Cybersecurity Operations

Introduction

Working as the security analyst for ACME Inc., you notice several events on the SGUIL dashboard. Your task is to analyze these events, learn more about them, and decide if they indicate malicious activity.
Search engines may be used to learn more about the events. Security Onion can be given Internet access (NAT on Adapter 1 is recommended) in the Cybersecurity Operations virtual environment.
The tasks below are designed to provide some guidance through the analysis process.
You will practice and be assessed on the following skills:
o Evaluating Snort/SGUIL events.
o Using SGUIL as a pivot to launch Kibana, Bro and Wireshark for further event inspection.
o Using Google search as a tool to obtain intelligence on a potential exploit.
The SecurityOnion16.1 OVA has a pre-recorded attack stored in it. Install this OVA as a VM in VirtualBox, then answer the questions and provide the information required in this document.
You will likely need to use the internet to gather some information. To reconfigure the network interface run sosetup-network and reboot. The management interface is enp0s3 and the monitor interface is enp0s8. Use DHCP to get an address from the NAT Server on VirtualBox. Ignore the message on the SO Screen to run setup again.
Part 1: Gathering Basic Information
a. Log into the Security Onion VM with the username analyst and password cyberops.
b. Open a terminal window. Enter the sudo so-status command to verify that all the services and sensors are ready.
c. When all services are ready, log into SGUIL with the username analyst and password cyberops. Click Select All to monitor all the networks. Click Start SGUIL to continue.
d. Highlight any alerts dated 2021 and press F5 to dismiss them, then review the remaining alerts.
e. In the SGUIL window, identify the group of events that are associated with exploit(s). This group of events is related to a single exploit.
How many events were generated by the entire exploit?



f. According to SGUIL, when did the exploit begin? When did it end? Approximately how long did it take?




g. What is the IP address of the internal computer or computers involved in the events?


h. What is the MAC address of the internal computer involved in the events? How did you find it?


i. What are some of the Source IDs of the rules that fire when the exploit occurs? Where are the Source IDs from?


j. Do the events look suspicious to you? Does it seem like the internal computer was infected or compromised? Explain.





k. What is the operating system running on the internal computer or computers?


Part 2: Learn About the Malware
a. According to Snort, why were these alerts generated (in your own words)?


b. What type of malware was delivered? Does Snort recognize the malware?


c. Upload the malware to virustotal.com. Do a quick Google search on the type of malware that was delivered. Summarize your findings and record them here.






Part 3: Determining the Source of the Malware
a. In the context of the events displayed by SGUIL for this exploit, record below the IP addresses involved.




b. According to SGUIL, what is the IP address of the host that appears to have delivered the malware?


c. Pivoting from SGUIL, open the transcript of the transaction. What is the domain name associated with the IP address of the host that appears to have delivered the exploit?


d. What type of malware was delivered?


e. The first SGUIL event is a DNS update. Why is this event flagged as an alert?


f. The DNS update was attempted on what IP address?


g. What was the result of the DNS update attempt?




h. What is your conclusion about the DNS update alert?





Part 4: Analyze Details of the Malware
a. What was the domain that delivered the malware?

b. Run CyberChef (it’s on the desktop) to analyse the malware by dragging the file into the Input pane. Are there any long strings of interest? What are they?


c. What is the SHA256 of the malware?


d. What type of infection is this attack? What other indicators of compromise are created by this malware?
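Added example (not part of the lab or of Security Onion): a small Python script that does by hand what Parts 4b and 4c ask for, computing the SHA256 of a file and pulling out long printable strings the way CyberChef's Strings operation does, including UTF-16LE strings that an ASCII-only search misses. The SAMPLE blob is constructed for the example and stands in for the malware file, which is not on this page.

```python
import hashlib
import re

# Constructed stand-in for the malware file (not a real sample): binary noise,
# an ASCII URL, a UTF-16LE command line and a string too short to be interesting.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"http://example.invalid/update.php"
    + b"\x00\xff\xfe"
    + "powershell -enc".encode("utf-16-le")
    + b"\x00short\x00"
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of the file contents, the value asked for in Part 4c."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Printable ASCII and UTF-16LE runs of at least min_len characters, in file order.

    Mirrors CyberChef's Strings operation: the ASCII pattern finds URLs, paths and
    host names; the UTF-16LE pattern finds the wide strings common in Windows
    binaries (each character followed by a null byte), which ASCII tools skip.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return [s for _, s in sorted(found)]


def triage(path: str) -> dict:
    """Hash a file on disk and list its long strings; path is whatever you saved the malware as."""
    with open(path, "rb") as f:
        data = f.read()
    return {"sha256": sha256_hex(data), "strings": extract_strings(data)}


if __name__ == "__main__":
    print("sha256:", sha256_hex(SAMPLE))
    for s in extract_strings(SAMPLE):
        print("string:", s)
```

Run `triage("/path/to/saved/sample")` on the file pulled from the SGUIL transcript to compare the hash with what VirusTotal reports.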



