TryHackMe | ItsyBitsy Walkthrough
Hi there, I’m glad to see you here. In this article, we’ll solve the “ItsyBitsy” room on TryHackMe together. In some sections, I’ll share a brief overview of the subject. Don’t forget: you must always research further to learn more. I hope it will be helpful for you. Let’s start!
Contents:
-ELK Stack
-IDS
-Command & Control Server
-Event Analysis
Introduction
In this challenge room, we will take a simple challenge to investigate an alert by IDS regarding a potential C2 communication.
Room Machine
Before moving forward, deploy the machine. When you deploy the machine, it will be assigned an IP “Machine IP: MACHINE_IP”. The machine will take up to 3–5 minutes to start. Use the following credentials to log in and access the logs in the Discover tab.
→ Username: Admin
→ Password: elastic123
Scenario — Investigate a potential C2 communication alert
During normal SOC monitoring, Analyst John observed an alert on an IDS solution indicating a potential C2 communication from a user Browne from the HR department. A suspicious file was accessed containing a malicious pattern THM:{ ________ }. A week of HTTP connection logs has been pulled to investigate. Due to limited resources, only the connection logs could be pulled out, and they are ingested into the connection_logs index in Kibana.
Our task in this room will be to examine the network connection logs of this user, find the link and the content of the file, and answer the questions.
Definition
ELK is the acronym for three open source projects: Elasticsearch, Logstash, and Kibana. Elasticsearch is a search and analytics engine. Logstash is a server‑side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a stash like Elasticsearch. Kibana lets users visualize data with charts and graphs in Elasticsearch.
An Intrusion Detection System (IDS) is a monitoring system that detects suspicious activities and generates alerts when they are detected. Based upon these alerts, a security operations center (SOC) analyst or incident responder can investigate the issue and take the appropriate actions to remediate the threat.
A command and control [C&C] server is a computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.
Solution
Answer the questions below
Q1: How many events were returned for the month of March 2022?
A1: 1482
By adjusting the time filter to cover the month of March, we can see the number of events.
Q2: What is the IP associated with the suspected user in the logs?
A2: 192.166.65.54
We can view the source IP addresses of the relevant events in the Fields Pane.
There is traffic from the source IP address “192.166.65.54” to the destination IP address “104.23.99.190”. When we look up the destination IP address, we can see that 104.23.99.190 is classified in the Command and Control IPs category by reputable threat intelligence sources.
Q3: The user’s machine used a legitimate Windows binary to download a file from the C2 server. What is the name of the binary?
A3: bitsadmin
Bitsadmin is a command-line tool used to create, download or upload jobs, and to monitor their progress.
Q4: The infected machine connected with a famous filesharing site in this period, which also acts as a C2 server used by the malware authors to communicate. What is the name of the filesharing site?
A4: pastebin.com
We can find the domain by carefully inspecting the fields of the relevant event.
Q5: What is the full URL of the C2 to which the infected host is connected?
A5: pastebin.com/yTg0Ah6a
When we examine other information detected about the relevant event, we can determine the full URL address.
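The steps for Q1 to Q5 are one chain: narrow the time window, find the user’s source IP, match destinations against threat intelligence, spot the download tool from its User-Agent, and rebuild the URL from the Host header and request URI. The script below replays that chain offline on constructed sample records. It is an added example and not part of the original walkthrough or the room; the field names (source_ip, dest_ip, user_agent, host, uri) are assumptions rather than the room’s real index mapping, the records are made up, and only the IPs and host named in the walkthrough are reused. One detail the script relies on: BITS transfers do not carry the file name bitsadmin.exe in HTTP logs, they identify themselves with a “Microsoft BITS/<version>” User-Agent, which is the field an analyst pivots on.

```python
"""Offline replay of the ItsyBitsy triage steps on constructed connection-log records."""
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample records, loosely modelled on documents in an Elastic
# connection_logs index. The field names are assumptions (the room's real
# mapping may differ); the IPs and host are the ones the walkthrough reports.
SAMPLE_LOGS: List[Dict[str, str]] = [
    {"@timestamp": "2022-02-27T09:12:44Z", "user": "Browne", "source_ip": "192.166.65.54",
     "dest_ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0)",
     "host": "intranet.example", "uri": "/"},
    {"@timestamp": "2022-03-01T08:03:10Z", "user": "Browne", "source_ip": "192.166.65.54",
     "dest_ip": "104.23.99.190", "user_agent": "Microsoft BITS/7.8",
     "host": "pastebin.com", "uri": "/yTg0Ah6a"},
    {"@timestamp": "2022-03-14T13:45:01Z", "user": "Smith", "source_ip": "192.166.65.77",
     "dest_ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0)",
     "host": "intranet.example", "uri": "/news"},
    {"@timestamp": "2022-03-31T23:59:59Z", "user": "Browne", "source_ip": "192.166.65.54",
     "dest_ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0)",
     "host": "intranet.example", "uri": "/payroll"},
    {"@timestamp": "2022-04-01T00:00:01Z", "user": "Browne", "source_ip": "192.166.65.54",
     "dest_ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0)",
     "host": "intranet.example", "uri": "/"},
]

# Constructed indicator set standing in for the reputation lookup the
# walkthrough does by hand; it holds only the IP the page names as C2.
C2_INDICATORS: Set[str] = {"104.23.99.190"}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def events_in_month(logs: Iterable[Dict[str, str]], year: int, month: int) -> int:
    """Q1: count events inside one calendar month (the Kibana time-picker step)."""
    count = 0
    for r in logs:
        ts = parse_ts(r["@timestamp"])
        if ts.year == year and ts.month == month:
            count += 1
    return count


def source_ips_for_user(logs: Iterable[Dict[str, str]], user: str) -> Counter:
    """Q2: source IPs seen for a user, the same view as the Fields pane 'top values'."""
    return Counter(r["source_ip"] for r in logs if r["user"].lower() == user.lower())


def bits_transfers(logs: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Q3: BITS (bitsadmin / Start-BitsTransfer) announces itself with a
    'Microsoft BITS/<version>' User-Agent; that is how the binary shows up in
    proxy or connection logs, not by its executable name."""
    return [r for r in logs if r["user_agent"].startswith("Microsoft BITS/")]


def c2_contacts(logs: Iterable[Dict[str, str]], indicators: Set[str]) -> List[Dict[str, str]]:
    """Records whose destination IP matches a threat-intel indicator."""
    return [r for r in logs if r["dest_ip"] in indicators]


def full_url(record: Dict[str, str]) -> str:
    """Q4/Q5: rebuild the requested URL from the Host header and request URI."""
    return record["host"] + record["uri"]


def triage(logs: List[Dict[str, str]], user: str, indicators: Set[str]) -> Dict[str, object]:
    """Run the whole chain once and return the facts an analyst would report."""
    ips = source_ips_for_user(logs, user)
    user_ip: Optional[str] = ips.most_common(1)[0][0] if ips else None
    suspicious = [r for r in c2_contacts(logs, indicators) if r["source_ip"] == user_ip]
    bits = bits_transfers(logs)
    return {
        "user_ip": user_ip,
        "c2_domains": sorted({r["host"] for r in suspicious}),
        "c2_urls": sorted({full_url(r) for r in suspicious}),
        "bits_used": any(r in bits for r in suspicious),
    }


if __name__ == "__main__":
    print("March 2022 events:", events_in_month(SAMPLE_LOGS, 2022, 3))
    print(triage(SAMPLE_LOGS, "browne", C2_INDICATORS))
```

The month filter is exact on calendar boundaries (the 23:59:59 record on 31 March counts, the 00:00:01 record on 1 April does not), which is the same edge the Kibana time picker has when the range end is typed by hand. Matching on the User-Agent prefix rather than on a process name is what makes the bitsadmin step work from connection logs alone, since the room explicitly has no endpoint telemetry.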
Q6: A file was accessed on the filesharing site. What is the name of the file accessed?
A6: secret.txt
Have I mentioned that the word “secret” has always piqued my interest?
Q7: The file contains a secret code with the format THM{_____}.
A7: ***{************}
And here is our secret code.
Congratulations, you have successfully completed the event analysis!
Thank you for your time. See you soon! Until then, happy hacking ❤
Resources:
https://www.elastic.co/what-is/elk-stack
https://www.checkpoint.com/cyber-hub/network-security/what-is-an-intrusion-detection-system-ids
https://www.trendmicro.com/vinfo/us/security/definition/command-and-control-server
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin