Investigating with Splunk

👋 Hi, I’m Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics, based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions; I am more than happy to help.

Task 1: Investigating with Splunk

SOC Analyst Johny has observed some anomalous behaviour in the logs of a few Windows machines. It looks like the adversary has access to some of these machines and has successfully created a backdoor. His manager has asked him to pull the logs from the suspected hosts and ingest them into Splunk for a quick investigation. Our task as SOC Analyst is to examine the logs and identify the anomalies.

To learn more about Splunk and how to investigate the logs, look at the rooms splunk101 and splunk201.

All the required logs are ingested in the index main.

Answer the questions below

  1. How many events were collected and ingested in the index main?

Ans: 12256

  2. On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?

Ans: A1berto

This is the hint you’re looking for: Narrow down based on the Event ID that relates to the creation of a new user on the system.

index=main EventID="4720"

On the host Micheal.Beaven, the user James created a new user A1berto.

OR

Usually, from CMD, users are created with net user /add <username> <password>,

so we can filter with: index=main net1.exe TargetUserName="-"


  3. On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?

Ans: HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto

  4. Examine the logs and identify the user that the adversary was trying to impersonate.

Ans: Alberto

In the “User” field, we can clearly see that “Alberto” is the legitimate user account, confirming that “A1berto” was intentionally crafted to look similar and evade detection.

The attacker created a deceptive username, A1berto, in which the lowercase letter “l” was replaced with the digit “1”.

  5. What is the command used to add a backdoor user from a remote computer?

Ans: C:\windows\System32\Wbem\WMIC.exe" /node:WORKSTATION6 process call create "net user /add A1berto paw0rd1

Search for the username together with the net command, which is used to add users.

net, net1 and net1.exe are all the same command.

Add the field “CommandLine”: click on “All fields”, search for CommandLine, then check the box.

Select the event to view the full log details.

  6. How many times was the login attempt from the backdoor user observed during the investigation?

Ans: 0

Use EventID=4624 to find successful logon attempts.

We don’t see the username A1berto, so even though the malicious user was created, it never logged in.
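The checks used in questions 2 to 6 (find the 4720 account creation, spot the look-alike name, recover the net user /add command line, and confirm the new account never logged on with 4624) can be scripted against exported events. The following is an added example, not code from the room or from Splunk; it runs over constructed sample events whose field names follow the Windows Security and Sysmon fields as Splunk extracts them, and the password is a placeholder:

```python
import re

# Constructed sample events (not the room's real logs). Hostnames, account names
# and command lines mirror the write-up; the password is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": "4624", "Computer": "Micheal.Beaven", "TargetUserName": "Alberto"},
    {"EventID": "4624", "Computer": "James.browne", "TargetUserName": "James"},
    {"EventID": "4720", "Computer": "Micheal.Beaven",
     "SubjectUserName": "James", "TargetUserName": "A1berto"},
    {"EventID": "1", "Computer": "Micheal.Beaven", "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1  user /add A1berto <password>"},
    {"EventID": "1", "Computer": "Micheal.Beaven", "Image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "CommandLine": r'C:\windows\System32\Wbem\WMIC.exe /node:WORKSTATION6 process call create "net user /add A1berto <password>"'},
]

# Digits and symbols commonly swapped for letters in look-alike account names.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})

# net, net1 and net1.exe are the same tool; capture everything after "user".
NET_USER_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+user\s+(.*)', re.IGNORECASE)


def new_user_creations(events):
    """(host, creator, new account) for every Event ID 4720 (user account created)."""
    return [(e["Computer"], e.get("SubjectUserName", "?"), e["TargetUserName"])
            for e in events if e.get("EventID") == "4720"]


def known_accounts(events):
    """Accounts with at least one successful logon (4624): the legitimate user base."""
    return sorted({e["TargetUserName"] for e in events if e.get("EventID") == "4624"})


def normalize(name):
    """Lower-case the name and undo the usual digit-for-letter substitutions."""
    return name.lower().translate(HOMOGLYPHS)


def lookalike_of(name, known_users):
    """Return the existing account that `name` imitates, or None if it is not a look-alike."""
    for known in known_users:
        if known.lower() != name.lower() and normalize(known) == normalize(name):
            return known
    return None


def net_user_add_commands(events):
    """(host, account, command line) for process events that add a user via net/net1,
    whether run locally or wrapped in a remote 'wmic ... process call create'."""
    found = []
    for e in events:
        m = NET_USER_RE.search(e.get("CommandLine", ""))
        if not m or "/add" not in m.group(1).lower():
            continue
        args = [a for a in m.group(1).split() if a.lower() != "/add"]
        found.append((e["Computer"], args[0].strip('"') if args else "?", e["CommandLine"]))
    return found


def logon_count(events, user):
    """Successful logons (4624) for one account, compared case-insensitively."""
    return sum(1 for e in events
               if e.get("EventID") == "4624"
               and e.get("TargetUserName", "").lower() == user.lower())


def investigate(events):
    """Summarise the backdoor-account checks from the walkthrough in one pass."""
    creations = new_user_creations(events)
    legit = known_accounts(events)
    return {
        "new_users": creations,
        "lookalikes": {u: lookalike_of(u, legit) for _, _, u in creations
                       if lookalike_of(u, legit)},
        "add_commands": net_user_add_commands(events),
        "backdoor_logons": {u: logon_count(events, u) for _, _, u in creations},
    }


if __name__ == "__main__":
    for key, value in investigate(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The look-alike check is deliberately narrow: it only flags a new name that collapses onto an existing account after the digit-for-letter substitutions, so ordinary new accounts are not reported.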

  7. What is the name of the infected host on which suspicious PowerShell commands were executed?

Ans: James.browne

Add powershell to the search filter.

Looking over the events, suspicious commands are being executed in PowerShell.

The ContextInfo field contains Base64-encoded PowerShell, which is likely an obfuscation attempt. Only the host James.browne shows this PowerShell activity.

  8. PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?

Ans: 79

External research

  9. An encoded PowerShell script from the infected host initiated a web request. What is the full URL?

Ans: hxxp[://]10[.]10[.]10[.]5/news[.]php

Now let’s decode this Base64 string: copy it and use CyberChef to decode it.
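The CyberChef step can also be done in a few lines, which is handy when there are many encoded commands to triage. The following is an added example, not code from the room or from CyberChef: it decodes a -EncodedCommand payload (Base64 over UTF-16LE, with a UTF-8 fallback for loaders that encode plain text), pulls out the URLs and defangs them in the hxxp[://] form used above. The script text is constructed; only the URL is the one reported on this page:

```python
import base64
import re

# Constructed sample: the kind of one-liner found in a ContextInfo field, encoded
# the way powershell.exe -EncodedCommand expects (Base64 over UTF-16LE).
SAMPLE_SCRIPT = "Invoke-WebRequest -Uri http://10.10.10.5/news.php"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed sample of a payload that was Base64-encoded as plain UTF-8 instead.
SAMPLE_UTF8_ENCODED = base64.b64encode(b"Write-Host hello").decode("ascii")

URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def decode_encoded_powershell(encoded: str) -> str:
    """Decode a -EncodedCommand payload.

    PowerShell puts UTF-16LE under the Base64. Decoding UTF-8 text as UTF-16LE
    produces non-ASCII code points, so fall back to UTF-8 when the first attempt
    is not plain ASCII text.
    """
    raw = base64.b64decode(encoded)
    candidate = raw.decode("utf-16-le", errors="replace")
    if all(ord(ch) < 128 for ch in candidate):
        return candidate
    return raw.decode("utf-8", errors="replace")


def extract_urls(script: str) -> list[str]:
    """Pull every http(s) URL out of decoded script text."""
    return URL_RE.findall(script)


def defang(url: str) -> str:
    """Render a URL as hxxp[://]a[.]b[.]c[.]d/path[.]ext so it cannot be clicked in a report."""
    scheme, rest = url.split("://", 1)
    scheme = re.sub(r"^http", "hxxp", scheme, flags=re.IGNORECASE)
    return f"{scheme}[://]{rest.replace('.', '[.]')}"


def web_requests_from_encoded(encoded: str) -> list[str]:
    """Decode an encoded command and return its URLs, defanged for reporting."""
    return [defang(u) for u in extract_urls(decode_encoded_powershell(encoded))]


if __name__ == "__main__":
    print(decode_encoded_powershell(SAMPLE_ENCODED))
    print(web_requests_from_encoded(SAMPLE_ENCODED))
```

When working from real Splunk output, paste the Base64 value from the ContextInfo field into web_requests_from_encoded; the defanged list is what goes into the report, and the plain decoded text is what you read to understand what the script does.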


Congratulations on completing the room. I hope you enjoyed this walkthrough.

Keep Hunting!