To navigate to the lab, go to www.cybrary.it, click Browse, and then click the link for the Cyber Score labs. Scroll through the labs until you find the Log Correlation Analysis Lab.
Welcome to Log Correlation Analysis. The objectives for this lab are to correlate server, machine and application logs, determine the level of access obtained, and determine the program used to provide that access.

The scenario is that you're responding to an event that was detected by the incident response team. You're aware that there's been an incident or an attack, but you need to verify what level of access was obtained and by what programs.
So go ahead and log into the Windows 7 machine with the student account and the password "password". Then open the Splunk logs folder on the desktop, double-click each of the log files inside, and review them to get a feel for the data in its raw form.
While in these logs, look for any signs that there has been malicious activity. This can come in the form of user creation or modification, file downloads, or a high number of invalid login attempts. Once a sign of suspicious activity is seen, that gives you a reason to import the logs into a log correlation tool so that they're in a more efficient, usable and readable format.
The security logs can be super time consuming to go through, but they also provide a ton of information regarding logins, file access and modification, and so on; pretty much a little bit of everything that happens on the system. Same kind of story with the Windows Update logs: they provide information on missing or failed patches, making sure that exploitable vulnerabilities related to missing patches can be fixed.
So we're going to go ahead and open Splunk: type Splunk in the Start menu and click on the Splunk Enterprise icon that appears. Once on the home screen, click Add Data to begin the process of importing the data.

The purpose of adding these logs is to get you familiar with what you can view in the Windows Update logs. You could also look through them with PowerShell, but this is pretty easy in terms of using an enterprise solution and a SIEM tool like we talked about.
Select Upload Files, open the Splunk logs folder, select winupdate.log, and press Next to continue. At the Set Source Type screen we'll be using syslog, which you can find under the Operating System drop-down menu. At the Input Settings screen you can enter a host field value, which will help us organize our data: enter win_update in the host field value box, press Review, check the review, and then press Submit.
Then click Add More Data and upload the webapp.csv file. For this one you can leave the source type as .csv, enter webapp in the host field value, and click Review and then Submit.
Next, we're going to upload the mailserv.csv file. For this one you can also leave the source type as .csv, then enter mailserv in the host field value field, review and submit.
Finally, we're going to add the win_sec logs. Upload those logs and press Next to continue. You can also leave the default .csv source type on this one, and for the host field value you'll want to enter win_sec.
Return to the Splunk Search & Reporting page and we'll start searching. We begin by searching the mail server and web logs to identify malicious activity. Enter the following in the search window: source=mailserv.csv

If you want to put the earliest entries first, you can also add a pipe and then reverse after that: source=mailserv.csv | reverse

You can see by looking at the logs that there was a large number of login failures in the mailserv log. This is an indication that someone is attempting SSH brute-force actions against your mail server, and it should be documented in your notes.
Next, search the web app log file with source=webapp.csv; you can leave the reverse command in there. Here you can see some suspicious files being downloaded, followed by POST activity from the Windows system to a remote page. That activity could indicate that a file was installed on the machine and that the machine is now under some sort of remote control.

From everything we know so far, there are indicators of brute-force attempts on the mail server as well as suspicious file downloads on a machine in the server room.
To zero in on the Windows logs, enter the following into the search field: source=win_sec_logs.csv. You can leave the reverse command in. Now look at the log information towards the bottom of the page. You'll find a log that states a user account was created. Expanding this log shows that a user account called gamer, with a 3 instead of the e, was created at 9:27 p.m. on 2/15/16.
Now we're going to change the command so we can review additional log information and determine whether the gamer user account was added to the Administrators group. Type in: source=win_sec_logs.csv security-enabled

In the third log here, we can see that the gamer account was added to the built-in Administrators group. This confirms that the gamer account was assigned administrative privileges.
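As an added example, not part of the lab or its log files, here is a small Python script that performs the same three correlations the searches above walk through, but outside Splunk: counting SSH login failures per source address, pairing an executable download with a POST to a remote host from the same client, and linking an account-creation event to the account's addition to Administrators. The sample rows, column names, IP addresses and time window sizes are constructed for the example (the account name mirrors the lab's "gamer with a 3 instead of the e"); the Windows event IDs 4720 and 4732 are the standard IDs for "a user account was created" and "a member was added to a security-enabled local group".

```python
"""Toy cross-source log correlation (added example; not the lab's own code)."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows for three sources. Column names are assumptions,
# not the schema of the lab's real CSV files.
MAILSERV_CSV = """timestamp,host,message
2016-02-15 21:10:01,mailserv,sshd: Failed password for root from 198.51.100.7 port 50122 ssh2
2016-02-15 21:10:02,mailserv,sshd: Failed password for admin from 198.51.100.7 port 50123 ssh2
2016-02-15 21:10:03,mailserv,sshd: Failed password for admin from 198.51.100.7 port 50124 ssh2
2016-02-15 21:10:04,mailserv,sshd: Failed password for oracle from 198.51.100.7 port 50125 ssh2
2016-02-15 21:10:05,mailserv,sshd: Failed password for test from 198.51.100.7 port 50126 ssh2
2016-02-15 21:10:06,mailserv,sshd: Failed password for guest from 198.51.100.7 port 50127 ssh2
2016-02-15 21:14:30,mailserv,sshd: Failed password for bob from 10.0.0.25 port 41002 ssh2
2016-02-15 21:14:40,mailserv,sshd: Accepted password for bob from 10.0.0.25 port 41003 ssh2
"""
WEBAPP_CSV = """timestamp,host,client,method,url
2016-02-15 21:20:10,webapp,10.0.0.25,GET,/downloads/free_game_installer.exe
2016-02-15 21:20:15,webapp,10.0.0.25,GET,/downloads/readme.txt
2016-02-15 21:22:40,webapp,10.0.0.25,POST,http://203.0.113.9/checkin
2016-02-15 21:30:00,webapp,10.0.0.31,GET,/index.html
"""
WINSEC_CSV = """timestamp,host,event_id,message
2016-02-15 21:27:00,win_sec,4720,A user account was created. Account Name: gam3r
2016-02-15 21:27:05,win_sec,4732,A member was added to a security-enabled local group. Member: gam3r Group: Administrators
2016-02-15 21:28:00,win_sec,4624,An account was successfully logged on. Account Name: gam3r
"""

def parse(csv_text):
    """Read CSV text into dicts and add a parsed datetime under 'ts'."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
    return rows

FAILED_RE = re.compile(r"Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)")

def ssh_bruteforce(rows, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: failures} for sources with >= threshold failures in any sliding window."""
    by_ip = defaultdict(list)
    for r in rows:
        m = FAILED_RE.search(r["message"])
        if m:
            by_ip[m.group(2)].append(r["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits

def download_then_beacon(rows, window=timedelta(minutes=10)):
    """Pair an executable download with a later POST to an absolute URL from the same client."""
    pairs = []
    for dl in rows:
        if dl["method"] != "GET" or not dl["url"].lower().endswith((".exe", ".msi", ".scr")):
            continue
        for post in rows:
            if (post["client"] == dl["client"] and post["method"] == "POST"
                    and post["url"].startswith("http")
                    and timedelta(0) <= post["ts"] - dl["ts"] <= window):
                pairs.append((dl, post))
    return pairs

ACCOUNT_RE = re.compile(r"Account Name: (\S+)")
MEMBER_RE = re.compile(r"Member: (\S+) Group: (\S+)")

def privileged_account_creation(rows, window=timedelta(minutes=15)):
    """Accounts created (4720) and then added to Administrators (4732) within the window."""
    created = {}
    for r in rows:
        if r["event_id"] == "4720":
            m = ACCOUNT_RE.search(r["message"])
            if m:
                created[m.group(1)] = r["ts"]
    escalated = []
    for r in rows:
        if r["event_id"] != "4732":
            continue
        m = MEMBER_RE.search(r["message"])
        if not m or m.group(2) != "Administrators":
            continue
        name = m.group(1)
        if name in created and timedelta(0) <= r["ts"] - created[name] <= window:
            escalated.append(name)
    return escalated

def build_timeline(mail, web, win):
    """Merge findings from all three sources into one chronological list of (ts, host, note)."""
    events = []
    for ip, n in ssh_bruteforce(mail).items():
        first = min(r["ts"] for r in mail if ip in r["message"])
        events.append((first, "mailserv", f"SSH brute force from {ip} ({n} failures)"))
    for dl, post in download_then_beacon(web):
        events.append((dl["ts"], "webapp", f"{dl['client']} downloaded {dl['url']}"))
        events.append((post["ts"], "webapp", f"{post['client']} POST to {post['url']}"))
    for name in privileged_account_creation(win):
        ts = next(r["ts"] for r in win if r["event_id"] == "4732" and name in r["message"])
        events.append((ts, "win_sec", f"new account {name} added to Administrators"))
    return sorted(events)

if __name__ == "__main__":
    for ts, host, note in build_timeline(parse(MAILSERV_CSV), parse(WEBAPP_CSV), parse(WINSEC_CSV)):
        print(ts, host, note)
```

The point of `build_timeline` is the same as the host field values you set during import: once every source carries a host and a comparable timestamp, the brute force, the download and the privilege escalation line up as one story rather than three unrelated searches.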
So in this lab we've looked at the logs provided and begun to formulate what happened. Based on the searches we performed, we noticed that there were numerous attempts to gain SSH access to the mail server. We then noticed that a user clicked on a link that downloaded an application onto their computer. This happened on the same system that was reported to have suffered from erratic system behavior. Once the application was downloaded, it attempted to create a user called gamer and add it to the Administrators group. After the user was added to the Administrators group, the attacker would have full access to the machine.

However, thanks to your sharp eye in catching the activity, the application will be removed from the system and mitigations put into place in order to stop future breaches via the same program. Thanks for joining me for the lab today, and let's continue on with Introduction to SIEM Tools.