Investigating with Splunk

Welcome to the "Investigating with Splunk" CTF writeup. As the title suggests, we are going to analyze and investigate some logs using Splunk; then, once we have collected all the information, we have to provide some answers to complete the challenge.
Here is the link to the challenge on TryHackMe: https://tryhackme.com/room/investigatingwithsplunk

Before starting the challenge it is suggested to have some knowledge of Splunk and log investigation, as it will be the key to solving it.
To complete the challenge we have to analyze the logs and find clues to submit 10 answers to the related questions.

As always in the THM challenges I will not post the answers but a step-by-step guide to get them.



The Scenario
SOC Analyst Johny has observed some anomalous behaviours in the logs of a few Windows machines. It looks like the adversary has access to some of these machines and has successfully created some backdoors. His manager has asked him to pull those logs from the suspected hosts and ingest them into Splunk for a quick investigation. Our task as SOC Analyst is to examine the logs and identify the anomalies.


Investigation
Start the machine and wait around 5 minutes; when it is ready, visit the machine IP from the AttackBox or from your own device connected via OpenVPN.

Once inside Splunk, click on "Search & Reporting" on the left side; this is the ground for our investigation.

First, click on the time range picker at the top right and select "All Time", so that we see all the collected logs. We know that the logs we want to check are saved in the index main; to tell Splunk to show them we write index=main in the search bar.

Now it is time to hunt for anomalies in the logs and find which host was infected and what exactly happened.



Questions
1. How many events were collected and ingested in the 'index main'?

index=main

2. On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?

Since we know that a new account has been created, we can filter for this specific type of event. After searching it up, I found that the ID for that event is "4720". Let's add it to the search and look at the only log that appears: we can see the new username.

index=main EventID="4720"

3. On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?

In this case we have to change the EventID to 13; we can also add the new username to the search to filter the results better.

index=main EventID="13" A1berto

4. Examine the logs and identify the user that the adversary was trying to impersonate.

Checking the User field on the left side, we notice that there is a legitimate user with a very similar name.

5. What is the command used to add a backdoor user from a remote computer?

This time we are searching the system log events whose ID is 1.

index=main EventID="1"
Now there are 25 logs to analyze, but checking the CommandLine field on the left side shows only 4 distinct commands, and we can identify the one we are interested in.

6. How many times was the login attempt from the backdoor user observed during the investigation?

We can filter for events related to the fake user and notice that there are none, which means we have observed 0 events.

index=main User="A1berto"

7. What is the name of the infected host on which suspicious PowerShell commands were executed?

Let's search for Powershell and then use the Hostname filter on the left side; we can see there is only one value:

index=main Powershell

8. PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?

In Windows, the PowerShell commands are logged with the EventID 4103.

index=main EventID="4103"
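Questions 1 to 8 are all the same move: filter index=main by a field value, then read the fields panel on the left. The Python below is an added example (not part of this writeup and not Splunk code) that replays those filters over a handful of constructed Windows/Sysmon-style events and adds the lookalike-name check behind question 4. The host names, the legitimate user "Alberto", the registry path and the command lines are made up for the example; only the username A1berto comes from the searches above.

```python
from collections import Counter

# Constructed sample events mirroring the Splunk fields used in the writeup
# (EventID, Hostname, User, CommandLine, TargetObject). Everything here is made up
# for the example except the username A1berto, which is the one from the writeup.
EVENTS = [
    {"EventID": 4624, "Hostname": "HOST-A", "User": "Alberto"},
    {"EventID": 1, "Hostname": "HOST-A", "User": "Alberto",
     "CommandLine": "net user A1berto /add"},
    {"EventID": 4720, "Hostname": "HOST-A", "User": "Alberto", "TargetUserName": "A1berto"},
    {"EventID": 13, "Hostname": "HOST-A",
     "TargetObject": r"HKLM\SOFTWARE\Example\Users\A1berto"},
    {"EventID": 1, "Hostname": "HOST-B", "User": "Johny",
     "CommandLine": "powershell.exe -NoP -Enc QQBCAEMA"},   # constructed: 'ABC' encoded
    {"EventID": 4103, "Hostname": "HOST-B", "ContextInfo": "Host Application = powershell.exe"},
    {"EventID": 4103, "Hostname": "HOST-B", "ContextInfo": "Host Application = powershell.exe"},
]


def search(events, **filters):
    """Equivalent of a Splunk field=value search: every given field must match exactly."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]


def count_events(events):
    """Question 1: the event count Splunk shows for a bare index=main search."""
    return len(events)


def field_values(events, field):
    """Mirror of the left-hand fields panel: distinct values of a field with their counts."""
    return Counter(e[field] for e in events if field in e)


def created_users(events):
    """Question 2: EventID 4720 (user account created); the new name is TargetUserName."""
    return [e["TargetUserName"] for e in search(events, EventID=4720)]


def registry_events_for(events, user):
    """Question 3: Sysmon EventID 13 records whose registry path mentions the new user."""
    return [e for e in search(events, EventID=13) if user in e.get("TargetObject", "")]


# Digit-for-letter swaps commonly used to forge a lookalike account name.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


def impersonation_target(suspect, known_users):
    """Question 4: which legitimate name does the suspect mimic? Swaps and case are
    folded on both sides before comparing; None when no lookalike exists."""
    folded = suspect.lower().translate(HOMOGLYPHS)
    for user in known_users:
        if user != suspect and user.lower().translate(HOMOGLYPHS) == folded:
            return user
    return None


def hosts_matching(events, term):
    """Question 7: a bare-word search (term anywhere in the event, case-insensitive)
    followed by the Hostname panel."""
    term = term.lower()
    hits = [e for e in events if any(term in str(v).lower() for v in e.values())]
    return field_values(hits, "Hostname")


if __name__ == "__main__":
    print("events in index:", count_events(EVENTS))
    new = created_users(EVENTS)
    print("accounts created (4720):", new)
    print("registry changes for", new[0], ":", registry_events_for(EVENTS, new[0]))
    print("impersonates:", impersonation_target(new[0], field_values(EVENTS, "User")))
    print("distinct command lines:", dict(field_values(EVENTS, "CommandLine")))
    print("events for backdoor user:", len(search(EVENTS, User=new[0])))
    print("hosts running powershell:", dict(hosts_matching(EVENTS, "powershell")))
    print("4103 events:", len(search(EVENTS, EventID=4103)))
```

The fold in impersonation_target is the piece worth keeping: comparing raw strings would never flag A1berto against Alberto, so any alert on new accounts should normalise both names before the comparison.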

9. An encoded PowerShell script from the infected host initiated a web request. What is the full URL?

Further analyzing the logs from question 5, we notice some Base64-encoded data.

We can copy this and drop it into an online Base64 decoder, or use the Linux base64 binary, and we get this...

Investigating this payload, there is another Base64-encoded string:


aAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADAALgA1AA==
Let's decode this as well and we get the URL; now paste it into CyberChef to defang it.
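Question 9 is a two-layer decode: a PowerShell -EncodedCommand argument is Base64 over UTF-16LE text, and the script it hides carries a second Base64 string. The Python below is an added example, not part of this writeup, that peels those layers automatically and defangs whatever URL falls out. The inner string is the one quoted above; the outer command line is constructed inside the block, since the writeup does not reproduce it.

```python
import base64
import re

# Inner Base64 string quoted in the writeup (found inside the decoded first layer).
INNER_B64 = "aAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADAALgA1AA=="

# Candidate tokens: long runs of the Base64 alphabet with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"\bhttps?://[^\s'\"<>)]+")


def build_sample_command_line():
    """Constructed stand-in for the Sysmon EventID 1 CommandLine field. The writeup
    does not reproduce the outer encoded command, so this wraps the page's inner
    string in a minimal script the way -EncodedCommand carries it: UTF-16LE, then Base64."""
    script = ("$u=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
              + INNER_B64 + "'));Invoke-WebRequest $u")
    outer = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "powershell.exe -NoP -Enc " + outer


def decode_b64_text(token):
    """Decode one token. PowerShell -EncodedCommand is UTF-16LE, so that is tried
    first (every odd byte is 0x00 for ASCII text); otherwise UTF-8. Returns None
    when the token is not Base64 or does not decode to printable text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    if not text or not all(c.isprintable() or c.isspace() for c in text):
        return None
    return text


def peel_layers(text, max_depth=5):
    """Find the first token that decodes to text, descend into it, repeat.
    Returns the decoded layers, outermost first."""
    layers = []
    current = text
    for _ in range(max_depth):
        candidates = (decode_b64_text(m.group(0)) for m in B64_TOKEN.finditer(current))
        decoded = next((d for d in candidates if d), None)
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


def defang(url):
    """CyberChef-style defang: http -> hxxp and every dot wrapped in brackets."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")


def decoded_urls(command_line):
    """Every URL found in any decoded layer, defanged for safe reporting."""
    found = []
    for layer in peel_layers(command_line):
        found.extend(defang(u) for u in URL.findall(layer))
    return found


if __name__ == "__main__":
    sample = build_sample_command_line()
    for depth, layer in enumerate(peel_layers(sample), 1):
        print(f"layer {depth}: {layer}")
    print("defanged:", decoded_urls(sample))
```

The odd-byte test in decode_b64_text is what makes the first layer readable: running the same bytes through a plain UTF-8 decoder gives the "h t t p" with gaps that an online decoder shows for -EncodedCommand payloads, which is why the second string is easy to miss.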


Congratulations, you have completed the investigation. I hope you had fun as well.
See you in the next CTF WriteUp 🤗