12.4.1.2 Alt Lab - Isolate Compromised Host Using 5-Tuple

Lab – Isolate Compromised Host Using 5-Tuple

Objectives
In this lab, you will review logs during an exploitation of a documented vulnerability to determine the
compromised hosts and file.
Part 1: Prepare the Virtual Environment
Part 2: Review the Logs

Background / Scenario
The 5-tuple (source IP address and port, destination IP address and port, and the transport protocol)
uniquely identifies a network flow. Administrators use it to write firewall and access-control rules, and
analysts use it to pivot between tools: the same 5-tuple ties a Sguil alert to its packets in Wireshark and
to the matching Bro connection, notice, and FTP logs in ELSA.
In this lab, you will use that pivot to identify the compromised host and the content of the compromised
file.

Required Resources
- Host computer with at least 3 GB of RAM and 10 GB of free disk space
- Latest version of Oracle VirtualBox
- Internet connection
- One virtual machine: Alternate Security Onion VM

Part 1: Prepare the Virtual Environment


a. Download the Alternate Security Onion virtual machine.
b. Launch Oracle VirtualBox. Import the Alternate Security Onion VM.
c. Launch and log into Alternate Security Onion VM. Log in with the user analyst and password cyberops.
d. In the Alternate Security Onion VM, right-click the Desktop > Open Terminal Here. Enter the sudo
service nsm status command to verify that all the servers and sensors are ready. This process could
take a few moments. If some services report FAIL, repeat the command as necessary until all the
statuses are OK before moving on to the next part.
analyst@SecOnion:~/Desktop$ sudo service nsm status
Status: securityonion
* sguil server [ OK ]
Status: HIDS
* ossec_agent (sguil) [ OK ]
Status: Bro
Name Type Host Status Pid Started
manager manager localhost running 5577 26 Jun 10:04:27
proxy proxy localhost running 5772 26 Jun 10:04:29
seconion-eth0-1 worker localhost running 6245 26 Jun 10:04:33
seconion-eth1-1 worker localhost running 6247 26 Jun 10:04:33
seconion-eth2-1 worker localhost running 6246 26 Jun 10:04:33

© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 10 www.netacad.com

Status: seconion-eth0
* netsniff-ng (full packet data) [ OK ]
* pcap_agent (sguil) [ OK ]
* snort_agent-1 (sguil) [ OK ]
* snort-1 (alert data) [ OK ]
* barnyard2-1 (spooler, unified2 format) [ OK ]
<output omitted>

Part 2: Review the Logs


After the attack, the users no longer have access to the file named confidential.txt. Now you will review the
logs to determine how the file was compromised.
Note: If this were a production network, the analyst and root users should change their passwords and
comply with the current security policy.

Step 1: Review alerts in Sguil.


a. Open Sguil and log in. Click Select All and then Start SGUIL.
b. Review the events listed in the Event Message column. Two of the messages are GPL
ATTACK_RESPONSE id check returned root. This signature matches the string uid=0(root) in a packet
payload, which is the output of the id command when it runs as root, so it indicates that root access may
have been gained during an attack. Here the host at 209.165.200.235 returned root-level output to
209.165.201.17. Select the Show Packet Data and Show Rule checkboxes to view each alert in more detail.

c. Select the returned root message that is associated with Sensor seconion-eth1-1 for further analysis. In
the figure below, Alert ID 5.5846 and its correlated event are used.

d. Right-click the number under the CNT heading to select View Correlated Events.


e. In the new tab, right-click the Alert ID for one of the GPL ATTACK_RESPONSE id check returned root
alerts and select Transcript. The Alert ID 5.5848 is used in this example.

f. Review the transcripts for all the alerts. The latest alert in the tab is likely to display the transactions
between the threat actor and the target during the attack.

What happened during the attack?


____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________


Step 2: Pivot to Wireshark.


a. Select the alert that provided you with the transcript from the previous step. Right-click the Alert ID and
select Wireshark.

b. To view all packets assembled in a TCP conversation, right-click any packet and select Follow TCP
Stream.

What did you observe? What do the text colors red and blue indicate?
____________________________________________________________________________________
____________________________________________________________________________________


c. Exit the TCP stream window. Close Wireshark when you are done reviewing the information provided by
Wireshark.

Step 3: Use ELSA to pivot to the Bro Logs.


a. Return to Sguil. Right-click either the source or destination IP for the same GPL ATTACK_RESPONSE
id check returned root alert and select ELSA IP Lookup > DstIP. Enter username analyst and
password cyberops when prompted by ELSA.
Note: If you received the message "Your connection is not private", click ADVANCED > Proceed to
localhost (unsafe) to continue.

b. Change the date in the From field to the date before the date displayed in Sguil. Click Submit Query.
c. Click bro_notice.


d. The result indicates that 209.165.201.17 was performing a port scan on 209.165.200.235. The attacker
probably found vulnerabilities on 209.165.200.235 to gain access.

e. If an attacker has compromised 209.165.200.235, you want to determine the exploit that was used and
what was accessed by the attacker.

Step 4: Return to Sguil to investigate the attack.


a. Navigate to Sguil and click the RealTime Events tab. Locate the ET EXPLOIT VSFTPD Backdoor User
Login Smiley events. These events are possible exploits and occurred within the timeframe of the
unauthorized root access.

b. Right-click the number under the CNT heading and select View Correlated Events to view all the related
events. Select the Alert ID that starts with 5. This alert was gathered by the sensor on the seconion-eth1-1
interface.


c. In the new tab with all the correlated events, right-click the Alert ID and select Transcript to view each
alert in more detail. The latest alert is likely to display the TCP transmission between the attacker and
victim.

d. You can also right-click the Alert ID and select Wireshark to review and save the pcap file and TCP
stream.

Step 5: Use ELSA to view exfiltrated data.


a. To use ELSA for more information about the same alert as above, right-click either the source or
destination IP address and select ELSA IP Lookup > DstIP.
b. Change the date in the From field to before the event occurred as indicated by the timestamp in Sguil.


c. Click bro_ftp to view ELSA logs that are related to FTP.

Which file was transferred via FTP to 209.165.200.235? Whose account was used to transfer the file?
____________________________________________________________________________________
d. Click info to view the transactions in the last record. The reply_msg field indicates that this is the last
entry for the transfer of the confidential.txt file. Click Plugin > getPcap. Enter username analyst and
password cyberops when prompted. Click Submit if necessary.


The pcap transcript is rendered using tcpflow, and this page also provides the link to access the pcap file.

e. To determine the content of the file that was compromised, open ELSA by double clicking the icon on the
Desktop to open a new tab and perform a new search.
f. Expand FTP and click FTP Data.
g. Change the date in the From field as necessary to include the time period of interest, and click Submit
Query.
h. Click one of the Info links and select getPcap from the dropdown menu to determine the content of the
stolen file.


i. The result displays the content of the file named confidential.txt that was transferred to the FTP server.
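The lab pivots on the 5-tuple by clicking through Sguil, Wireshark and ELSA (Background, Step 3 and Step 5). The script below is an added example, not part of the Cisco lab or of Security Onion, that performs the same three pivots over Zeek/Bro-style text logs: it normalizes conn.log records into 5-tuples, flags the port scan that bro_notice reported in Step 3, and attributes the FTP transfer from ftp.log the way the bro_ftp view does in Step 5. The two IP addresses are the lab's; every timestamp, port number, connection state, the username labuser and the reply messages are constructed sample data, and the column layout assumes Zeek's tab-separated format with a #fields header. The constructed connection to TCP port 6200 is included because the vsftpd 2.3.4 backdoor opens a shell listener there; it is not taken from the lab's capture.

```python
"""Added example (not part of the Cisco lab or of Security Onion): pivot on the
5-tuple in Zeek/Bro-style logs from a script instead of the Sguil/ELSA GUI.
Assumptions: Zeek tab-separated text with a '#fields' header and only the
columns used here. The IP addresses are the lab's; every timestamp, port,
connection state, username and reply message below is constructed."""
from collections import defaultdict
from typing import NamedTuple

ATTACKER = "209.165.201.17"
VICTIM = "209.165.200.235"
# Zeek conn_state values meaning the handshake was refused or never completed.
FAILED_STATES = {"S0", "REJ", "RSTO", "RSTOS0", "RSTRH"}

class FiveTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

def parse_zeek_tsv(text: str) -> list[dict]:
    """The '#fields' line names the columns; other '#' lines are metadata."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data before #fields header")
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def five_tuple(rec: dict) -> FiveTuple:
    """id.orig_* is the side that opened the connection, id.resp_* the side that
    answered. ftp.log has no proto column; FTP is always TCP."""
    return FiveTuple(rec["id.orig_h"], int(rec["id.orig_p"]),
                     rec["id.resp_h"], int(rec["id.resp_p"]), rec.get("proto", "tcp"))

def find_port_scans(conns: list[dict], min_ports: int = 10, window: float = 60.0) -> dict:
    """Flag (src, dst) pairs that touch at least min_ports distinct destination ports
    within `window` seconds with at least half of the attempts refused or unanswered."""
    by_pair = defaultdict(list)
    for r in conns:
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append(r)
    scans = {}
    for pair, recs in by_pair.items():
        recs.sort(key=lambda r: float(r["ts"]))
        for i, first in enumerate(recs):
            t0 = float(first["ts"])
            burst = [r for r in recs[i:] if float(r["ts"]) - t0 <= window]
            ports = {int(r["id.resp_p"]) for r in burst}
            failed = sum(r["conn_state"] in FAILED_STATES for r in burst)
            if len(ports) >= min_ports and 2 * failed >= len(burst):
                scans[pair] = {"ports": sorted(ports), "failed": failed, "total": len(burst)}
                break
    return scans

def flows_with(conns: list[dict], ip: str) -> list[FiveTuple]:
    """Every completed connection involving `ip`, oldest first: the analyst's IP pivot."""
    return [five_tuple(r) for r in sorted(conns, key=lambda r: float(r["ts"]))
            if ip in (r["id.orig_h"], r["id.resp_h"]) and r["conn_state"] not in FAILED_STATES]

def ftp_transfers(ftp: list[dict]) -> list[dict]:
    """Attribute each RETR/STOR to an account and a direction. id.resp_h is the FTP
    server: RETR moves the file server -> client, STOR moves it client -> server."""
    out = []
    for r in ftp:
        if r["command"] not in ("RETR", "STOR"):
            continue
        server, client = r["id.resp_h"], r["id.orig_h"]
        src, dst = (server, client) if r["command"] == "RETR" else (client, server)
        out.append({"file": r["arg"].rsplit("/", 1)[-1], "user": r["user"], "from": src,
                    "to": dst, "reply": r["reply_msg"], "control": five_tuple(r)})
    return out

def build_conn_log() -> str:
    """Constructed conn.log: a 30-port probe burst, then the service connections."""
    lines = ["#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state"]
    for i, port in enumerate(range(20, 50)):              # probes 0.1 s apart
        state = "SF" if port in (21, 22, 23) else "REJ"   # only three ports are open
        lines.append(f"{1000 + i / 10:.1f}\t{ATTACKER}\t{40000 + i}\t{VICTIM}\t{port}\ttcp\t{state}")
    lines += [f"1200.0\t{ATTACKER}\t41000\t{VICTIM}\t21\ttcp\tSF",    # FTP control session
              f"1201.0\t{ATTACKER}\t41001\t{VICTIM}\t6200\ttcp\tSF",  # vsftpd 2.3.4 backdoor shell port
              f"1300.0\t{ATTACKER}\t41002\t{VICTIM}\t21\ttcp\tSF",    # second FTP control session
              f"1300.5\t{VICTIM}\t20\t{ATTACKER}\t41003\ttcp\tSF"]    # active-mode data channel
    return "\n".join(lines)

# Constructed ftp.log; Zeek logs data commands such as PORT and RETR, not USER/PASS.
FTP_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tuser\tcommand\targ\treply_code\treply_msg",
    f"1300.2\t{ATTACKER}\t41002\t{VICTIM}\t21\tlabuser\tPORT\t209,165,201,17,160,43\t200\tPORT command successful.",
    f"1300.4\t{ATTACKER}\t41002\t{VICTIM}\t21\tlabuser\tRETR\tftp://{VICTIM}/confidential.txt\t226\tTransfer complete.",
])

if __name__ == "__main__":
    conns = parse_zeek_tsv(build_conn_log())
    for (src, dst), s in find_port_scans(conns).items():
        print(f"scan  {src} -> {dst}: {len(s['ports'])} ports, {s['failed']}/{s['total']} refused")
    for t in flows_with(conns, VICTIM):
        print(f"flow  {t.src_ip}:{t.src_port} -> {t.dst_ip}:{t.dst_port}/{t.proto}")
    for x in ftp_transfers(parse_zeek_tsv(FTP_LOG)):
        print(f"ftp   {x['file']} {x['from']} -> {x['to']} as {x['user']}: {x['reply']}")
```

Run as-is it prints the scan, the completed flows that touch the victim and the attributed transfer. Against real logs, feed the conn.log and ftp.log that the Bro sensor on the Security Onion VM writes to parse_zeek_tsv in place of the constructed strings; the FiveTuple returned for the FTP control session is the same key you would paste into a Wireshark or ELSA filter to reach the data channel and the file contents.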

Step 6: Clean up
Shut down the VM when finished.

Reflection
In this lab, you have reviewed the logs as a cybersecurity analyst. Now summarize your findings.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
