Story:

SOC Analyst Johny has observed some anomalous behaviours in the logs of a few windows machines. It looks like the adversary has access to some of these machines and successfully created some backdoor. His manager has asked him to pull those logs from suspected hosts and ingest them into Splunk for quick investigation. Our task as SOC Analyst is to examine the logs and identify the anomalies.

Questions:

  1. How many events were collected and Ingested in the index main?

alt

  1. On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?

Examining the logs we can find field called EventID

alt

Let’s search what is the event ID for creating a new user in windows

alt

We add the event ID to our query

alt

alt

  1. On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?

We add the new user to our search

alt

After quick examination of the logs we find the path of the registry key

alt

  1. Examine the logs and identify the user that the adversary was trying to impersonate.

alt

Selecting the User field we instantly see that new user ‘A1berto’ is impersonating ‘Alberto’

  1. What is the command used to add a backdoor user from a remote computer?

Going back to our logs regarding ‘A1berto’ user we can see CommandLine field. There we find the command that is using the wmic.exe which is used in administrating tasks on remote computers

alt

  1. How many times was the login attempt from the backdoor user observed during the investigation?

Lets check the event ID for successful and failed login

alt

alt

Now lets search for ‘A1berto’ with these Event IDs

alt

No login attempts were made

  1. What is the name of the infected host on which suspicious Powershell commands were executed?

To find the powershell command we go back to “A1berto” logs. There is a Category field

alt

Executing a powershell would be ‘Executing Pipeline’ category so lets search for this event

alt

alt

We get the command and the hostname it was executed on

  1. PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?

Lets check the event ID for executing powershell commands I found the IDs and their meanings on this blog: https://blog.reconinfosec.com/endpoint-logging-for-the-win

alt

  1. An encoded Powershell script from the infected host initiated a web request. What is the full URL?

Since the script executed on the infected host lets add him to our search

alt

We quickly find encrypted script

alt

After decrypting it with cyberchef we get script

alt

alt

The url is base64 encoded so we decode it once again, we defang it and add the path news.php

hxxp[://]10[.]10[.]10[.]5/news[.]php