Monday, January 27, 2020

SANS Holiday Hack 2019 - Objective 5: Windows Log Analysis: Determine Compromised System

Objective 5:  Windows Log Analysis:  Determine Compromised System

The hints for this challenge are given by Sparkle Redberry in the Laboratory. (Go to the left side of the quad into Hermey Hall.  Continue Left into the Laboratory.)  For this one, it gives a link to a file that must be downloaded and examined:  https://downloads.elfu.org/elfu-zeeklogs.zip.

Sparkle Redberry gives a hint about Rita.  If you’ve seen Black Hills Info Sec or Active Countermeasures webcasts, you may already know what that is. The hint leads to this link:  https://www.activecountermeasures.com/free-tools/rita/.



John Strand’s Kringle Con keynote, A Hunting We Must Go is useful as well.  Here's the link for his talk.  http://www.youtube.com/watch?v=jxOZ5u2CYWw


This objective actually wasn’t that difficult so long as you don’t overthink it.  John Strand covered things to look for in that talk.  One thing that stuck out in my mind was that he stated (and I'm paraphrasing here) that when a system is compromised, the C&C might use differing intervals between communication attempts and send differing amounts of data at a time to trip up analysts; however, the total duration would still be fairly high overall.  

He used an analogy involving pieces of spaghetti.  You can cut a noodle into pieces, but those pieces still add up to one long noodle of spaghetti.  So, look for an IP with a high duration time to find the compromised device.  Obviously, this should still be taken with a grain of salt, and not considered absolute truth, because analysts should still consider that there may be good reason for long duration, like some cloud, management, or backup software that dials home and sends/receives data.  The key is that the organization should have a known inventory of any software, so that if anything is abnormal, it can be detected quickly because it's not in the inventory of normal software.
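The "spaghetti" idea above can be applied directly to Zeek conn.log data: add up every connection between a given source and destination, so that a session chopped into pieces still surfaces as the longest total even when no single piece is the longest connection in the log. The following is an added example, not code from the original post and not RITA's own implementation. It reads the tab-separated conn.log format using the `#fields` header (the column names are Zeek's), and the IPs, uids and durations are constructed sample data.

```python
"""Rank Zeek conn.log source/destination pairs by cumulative duration.

Added example: applies the post's "cut noodle" idea by summing per-pair
durations. Field names follow Zeek's conn.log; the rows below are
constructed sample data, not real traffic.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Columns of Zeek's conn.log used here (a subset of the real log).
HEADER_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                 "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]

# Constructed rows: 192.168.134.130 talks to 203.0.113.10 in four chunks, none as
# long as the single 3000 s session from .131, but adding up to more in total.
SAMPLE_ROWS = [
    ["1575000000.000000", "CjA1", "192.168.134.130", "49152", "203.0.113.10", "443", "tcp", "ssl", "1800.25", "1200", "9000", "SF"],
    ["1575003700.000000", "CjA2", "192.168.134.130", "49153", "203.0.113.10", "443", "tcp", "ssl", "900.0", "800", "4000", "SF"],
    ["1575010000.000000", "CjA3", "192.168.134.130", "49154", "203.0.113.10", "443", "tcp", "ssl", "2700.5", "5000", "20000", "SF"],
    ["1575020000.000000", "CjA4", "192.168.134.130", "49155", "203.0.113.10", "443", "tcp", "ssl", "60.0", "100", "300", "SF"],
    ["1575000500.000000", "CjB1", "192.168.134.131", "50000", "203.0.113.20", "443", "tcp", "ssl", "3000.0", "40000", "900000", "SF"],
    ["1575000600.000000", "CjC1", "192.168.134.132", "50001", "203.0.113.30", "80", "tcp", "-", "-", "0", "0", "S0"],
    ["1575000700.000000", "CjC2", "192.168.134.132", "50002", "203.0.113.30", "80", "tcp", "http", "5.0", "300", "1500", "SF"],
    ["1575000800.000000", "CjA5", "192.168.134.130", "49156", "203.0.113.40", "53", "udp", "dns", "10.0", "60", "120", "SF"],
]

# Assemble the rows into Zeek's TSV layout with the usual leading header lines.
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#fields\t" + "\t".join(HEADER_FIELDS)]
    + ["\t".join(row) for row in SAMPLE_ROWS]
) + "\n"


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek TSV conn.log; column names are taken from the #fields line."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # #separator, #types, #close, ... are skipped
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


class PairStats(NamedTuple):
    orig_h: str
    resp_h: str
    total_seconds: float
    connections: int
    longest_single: float


def rank_long_connections(records: List[Dict[str, str]]) -> List[PairStats]:
    """Sum duration per (orig, resp) pair and return pairs longest-total first.

    Zeek writes '-' when it never saw enough of a connection to time it
    (e.g. conn_state S0); those rows are skipped rather than counted as zero.
    """
    durations: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for rec in records:
        if rec.get("duration", "-") == "-":
            continue
        durations[(rec["id.orig_h"], rec["id.resp_h"])].append(float(rec["duration"]))
    ranked = [PairStats(o, r, sum(d), len(d), max(d)) for (o, r), d in durations.items()]
    ranked.sort(key=lambda p: p.total_seconds, reverse=True)
    return ranked


def longest_single_connection(records: List[Dict[str, str]]) -> Dict[str, str]:
    """The single longest conn row, for contrast with the cumulative ranking."""
    timed = [r for r in records if r.get("duration", "-") != "-"]
    return max(timed, key=lambda r: float(r["duration"]))


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for p in rank_long_connections(recs):
        print(f"{p.orig_h} -> {p.resp_h}: {p.total_seconds:.2f}s over "
              f"{p.connections} conns (longest piece {p.longest_single:.2f}s)")
    single = longest_single_connection(recs)
    print(f"longest single connection: {single['id.orig_h']} -> "
          f"{single['id.resp_h']} ({single['duration']}s)")
```

In the constructed sample, ranking by the single longest connection points at 192.168.134.131, while ranking by cumulative duration points at 192.168.134.130, which is the distinction the spaghetti analogy is making. As the post notes, a high total is a lead to investigate against the organization's software inventory, not proof of compromise on its own.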

Rita was already installed on my version of Slingshot that I downloaded earlier from the sans.org website.  However, if you'd like to install it, it’s fairly easy.  Just follow the instructions located here in the README.md file.  https://github.com/activecm/rita.


After installation, the easiest way to use it is to make an html-report.  The other options are nice if you'd like to parse through the information via the CLI, but the report does a fine job of showing you the data necessary for the challenge.  Just run the following commands (keep in mind, the . means the current directory; if you're running from a different directory, add the path to the elfu-zeeklogs folder).  The "elfu" following the folder name in the first command below can be any name; that was just an easy database name to remember.  The following commands create the report in the same directory as the database. 

rita import ./elfu-zeeklogs elfu
rita html-report

Once the report is created, navigate to the database directory to find the report and run your favorite browser (or whatever is available) to see the report.



Click on a database in the report.  In my case, the database is elfu, because it’s the only database I created.  It displays a tabbed interface.  

Clicking on each tab displays different information that RITA detected: Beacons, Strobes, any source or destination IPs that may have been blacklisted (BL), hostnames that were blacklisted, Long Connections, and User Agents.  We’re interested in the Long Connections tab.  Choose the source with the longest duration, and that’s the compromised host: 192.168.134.130.

