Tryhackme
Advent of Cyber 2024 — Day 7: Sandboxes
Today’s task involved investigating suspicious activities in AWS logs, including the creation of an anomalous IAM user with administrative privileges, which was linked to unauthorized actions, such as modifying files in an S3 bucket and redirecting funds, ultimately tracing the malicious activity to a specific IP address and user account.
Key Concepts
- CloudTrail Logs: CloudTrail provides an audit trail of all API calls made in AWS, including who made the request, from which IP, and what actions were taken.
- IAM User Creation & Policy Attachments: Users with specific permissions can create new accounts, assign policies, and escalate privileges.
- CloudWatch Logs: CloudWatch captures RDS logs, which help track database transactions and changes.
- Source IP and User-Agent: IP address and User-Agent can offer insights into where a request originated and what system was used.
Task Breakdown
- Detecting Suspicious Logins: The first step was identifying a ConsoleLogin event for mcskidy, which came from a suspicious IP 53.94.201.69. The User-Agent string revealed that the login was made from a Mac OS system using Google Chrome. This was inconsistent with mcskidy’s usual login behavior.
- Investigating IAM Events: Filtering CloudTrail logs for IAM-related events revealed that the user mcskidy invoked the CreateUser and AttachUserPolicy actions, creating the glitch account and assigning AdministratorAccess permissions.
- Examining the Anomalous User Actions: The glitch user performed a PutObject action on the S3 bucket (replacing the wareville-bank-account-qr.png file) from the same IP address, 53.94.201.69, suggesting that the user was malicious.
- Correlating Data Across Logs: Further investigation using CloudWatch RDS logs revealed that Mayor Malware started receiving donations after the suspicious activity, confirming the exploitation timeline.
- Identifying the Culprit: The IP 53.94.201.69 and the associated User-Agent matched the activity for mcskidy, glitch, and mayor_malware. After comparing the usual login patterns and anomalies, glitch seemed to be the primary actor behind the malicious actions.
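The three checks above (an unusual login IP for mcskidy, the CreateUser/AttachUserPolicy chain that gave glitch AdministratorAccess, and the pivot on 53.94.201.69 across identities) can be run as one small script. The following is an added example, not code from the room or from this write-up: the records are constructed to mirror the CloudTrail record fields (eventTime, eventSource, eventName, userIdentity, sourceIPAddress, userAgent, requestParameters); the usernames, IPs, policy name and object key are the ones stated above, while the bucket name, the benign timestamps and the user-agent strings are placeholders.

```python
"""Triage of CloudTrail-style records for the Day 7 scenario.

Added example, not the room's or the write-up's own code. Records are
constructed to mirror the documented CloudTrail field names; usernames, IPs,
the policy and the object key come from the write-up, everything else
(bucket name, benign timestamps, user-agent strings) is a placeholder.
"""
from collections import Counter, defaultdict

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
SIGNIN, IAM, S3 = "signin.amazonaws.com", "iam.amazonaws.com", "s3.amazonaws.com"
USUAL_UA = "Mozilla/5.0 (Windows NT 10.0) Firefox/132.0"                        # constructed
MAC_CHROME_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0"  # constructed
CLI_UA = "aws-cli/2.15.0"                                                        # constructed


def rec(time, source, name, user, ip, ua=CLI_UA, **params):
    """Build one record in the shape of a CloudTrail entry (constructed sample)."""
    return {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "sourceIPAddress": ip,
        "userAgent": ua,
        "requestParameters": params or None,
    }


# Constructed sample log: mcskidy's routine logins from 31.210.15.79, then the
# chain from 53.94.201.69 (login, CreateUser, AttachUserPolicy, PutObject).
# "bucket-placeholder" stands in for the real bucket name, which the write-up omits.
SAMPLE_RECORDS = [
    rec("2024-11-20T09:02:11Z", SIGNIN, "ConsoleLogin", "mcskidy", "31.210.15.79", USUAL_UA),
    rec("2024-11-22T08:47:03Z", SIGNIN, "ConsoleLogin", "mcskidy", "31.210.15.79", USUAL_UA),
    rec("2024-11-26T10:15:40Z", SIGNIN, "ConsoleLogin", "mcskidy", "31.210.15.79", USUAL_UA),
    rec("2024-11-26T10:16:02Z", S3, "GetObject", "mcskidy", "31.210.15.79",
        bucketName="bucket-placeholder", key="wareville-bank-account-qr.png"),
    rec("2024-11-28T15:21:54Z", SIGNIN, "ConsoleLogin", "mcskidy", "53.94.201.69", MAC_CHROME_UA),
    rec("2024-11-28T15:23:10Z", IAM, "CreateUser", "mcskidy", "53.94.201.69",
        MAC_CHROME_UA, userName="glitch"),
    rec("2024-11-28T15:23:31Z", IAM, "AttachUserPolicy", "mcskidy", "53.94.201.69",
        MAC_CHROME_UA, userName="glitch", policyArn=ADMIN_POLICY_ARN),
    rec("2024-11-28T15:40:07Z", S3, "PutObject", "glitch", "53.94.201.69",
        bucketName="bucket-placeholder", key="wareville-bank-account-qr.png"),
]


def actor(r):
    """IAM user name behind a record, or a marker when the identity has none."""
    return r.get("userIdentity", {}).get("userName", "<unknown>")


def params(r):
    """requestParameters as a dict (CloudTrail emits null when there are none)."""
    return r.get("requestParameters") or {}


def anomalous_logins(records):
    """ConsoleLogin events from an IP other than the user's most frequent one.

    The most frequent login IP within the data set is taken as that user's baseline.
    """
    logins = [r for r in records if r["eventName"] == "ConsoleLogin"]
    per_user = defaultdict(Counter)
    for r in logins:
        per_user[actor(r)][r["sourceIPAddress"]] += 1
    flagged = []
    for r in logins:
        usual_ip = per_user[actor(r)].most_common(1)[0][0]
        if r["sourceIPAddress"] != usual_ip:
            flagged.append({"user": actor(r), "ip": r["sourceIPAddress"],
                            "time": r["eventTime"], "userAgent": r["userAgent"]})
    return flagged


def privilege_escalations(records):
    """CreateUser followed by AttachUserPolicy granting AdministratorAccess to that user."""
    created = {params(r)["userName"]: r for r in records if r["eventName"] == "CreateUser"}
    hits = []
    for r in records:
        p = params(r)
        if (r["eventName"] == "AttachUserPolicy" and p.get("policyArn") == ADMIN_POLICY_ARN
                and p.get("userName") in created
                and created[p["userName"]]["eventTime"] <= r["eventTime"]):
            c = created[p["userName"]]
            hits.append({"creator": actor(c), "new_user": p["userName"],
                         "created_at": c["eventTime"], "attached_at": r["eventTime"],
                         "ip": r["sourceIPAddress"]})
    return hits


def events_from_ip(records, ip):
    """Every action taken from one source IP, in time order, across all identities."""
    hits = sorted((r for r in records if r["sourceIPAddress"] == ip), key=lambda r: r["eventTime"])
    return [(r["eventTime"], actor(r), r["eventName"]) for r in hits]


if __name__ == "__main__":
    for login in anomalous_logins(SAMPLE_RECORDS):
        print("unusual login:", login)
    for esc in privilege_escalations(SAMPLE_RECORDS):
        print("admin grant chain:", esc)
        for ev in events_from_ip(SAMPLE_RECORDS, esc["ip"]):
            print("  ", *ev)
```

The baseline in `anomalous_logins` is deliberately simple (most frequent IP wins), which is enough to surface a one-off login like the 2024-11-28 event but would miss a user who has no stable IP; in practice the baseline comes from a longer history than the window under investigation. On a real CloudTrail export, `SAMPLE_RECORDS` would be replaced by `json.load(f)["Records"]` for each gzipped log file.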
Tasks
1. Other Activity by Glitch: PutObject
2. Source IP for Glitch’s S3 Activities: 53.94.201.69
3. AWS Service for ConsoleLogin Event: signin.amazonaws.com
4. Time of ConsoleLogin Event: 2024-11-28T15:21:54Z
5. Created User by McSkidy: glitch
6. Access Assigned to Glitch: AdministratorAccess
7. Mayor Malware’s Typical Login IP: 53.94.201.69
8. McSkidy’s Actual IP Address: 31.210.15.79
9. Bank Account Number Owned by Mayor Malware: 2394 6912 7723 1294
This exercise demonstrated how defenders can leverage AWS logs, particularly CloudTrail and CloudWatch, to detect and investigate anomalous user behavior. The takeaway is the importance of log correlation and thorough investigation to trace unauthorized actions across different services. Anomalous user behavior can often point to malicious actors, and understanding the context of each log entry is crucial for identifying threats and securing the environment.