
CyberDefenders

Category : Threat Hunting

CyberDefenders : Write up

SIEM ThreatHunting IBM QRadar CyberDefenders

CyberDefenders : Qradar101 Blue Team Challenge

Details :

Instructions:

  • This challenge is designed to work with VirtualBox. Download the challenge VM and uncompress it using the password ‘cyberdefenders.org’.

  • Please make sure to watch the instructional video under the Walkthroughs section.

  • Make sure you have a host-only subnet within the following IP range 192.168.20.0/24.

  • Assign the proper network adapter (192.168.20.0/24) to the VM before starting it.

  • Wait a few minutes after the import completes, then visit: https://192.168.20.21/.

  • Challenge credentials: QRadar Dashboard: admin:Admin@123 — SSH: root:cyberdefenders

  • If you face a license issue, go to License Pool Management, edit the EPS and set it to a value > 0, then edit the FPM and set it to 0. This will ensure you will not have a license problem.

  • Hardware Requirements: 8GB of memory and 65GB of disk space.

Challenge Overview

A financial company was compromised, and they are looking for a security analyst to help them investigate the incident. This challenge consists of 24 questions. We will solve them and make things easier for those who have problems solving them, so let’s start.

Dataset:

-Sysmon (SwiftOnSecurity configuration)

-PowerShell logging

-Windows Eventlog

-Suricata IDS

-Zeek logs (conn, HTTP)

First we will prepare the network for the machines:

Open Oracle VM VirtualBox > File > Tools > Network Manager > Host-only Ethernet Adapter.

Then we will do the following:

Adapter should be set like this ….

The DHCP Server must be set up like this ….


Let’s get started :

(1) How many log sources are available?

Log in to QRadar SIEM, select the Admin tab, and then click Log Sources:

Answer: 1# log sources.

(2)What is the IDS software used to monitor the network?

Looking at the sources of the logs above, you can find out what IDS is:

Answer: ####cata .

(3) What is the domain name used in the network?

The Event ID 4624 in the Windows Event Log indicates a successful logon event.

We examine the first event.

We found the Domain here.

Answer: ##########.local .

(4) Multiple IPs were communicating with the malicious server. One of them ends with “20”. Provide the full IP?

We went to the Dashboard and looked at Top Sources. We found that 192.168.##.## had the most offenses (7):

We can display a log of activity by source IP to see which IPs generated the most communication :

We found that the IP 192.168.##.## generated the most communication :

Answer: 192.168.##.## .

(5) What is the SID of the most frequent alert rule in the dataset?

We went to Edit Search, then to Column Definition, and added the Rule SID column:

Then we know that “#####65” is the correct answer, because it is the highest in the Count column, with 72 hits:

Now we can see the most frequent SID in the dataset:

Answer: #####65 .

(6) What is the attacker’s IP address?

In closed offenses, we can see a suspicious public IP.

Answer : 192.##.##.## .

(7) The attacker was searching for data belonging to one of the company’s projects, can you find the name of the project ?

We can search for the project name with a regular expression:

We can see 4 events :

then read payload information :

Answer : #######48 .

(8) What is the IP address of the first infected machine ?

We added a filter with the attacker’s IP address as the source IP:

We found that the attacker’s IP was sending malware to IP 192.168.10.15 :

I found the Suricata alert, like this:

Answer : 192.168.##.## .

(9) What is the username of the infected employee using 192.168.10.15 ?

We searched Google for the successful logon event ID:

Then we added the filter :

Then I found that the username for 192.168.10.15 is Nour :

We also looked at the payload information :

Answer : ###r .

(10) Hackers do not like logging, what logging was the attacker checking to see if enabled ?

We can apply a new filter for the log source HD-FIN-03 and the username “nour”:

You’ll find that the attacker tried using PowerShell :

Answer : p######### .

(11) Name of the second system the attacker targeted to cover up the employee ?

We added a Process CommandLine filter containing “del”:

Then we entered :

We found a second system :

This is the command line :

Answer : ####-01 .

(12) When was the first malicious connection to the domain controller (log start time — hh:mm:ss)?

We have searched for :

So we added id :

We found a file that the attacker is uploading at the same time :

Answer : 11:##:## .

(13) What is the md5 hash of the malicious file?

We will add a new filter by hash; we can find the .docx file that carries the malicious hash, or add a filter for Sysmon Event ID 15:

We can look at the payload information to access the hash of the file:

Answer : ###########CD9D35###############.

(14) What is the MITRE persistence technique ID used by the attacker?

We searched on Google and found that one of the most common techniques used by malware and threat actors to establish persistence is the use of registry Run keys and Startup folders on a Windows system.

Add filter Event id with number 13 :

we applied a filter for Sysmon Event ID 13: RegistryEvent (Value Set) and added a column for “Target Object”.

We will go to MITRE ATT&CK®, then search for \Windows\CurrentVersion:

The expected result will appear :

Answer : #####.001 .

(15) What protocol is used to perform host discovery?

We added a filter. We can discover this information by analyzing outgoing traffic from “192.168.10.15”, with the log source set to Zeek_conn.

Then we filtered out the UDP and TCP connections:

Answer : i### .

(16) What is the email service used by the company?(one word)

We added these filters to find all the external hosts the company communicates with, and from them the service the company relies on:

Then we searched the website www.iplocation.net to find out which service each IP address belongs to:

The search result showed #########365 and ######365.

Answer : ######365 .

(17) What is the name of the malicious file used for the initial infection ?

Referring to question 13, we found the file with the MD5 hash:

Answer : #########_############.docx

(18) What is the name of the new account added by the attacker ?

We will search for the event ID of “A user account was created”:

So I took the ID 4720 and added a filter :

Then we will look at the payload information :

Answer : ####o .

(19) What is the PID of the process that performed injection ?

We searched Google for the event ID that records a process performing injection:

We added this filter :

Then we found an alarm for the notepad file being uploaded:

We found the PID :

Answer : #### .
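The Sysmon filters used in questions 11, 13, 14 and 19 (command lines containing “del”, Event ID 15 hashes, Event ID 13 Run-key writes, and Event ID 8 injection) can be expressed as simple detection logic. The following is an added example written for this write-up; it is not the author’s code and does not touch the challenge dataset. Events are modelled as dicts keyed by the field names Sysmon itself emits (EventID, CommandLine, TargetObject, Hashes, SourceProcessId, ...), and every event, path and hash in SAMPLE_EVENTS is constructed for illustration.

```python
"""Sysmon triage helpers for Event IDs 1, 8, 13 and 15.

Added example for this write-up; not the author's code, not the challenge data.
Field names follow Sysmon's own schema; all sample events are constructed.
"""
import re

# Constructed sample events (hosts, users, paths and hashes are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "HOST-A", "User": r"LAB\alice", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c del /f /q C:\Users\alice\Downloads\report.docx"},
    {"EventID": 1, "Computer": "HOST-A", "User": r"LAB\alice", "ProcessId": 5512,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    {"EventID": 13, "Computer": "HOST-A", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"EventID": 13, "Computer": "HOST-A", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 8, "Computer": "HOST-A",
     "SourceProcessId": 6044, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "TargetProcessId": 5512, "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 15, "Computer": "HOST-A", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.docx:Zone.Identifier",
     "Hashes": "MD5=00112233445566778899AABBCCDDEEFF,SHA256=" + "AB" * 32},
]

# Run / RunOnce values under ...\CurrentVersion\ are the classic autostart location.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# cmd.exe built-ins that remove files or directories, at the start or after a separator.
DELETE_RE = re.compile(r"(?:^|[\s&|])(?:del|erase|rd|rmdir)\s", re.IGNORECASE)


def deletion_commands(events):
    """Question 11: Event ID 1 (process create) whose command line deletes something."""
    return [e for e in events
            if e.get("EventID") == 1 and DELETE_RE.search(e.get("CommandLine", ""))]


def run_key_persistence(events):
    """Question 14: Event ID 13 (RegistryEvent, Value Set) under the Run/RunOnce keys."""
    return [e for e in events
            if e.get("EventID") == 13 and RUN_KEY_RE.search(e.get("TargetObject", ""))]


def injection_sources(events):
    """Question 19: Event ID 8 (CreateRemoteThread): (injecting PID, image, target PID, image)."""
    return [(e["SourceProcessId"], e["SourceImage"], e["TargetProcessId"], e["TargetImage"])
            for e in events if e.get("EventID") == 8]


def md5_for_file(events, name_fragment):
    """Question 13: read the MD5 out of the Hashes field of Event ID 15 (FileCreateStreamHash)."""
    for e in events:
        if e.get("EventID") == 15 and name_fragment.lower() in e.get("TargetFilename", "").lower():
            hashes = dict(part.split("=", 1) for part in e["Hashes"].split(","))
            return hashes.get("MD5")
    return None


if __name__ == "__main__":
    for e in deletion_commands(SAMPLE_EVENTS):
        print("deletion:", e["Computer"], e["ProcessId"], e["CommandLine"])
    for e in run_key_persistence(SAMPLE_EVENTS):
        print("run key:", e["TargetObject"], "->", e["Details"])
    for src_pid, src_img, dst_pid, dst_img in injection_sources(SAMPLE_EVENTS):
        print("injection:", src_pid, src_img, "->", dst_pid, dst_img)
    print("md5:", md5_for_file(SAMPLE_EVENTS, "invoice.docx"))
```

The regular expression for Run keys deliberately matches only values directly under Run or RunOnce, so the Explorer\Advanced write in the sample is ignored; the deletion pattern requires a separator before the built-in so that words such as “record” do not trigger it.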

(20) What is the name of the tool used for lateral movement ?

We have added a filter to find out what technique the attacker used :

The result was some commands that the attacker typed into the command lines :

We used MITRE ATT&CK® Software and the registry path Software\Policies\Microsoft\Windows\PowerShell :

Here we found Impacket and searched it :

We even found the tool used for lateral movement, which the attacker used :

Then we headed to https://github.com/ to look at it:

Answer : #######.py .

(21) Attacker exfiltrated one file, what is the name of the tool used for exfiltration ?

We used this filter :

The result was :

Answer : ###l.

(22) Who is the other legitimate domain admin other than the administrator ?

To find the other domain admin, I applied a filter for event ID 4672 :

Then we added a filter :

We found the two devices logging into Administrator Adam’s account :

Answer : ###m .
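Questions 3, 9, 18 and 22 all come down to pivoting on Windows Security event IDs (4624 successful logon, 4720 account created, 4672 special privileges assigned). The code below is an added example written for this write-up; it is not the author’s code and is not run against the challenge data. Field names follow the Windows Security log (EventID, TargetUserName, TargetDomainName, IpAddress, SubjectUserName, PrivilegeList), and every event in SAMPLE_EVENTS is constructed.

```python
"""Windows Security log correlation for logon, account-creation and privilege events.

Added example for this write-up; not the author's code, not the challenge data.
All sample events are constructed.
"""
from collections import Counter, defaultdict


def _logon(user, ip, logon_type=3, domain="LAB"):
    return {"EventID": 4624, "Computer": "DC-01", "TargetUserName": user,
            "TargetDomainName": domain, "IpAddress": ip, "LogonType": logon_type}


def _special_logon(user, computer="DC-01"):
    return {"EventID": 4672, "Computer": computer, "SubjectUserName": user,
            "PrivilegeList": "SeSecurityPrivilege SeBackupPrivilege SeDebugPrivilege"}


# Constructed sample events (hosts, users and addresses are made up).
SAMPLE_EVENTS = [
    _logon("alice", "192.168.10.15"),
    _logon("alice", "192.168.10.15"),
    _logon("bob", "192.168.10.20"),
    _logon("DC-01$", "-", logon_type=5),                        # service logon by a machine account
    _logon("ANONYMOUS LOGON", "192.168.10.30", domain="NT AUTHORITY"),
    {"EventID": 4720, "Computer": "DC-01", "SubjectUserName": "Administrator",
     "TargetUserName": "svc_backup", "TargetDomainName": "LAB"},
    _special_logon("Administrator"),
    _special_logon("bob"),
    _special_logon("bob", computer="FILE-01"),
    _special_logon("DC-01$"),
]

BUILTIN_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"}


def is_service_or_machine(user):
    """Machine accounts end in '$'; the built-ins never correspond to a person."""
    return user.endswith("$") or user.upper() in BUILTIN_ACCOUNTS


def domain_in_use(events):
    """Question 3: most common TargetDomainName on 4624 logons by real user accounts."""
    counts = Counter(e["TargetDomainName"] for e in events
                     if e.get("EventID") == 4624 and not is_service_or_machine(e["TargetUserName"]))
    return counts.most_common(1)[0][0] if counts else None


def users_by_source_ip(events):
    """Question 9: which accounts logged on from each source IP (4624 with a real IpAddress)."""
    seen = defaultdict(Counter)
    for e in events:
        if e.get("EventID") == 4624 and e.get("IpAddress") not in ("-", "", None):
            seen[e["IpAddress"]][e["TargetUserName"]] += 1
    return dict(seen)


def created_accounts(events):
    """Question 18: 4720 'A user account was created' as (creator, new account) pairs."""
    return [(e["SubjectUserName"], e["TargetUserName"])
            for e in events if e.get("EventID") == 4720]


def privileged_users(events):
    """Question 22: accounts with 4672 special-privilege logons, minus machine accounts
    and the built-in Administrator, so only the other admins remain."""
    return sorted({e["SubjectUserName"] for e in events
                   if e.get("EventID") == 4672
                   and not is_service_or_machine(e["SubjectUserName"])
                   and e["SubjectUserName"].lower() != "administrator"})


if __name__ == "__main__":
    print("domain:", domain_in_use(SAMPLE_EVENTS))
    for ip, users in users_by_source_ip(SAMPLE_EVENTS).items():
        print("logons from", ip, dict(users))
    print("created:", created_accounts(SAMPLE_EVENTS))
    print("privileged:", privileged_users(SAMPLE_EVENTS))
```

Filtering out machine accounts and built-ins matters in practice: domain controllers generate a steady stream of 4672 events for their own computer accounts, which would otherwise drown the handful of human administrators in the result.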

(23) The attacker used the host discovery technique to find out how many hosts were available in a certain network. What is the network the hacker scanned from host IP 1 to 30?

We used this filter :

You will find that the IP 192.168.10.15 has started scanning the IP addresses from 192.168.20.1 to 192.168.20.30 .

Answer : 192.168.##.# .
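Questions 15 and 23 are both answered from the Zeek conn log: first by seeing which protocol remains once TCP and UDP are filtered out for the infected host, then by noticing that one source touched a whole range of hosts in a single /24. The following is an added example written for this write-up, not the author’s code; the conn.log excerpt it builds is constructed (thirty ICMP echo requests to 192.168.20.1–30 plus three ordinary flows), and the field names are the ones Zeek writes in its #fields header. The sweep detector is general: it works for any source and any /24, not just the one in the challenge.

```python
"""ICMP host-discovery detection over a Zeek conn.log.

Added example for this write-up; not the author's code, not the challenge data.
The log excerpt is constructed; field names follow Zeek's conn.log header.
"""
import ipaddress
from collections import Counter, defaultdict

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "conn_state"]


def build_sample_conn_log():
    """Constructed conn.log text: a /24 ICMP sweep from one host plus three normal flows."""
    lines = ["#separator \\x09", "#fields\t" + "\t".join(FIELDS)]
    for i, host in enumerate(range(1, 31)):
        # For ICMP, Zeek stores the ICMP type in id.orig_p and the code in id.resp_p (8/0 = echo request).
        lines.append(f"{1600000000 + i}.000000\tCsw{i:03d}\t192.168.10.15\t8\t192.168.20.{host}\t0\ticmp\tOTH")
    lines.append("1600000100.000000\tCdns01\t192.168.10.15\t51000\t192.168.10.1\t53\tudp\tSF")
    lines.append("1600000101.000000\tCweb01\t192.168.10.15\t51001\t203.0.113.5\t443\ttcp\tSF")
    lines.append("1600000102.000000\tCweb02\t192.168.10.20\t51002\t192.168.20.21\t443\ttcp\tSF")
    return "\n".join(lines) + "\n"


def parse_conn_log(text):
    """Parse Zeek's TSV format using its own #fields header; other '#' lines are metadata."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def protocol_counts(records, src):
    """Question 15: protocols used by a host; with tcp/udp excluded, icmp is what is left."""
    return Counter(r["proto"] for r in records if r["id.orig_h"] == src)


def icmp_sweeps(records, min_hosts=10):
    """Question 23: sources that sent ICMP to many distinct hosts inside one /24.
    Returns {src: (network, lowest host octet, highest host octet, distinct hosts)}."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] != "icmp":
            continue
        dst = ipaddress.ip_address(r["id.resp_h"])
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        targets[(r["id.orig_h"], net)].add(dst)
    found = {}
    for (src, net), hosts in targets.items():
        if len(hosts) >= min_hosts:
            found[src] = (str(net), int(min(hosts)) & 0xFF, int(max(hosts)) & 0xFF, len(hosts))
    return found


if __name__ == "__main__":
    recs = parse_conn_log(build_sample_conn_log())
    print("protocols from 192.168.10.15:", dict(protocol_counts(recs, "192.168.10.15")))
    for src, (net, lo, hi, n) in icmp_sweeps(recs).items():
        print(f"{src} swept {net} hosts {lo}-{hi} ({n} distinct)")
```

The threshold of ten distinct hosts is an assumption chosen for the example; on a real network it should be tuned against the normal ICMP baseline (monitoring systems often ping many hosts legitimately), and the same grouping can be widened to any prefix length by changing the /24.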

(24)What is the name of the employee who hired the attacker ?

Looking at the answers to the previous questions, we may know that the file is called Sami :

but we added the answers for confirmation :

Answer : #a## .

In the end: I hope you start solving the challenge before looking at where the solutions are. At the end of this wonderful challenge, I hope that we have succeeded in writing the report well. If you find any problem understanding part of the solution, please contact me. Thank you for reading the report.

See you soon in other reports….!!

Abdelwahab_Shandy

AS_Cyber