Immersive Labs | Cyber Million : Introducing the Cyber Kill Chain | Cyber Kill Chain: Actions on Objectives | Write-Up
For any suggestions, leave a comment.
Briefing
Scenario
Actions on Objectives is a phase in the Cyber Kill Chain framework that refers to the final stage of a cyberattack, where the attacker achieves their intended goal or objective, such as data exfiltration, system compromise, or disruption of services. It involves the attacker taking actions to exploit the compromised environment and accomplish their mission, which may include stealing sensitive information, causing damage, or establishing persistent access for future attacks.
All attacks happen for a reason. Sometimes for theft of property, sometimes for planting evidence, and sometimes even for fun. However, there’s always an objective, which makes every attack slightly different.
As defenders, you’ll only know what the attackers are after if they achieve their objectives. If you stop them earlier, the objectives may never be known.
In this lab
In this lab, you’ll investigate a cybersecurity incident against your organization. You have several logs recorded in a central Splunk instance and must use these to identify malicious activity from each stage of the Cyber Kill Chain.
Having identified which ransomware was in operation based on the C2 investigation, you can now investigate the specific actions that were taken.
There are a few inbuilt Windows tools that attackers (and, in turn, their malware) will use. Using Splunk, search for cases where these Windows tools have been leveraged to perform malicious actions.
However, it’s worth remembering that not all command-line actions will be malicious. Normal processes and administrator scripts can also generate these same log entries as they use the same tools. Understanding the time and correlating this against other logs is an important part of the threat-hunting process.
Lab Solution
Tasks:
I. To open Splunk, double-click the icon located on the Desktop.
II. Adjust the time range from “24 hours” to “All time”.
III. To filter for the relevant logs, use this Splunk search query:
index=botsv1 earliest=0 Process_Command_Line="*" (vssadmin OR cmd.exe)
IV. Create additional queries to answer the questions.
V. What command line tool was used to delete Volume Shadow Copies?
Answer: vssadmin.exe
Solution:
1. We will modify the query to include the word delete. Query:
index=botsv1 earliest=0 Process_Command_Line="*" (vssadmin OR cmd.exe) delete
2. This will filter for the events in which the delete keyword is used. If nothing is found, we could use shadow as the keyword instead, or search through the events manually.
3. Only one event matches.
4. We will inspect to find the name of the tool.
VI. What temporary file is executed by the command prompt using the “/C” option?
Answer: 121214.tmp
Solution:
1. We will modify the query so that it only returns events containing both /C and .tmp, leaving fewer events to look through. Query:
index=botsv1 earliest=0 Process_Command_Line="*" (vssadmin OR cmd.exe) /C .tmp
2. The events are now filtered.
3. The first event shows 121214.tmp being run with the /C option; that is our answer.
VII. Which host in the network was this temporary file executed on?
Answer: we8105desk.waynecorpinc.local
Solution:
1. In the same event as the previous answer, we will find the host name.
2. Expand the event by clicking show all lines.
3. It will expand the event details.
4. Search for Computer Name/host name to get the answer.
VIII. At what time was the “whoami” command executed? (Provide your answer in the format HH:MM:SS)
Answer: 9:58:30
Solution:
1. Edit the query to search for the whoami command. This can be done with the following query:
index=botsv1 earliest=0 Process_Command_Line="whoami"
2. We get only one event; note its time and answer the question.
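The three searches above each look for one behaviour in isolation (shadow copy deletion, cmd.exe /C running a .tmp file, and whoami recon). The following is an added example, not part of the lab or the author's write-up, showing how a hunter might encode those same three checks as rules, run them over process creation events, and then correlate hits per host within a time window, which is the step the briefing stresses: a lone vssadmin or cmd.exe entry may be an administrator script, but several of these behaviours on one host within minutes is a much stronger signal. The event records, host names and command lines are constructed for the example and mirror the field names the lab's Splunk search uses (Process_Command_Line, ComputerName, _time); none of them are taken from the lab data.

```python
import re
from datetime import datetime

# Constructed sample events (not lab data). Field names follow the lab's Splunk search.
SAMPLE_EVENTS = [
    {"_time": "2016-08-24 09:55:12", "ComputerName": "host-a.example.local",
     "Process_Command_Line": "vssadmin list shadows"},            # benign admin check
    {"_time": "2016-08-24 09:58:30", "ComputerName": "host-a.example.local",
     "Process_Command_Line": "whoami"},                            # account recon
    {"_time": "2016-08-24 09:58:41", "ComputerName": "host-a.example.local",
     "Process_Command_Line": "cmd.exe /C C:\\Windows\\Temp\\abc123.tmp"},  # cmd runs a .tmp
    {"_time": "2016-08-24 09:59:02", "ComputerName": "host-a.example.local",
     "Process_Command_Line": "vssadmin delete shadows /all /quiet"},       # shadow copy deletion
    {"_time": "2016-08-24 10:30:00", "ComputerName": "host-b.example.local",
     "Process_Command_Line": "cmd.exe /C backup_script.bat"},     # benign scheduled script
]

# Each rule mirrors one of the lab's searches. Names are chosen for this example.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("cmd_executes_tmp_file",
     re.compile(r"\bcmd(\.exe)?\b.*\s/C\s.*\.tmp\b", re.I)),
    ("whoami_recon",
     re.compile(r"(^|\\|\s)whoami(\.exe)?\b", re.I)),
]


def parse_time(value):
    """Parse the event's _time string into a datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def classify(command_line):
    """Return the names of every rule that matches a single command line."""
    return [name for name, pattern in RULES if pattern.search(command_line)]


def hunt(events):
    """Apply the rules to every event and return the hits sorted by time."""
    hits = []
    for event in events:
        for rule in classify(event["Process_Command_Line"]):
            hits.append({
                "time": parse_time(event["_time"]),
                "host": event["ComputerName"],
                "rule": rule,
                "cmd": event["Process_Command_Line"],
            })
    hits.sort(key=lambda hit: hit["time"])
    return hits


def correlate(hits, window_seconds=300):
    """Return {host: [rules]} for hosts where two or more distinct rules
    fired within window_seconds of each other. A single hit on its own is
    left out, because one vssadmin or cmd.exe entry is often legitimate."""
    by_host = {}
    for hit in hits:
        by_host.setdefault(hit["host"], []).append(hit)

    flagged = {}
    for host, host_hits in by_host.items():
        for index, first in enumerate(host_hits):
            rules = {first["rule"]}
            for later in host_hits[index + 1:]:
                if (later["time"] - first["time"]).total_seconds() <= window_seconds:
                    rules.add(later["rule"])
            if len(rules) >= 2:
                flagged.setdefault(host, set()).update(rules)
    return {host: sorted(rules) for host, rules in flagged.items()}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for hit in found:
        print(hit["time"].strftime("%H:%M:%S"), hit["host"], hit["rule"], "|", hit["cmd"])
    print("Hosts with a correlated chain:", correlate(found))
```

Running the script lists the three hits on host-a in time order and reports that host as the only one with a correlated chain; the benign `vssadmin list shadows` and the `.bat` launched through cmd.exe on host-b produce no hit, which is the distinction the briefing asks you to make before treating a command-line event as malicious.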
Thank you for taking the time to read my walk through.