Benign

Investigate host-centric logs on a compromised host to find suspicious process execution.

Introduction

One of the client’s IDS indicated a potentially suspicious process execution indicating one of the hosts from the HR department was compromised. Some tools related to network information gathering / scheduled tasks were executed which confirmed the suspicion. Due to limited resources, only the process execution logs with Event ID: 4688 could be pulled and ingested into Splunk with the index win_eventlogs for further investigation.

About the Network Information

IT departmentHR departmentMarketing department

James

Haroon

Bell

Moin

Chris

Amelia

Katrina

Diana

Deepak

Identify and Investigate an Infected Host

How many logs are ingested from the month of March, 2022?

13,959

Imposter Alert: There seems to be an imposter account observed in the logs, what is the name of that user?

Using the "rare" SPL command to target the usernames, there is one obvious unwanted user:

Amel1a

Which user from the HR department was observed to be running scheduled tasks?

Searching for "schtasks" will index 87 events:

sctasks

From here, querying the usernames involved in these tasks should narrow down the search to the user from the HR department.

Chris.fort

Which user from the HR department executed a system process (LOLBIN) to download a payload from a file-sharing host.

haroon

To bypass the security controls, which system process (lolbin) was used to download a payload from the internet?

certutil.exe

What was the date that this binary was executed by the infected host? format (YYYY-MM-DD)

2022-03-04

Which third-party site was accessed to download the malicious payload?

controlc.com

What is the name of the file that was saved on the host machine from the C2 server during the post-exploitation phase?

benign.exe

The suspicious file downloaded from the C2 server contained malicious content with the pattern THM{..........}; what is that pattern?

Inside the Splunk history, the following qery could be found:

https://textbin.net/osk7oyduzi
THM{KJ&*H^B0}

What is the URL that the infected host connected to?

https://controlc.com/548ab556

PreviousInvestigating with SplunkNextDigital Forensics and Incident Response

Last updated