GitHub: OMAR61-eng/BOTSv1-Joomla-Incident-Response
# BOTSv1 Incident Response: Joomla Web App Compromise & Defacement
## 📌 Executive Summary
This repository contains a comprehensive, forensic-grade Incident Response and Threat Hunting investigation based on the **Splunk BOTSv1 (Boss of the SOC)** dataset.
The investigation documents a coordinated multi-phase attack executed by the threat actor group known as **Poison Ivy APT** against our corporate web server (`192.168.250.70`). The attack chain began with active vulnerability scanning (abusing Shellshock `CVE-2014-6271` and automated Joomla probes). The threat actor then launched an aggressive, automated dictionary brute-force campaign to compromise administrative credentials (`admin` / `batman`).
Following successful exploitation, the attacker utilized Joomla's extension installer (`com_installer`) to deploy a PHP Web Shell (`agent.php`) and a Trojan executable (`3791.exe`). This payload was executed under the web application pool security context (**NT AUTHORITY\IUSR**), subsequently establishing a persistent Reverse Shell on port `1337` and downloading a defacement image (`poisonivy-is-coming-for-you-batman.jpeg`) from the attacker's Command & Control infrastructure to deface the public web interface.
## 🔍 Incident Identification Overview
| Field | Details |
| --- | --- |
| **Case Reference ID** | BOTS-INC-2016-001 |
| **Incident Category** | Web Application Compromise & Defacement |
| **SIEM Tool & Index** | Splunk / Index: `botsv1` |
| **Targeted Asset** | IP: `192.168.250.70` (Domain: `imreallynotbatman.com`) |
| **Targeted Hostname** | **we1149srv** |
| **Target Operating System** | **Windows Server** |
| **Content Management System** | Joomla CMS |
| **Target URI** | `/joomla/administrator/index.php` |
| **Scanner & Exploiter IP** | `40.80.148.42` |
| **Brute Forcer & C2 IP** | `23.22.63.114` (Hosted on Amazon AWS US-East-1) |
| **Threat Actor Location** | **USA (AWS US-East-1)** |
| **Compromised Account** | `admin` (Password: **batman**) |
| **Execution Context** | **NT AUTHORITY\IUSR** (Web Service Account) |
| **Targeted Vulnerability** | CVE-2014-6271 (Shellshock) |
| **Primary Payloads** | **3791.exe** (Windows Trojan) & **agent.php** (Web Shell) |
| **Threat Actor Group** | Poison Ivy APT |
## 🗺️ Attack Phases & MITRE ATT&CK Mapping
[Reconnaissance] ➔ [Weaponization] ➔ [Delivery] ➔ [Exploitation] ➔ [Installation] ➔ [Command & Control] ➔ [Execution] ➔ [Objectives]
| Kill Chain Phase | MITRE ATT&CK Technique | Technical Description & Tooling |
| --- | --- | --- |
| **1. Reconnaissance** | T1595.002 (Active Scanning) | Probing administrative directories and searching for Shellshock vulnerabilities via **Acunetix Web Scanner**. |
| **2. Weaponization** | T1583.003 (VPS Infrastructure) | Provisioning Command & Control nodes on AWS dynamic hosting environments and registering malicious domains (`po1s0n1vy.com`). |
| **3. Delivery** | T1110.001 (Password Guessing) | Launching a high-volume automated dictionary brute-force campaign against the Joomla backend using custom Python automation scripts. |
| **4. Exploitation** | T1078.001 (Valid Accounts) | Gaining administrative dashboard access using cracked administrative credentials (`admin` / `batman`). |
| **5. Installation** | T1505.003 (Web Shell) | Uploading persistent PHP web backdoor (`agent.php`) and executable payload (`3791.exe`) via the compromised Joomla `com_installer` component. |
| **6. Command & Control** | T1071.001 (Web Protocols) | Establishing outbound network sessions on a non-standard port (**Port 1337**) to attacker-controlled C2 domains hosted on dynamic infrastructure. |
| **7. Execution** | T1059.003 (Windows Cmd) | Spawning `cmd.exe` process trees to launch the Trojan binary (`3791.exe`) under the local web service account. |
| **8. Objectives** | T1491.001 (Internal Defacement) | Downloading the defacement image from `prankglassinebracket.jumpingcrab.com` to alter the public identity of the organization. |
## 📅 Forensic Timeline of Events (UTC)
* **21:36:45** - Active scanning and directory probing begins from IP `40.80.148.42` using Acunetix.
* **21:45:08** - Automated dictionary-based brute force campaign starts from IP `23.22.63.114` using `Python-urllib/2.7`.
* **21:46:00** - Attack intensity reaches peak volume, generating **706 failed login attempts in a single minute**.
* **21:48:05** - Successful login is recorded from IP `40.80.148.42` using the correct compromised credential `batman`.
* **21:50:31** - Attacker leverages administrator rights to upload `agent.php` and `3791.exe` via the installer.
* **21:56:10** - Malicious Trojan `3791.exe` is executed under the web service context `NT AUTHORITY\IUSR` via `cmd.exe`.
* **22:06:21** - Outbound Reverse Shell session is established back to the C2 server IP `23.22.63.114` on Port `1337`.
* **22:10:21** - Server is forced to download `poisonivy-is-coming-for-you-batman.jpeg` from `prankglassinebracket.jumpingcrab.com` to deface the homepage.
## 💻 Technical Evidence & Splunk Queries
### Evidence 1: Attacker IP & User-Agent Verification
We analyzed the incoming HTTP streams to distinguish standard user browser sessions from automated scripts.
```spl
index="botsv1" imreallynotbatman sourcetype="stream:http"
| table _time src_ip dest_ip uri http_user_agent
| dedup src_ip
```
* **Findings:** IP `23.22.63.114` utilized an automated user-agent **`Python-urllib/2.7`**, proving the dictionary attack was scripted and automated.
### Evidence 2: Traffic Density & Attack Spikes
We ran a timechart count on the brute-force actor to assess the speed and scale of the attack.
```spl
index="botsv1" 23.22.63.114 sourcetype="stream:http" uri="/joomla/administrator/index.php"
| timechart span=1m count as "Attempts per Minute"
```
* **Findings:** The attack peaked aggressively, reaching **706 login attempts in a single minute** at **21:46:00**, confirming script-driven speed.
### Evidence 3: Failed vs. Successful Login Attempts
We contrasted login request volumes across the target endpoint to trace the exact pivot point from brute force to compromise.
```spl
index="botsv1" imreallynotbatman sourcetype="stream:http" uri="/joomla/administrator/index.php" form_data="*username*passwd*"
| stats count by src_ip
```
* **Findings:** The secondary IP (`23.22.63.114`) generated **412 failed attempts** (dictionary noise). The primary attacker IP (`40.80.148.42`) logged in successfully with **exactly 1 attempt**, proving they used the password cracked from the background dictionary scans.
### Evidence 4: Extraction of Compromised Credentials
We parsed HTTP POST form data to identify the exact credential set used to achieve administrative access.
```spl
index="botsv1" uri="/joomla/administrator/index.php" form_data="*passwd*"
| rex field=form_data "passwd=(?<password>[^&]+)"
| stats count values(password) as tried_passwords by src_ip
| sort - count
| dedup tried_passwords
```
* **Findings:** The password used by `40.80.148.42` to successfully log in was extracted as **`batman`**.
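As an added example (not code from this repository or from Splunk), the Evidence 3 and 4 logic re-implemented in Python over constructed `stream:http` records: the `passwd` capture, the per-minute attempt count, and the test for a source that logs in once with a password another source sprayed. The sample events and the spray threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed stream:http records carrying the fields the SPL above uses (sample values, not BOTSv1 data).
SAMPLE_EVENTS = [
    {"_time": "21:45:08", "src_ip": "23.22.63.114", "form_data": "username=admin&passwd=robin&task=login"},
    {"_time": "21:45:09", "src_ip": "23.22.63.114", "form_data": "username=admin&passwd=batman&task=login"},
    {"_time": "21:45:09", "src_ip": "23.22.63.114", "form_data": "username=admin&passwd=joker&task=login"},
    {"_time": "21:48:05", "src_ip": "40.80.148.42", "form_data": "username=admin&passwd=batman&task=login"},
    {"_time": "21:49:00", "src_ip": "10.0.0.5", "form_data": "username=admin&passwd=Tr%40nsient%2B1&task=login"},
    {"_time": "21:49:30", "src_ip": "10.0.0.5", "form_data": "option=com_login&task=logout"},  # no passwd
]

PASSWD_RE = re.compile(r"passwd=([^&]+)")  # same capture as the Evidence 4 rex


def extract_passwd(form_data):
    """Return the URL-decoded passwd value, or None when the form carries none."""
    m = PASSWD_RE.search(form_data or "")
    return unquote_plus(m.group(1)) if m else None


def attempts_per_minute(events):
    """Like `timechart span=1m count`, split by source: {(src_ip, 'HH:MM'): login POSTs}."""
    counts = Counter()
    for e in events:
        if extract_passwd(e.get("form_data")) is not None:
            counts[(e["src_ip"], e["_time"][:5])] += 1
    return counts


def analyze_logins(events, guess_threshold=3):
    """Sprayers submit >= guess_threshold distinct passwords; any other source that submits
    exactly one password taken from a sprayer's list is flagged as the Evidence 3 pivot."""
    tried = defaultdict(set)
    for e in events:
        pw = extract_passwd(e.get("form_data"))
        if pw is not None:
            tried[e["src_ip"]].add(pw)
    sprayers = {ip for ip, pws in tried.items() if len(pws) >= guess_threshold}
    sprayed = set().union(*(tried[ip] for ip in sprayers))
    reuse = {ip: pws for ip, pws in tried.items()
             if ip not in sprayers and len(pws) == 1 and pws <= sprayed}
    return {"sprayers": sprayers, "reuse": reuse}
```

On the sample data the sprayer is `23.22.63.114` and the single `batman` login from `40.80.148.42` is flagged, while the unrelated `10.0.0.5` login is not.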
### Evidence 5: Malware Execution & User Auditing
We tracked execution context and command lines via Sysmon logging (Event Code 1: Process Creation).
```spl
index="botsv1" "3791.exe" sourcetype=xmlwineventlog EventCode=1
| table _time host User CommandLine
```
* **Findings:** The payload was executed via: `cmd.exe /c "3791.exe 2>&1"`. The execution run context was audited as the default low-privilege IIS web server account **`NT AUTHORITY\IUSR`**.
### Evidence 6: Malware Hash & Reputation Lookup
We parsed cryptographic metadata to extract file hashes and cross-referenced them with global threat intelligence.
```spl
index="botsv1" sourcetype="XmlWinEventLog" EventCode=1 "3791.exe"
| rex field=Hashes "SHA256=(?<SHA256>[^,]+)"
| table _time, SHA256
```
* **Extracted Hash (SHA256):** `ec78c938d8453739ca2a370b9bc275971ec46caf6e479de2b2d04e97cc47fa45d`
* **Threat Intel Results:**
* **VirusTotal:** Flagged as malicious by **65 out of 72** security vendors (`Trojan.swrort/cryptz`); identified as a trojanized build of `ab.exe` (ApacheBench).
* **Hybrid Analysis:** Received a threat score of **100/100**, historically classified as a persistent backdoor named `MirandaTateScreensaver.scr.exe`.
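Added example, not code from this repository: parsing a constructed Sysmon Event ID 1 record the way the Evidence 5 and 6 queries do, pulling the SHA256 out of the `Hashes` field, and flagging the pattern the AppLocker rule in the hardening section is meant to block (a web service account spawning a command interpreter). The event XML, the placeholder hash and the account set are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Sysmon Event ID 1 record in XmlWinEventLog shape; hostname and command line
# follow Evidence 5, the hash values are placeholders and not the page's IOCs.
PLACEHOLDER_SHA256 = "ab" * 32
SAMPLE_EVENT_XML = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID><Computer>we1149srv</Computer></System>
  <EventData>
    <Data Name='Image'>C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name='CommandLine'>cmd.exe /c "3791.exe 2&gt;&amp;1"</Data>
    <Data Name='User'>NT AUTHORITY\\IUSR</Data>
    <Data Name='Hashes'>MD5=00112233445566778899aabbccddeeff,SHA256=%s</Data>
  </EventData>
</Event>""" % PLACEHOLDER_SHA256

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# The Evidence 6 rex with its capture group name restored and the length pinned to a real SHA-256.
SHA256_RE = re.compile(r"SHA256=(?P<SHA256>[0-9A-Fa-f]{64})")
# Accounts that serve web content and should never spawn an interpreter (assumed set; extend per host).
WEB_SERVICE_ACCOUNTS = {"NT AUTHORITY\\IUSR"}
INTERPRETERS = {"cmd.exe", "powershell.exe"}


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon XML event into {'EventID': int, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"EventID": event_id, **fields}


def extract_sha256(hashes_field):
    """Pull the SHA256 out of Sysmon's comma-separated Hashes field; None if absent or malformed."""
    m = SHA256_RE.search(hashes_field or "")
    return m.group("SHA256").lower() if m else None


def interpreter_from_web_account(event):
    """Detection: a web service account created a cmd.exe/powershell.exe process (Event ID 1)."""
    if event.get("EventID") != 1:
        return False
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return event.get("User") in WEB_SERVICE_ACCOUNTS and image in INTERPRETERS
```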
## 🔒 Indicators of Compromise (IOCs)
| Indicator Value | Type | Kill Chain Phase | First Seen (UTC) | Description |
| --- | --- | --- | --- | --- |
| `40.80.148.42` | Malicious IP | Recon / Exploit | 21:36:45 | Main IP used for scanning, file uploads, and exploiting credentials. |
| `23.22.63.114` | Malicious IP | Weaponization | 21:45:08 | AWS infrastructure IP used for brute-forcing and the Reverse Shell. |
| `po1s0n1vy.com` | APT Domain | Weaponization | OSINT | The attacker's primary registered domain linked to Poison Ivy APT. |
| `prankglassinebracket.jumpingcrab.com` | C2 Domain | Actions on Obj. | 22:10:21 | External link used to host and download the defacement image. |
| `agent.php` | Web Shell | Installation | 21:50:31 | The malicious PHP backdoor uploaded via Joomla extension manager. |
| `3791.exe` | Payload | Installation | 21:50:31 | The malicious compiled Windows Trojan executable file. |
| `ec78c938d8453739ca2a370b9bc275971ec46caf6e479de2b2d04e97cc47fa45d` | SHA256 Hash | Installation | 21:50:31 | Unique digital fingerprint of the malicious file `3791.exe`. |
| `aae3f5a29935e6abcc2c2754d12a9af0` | MD5 Hash | Installation | 21:50:31 | Legacy cryptographic hash for identification of `3791.exe`. |
| `CVE-2014-6271` | Vulnerability | Reconnaissance | 21:36:45 | Shellshock RCE vulnerability tested by the attacker's scanners. |
| `NT AUTHORITY\IUSR` | User Account | Execution | 21:56:10 | Web service account context exploited to run the malicious payload. |
| `cmd.exe /c "3791.exe 2>&1"` | Command | Execution | 21:56:10 | Specific command line executed to run the malicious binary. |
| `Port 1337` | Network Port | C2 | 22:06:21 | Non-standard port used to establish remote Command & Control (C2). |
## 🛡️ Containment, Eradication & Remediation
To secure the environment and automate future responses, the following steps were taken:
### Immediate Containment
* **Network Isolation:** Disconnected the infected web server (`192.168.250.70`) from the network to kill active outbound Command & Control connections.
* **IP Shunning:** Blacklisted adversary IP addresses (`40.80.148.42` and `23.22.63.114`) on the perimeter firewall.
* **Port Closure:** Blocked all incoming and outgoing connections over Port `1337` at the firewall level.
### Eradication & Remediation
* **Clean System Restore:** Restored the server from a clean, offline snapshot taken prior to `21:30:00` (before scanning began) to ensure no hidden web backdoors remained.
* **Global Credential Reset:** Forced an immediate password reset for all administrative, service, and database accounts, enforcing complex password restrictions and banning predictable words like `batman`.
* **Multi-Factor Authentication (MFA):** Implemented mandatory MFA policies for all Joomla backend administrative logins.
### Hardening & Prevention
* **Execution Prevention Rules:** Implemented Group Policies (GPOs) and AppLocker rules to prevent web service accounts (`NT AUTHORITY\IUSR` / `IIS_IUSRS`) from launching command interpreters (`cmd.exe`, `powershell.exe`).
* **Web Application Firewall (WAF) Configuration:** Enabled WAF rate-limiting to block aggressive brute-force activities (automated HTTP POST requests) and drop automated scanner payloads (Acunetix / Shellshock exploit attempts).