Splunk BOTSv3 AWS & WINEvent
AWS S3 Bucket Challenge
Today I will be finishing up my Splunk course with two more blue team CTFs. The first challenge is an S3 bucket that was compromised because of a security misconfiguration: its ACL was changed to allow public access. My first task is to find out who enabled public access to the bucket, as well as the bucket name. PutBucketAcl is the CloudTrail event name recorded when a bucket's ACL is changed, so that is the event to pivot on.
Search string: sourcetype="aws:cloudtrail" eventName="PutBucketAcl"
Next, I must find the CloudTrail event ID of the API call that made the S3 bucket public. For this one I just looked at the log entry before the one where I found the user and bucket name.
Search string: sourcetype="aws:cloudtrail" user_arn="arn:aws:iam::622676721278:user/bstoll" app=AwsApiCall eventName="PutBucketAcl"
There is a possibility that someone from outside the organization uploaded files before the IAM team could revoke the public access. It is my task to investigate, and the S3 server access logs record every PUT against the bucket.
Search string: sourcetype="aws:s3:accesslogs" http_method=PUT bucket_name=frothlywebcode
A compressed file was also uploaded to the bucket while it had open permissions; I need to inspect the file's size.
Search string: sourcetype="aws:s3:accesslogs" frothly_html_memcached.tar.gz bytes=*
Finally, they would like me to find the source IP of the entity that uploaded the compressed file.
Search string: sourcetype="aws:s3:accesslogs" http_method=PUT bucket_name=frothlywebcode src_ip="*"
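The three AWS pivots above (the PutBucketAcl call that opened the bucket, the uploads made while it was open, and the uploader's IP and file size) carried out in plain Python over constructed records, as an added example that is not part of the original post or the BOTSv3 dataset. The account ID, user, bucket and archive name are taken from the searches above; every event ID, IP address, timestamp, object size, the second user and the canned-ACL record are constructed placeholders, not the challenge answers. The example goes one step beyond the Splunk searches: it also flags grants to the AuthenticatedUsers group and canned public ACLs sent as an x-amz-acl header (the CloudTrail shape of that header is assumed), and it keeps only PUTs whose requester field is "-", i.e. unauthenticated uploads.

```python
"""Added example (not from the original post or the BOTSv3 dataset).
Replays the AWS pivots over constructed records: which PutBucketAcl call made the
bucket public and by whom (CloudTrail), then which objects unauthenticated requesters
uploaded while it was open, how big they were and from which IP (S3 server access
logs). Every event ID, IP, timestamp and size below is a constructed placeholder."""
import re

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}
PUBLIC_CANNED = {"public-read", "public-read-write", "authenticated-read"}

# Constructed CloudTrail records, trimmed to the fields the triage needs.
CLOUDTRAIL = [
    {"eventID": "0000aaaa-0000-4000-8000-000000000001", "eventName": "PutBucketAcl",
     "eventTime": "2018-08-20T11:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::622676721278:user/bstoll"},
     "requestParameters": {"bucketName": "frothlywebcode",
         "AccessControlPolicy": {"AccessControlList": {"Grant": [
             {"Grantee": {"URI": ALL_USERS}, "Permission": "WRITE"},
             {"Grantee": {"ID": "ownercanonicalid"}, "Permission": "FULL_CONTROL"}]}}}},
    {"eventID": "0000aaaa-0000-4000-8000-000000000002", "eventName": "PutBucketAcl",
     "eventTime": "2018-08-20T11:45:00Z",   # the fix: ACL reset to owner-only
     "userIdentity": {"arn": "arn:aws:iam::622676721278:user/bstoll"},
     "requestParameters": {"bucketName": "frothlywebcode",
         "AccessControlPolicy": {"AccessControlList": {"Grant":
             {"Grantee": {"ID": "ownercanonicalid"}, "Permission": "FULL_CONTROL"}}}}},
    {"eventID": "0000aaaa-0000-4000-8000-000000000003", "eventName": "PutBucketAcl",
     "eventTime": "2018-08-21T09:00:00Z",   # canned ACL via header; shape is an assumption
     "userIdentity": {"arn": "arn:aws:iam::622676721278:user/example-user"},
     "requestParameters": {"bucketName": "frothly-staging", "x-amz-acl": ["public-read"]}},
]


def public_acl_events(records):
    """PutBucketAcl calls that grant access to everyone or to all AWS account holders."""
    hits = []
    for rec in records:
        if rec.get("eventName") != "PutBucketAcl":
            continue
        rp = rec.get("requestParameters", {})
        grants = rp.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
        if isinstance(grants, dict):      # a single grant is serialised as an object, not a list
            grants = [grants]
        perms = [g["Permission"] for g in grants
                 if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]
        canned = rp.get("x-amz-acl", [])
        canned = [canned] if isinstance(canned, str) else canned
        perms += [c for c in canned if c in PUBLIC_CANNED]
        if perms:
            hits.append({"event_id": rec["eventID"], "user_arn": rec["userIdentity"]["arn"],
                         "bucket": rp["bucketName"], "public_grants": perms})
    return hits


# S3 server access log columns, in order; trailing columns (host id, TLS, ...) are ignored.
S3_FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
             "operation", "key", "request_uri", "http_status", "error_code",
             "bytes_sent", "object_size", "total_time", "turn_around_time",
             "referrer", "user_agent", "version_id"]
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')   # [time with space], "quoted", or bare token


def parse_s3_access_log(line):
    return dict(zip(S3_FIELDS, (t.strip('[]"') for t in TOKEN.findall(line))))


# Constructed access-log lines: two anonymous PUTs, then an authenticated GET.
S3_LOG = """\
a1b2c3 frothlywebcode [20/Aug/2018:11:12:01 +0000] 203.0.113.50 - 7F3EXAMPLE1 REST.PUT.OBJECT frothly_html_memcached.tar.gz "PUT /frothlywebcode/frothly_html_memcached.tar.gz HTTP/1.1" 200 - - 18432 120 90 "-" "aws-cli/1.16.5" -
a1b2c3 frothlywebcode [20/Aug/2018:11:13:40 +0000] 203.0.113.50 - 7F3EXAMPLE2 REST.PUT.OBJECT note.txt "PUT /frothlywebcode/note.txt HTTP/1.1" 200 - - 26 40 30 "-" "aws-cli/1.16.5" -
a1b2c3 frothlywebcode [20/Aug/2018:11:20:05 +0000] 198.51.100.7 arn:aws:iam::622676721278:user/bstoll 7F3EXAMPLE3 REST.GET.OBJECT index.html "GET /frothlywebcode/index.html HTTP/1.1" 200 - 5120 5120 15 10 "-" "Mozilla/5.0" -
"""


def anonymous_uploads(log_text, bucket):
    """PUTs to `bucket` by unauthenticated requesters ('-'): key, size, source IP, time."""
    out = []
    for line in log_text.splitlines():
        e = parse_s3_access_log(line)
        if e["bucket"] == bucket and e["operation"] == "REST.PUT.OBJECT" and e["requester"] == "-":
            size = int(e["object_size"]) if e["object_size"].isdigit() else None
            out.append({"key": e["key"], "src_ip": e["remote_ip"], "object_size": size,
                        "time": e["time"]})
    return out


if __name__ == "__main__":
    for h in public_acl_events(CLOUDTRAIL):
        print("public ACL:", h)
    for u in anonymous_uploads(S3_LOG, "frothlywebcode"):
        print("anonymous upload:", u)
```

Two details worth carrying back to the Splunk searches: a single grant in CloudTrail arrives as an object rather than a list, so a search that assumes the list form can miss it, and for a PUT the access log reports the upload size in the object_size column while bytes_sent is "-", so that is the column to read for the archive's size.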
WINEvent Logs Challenge
This brewing company is a mess. They are now dealing with some malicious activity on their Windows endpoints, and I am tasked with getting to the bottom of it. I must seek out the endpoint that was compromised and inspect a new user creation. The Windows event code for new account creation is 4720 ("A user account was created"), so we'll start with that.
Search string: sourcetype="wineventlog" EventCode=4720
I now must find the new user's password. This took me quite some time, because there is no way to search outright for passwords in the clear. So, I went ahead and searched the host machine that the new account was created on, then the time and date from the prior account-creation event, as well as the process command line.
Search string: sourcetype="wineventlog" host="FYODOR-L" 08/19/2018 22:08:17 PM Process_Command_Line="*"
To wrap this up, they'd like to know one of the group names that the new malicious account was added to. Here we can search for the Windows event code 4732, which is "A member was added to a security-enabled local group."
Search string: sourcetype="wineventlog" EventCode=4732 user_name=svcvnc
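The three Windows pivots above (4720 account creation, the process command line that carries the password, and 4732 group membership) carried out in plain Python over constructed Security log records, as an added example that is not part of the original post or the BOTSv3 dataset. The host FYODOR-L and the account svcvnc come from the searches above; the timestamps, SIDs, the group and the password are constructed placeholders, not the challenge answers. The records use the multi-line layout (timestamp line, Key=Value header lines, then the Message text) that the Splunk Windows add-on produces, and the reason the command line search works is shown directly: when process creation auditing includes the command line, a `net user <name> <password> /add` is written into event 4688 with the password in the clear. The example also correlates 4732 to the new account by SID, because in 4732 the Member "Account Name" is frequently "-" and only the SID is populated.

```python
"""Added example (not from the original post or the BOTSv3 dataset).
Replays the Windows pivots over constructed Security log records: find 4720 account
creations, recover the password from the 4688 process command line that created the
account, and list the 4732 group additions for it. Host and account name come from
the searches in the post; SIDs, times, the group and the password are placeholders."""
import re
from datetime import datetime, timedelta

# Constructed events in the Splunk Windows add-on layout (time, Key=Value lines, Message).
EVENTS = """\
08/19/2018 10:08:17 PM
LogName=Security
EventCode=4720
ComputerName=FYODOR-L
Message=A user account was created.

New Account:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1005
\tAccount Name:\t\tsvcvnc

08/19/2018 10:08:17 PM
LogName=Security
EventCode=4688
ComputerName=FYODOR-L
Message=A new process has been created.

Process Information:
\tNew Process Name:\tC:\\Windows\\System32\\net.exe
\tProcess Command Line:\tnet user svcvnc Ex4mpl3P@ss! /add

08/19/2018 10:08:19 PM
LogName=Security
EventCode=4732
ComputerName=FYODOR-L
Message=A member was added to a security-enabled local group.

Member:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1005
\tAccount Name:\t\t-

Group:
\tSecurity ID:\t\tS-1-5-32-544
\tGroup Name:\t\tAdministrators
"""

TS = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")   # record boundary
# net.exe hands the work to net1.exe with the same arguments, so match both binaries.
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+(\S+)\s+/add\b", re.IGNORECASE)


def parse_wineventlog(text):
    """Split the export on timestamp lines; header lines are Key=Value, the rest is Message."""
    events, cur, in_msg = [], None, False
    for line in text.splitlines():
        if TS.match(line):
            cur = {"_time": datetime.strptime(line, "%m/%d/%Y %I:%M:%S %p"), "_msg": []}
            events.append(cur)
            in_msg = False
        elif cur is None:
            continue
        elif in_msg:
            cur["_msg"].append(line)
        elif "=" in line:
            key, value = line.split("=", 1)
            if key == "Message":
                cur["_msg"].append(value)
                in_msg = True
            else:
                cur[key] = value
    for e in events:
        e["Message"] = "\n".join(e.pop("_msg"))
    return events


def msg_field(msg, section, name):
    """Value of `name:` inside the `section:` block of a Message body, or None."""
    for block in msg.split("\n\n"):
        lines = [l.strip() for l in block.strip().splitlines()]
        if lines and lines[0] == section + ":":
            for l in lines[1:]:
                if l.startswith(name + ":"):
                    return l[len(name) + 1:].strip()
    return None


def account_creations(events):
    return [e for e in events if e.get("EventCode") == "4720"]


def password_from_commandline(events, creation, window=timedelta(seconds=60)):
    """Password from a `net user <name> <pw> /add` 4688 on the same host near the 4720.
    Returns None when command-line auditing is off or the account was created another way."""
    name = msg_field(creation["Message"], "New Account", "Account Name") or ""
    for e in events:
        if e.get("EventCode") != "4688" or e.get("ComputerName") != creation.get("ComputerName"):
            continue
        if abs(e["_time"] - creation["_time"]) > window:
            continue
        cmd = msg_field(e["Message"], "Process Information", "Process Command Line") or ""
        m = NET_USER_ADD.search(cmd)
        if m and m.group(1).lower() == name.lower():
            return m.group(2)
    return None


def group_additions(events, creation):
    """Group names from 4732 events whose member matches the new account by SID or name."""
    sid = msg_field(creation["Message"], "New Account", "Security ID")
    name = (msg_field(creation["Message"], "New Account", "Account Name") or "").lower()
    groups = []
    for e in events:
        if e.get("EventCode") != "4732":
            continue
        m_sid = msg_field(e["Message"], "Member", "Security ID")
        m_name = (msg_field(e["Message"], "Member", "Account Name") or "").lower()
        if m_sid == sid or (m_name not in ("", "-") and m_name == name):
            groups.append(msg_field(e["Message"], "Group", "Group Name"))
    return groups


if __name__ == "__main__":
    evs = parse_wineventlog(EVENTS)
    for c in account_creations(evs):
        user = msg_field(c["Message"], "New Account", "Account Name")
        print(c["ComputerName"], user, password_from_commandline(evs, c), group_additions(evs, c))
```

Two caveats when running this against real data: 4688 only carries the command line if "Include command line in process creation events" is enabled (Sysmon event 1 is the usual fallback), and the time window exists because the 4720 and the 4688 are separate events that are not linked by any ID, so the same-host, near-in-time join is the only correlation available.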