Benign
Investigate host-centric logs on a compromised host to find suspicious process execution.
Last updated
Investigate host-centric logs on a compromised host to find suspicious process execution.
Last updated
One of the client’s IDS indicated a potentially suspicious process execution indicating one of the hosts from the HR department was compromised. Some tools related to network information gathering / scheduled tasks were executed which confirmed the suspicion. Due to limited resources, only the process execution logs with Event ID: 4688 could be pulled and ingested into Splunk with the index win_eventlogs for further investigation.
| IT department | HR department | Marketing department |
|---|---|---|
James | Haroon | Bell |
Moin | Chris | Amelia |
Katrina | Diana | Deepak |
How many logs are ingested from the month of March, 2022?
Imposter Alert: There seems to be an imposter account observed in the logs, what is the name of that user?
Using the "rare" SPL command to target the usernames, there is one obvious unwanted user:
Which user from the HR department was observed to be running scheduled tasks?
Searching for "schtasks" will index 87 events:
From here, querying the usernames involved in these tasks should narrow down the search to the user from the HR department.
Which user from the HR department executed a system process (LOLBIN) to download a payload from a file-sharing host.
To bypass the security controls, which system process (lolbin) was used to download a payload from the internet?
certutil.exe
What was the date that this binary was executed by the infected host? format (YYYY-MM-DD)
2022-03-04
Which third-party site was accessed to download the malicious payload?
controlc.com
What is the name of the file that was saved on the host machine from the C2 server during the post-exploitation phase?
benign.exe
The suspicious file downloaded from the C2 server contained malicious content with the pattern THM{..........}; what is that pattern?
Inside the Splunk history, the following qery could be found:
What is the URL that the infected host connected to?
https://controlc.com/548ab556
