Elastic-Case learning notes

1. Who downloads the malicious file which has a double extension?

A downloaded malicious file with a double extension is most likely something of the form *.*.exe.

Search directly in Discover for file.name : *.*.exe. It does not matter if you do not know which index to use; just switch through them one by one.

The result looks like the following, but it may not be clear which event is the right one.

Next open Overview --> Security --> Alerts and search again for file.name : *.*.exe; the alert can be seen there.

From the timeline and the logs in Discover you can see that ahmed downloaded it.

2. What is the hostname he was using?

As shown in the screenshot above:


3. What is the name of the malicious file?

As shown in the screenshot above:


4. What is the attacker’s IP address?

First analyze the event:

The attacker IP is necessarily network-related, so click Network, as below.

As shown below, destination.address is the attacker IP.


5. Another user with high privilege runs the same malicious file. What is the username?

In the screenshot from question 1, the user listed above ahmed is the one with high privilege.


6. The attacker was able to upload a DLL file of size 8704. What is the file name?

From the question we get two conditions: file.size : 8704 and file.name : *.dll. Filter with these.

First method:

Second method:

In Overview --> Security --> Alerts, filter with file.size : 8704 and file.name : *.dll.


7. What parent process name spawns cmd with NT AUTHORITY privilege and pid 10716?

From the question we get two conditions: process.pid : 10716 and user.domain : NT AUTHORITY. Filter with these.

8. The previous process was able to access a registry. What is the full path of the registry?

Use the same filter conditions as in the previous question.


9. PowerShell process with pid 8836 changed a file in the system. What was that filename?

From the question we get two conditions: process.pid : 8836 and process.name : powershell.exe. Filter with these.

Note: do not search in Alerts, you will not find it there, because this is not an alert event; you need to search in the modules under Overview.

First filter on file events; the question refers to a change, so select file change.


10. PowerShell process with pid 11676 created files with the ps1 extension. What is the first file that has been created?

From the question we get three conditions: process.pid : 11676 and process.name : powershell.exe and file.extension : ps1. Filter with these.


11. What is the machine’s IP address that is in the same LAN as a windows machine?

From the previous question we found that the machine's IP address is 192.168.10.10.

Use the query: host.ip : 192.168.10.0/24
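As an added illustration (not part of the original write-up or of the Elastic-Case lab), the small Python evaluator below reproduces the matching logic of the flat KQL filters used in these questions: wildcard matching on file.name such as *.*.exe (question 1), conjunctions such as file.size : 8704 and file.name : *.dll (question 6), and CIDR matching on host.ip (this question). The ECS-style events, hostnames, users and IPs in it are constructed samples, not data from the challenge.

```python
import fnmatch
import ipaddress
import re

# Constructed ECS-style events standing in for the lab's logs; every value here
# (hostnames, users, IPs, file names) is invented for the illustration.
EVENTS = [
    {"file.name": "invoice.pdf.exe", "user.name": "ahmed", "host.name": "WIN-DESKTOP"},
    {"file.name": "report.docx", "user.name": "ahmed", "host.name": "WIN-DESKTOP"},
    {"file.name": "loader.dll", "file.size": 8704, "host.name": "WIN-DESKTOP"},
    {"file.name": "helper.dll", "file.size": 1024, "host.name": "WIN-DESKTOP"},
    {"host.name": "WIN-DESKTOP", "host.ip": ["192.168.10.10"]},
    {"host.name": "ubuntu-srv", "host.ip": ["192.168.10.20", "10.0.0.5"]},
    {"host.name": "remote-box", "host.ip": ["203.0.113.7"]},
]

def match_term(field, pattern, event):
    """Evaluate one 'field : pattern' term: fnmatch wildcards (* and ?), CIDR
    matching for .ip fields with a /prefix, and any-element match on list values."""
    values = event.get(field)
    if values is None:
        return False
    if not isinstance(values, list):
        values = [values]
    for value in values:
        if field.endswith(".ip") and "/" in pattern:
            try:
                if ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False):
                    return True
            except ValueError:
                continue
        elif fnmatch.fnmatchcase(str(value), pattern):  # keyword fields are case-sensitive
            return True
    return False

def kql_search(query, events=EVENTS):
    """Evaluate a flat KQL conjunction ('a : x and b : y'); return matching events in order."""
    terms = []
    for raw in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        field, sep, pattern = raw.partition(":")
        if not sep:
            raise ValueError(f"term without ':' -> {raw!r}")
        terms.append((field.strip(), pattern.strip().strip('"')))
    return [e for e in events if all(match_term(f, p, e) for f, p in terms)]

if __name__ == "__main__":
    print(kql_search("file.name : *.*.exe"))
    print(kql_search("file.size : 8704 and file.name : *.dll"))
    print(kql_search("host.ip : 192.168.10.0/24"))
```

Kibana's real KQL also supports or, not, ranges and nested fields, which this evaluator deliberately leaves out; it is only meant to make the matching behaviour of the queries used above concrete.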


12. The attacker login to the Ubuntu machine after a brute force attack. What is the username he was successfully login with?

From the question we know to look at the brute-force attack activity against the Ubuntu machine.

By looking at the events with a success status below, we can identify the account that logged in successfully (cyber and root are both internal accounts).


13. After that attacker downloaded the exploit from the GitHub repo using wget. What is the full URL of the repo?

From the previous question we know user.name : salem; combining this with the current question gives process.name : wget


14. After The attacker runs the exploit, which spawns a new process called pkexec, what is the process’s md5 hash?

From the question we get one condition: process.name : pkexec. Filter with it.


15. Then attacker gets an interactive shell by running a specific command on the process id 3011 with the root user. What is the command?

From the question we get two conditions: user.name : root and process.pid : 3011. Filter with these.


16. What is the hostname which alert signal.rule.name: “Netcat Network Activity”?

From the question we get one condition: signal.rule.name : "Netcat Network Activity". Filter with it.


17. What is the username who ran netcat?

As shown in the screenshot above.


18. What is the parent process name of netcat?

As in the screenshot for question 16, via Analyze event.


19. If you focus on nc process, you can get the entire command that the attacker ran to get a reverse shell. Write the full command?


20. From the previous three questions, you may remember a famous java vulnerability. What is it?

The famous Log4Shell vulnerability.


21. What is the entire log file path of the “solr” application?

From the question we get the condition log.file.path : *solr*. Filter with it.


22. What is the path that is vulnerable to log4j?

Same condition as the previous question, with message added as a displayed field.


23. What is the GET request parameter used to deliver log4j payload?

As shown in the screenshot above.


24. What is the JNDI payload that is connected to the LDAP port?

As shown in the screenshot above.
