter the answer in a defang format.

Filter query:

Image="C:\\Users\\Finance01\\AppData\\Local\\Temp\\IonicLarge.exe" | table DestinationIp | dedup DestinationIp

The 2[.]56[.]59[.]42 looks sussy.

Question 5 - The same binary made some change to a registry key. What was the key path?

Filter query:

Image="C:\\Users\\Finance01\\AppData\\Local\\Temp\\IonicLarge.exe" EventType="SetValue" | table TargetObject | dedup TargetObject

Question 6 - Some processes were killed and the associated binaries were deleted. What were the names of the two binaries? (format: file.xyz,file.xyz)

Filter query:

taskkill | table ParentCommandLine | dedup ParentCommandLine

Question 7 - The attacker ran several commands within a PowerShell session to change the behaviour of Windows Defender. What was the last command executed in the series of similar commands?

Filter query:

powershell | table CommandLine,UtcTime | dedup CommandLine

Question 8 - Based on the previous answer, what were the four IDs set by the attacker? Enter the answer in order of execution. (format: 1st,2nd,3rd,4th)

Question 9 - Another malicious binary was executed on the infected workstation from another AppData location. What was the full path to the binary?

Filter query:

Image="C:\\Users\\*\\AppData\\*.exe" | table Image | dedup Image

Question 10 - What were the DLLs that were loaded from the binary from the previous question? Enter the answers in alphabetical order. (format: file1.dll,file2.dll,file3.dll)

Image="C:\\Users\\Finance01\\AppData\\Roaming\\EasyCalc\\EasyCalc.exe" ImageLoaded="*.dll" | table ImageLoaded | dedup ImageLoaded

Conclusion

What we’ve learned:

  1. Investigate Intrusion Attack Using Splunk