TryHackMe – ItsyBitsy writeup

I’ve been doing some courses and experiences to learn Cybersecurity Defense and Blue Team, as I’ve always been attracted by the investigative and forensic side of cybersecurity, and recently I’m doing the SOC Level 1 path on TryHackMe. I’ve decided then to start publishing some posts about the blue team experiences I’m doing. This is the first one I’ve written down, and surely there will be more coming in the future. I’m still not sure about the format that I will use for these posts, so it may change eventually.

Scenario

As explained in the TryHackMe room:

During normal SOC monitoring, Analyst John observed an alert on an IDS solution indicating a potential C2 communication from a user Browne from the HR department. A suspicious file was accessed containing a malicious pattern THM:{ ________ }. A week-long HTTP connection logs have been pulled to investigate. Due to limited resources, only the connection logs could be pulled out and are ingested into the connection_logs index in Kibana.

Our task in this room will be to examine the network connection logs of this user, find the link and the content of the file, and answer the questions.

Investigation

For this room you are provided with access to a Kibana dashboard showing the connection logs for this case.

By looking at the logs it was clear that the suspicious user connected to pastebin.com and opened a .txt file containing the required flag. As explained in the room description, pastebin.com (especially at the time these logs were taken, in 2022) was often used by malware authors as a C2 server for communicating with their implants.

In the following screenshot it’s possible to see the connection to the website, with the host (pastebin.com), the URI of the suspicious resource (/yTg0Ah6a), and even the user agent, “bitsadmin”, which is a legitimate Windows binary used to download the file from the C2 server (BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress).

With the URL of the file, I searched on VirusTotal for additional information, in case it had been used in past malware campaigns, for example. I think checking suspicious URLs using resources like VirusTotal is a good habit to have while doing this type of investigation.

At the time the URL was clean and had no past flags for malicious activity, but the additional detail provided by VirusTotal was that the suspicious URL served only a .txt file (which could also be inferred from the logs, which showed the resp_mime_type as text/plain).
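The same reasoning the investigation applied by hand (a paste site as the host, a command-line downloader as the user agent, a plain-text response) can be turned into a small triage filter. The script below is an added example, not part of the original post or of the TryHackMe room; the log lines are constructed records in the shape of a Zeek http.log exported as JSON (field names such as `user_agent` and `resp_mime_types` are assumptions about the export, and `/placeholder1` is a made-up URI), and the paste-site and user-agent lists are deliberately tiny so they can be extended to whatever an environment considers suspicious.

```python
import json

# Constructed sample records in the shape of a Zeek http.log exported as JSON.
# They mirror the fields discussed above (host, uri, user_agent, response MIME type)
# but are NOT the room's data; the URI /placeholder1 is a made-up value.
SAMPLE_LOG_LINES = [
    '{"ts":"2022-03-01T09:58:12Z","id.orig_h":"192.168.10.25","host":"www.example.org",'
    '"uri":"/index.html","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)",'
    '"resp_mime_types":["text/html"],"status_code":200}',
    '{"ts":"2022-03-01T10:02:45Z","id.orig_h":"192.168.10.25","host":"pastebin.com",'
    '"uri":"/placeholder1","user_agent":"bitsadmin","resp_mime_types":["text/plain"],'
    '"status_code":200}',
    '{"ts":"2022-03-01T10:03:01Z","id.orig_h":"192.168.10.31","host":"pastebin.com",'
    '"uri":"/","user_agent":"Mozilla/5.0 (X11; Linux x86_64)",'
    '"resp_mime_types":["text/html"],"status_code":200}',
    'this line is deliberately not JSON, to show that malformed records are skipped',
]

# Hosts commonly abused as drop points for staging files; extend as needed.
PASTE_SITES = {"pastebin.com"}
# Substrings identifying command-line downloaders in the user agent; extend as needed.
CLI_DOWNLOADER_AGENTS = ("bitsadmin",)


def parse_http_log(lines):
    """Parse JSON log lines into dicts, skipping anything that is not valid JSON."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupted line must not abort the whole run
        if isinstance(rec, dict):
            records.append(rec)
    return records


def suspicion_reasons(rec):
    """Return the list of independent indicators that apply to one HTTP record."""
    reasons = []
    host = (rec.get("host") or "").lower()
    ua = (rec.get("user_agent") or "").lower()
    mimes = rec.get("resp_mime_types") or []
    if isinstance(mimes, str):  # tolerate exports that flatten the list to a string
        mimes = [mimes]

    to_paste_site = host in PASTE_SITES
    cli_downloader = any(agent in ua for agent in CLI_DOWNLOADER_AGENTS)

    if to_paste_site:
        reasons.append(f"request to paste site {host}")
    if cli_downloader:
        reasons.append(f"command-line downloader user agent '{ua}'")
    # A browser landing on the site's front page is normal; fetching a specific
    # plain-text resource from a paste site is the pattern seen in this case.
    if to_paste_site and "text/plain" in mimes and rec.get("uri", "/") != "/":
        reasons.append("plain-text resource fetched from a paste site")
    return reasons


def find_suspicious_http(lines, min_reasons=2):
    """Return records that match at least `min_reasons` indicators, with the reasons."""
    hits = []
    for rec in parse_http_log(lines):
        reasons = suspicion_reasons(rec)
        if len(reasons) >= min_reasons:
            hits.append({
                "ts": rec.get("ts"),
                "src": rec.get("id.orig_h"),
                "url": f"http://{rec.get('host', '')}{rec.get('uri', '')}",
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_http(SAMPLE_LOG_LINES):
        print(hit["ts"], hit["src"], hit["url"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Requiring two independent indicators is what keeps the ordinary browser visit to the pastebin.com front page out of the results while the bitsadmin fetch of a plain-text paste is reported with all three reasons; the threshold is a parameter so it can be lowered when hunting broadly and raised when the alert volume is too high.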

I opened the link from my cloud-based VirtualBox machine (it was of course a safe link, since this was a challenge by TryHackMe, but I prefer to treat these experiences as if they were real in order to learn the correct habits, which is the same reason I checked the URL from the connection logs with VirusTotal before opening it), and the secret.txt file contained the flag required by this room.

Conclusion

It was a quick and easy investigation experience I did with this room, and it gave me an opportunity to play some more with the ELK stack (Elasticsearch, Logstash, Kibana), which is great because I think it’s the type of technology one will end up using often in a SOC Analyst type of job. Also, the skills learned from these experiences are easily transferable to other software widely used in the industry.