Scenario
You are a SOC analyst and handling the alerts within your SIEM, ELK, is part of daily duties. Answer the following questions by analysing the alerts provided in README.txt!
ELK Log Analysis Network Analysis T1569.002
Investigation Submission
1) Alert 1 (1/2) - What is the cmdlet used for downloading?
Open kibana dashboard, go to discover and investigate for winevt-powershell logs.
Looking for cmdlet used to download file in the window time indicated in README.txt file.
I filtered for Event_EventData_Data_#text{} : is one of Invoke, Download as suggested in README.txt file.
Or you can copy and paste in KQL bar the following rule: "*.DownloadFile*" OR "*.DownloadString*" OR "*Invoke-WebRequest*"
Invoke-WebRequest
2) Alert 1 (2/2) - What is the full URL from which the file is downloaded?
It is written in the same log.
https://raw.githubusercontent.com/nerrorsec/SBT-SOC/main/MSWorker.exe
3) Alert 2 (1/1) - What is the name of the suspicious EXE that is added for Persistence?
README.txt file contains all useful information to answer this question.
MSworker.exe
4) Alert 3 (1/2) - What is the name of the suspicious executable file involved?
Be careful to time!
service.exe
5) Alert 3 (2/2) - What is the name of the key path?
The complete key is HKU\S-1-5-21-2979773156-725440210-495427616-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service".
Service
6) Alert 4 (1/2) - What is the name of the task?
Copy and paste the following rule from README.txt file: Event_EventData_Image:*schtasks.exe* AND Event_EventData_CommandLine:*Create*
My Task
7) Alert 4 (2/2) - What is the full path of the program?
C:\Program Files\GameLoaderGen\gen.bat