Skills Assessment

Hunting For Stuxbot (Round 2)

Hunt 1: Create a KQL query to hunt for "Lateral Tool Transfer" to C:\Users\Public. Enter the content of the user.name field in the document that is related to a transferred tool that starts with "r" as your answer.

Steps:

According to MITRE ATT&CK, Lateral Tool Transfer (T1570, https://attack.mitre.org/techniques/T1570/), under Detection:

Monitor newly constructed files to/from a lateral tool transfer.

File: File Creation. Initial construction of a new file (ex: Sysmon EID 11).

Go to Elastic and add the KQL query (the backslashes are doubled because \ is the KQL escape character):

event.code:"11" and file.directory:"C:\\Users\\Public"

Add user.name and file.name as fields in the search results, then look for the transferred tool whose file name starts with "r".

Answer:

file.name = Rubeus.exe

user.name = svc-sql1

Hunt 2: Create a KQL query to hunt for "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder". Enter the content of the registry.value field in the document that is related to the first registry-based persistence action as your answer.

Steps:

Navigate to https://attack.mitre.org/techniques/T1547/001/ : Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The following run keys are created by default on Windows systems (among others):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Under Detection, check for:

Windows Registry: Windows Registry Key Modification. Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)

Sysmon EID 13 is the "value set" event, which is the one that populates registry.value. Go to Elastic and add one of the following KQL queries:

event.code:"13" and registry.path:*Run*

event.code:"13" and "Run"

Both are loose matches: *Run* also hits unrelated keys such as ...\Explorer\RunMRU, so check the registry.path of each result and take the earliest one that sits under a CurrentVersion\Run key.

Add registry.value (and registry.path and process.executable, for context) as fields in the search results.

Answer:

registry.value = LgvHsviAUVTsIN

registry.path = HKU\S-1-5-21-1518138621-4282902758-752445584-1107\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LgvHsviAUVTsIN

process.executable = C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe

Hunt 3: Create a KQL query to hunt for "PowerShell Remoting for Lateral Movement". Enter the content of the winlog.user.name field in the document that is related to PowerShell remoting-based lateral movement towards DC1.

Steps:

PowerShell Script Block Logging records the raw, deobfuscated script supplied through the command line or wrapped in a function, script, workflow or similar. Every time an adversary executes an encoded PowerShell script or command, script block logging provides that data in its raw form, as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log.

Add the KQL query:

event.code:"4104" and powershell.file.script_block_text:"DC1"

The search returns one hit. To confirm the hit is remoting rather than some other reference to DC1, check that the script block contains a remoting cmdlet such as Enter-PSSession, New-PSSession or Invoke-Command targeting DC1 (for example via -ComputerName DC1).

Answer:

winlog.user.name = svc-sql1
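The three hunts above, written as Python filters over ECS-shaped documents so the matching logic can be exercised offline. This is an added example, not code from the original write-up or from the lab; the DOCS list is constructed sample data that imitates what winlogbeat/Sysmon would index. The "answer" values (Rubeus.exe, svc-sql1, LgvHsviAUVTsIN and its registry path, powershell.exe) are the ones reported on this page; the decoy records, the script block text, the timestamps and the other user names are assumptions. Hunt 2 tightens the page's registry.path:*Run* filter to the full Run/RunOnce key path, and Hunt 3 additionally requires a remoting cmdlet, which the page's query does not.

```python
# Added example (not from the original write-up): the page's three hunts as
# Python filters over constructed ECS-style documents.
import re
from typing import Any

# Constructed sample index. Field names follow the ECS/winlogbeat fields used on
# the page; decoys, timestamps, script text and extra user names are assumptions.
DOCS = [
    # Hunt 1: Sysmon EID 11 (FileCreate). Only the Rubeus drop lands directly in C:\Users\Public.
    {"@timestamp": "2023-03-06T10:01:00Z", "event": {"code": "11"},
     "file": {"directory": r"C:\Users\Public", "name": "Rubeus.exe"}, "user": {"name": "svc-sql1"}},
    {"@timestamp": "2023-03-06T10:02:00Z", "event": {"code": "11"},   # decoy: subfolder, not the staging dir
     "file": {"directory": r"C:\Users\Public\Downloads", "name": "readme.txt"}, "user": {"name": "bob"}},
    {"@timestamp": "2023-03-06T10:03:00Z", "event": {"code": "1"},    # decoy: process creation, not EID 11
     "file": {"directory": r"C:\Users\Public", "name": "r.exe"}, "user": {"name": "alice"}},
    # Hunt 2: Sysmon EID 13 (RegistryEvent, value set).
    {"@timestamp": "2023-03-06T10:05:00Z", "event": {"code": "13"},
     "registry": {"path": r"HKU\S-1-5-21-1518138621-4282902758-752445584-1107\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LgvHsviAUVTsIN",
                  "value": "LgvHsviAUVTsIN"},
     "process": {"executable": r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"}},
    {"@timestamp": "2023-03-06T10:04:00Z", "event": {"code": "13"},   # decoy: *Run* matches RunMRU, not persistence
     "registry": {"path": r"HKU\S-1-5-21-1518138621-4282902758-752445584-1107\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
                  "value": "a"},
     "process": {"executable": r"C:\WINDOWS\explorer.exe"}},
    {"@timestamp": "2023-03-06T10:06:00Z", "event": {"code": "13"},   # later RunOnce entry (assumed)
     "registry": {"path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\updater", "value": "updater"},
     "process": {"executable": r"C:\WINDOWS\System32\cmd.exe"}},
    # Hunt 3: PowerShell 4104 script block logging. Script text is assumed.
    {"@timestamp": "2023-03-06T10:07:00Z", "event": {"code": "4104"},
     "powershell": {"file": {"script_block_text": "Enter-PSSession -ComputerName DC1"}},
     "winlog": {"user": {"name": "svc-sql1"}}},
    {"@timestamp": "2023-03-06T10:08:00Z", "event": {"code": "4104"},  # decoy: mentions DC1 without remoting
     "powershell": {"file": {"script_block_text": "Test-Connection DC1"}},
     "winlog": {"user": {"name": "bob"}}},
]


def get(doc: dict, dotted: str, default: Any = None) -> Any:
    """Resolve an ECS dotted field name such as 'file.directory' in a nested document."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def hunt_lateral_tool_transfer(docs, directory=r"C:\Users\Public"):
    """Hunt 1: event.code:"11" and file.directory:"C:\\Users\\Public".
    Returns (user.name, file.name) for files created directly in the staging directory."""
    want = directory.lower().rstrip("\\")
    return [(get(d, "user.name"), get(d, "file.name")) for d in docs
            if get(d, "event.code") == "11"
            and get(d, "file.directory", "").lower().rstrip("\\") == want]


# Anchor on the full key path: registry.path:*Run* alone also matches Explorer\RunMRU.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)


def hunt_run_key_persistence(docs):
    """Hunt 2: Sysmon EID 13 value-set events under a Run/RunOnce key, earliest first.
    Returns (registry.value, registry.path, process.executable) per hit."""
    hits = sorted((d for d in docs if get(d, "event.code") == "13"
                   and RUN_KEY.search(get(d, "registry.path", ""))),
                  key=lambda d: d["@timestamp"])
    return [(get(d, "registry.value"), get(d, "registry.path"), get(d, "process.executable"))
            for d in hits]


REMOTING_CMDLETS = ("Enter-PSSession", "New-PSSession", "Invoke-Command")


def hunt_ps_remoting(docs, target="DC1"):
    """Hunt 3: event.code:"4104" and powershell.file.script_block_text:"DC1",
    additionally requiring a remoting cmdlet in the script block. Returns winlog.user.name per hit."""
    users = []
    for d in docs:
        text = get(d, "powershell.file.script_block_text", "").lower()
        if (get(d, "event.code") == "4104" and target.lower() in text
                and any(c.lower() in text for c in REMOTING_CMDLETS)):
            users.append(get(d, "winlog.user.name"))
    return users


if __name__ == "__main__":
    print("Hunt 1:", hunt_lateral_tool_transfer(DOCS))
    print("Hunt 2 (first persistence action):", hunt_run_key_persistence(DOCS)[0])
    print("Hunt 3:", hunt_ps_remoting(DOCS))
```

The decoys show why the loose KQL on the page needs a manual check: the RunMRU record would be returned by registry.path:*Run* but is dropped by the key-path regex, and the Test-Connection script block mentions DC1 without being lateral movement.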
