Wednesday, August 5, 2020

JPCert's Log Analysis Training

6 Aug 2020

About a week or so ago, JPCert released their Log Analysis training slides and corresponding CSV files for each hands-on exercise. Having not messed around with logs that weren't my own from my lab, I thought I would give the training a shot.

The links to the blog article and the GitHub repo where the PDF and CSV files are stored can be found at the bottom of this post. Heads up: the article, the slides and the CSV files are all in Japanese.

The training consists of five different hands-on exercises. This post will focus on the first exercise in which the analyst is notified of an antivirus suspicious file removal alert.

I do not speak fluent Japanese; I can navigate my way through hiragana and katakana and am probably a first-grade-level kanji reader. A good bit of Google Translate was used along the way.

Training Material

The PDF comes in two versions, one with notes and one without. I chose the version with notes, which came in at 223 pages. That covers all five exercises, so the page count is to be expected.

After cloning the repository with all the exercises, we are ready to get started. Each exercise sits in its respective folder along with the corresponding CSV files. For the first exercise, we are supplied with PowerShell, Security Audit, Sysmon, and TaskScheduler logs.

The training makes heavy use of grep for working through the CSV files. We all probably need the command line practice; however, I will be zipping these files and importing them into Splunk.

Exercise 1

As stated above, we start this first exercise with a user notifying us that the antivirus software removed a suspicious file from their workstation. We are asked to verify whether this alert could be part of a bigger issue. The suspicious file was identified as "win.exe".

Question 1

Identify the destination IP address of the malware

Querying for the suspect file name together with Windows Event ID 5156, "Windows Filtering Platform has allowed a connection", we can identify the destination IP address as 198[.]51.100.101.

Question 2

Identify the malware operation start time and malware execution method

Searching for Event ID 4688 (Process Creation), we can see that win.exe was executed at 15:53:00 on 07 Nov 2019.

Continuing our search through the logs, an additional process creation log shows that the parent image for win.exe is taskeng.exe, the Task Scheduler engine, which means win.exe was launched by a scheduled task. At this point, we have established that win.exe made a network connection and was registered as a scheduled task.

Question 3

The attacker is attempting to break into another machine from Win7_64JP_01. Please identify another computer (host name or IP address) that was targeted.

The computer name identified above belongs to the user that alerted us to the antivirus file removal. We now know that the attacker is in our network and is attempting to move to different workstations. For this question, we have to think of common ways attackers move laterally through a network.
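As an added example that is not part of the original post or the JPCert training material, the following Python script applies the three log pivots used so far (Event ID 5156 filtered by image name for Question 1, Event ID 4688 for the creation time and parent process for Question 2, and outbound 5156 connections from the victim host to remote-administration ports as a starting point for Question 3) to a constructed CSV sample. The four-column layout, the single-line "Label: value" message text, the host's internal addresses and the 192.168.0.20 destination are all assumptions made for this example; only the C2 address, the timestamp, the host name and the taskeng.exe parent reuse values the post reports.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export in an assumed four-column layout. The training's
# real CSV files have their own columns; only the layout below is handled here.
SAMPLE_CSV = r'''TimeCreated,EventID,Computer,Message
2019-11-07 15:52:58,4688,Win7_64JP_01,"A new process has been created. New Process Name: C:\Windows\System32\taskeng.exe Creator Process Name: C:\Windows\System32\svchost.exe"
2019-11-07 15:53:00,4688,Win7_64JP_01,"A new process has been created. New Process Name: C:\Users\user\AppData\Local\Temp\win.exe Creator Process Name: C:\Windows\System32\taskeng.exe"
2019-11-07 15:53:04,5156,Win7_64JP_01,"The Windows Filtering Platform has permitted a connection. Application Name: \device\harddiskvolume1\users\user\appdata\local\temp\win.exe Direction: Outbound Source Address: 192.168.0.10 Destination Address: 198.51.100.101 Destination Port: 443"
2019-11-07 15:53:09,5156,Win7_64JP_01,"The Windows Filtering Platform has permitted a connection. Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Direction: Outbound Source Address: 192.168.0.10 Destination Address: 192.168.0.1 Destination Port: 53"
2019-11-07 16:10:21,5156,Win7_64JP_01,"The Windows Filtering Platform has permitted a connection. Application Name: \device\harddiskvolume1\windows\system32\ntoskrnl.exe Direction: Outbound Source Address: 192.168.0.10 Destination Address: 192.168.0.20 Destination Port: 445"
2019-11-07 16:11:03,5156,Win7_64JP_01,"The Windows Filtering Platform has permitted a connection. Application Name: \device\harddiskvolume1\windows\system32\mstsc.exe Direction: Outbound Source Address: 192.168.0.10 Destination Address: 192.168.0.20 Destination Port: 3389"
'''

# Ports commonly used for remote administration (assumed watch list for Q3).
ADMIN_PORTS = {"135", "139", "445", "3389", "5985", "5986"}


def load_events(csv_text):
    """Parse a CSV export into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def field(message, label):
    """Return the value following 'Label:' in an event message, or None.
    \\s* tolerates both single-line text and the tabbed multi-line layout
    of real Event Viewer exports."""
    m = re.search(re.escape(label) + r":\s*(\S+)", message)
    return m.group(1) if m else None


def connections_by_image(events, image_name):
    """Q1: 5156 events whose Application Name ends with the suspect image."""
    suffix = "\\" + image_name.lower()
    hits = []
    for ev in events:
        if ev["EventID"] != "5156":
            continue
        msg = ev["Message"]
        app = field(msg, "Application Name") or ""
        if app.lower().endswith(suffix):
            hits.append((ev["TimeCreated"],
                         field(msg, "Destination Address"),
                         field(msg, "Destination Port")))
    return hits


def process_creations(events, image_name):
    """Q2: 4688 events that created the suspect image, with its parent."""
    suffix = "\\" + image_name.lower()
    hits = []
    for ev in events:
        if ev["EventID"] != "4688":
            continue
        msg = ev["Message"]
        new_proc = field(msg, "New Process Name") or ""
        if new_proc.lower().endswith(suffix):
            hits.append((ev["TimeCreated"], new_proc,
                         field(msg, "Creator Process Name")))
    return hits


def internal_admin_targets(events, source_host, known_external):
    """Q3 pivot: outbound 5156 connections from the compromised host to
    remote-administration ports, grouped by destination address. Addresses
    already attributed to the malware's C2 are excluded so the result only
    lists other hosts worth checking for lateral movement."""
    targets = defaultdict(set)
    for ev in events:
        if ev["EventID"] != "5156" or ev["Computer"] != source_host:
            continue
        msg = ev["Message"]
        if field(msg, "Direction") != "Outbound":
            continue
        dst, port = field(msg, "Destination Address"), field(msg, "Destination Port")
        if dst in known_external or port not in ADMIN_PORTS:
            continue
        targets[dst].add(port)
    return dict(targets)


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    print("Q1 connections:", connections_by_image(events, "win.exe"))
    print("Q2 creations:  ", process_creations(events, "win.exe"))
    print("Q3 candidates: ", internal_admin_targets(events, "Win7_64JP_01",
                                                    {"198.51.100.101"}))
```

The same three functions work on a real export once `load_events` is pointed at the training CSV and the column names are adjusted; the Q3 function deliberately returns every internal destination on the watch list rather than a single answer, since confirming a target still requires checking the logon events on the remote host.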