Tryhackme

Advent of Cyber 2024 — Day 17: Log Analysis

An attack on Wareville’s CCTV has plunged Marta May Ware into chaos. Suspicions arose when WareSec&Aware accused Byte, Glitch’s loyal dog, of deleting critical camera recordings. Determined to clear Byte’s name, McSkidy and Glitch turned to their SOC team for help, leveraging the power of Splunk to investigate the logs.

Odiomonafe Jamal . A

Learning Objectives

  • Understand how to parse and analyze custom logs in Splunk.
  • Use Search Processing Language (SPL) to extract and investigate key fields.
  • Correlate log data to identify malicious activity and attackers.

Investigation Process

Initial Log Analysis

  1. Examination of CCTV Logs: The logs had been ingested into Splunk but were poorly parsed because of their custom format.
     • Splunk’s ingestion timestamp didn’t reflect the actual timeline of events.
  2. Field Extraction: Used Splunk’s Extract New Fields tool to create custom regex patterns.
     • Adjusted the timestamp fields to reflect the real event times.
     • Fixed parsing issues for logs with varying formats, improving overall consistency.

Analyzing the Parsed Logs

  1. Key Observations: Multiple failed login attempts hinted at brute-force activity.
     • A successful login was followed by suspicious actions (camera footage watched, downloaded, and deleted).
     • A consistent session ID was observed across the suspicious events.
  2. Rare Event Examination: Narrowed the focus to low-frequency events such as “Delete Recording” and “Failed Login.”

Web Log Correlation

  1. Correlating CCTV Logs with Web Logs: Identified a suspicious IP address (10.11.105.33) linked to the attacker’s session ID.
     • Found two additional session IDs tied to the same IP.
  2. Connecting the Dots: Investigated the web logs to trace the activities tied to these session IDs and mapped a timeline of the attacker’s activity:
     • Brute-force attempts.
     • Successful login.
     • Watching and downloading camera streams.
     • Deletion of CCTV footage.
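The steps above (regex field extraction with real event times, counting rare event types, and pivoting from a session ID to a client IP in the web logs) can be reproduced outside Splunk on a small sample. The following script is an added example written for this post, not code from the TryHackMe room or from the author; the CCTV and web log formats, the session IDs, the IP addresses and the `cam-07` camera name are all constructed for illustration, and the regexes play the role of a Splunk `rex` extraction while the counters stand in for `stats count by` and `rare`.

```python
"""Constructed log-analysis example: parse a custom CCTV log, recover event times,
surface rare event types and correlate session IDs with client IPs from a web log."""
import re
from collections import Counter
from datetime import datetime

# Constructed CCTV log lines in a hypothetical custom format. Each line carries
# its own event time, which is what we want instead of Splunk's ingestion time.
CCTV_LOG = """\
2024-11-09 08:01:10 event=Login Failed user=mmalware session=5d3sg9hk2llp
2024-11-09 08:01:14 event=Login Failed user=mmalware session=5d3sg9hk2llp
2024-11-09 08:01:19 event=Login Successful user=mmalware session=5d3sg9hk2llp
2024-11-09 08:03:02 event=WatchStream user=mmalware session=5d3sg9hk2llp camera=cam-07
2024-11-09 08:05:40 event=DownloadStream user=mmalware session=5d3sg9hk2llp camera=cam-07
2024-11-09 08:06:55 event=Delete Recording user=mmalware session=5d3sg9hk2llp camera=cam-07
2024-11-09 08:10:00 event=Login Successful user=byte session=9q1tbaa7gpzi
2024-11-09 08:11:30 event=WatchStream user=byte session=9q1tbaa7gpzi camera=cam-02
"""

# Constructed web log lines: the web tier records the client IP next to the session cookie.
WEB_LOG = """\
10.0.8.14 - - [09/Nov/2024:08:00:30 +0000] "POST /login HTTP/1.1" 401 sid=a0bn44tdlo2e
10.0.8.14 - - [09/Nov/2024:08:00:45 +0000] "POST /login HTTP/1.1" 401 sid=tl7hxx0q9z2m
10.0.8.14 - - [09/Nov/2024:08:01:08 +0000] "POST /login HTTP/1.1" 200 sid=5d3sg9hk2llp
10.0.9.77 - - [09/Nov/2024:08:09:58 +0000] "POST /login HTTP/1.1" 200 sid=9q1tbaa7gpzi
"""

# Hypothetical extraction patterns, the equivalent of a Splunk `rex` at search time.
CCTV_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"event=(?P<event>[A-Za-z ]+?) user=(?P<user>\S+) session=(?P<session>\S+)"
    r"(?: camera=(?P<camera>\S+))?$"
)
WEB_RE = re.compile(
    r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] \"[^\"]*\" (?P<status>\d{3}) sid=(?P<session>\S+)$"
)


def parse_cctv(text):
    """Extract fields from each CCTV line and keep the event time from the log itself."""
    events = []
    for line in text.splitlines():
        m = CCTV_RE.match(line)
        if not m:
            continue  # in practice count unparsed lines so format drift is noticed
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def parse_web(text):
    """Extract client IP, status and session cookie from each web log line."""
    rows = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rows.append(rec)
    return rows


def event_counts(events):
    """Same idea as `| stats count by event`; its least common entries are `| rare event`."""
    return Counter(e["event"] for e in events)


def sessions_with_deletion(events):
    """Sessions that performed the rare, high-impact 'Delete Recording' action."""
    return sorted({e["session"] for e in events if e["event"] == "Delete Recording"})


def ips_for_session(web_rows, session):
    """Pivot from a CCTV session ID to the client IP(s) seen with it in the web log."""
    return {r["ip"] for r in web_rows if r["session"] == session}


def sessions_for_ip(web_rows, ip):
    """Reverse pivot: every session cookie the web log associates with one client IP."""
    return sorted({r["session"] for r in web_rows if r["ip"] == ip})


def timeline(events, session):
    """Ordered (time, event) pairs for one session, using real event times."""
    ordered = sorted(events, key=lambda e: e["time"])
    return [(e["time"].strftime("%H:%M:%S"), e["event"]) for e in ordered if e["session"] == session]


if __name__ == "__main__":
    cctv, web = parse_cctv(CCTV_LOG), parse_web(WEB_LOG)
    print("event counts:", event_counts(cctv).most_common())
    for sid in sessions_with_deletion(cctv):
        ips = ips_for_session(web, sid)
        print(f"deleting session {sid} came from {ips}")
        for ip in ips:
            print(f"  other sessions from {ip}: {sessions_for_ip(web, ip)}")
        for when, what in timeline(cctv, sid):
            print(f"  {when} {what}")
```

Running the script prints the per-event counts, flags the one session that deleted a recording, pivots to the IP that issued it, lists the two other session cookies from the same address (the earlier failed logins) and prints that session's ordered timeline from first failed login to deletion, which is the same chain of reasoning the room walks through in Splunk.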

Tasks

  1. Number of Events for Successful Logins: 642
  2. Session ID of the Attacker: rij5uu4gt204q0d3eb7jj86okt
  3. Identity of the Attacker: mmalware

By leveraging Splunk, the SOC team uncovered the true culprit behind the CCTV attack, clearing Byte’s name. This exercise underscored the importance of proper log management and the power of SIEM tools in modern incident response.
