# Day 7

**Detecting Malicious Behavior in AWS!**

<figure><img src="/files/Z9MUSL8I6Tx2nqYdfKBG" alt=""><figcaption></figcaption></figure>

The goal is to analyze logs, identify anomalies, and uncover the root cause of suspicious activities in the Wareville AWS environment.

We will be focusing mostly on AWS CloudTrail. This is a service which allows you to monitor and log activity performed on your AWS infrastructure, including API calls, audit logs of changes or actions performed by users, etc.

Let's Begin:

* Start the machine and wait for the attack box to be deployed.

The logs are located in the `wareville_logs` directory, so change into it: `cd wareville_logs`

**Analyzing S3 Bucket Events:**

We first examine `cloudtrail_log.json` for activity related to the S3 bucket **wareville-care4wares**. Using `jq`, a command-line JSON processor, we list the events recorded for the user **glitch**, which is where that bucket activity appears.

{% code overflow="wrap" %}

```bash
jq -r '["Event_Time", "Event_Source", "Event_Name", "User_Name", "Source_IP"],(.Records[] | select(.userIdentity.userName == "glitch") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'
```

{% endcode %}

From the output, we can see that glitch performed another object-level action on the bucket besides ListObjects.

The same output also shows Glitch's source IP address (see the ConsoleLogin event).

The same output also gives the time at which the ConsoleLogin event occurred.

To find the event related to the CreateUser action execute the command below:

{% code overflow="wrap" %}

```bash
jq '.Records[] | select(.eventSource == "iam.amazonaws.com" and .eventName == "CreateUser")' cloudtrail_log.json
```

{% endcode %}

From the output:

* The **mcskidy** account created the **glitch** user and then granted it admin privileges via **AttachUserPolicy**.
* Both actions came from the same IP address seen earlier.

To find what type of access was assigned to the anomalous user, run the following command:

```bash
jq '.Records[] | select(.eventSource == "iam.amazonaws.com" and .eventName == "AttachUserPolicy")' cloudtrail_log.json
```

To find the IP address Mayor Malware typically uses to log into AWS, we can filter the records by that source IP and list every event it generated:

```bash
jq -r '["Event_Time", "Event_Source", "Event_Name", "User_Name", "Source_IP"], (.Records[] | select(.sourceIPAddress=="53.94.201.69") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'
```

We can see the answer here:

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*3U5ovE8_g9_kiKcOTFtaTw.png" alt="" height="144" width="700"><figcaption></figcaption></figure>

To find McSkidy's actual IP address, we list every event recorded under the mcskidy user name, this time including the user agent:

```bash
jq -r '["Event_Time","Event_Source","Event_Name", "User_Name","User_Agent","Source_IP"],(.Records[] | select(.userIdentity.userName=="mcskidy") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A",.userAgent // "N/A",.sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'
```

Towards the end of this output we can see a few events from the real McSkidy, which also reveal her true IP address.
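As an added example (not part of the original walkthrough), the same two checks done in Python over constructed CloudTrail records so they run offline: pairing a CreateUser event with a later AttachUserPolicy that grants AdministratorAccess to that new user, and tabulating which source IPs each user name was seen from. The records, user activity and IP addresses in `SAMPLE_LOG` are made up for the example.

```python
import json
from collections import defaultdict

# Constructed sample records (not the real cloudtrail_log.json); fields follow the CloudTrail schema.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-11-28T15:20:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": {"userName": "mcskidy"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "glitch"}},
    {"eventTime": "2024-11-28T15:20:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"userName": "mcskidy"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "glitch",
     "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-11-28T15:21:54Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "glitch"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-11-28T17:05:00Z", "eventSource": "s3.amazonaws.com",  # the legitimate owner, other IP
     "eventName": "ListObjects", "userIdentity": {"userName": "mcskidy"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"bucketName": "wareville-care4wares"}},
]})
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def load_records(text):
    return json.loads(text)["Records"]

def user_of(r): return (r.get("userIdentity") or {}).get("userName", "N/A")

def find_privileged_user_creation(records):
    """CreateUser followed by AttachUserPolicy granting AdministratorAccess
    to the same new user: one finding per such user, in time order."""
    created, findings = {}, []   # created: new user -> (creator, source IP, time)
    for r in sorted(records, key=lambda r: r["eventTime"]):
        if r.get("eventSource") != "iam.amazonaws.com":
            continue
        params = r.get("requestParameters") or {}
        target = params.get("userName")
        if r["eventName"] == "CreateUser" and target:
            created[target] = (user_of(r), r.get("sourceIPAddress"), r["eventTime"])
        elif (r["eventName"] == "AttachUserPolicy" and target in created
              and params.get("policyArn") == ADMIN_POLICY):
            creator, ip, when = created[target]
            findings.append({"new_user": target, "created_by": creator, "created_at": when,
                             "policy": params["policyArn"],
                             "same_ip_as_creation": ip == r.get("sourceIPAddress")})
    return findings

def ips_by_user(records):
    """Each user name -> set of source IPs seen for it; a user with two IPs deserves a closer look."""
    seen = defaultdict(set)
    for r in records:
        seen[user_of(r)].add(r.get("sourceIPAddress", "N/A"))
    return dict(seen)
```

Against the real log you would call `load_records(open("cloudtrail_log.json").read())` and pass the result to both functions.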

Now, let’s look at the bank transactions stored in the `~/wareville_logs/rds.log` file.

We analyze the RDS logs to check for suspicious transactions. Specifically, we look for SQL `INSERT` statements that could indicate fraudulent activity.

```bash
grep INSERT rds.log
```

And we can clearly see the bank account number in this output:

<figure><img src="/files/8L8bSOXW5ktVASW6Czkw" alt=""><figcaption></figcaption></figure>

### Questions:

1. What is the other activity made by the user glitch aside from the ListObject action?

A: **PutObject**

2. What is the source IP related to the S3 bucket activities of the user glitch?

A: **53.94.201.69**

3. Based on the eventSource field, what AWS service generates the ConsoleLogin event?

A: **signin.amazonaws.com**

4. When did the anomalous user trigger the ConsoleLogin event?

A: **2024-11-28T15:21:54Z**

5. What was the name of the user that was created by the mcskidy user?

A: **glitch**

6. What type of access was assigned to the anomalous user?

A: **AdministratorAccess**

7. Which IP does Mayor Malware typically use to log into AWS?

A: **53.94.201.69**

8. What is McSkidy's actual IP address?

A: **31.210.15.79**

9. What is the bank account number owned by Mayor Malware?

A: **2394 6912 7723 1294**

***Thank you!***

:christmas\_tree: ***Happy Hacking*** :christmas\_tree:


