katherinetipan/Incident-Response-Documentation

GitHub: katherinetipan/Incident-Response-Documentation

A complete incident response record of a malicious file upload event, showing how Splunk is used for log tracing and Catalyst for documenting threat artifacts.

Stars: 0 | Forks: 0

###### *Summer 2025 | CodePath CYB 102: Intermediate Cybersecurity*

### Incident Response Documentation

✔️ Objective: Identify the source of a malicious file upload and confirm the attacker's footprint with Splunk, then upload the artifacts to Catalyst for documentation and assessment.

⚙️ Tools: Splunk, Catalyst

1. Used Splunk to query the indexed CSV log for the source IP associated with the given MD5 hash 3AA...BA4D.

```
index=pathcode source="/home/codepath/Files/Splunk-5-6-7/uploadedhashes.csv" "3AADBF7E527FC1A050E1C97FEA1CBA4D" "File Uploaded"
```

2. Widened the search time window to identify lateral movement or concurrent uploads, and used rex to parse the raw log data into a clean, structured table.

```
index=pathcode "File Uploaded"
| where _time >= strptime("06/04/2023 15:59", "%m/%d/%Y %H:%M") AND _time <= strptime("06/04/2023 17:59", "%m/%d/%Y %H:%M")
| rex field=_raw "^(?<timestamp>[^,]+),(?<ip>[^,]+),(?<filename>[^,]+),(?<col4>[^,]+),(?<col5>[^,]+),(?<col6>[^,]+),(?<col7>[^,]+)"
| table timestamp, ip, filename
| dedup ip filename
| sort timestamp asc
```

Note on the rex: the capture-group names (the `<name>` part of each `(?<name>...)` group) did not survive page extraction. The three groups the `table` command depends on (`timestamp`, `ip`, `filename`) are restored here in the order the results table shows them; the column positions are an assumption, and `col4` to `col7` are placeholder names for the remaining four CSV columns, whose original names are not on the page.

Output (sample):

| timestamp | ip | filename |
| --- | --- | --- |
| 6/4/2023 16:06 | 192.168.1.12 | README.txt |
| 6/4/2023 16:19 | 192.168.1.13 | Presentation.pptx |
| 6/4/2023 16:38 | 192.168.1.9 | ExpenseReport.xls |
| 6/4/2023 16:54 | 192.168.1.3 | FamilyPhoto.jpg |
| 6/4/2023 17:22 | 192.168.1.11 | ProjectFiles.zip |
| 6/4/2023 17:34 | 192.168.1.4 | Homepage.html |
| 6/4/2023 17:49 | 192.168.1.8 | Style.css |
| 6/4/2023 17:59 | 192.168.1.10 | EvilScript.exe |

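The two Splunk searches above (hash-to-source-IP lookup, then the windowed, deduplicated upload timeline) can be replayed offline to check that the pipeline logic does what the analyst expects. The following Python script is an added example written for this page; it is not part of the repository and does not touch Splunk. It assumes a seven-column CSV layout (`timestamp,ip,user,filename,md5,browser,event`) that is a guess at the real `uploadedhashes.csv`, and runs over a constructed sample log that reproduces the eight rows shown in the results table plus three extra rows: one before the window, one after it, and a duplicate upload so the `dedup` step is exercised.

```python
import re
from datetime import datetime

# Mirrors the step-2 rex: one named capture group per CSV column.
# Column order and the names user/md5/browser/event are assumptions for this
# example; only timestamp, ip and filename are referenced by the original query.
LOG_RE = re.compile(
    r"^(?P<timestamp>[^,]+),(?P<ip>[^,]+),(?P<user>[^,]+),(?P<filename>[^,]+),"
    r"(?P<md5>[^,]+),(?P<browser>[^,]+),(?P<event>[^,]+)$"
)
TIME_FMT = "%m/%d/%Y %H:%M"  # same format string the SPL strptime() calls use

# Constructed sample log (not the lab's real uploadedhashes.csv). Placeholder
# MD5 values are zeros with a counter; only the EvilScript.exe hash is the one
# quoted on the page. Rows 1 and 12 fall outside the 15:59-17:59 window, row 10
# duplicates row 9, and row 11 is a download, not an upload.
SAMPLE_LOG = """\
06/04/2023 15:30,192.168.1.5,JDoe,Notes.txt,00000000000000000000000000000001,Chrome,File Uploaded
06/04/2023 16:06,192.168.1.12,JDoe,README.txt,00000000000000000000000000000002,Chrome,File Uploaded
06/04/2023 16:19,192.168.1.13,MLee,Presentation.pptx,00000000000000000000000000000003,Firefox,File Uploaded
06/04/2023 16:38,192.168.1.9,MLee,ExpenseReport.xls,00000000000000000000000000000004,Edge,File Uploaded
06/04/2023 16:54,192.168.1.3,RKim,FamilyPhoto.jpg,00000000000000000000000000000005,Chrome,File Uploaded
06/04/2023 17:22,192.168.1.11,RKim,ProjectFiles.zip,00000000000000000000000000000006,Firefox,File Uploaded
06/04/2023 17:34,192.168.1.4,TNg,Homepage.html,00000000000000000000000000000007,Chrome,File Uploaded
06/04/2023 17:49,192.168.1.8,TNg,Style.css,00000000000000000000000000000008,Edge,File Uploaded
06/04/2023 17:59,192.168.1.10,ABurke,EvilScript.exe,3AADBF7E527FC1A050E1C97FEA1CBA4D,Opera,File Uploaded
06/04/2023 17:59,192.168.1.10,ABurke,EvilScript.exe,3AADBF7E527FC1A050E1C97FEA1CBA4D,Opera,File Uploaded
06/04/2023 17:59,192.168.1.10,ABurke,EvilScript.exe,3AADBF7E527FC1A050E1C97FEA1CBA4D,Opera,File Downloaded
06/04/2023 18:10,192.168.1.6,JDoe,Budget.xlsx,00000000000000000000000000000009,Chrome,File Uploaded
"""


def parse_events(text):
    """Extract fields from each raw line, the way `rex field=_raw` does in Splunk."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # a line that does not fit the seven-column shape yields no fields, as with rex
            continue
        ev = m.groupdict()
        ev["_time"] = datetime.strptime(ev["timestamp"], TIME_FMT)
        events.append(ev)
    return events


def find_source_ips(events, md5):
    """Step 1: source IPs of 'File Uploaded' events carrying the given MD5 (case-insensitive)."""
    md5 = md5.upper()
    return sorted({ev["ip"] for ev in events
                   if ev["md5"].upper() == md5 and ev["event"] == "File Uploaded"})


def uploads_in_window(events, start, end):
    """Step 2: uploads between start and end (inclusive), one row per (ip, filename), oldest first."""
    t0, t1 = datetime.strptime(start, TIME_FMT), datetime.strptime(end, TIME_FMT)
    seen, rows = set(), []
    for ev in events:
        if ev["event"] != "File Uploaded" or not (t0 <= ev["_time"] <= t1):
            continue
        key = (ev["ip"], ev["filename"])
        if key in seen:  # `dedup ip filename`: keep the first occurrence only
            continue
        seen.add(key)
        rows.append((ev["timestamp"], ev["ip"], ev["filename"]))
    rows.sort(key=lambda r: datetime.strptime(r[0], TIME_FMT))  # `sort timestamp asc`
    return rows


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("source IP(s) for the flagged hash:", find_source_ips(evs, "3AADBF7E527FC1A050E1C97FEA1CBA4D"))
    for ts, ip, name in uploads_in_window(evs, "06/04/2023 15:59", "06/04/2023 17:59"):
        print(f"{ts}\t{ip}\t{name}")
```

Running the script prints `192.168.1.10` as the only source IP for the flagged hash and the same eight rows as the Splunk results table; the 15:30 and 18:10 rows are dropped by the time window, the second 17:59 upload is collapsed by the dedup step, and the download event never matches because both queries require the literal `File Uploaded`.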
3. Used Catalyst to document the incident through threat artifacts for risk assessment and compliance reporting.
4. Risk Assessment + OSINT

The detection of a malicious executable (EvilScript.exe) in the Splunk logs highlighted a successful infiltration of the network. The file was tied to a known malicious MD5 hash (3AADBF7E527FC1A050E1C97FEA1CBA4D) and executed by the user ABurke from internal IP 192.168.1.10. Based on the activity logs, the user downloaded the malicious file using the Opera web browser.

Tools such as endpoint detection and response (EDR) could be deployed to provide better visibility and faster containment, and user awareness training can reduce the likelihood of similar incidents recurring. Checking the MD5 hash 3AAD…1CBA4D on VirusTotal confirmed that 46/63 security vendors flagged it as malicious, with the popular threat label trojan.w97m/emooodldr.

Tags: AMSI bypass, Catalyst, CSV logs, DNS reverse lookup, ESC4, bulk IP address processing, MD5 hash, OSINT, rex regex, compliance reporting, threat intelligence, threat detection, developer tools, malicious file upload, digital forensics, data parsing, lateral movement detection, network information gathering, cybersecurity, cybersecurity auditing, automation scripts, privacy protection