This write-up covers the ItsyBitsy challenge room on TryHackMe.
Scenario
While monitoring security, Analyst John saw an alert from the IDS system about possible command-and-control (C2) communication involving a user named Browne from HR. A suspicious file with a known malicious pattern was accessed. We've pulled a week's worth of HTTP connection logs to investigate, but due to limited resources, we only have these logs in Kibana (Index: connection_logs). Our job is to review the network connection logs for this user and identify the link and content of the suspicious file.
Task
After logging into the Elastic home page, click on the hamburger icon and navigate to Discover under the Analytics section.

How many events were returned for the month of March 2022?
Set the date range from March 1, 2022, to April 1, 2022, as the question specifies; the hit count Kibana shows for that range is the number of events in that period.

What is the IP associated with the suspected user in the logs?
I began the investigation by examining the source IP. Since one address accounts for only 0.4% of all the logs, I decided to start there to check for any suspicious activity.

A user on the internal network retrieving data from Pastebin is exactly the kind of activity that stands out as suspicious here.

Note: Pastebin is used for sharing snippets of code, configuration files, or other text.
The user's machine used a legit Windows binary to download a file from the C2 server. What is the name of the binary?
Refer to the previous screenshot: the user agent recorded on the request to the suspicious IP address identified earlier names the binary used to retrieve the file.
The infected machine connected with a famous filesharing site in this period, which also acts as a C2 server used by the malware authors to communicate. What is the name of the filesharing site?
As noted under the second question, Pastebin is frequently used to share snippets of code, configuration files, or other text-based content.
What is the full URL of the C2 to which the infected host is connected?
Refer to the previous screenshot. The full URL is the combination of the host (pastebin.com) and the URI (/yTg0Ah6a) because the host identifies the server, while the URI specifies the exact location of the resource on that server.
A file was accessed on the filesharing site. What is the name of the file accessed?
To discover the file shared on Pastebin, enter the full URL found in the previous question into a web browser.
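The same pivots the write-up performs in Kibana (date-range filter, rarest source IP, user agent, host + URI), replayed in Python over a few constructed HTTP connection records. This is an added example, not code from the room or from the write-up; the field names and every value except the pastebin.com host and the /yTg0Ah6a URI are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records standing in for the connection_logs index.
# Field names, IPs, timestamps and the user agent are assumed; only the
# pastebin.com host and /yTg0Ah6a URI come from the write-up.
LOGS = [
    {"ts": "2022-02-27T09:12:00", "src": "192.168.65.10", "ua": "Mozilla/5.0", "host": "intranet.local", "uri": "/"},
    {"ts": "2022-03-02T08:01:00", "src": "192.168.65.10", "ua": "Mozilla/5.0", "host": "intranet.local", "uri": "/login"},
    {"ts": "2022-03-03T10:30:00", "src": "192.168.65.21", "ua": "Mozilla/5.0", "host": "updates.example.com", "uri": "/catalog"},
    {"ts": "2022-03-04T09:15:00", "src": "192.168.65.10", "ua": "Mozilla/5.0", "host": "intranet.local", "uri": "/"},
    {"ts": "2022-03-05T11:45:00", "src": "192.168.65.21", "ua": "Mozilla/5.0", "host": "updates.example.com", "uri": "/catalog"},
    {"ts": "2022-03-07T14:20:00", "src": "192.168.65.10", "ua": "Mozilla/5.0", "host": "intranet.local", "uri": "/"},
    {"ts": "2022-03-08T16:02:00", "src": "192.168.65.44", "ua": "Example-Downloader/1.0", "host": "pastebin.com", "uri": "/yTg0Ah6a"},
    {"ts": "2022-03-09T08:40:00", "src": "192.168.65.21", "ua": "Mozilla/5.0", "host": "updates.example.com", "uri": "/catalog"},
]

def events_in_range(logs, start_iso, end_iso):
    """Question 1: the Kibana date-range filter (start inclusive, end exclusive)."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [r for r in logs if start <= datetime.fromisoformat(r["ts"]) < end]

def rarest_source_ip(logs):
    """Question 2: the least-frequent source IP and its share of the logs,
    the same 'small slice of the pie' pivot the write-up starts from."""
    counts = Counter(r["src"] for r in logs)
    ip, n = min(counts.items(), key=lambda kv: kv[1])
    return ip, n / len(logs)

def hits_for_ip(logs, ip):
    """Narrow the view to one host, as clicking the IP in Discover does."""
    return [r for r in logs if r["src"] == ip]

def paste_site_request(hits, site="pastebin.com"):
    """Questions 3-5: reconstruct host + URI and read the user agent that made
    the request; returns None if the host never touched the site."""
    for r in hits:
        if r["host"] == site:
            return r["host"] + r["uri"], r["ua"]
    return None

if __name__ == "__main__":
    march = events_in_range(LOGS, "2022-03-01", "2022-04-01")
    ip, share = rarest_source_ip(march)
    print(f"{len(march)} events in March; rarest source {ip} ({share:.1%})")
    print(paste_site_request(hits_for_ip(march, ip)))
```

In a real index the rare-IP pivot only works as a starting point; confirm the candidate with the destination host and user agent before treating it as the infected machine.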

The file contains a secret code with the format THM{_____}.
The flag is visible in the same file opened in the previous question.