Day 7

Oh, no. I'M SPEAKING IN CLOUDTRAIL!

Detecting Malicious Behavior in AWS!

The goal is to analyze logs, identify anomalies, and uncover the root cause of suspicious activities in the Wareville AWS environment.

We will be focusing mostly on AWS CloudTrail. This is a service which allows you to monitor and log activity performed on your AWS infrastructure, including API calls, audit logs of changes or actions performed by users, etc.

Let's Begin:

• Start the machine and wait for the attack box to be delpoyed

The logs are located at warewille_logs, so cd to that location: cd wareville_logs

Analyzing S3 Bucket Events:

We first examine cloudtrail_log.json for activities related to the S3 bucket wareville-care4wares. Using jq, a JSON processor, we extract events specific to this bucket.

jq -r '["Event_Time", "Event_Source", "Event_Name", "User_Name", "Source_IP"],(.Records[] | select(.userIdentity.userName == "glitch") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

From the output, we can see that the glitch has used another command concerning objects (other than ListObjects)

From this same command we can also see Glitch’s IP address. - ConsoleLogin event

From yet again the same command, you can see the time the event occurred- ConsoleLogin event

To find the event related to the CreateUser action execute the command below:

jq '.Records[] |select(.eventSource=="iam.amazonaws.com" and .eventName== "CreateUser")' cloudtrail_log.json

From the output:

• mcskidy account created the glitch user and assigned admin privileges via AttachUserPolicy.

• These actions occurred from the same IP address as before.

To find what type of access was assigned to the anomalous user, run the following command:

jq '.Records[] | select(.eventSource=="iam.amazonaws.com" and .eventName== "AttachUserPolicy")' cloudtrail_log.json

To find the IP Mayor Malware typically use to log into AWS,

We can use the following command:

jq -r '["Event_Time", "Event_Source", "Event_Name", "User_Name", "Source_IP"], (.Records[] | select(.sourceIPAddress=="53.94.201.69") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

We can see the answer here:

Finding McSkidy’s actual IP address,

For this, we can use the following command:

jq -r '["Event_Time","Event_Source","Event_Name", "User_Name","User_Agent","Source_IP"],(.Records[] | select(.userIdentity.userName=="mcskidy") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A",.userAgent // "N/A",.sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

We can see a few logs from the real McSkidy towards the end of this output, also revealing her true IP address.

Now, let’s look at the bank transactions stored in the ~/wareville_logs/rds.log file.

We analyze the RDS logs to check for suspicious transactions. Specifically, we look for SQL INSERT statements that could indicate fraudulent activity.

grep INSERT rds.log

And we can clearly see the bank account number in this output:

Questions:

1.What is the other activity made by the user glitch aside from the ListObject action?

A: PutObject

2.What is the source IP related to the S3 bucket activities of the user glitch?

A: 53.94.201.69

3.Based on the eventSource field, what AWS service generates the ConsoleLogin event?

A: signin.amazonaws.com

4.When did the anomalous user trigger the ConsoleLogin event?

A: 2024-11-28T15:21:54Z

5.What was the name of the user that was created by the mcskidy user?

A: glitch

6.What type of access was assigned to the anomalous user?

A: AdministratorAccess

7.Which IP does Mayor Malware typically use to log into AWS?

A: 53.94.201.69

8.What is McSkidy's actual IP address?

A: 31.210.15.79

9.What is the bank account number owned by Mayor Malware?

A: 2394 6912 7723 1294

Thank you!

🎄 Happy Hacking 🎄