Provide steps on how to review the logs.
After the attack, the users no longer have access to the file named confidential.txt. Now you will
review the logs to determine how the file was compromised.
Note: If this was a production network, it is recommended that analyst and root users change their passwords and
comply with the current security policy.
Step 1. Review alerts in Sguil.
a. Open Sguil and log in. Click Select All and then Start SGUIL.
b. Review the Events listed in the Event Message column. Two of the messages are GPL
ATTACK_RESPONSE id check returned root. These messages indicate that root
access may have been gained during an attack. The host at 209.165.200.235 returned
root access to 209.165.201.17. Select the Show Packet Data and Show Rule checkboxes
to view each alert in more detail.
![15507|236x73](upload://fqehQLTJ92ISJ7jfIjGz0qAkXm2.png)
c. Select the returned root message that is associated with Sensor seconion-eth1-1 for further
analysis. In the figure below, Alert ID 5.5846 and its correlated event are used.
![15508|565x89](upload://piAcDVgCntTrWWYIunpkPgSyJ3r.png)
d. Right-click the number under the CNT heading to select View Correlated Events.
![15509|290x89](upload://d556D9dErUk6GnuGs3ARd6tvUyq.png)
e. In the new tab, right-click the Alert ID for one of the GPL ATTACK_RESPONSE id
check returned root alerts and select Transcript. The Alert ID 5.5848 is used in this
example.
![15510|425x136](upload://5vL0w0Nm45l8zoCz1FI78BcmfW3.png)
f. Review the transcripts for all the alerts. The latest alert in the tab is likely to display the
transactions between the threat actor and the target during the attack.
![15511|304x354](upload://oSRZkYnB4iNj0cqcVVA15Fk3jcb.png)
![15512|310x358](upload://fbZgF4Fhhhg1b1gCrW52gAaqMzJ.png)
What happened during the attack?
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
The attacker from 209.165.201.17 gained root access to 209.165.200.235. A new user
myroot without any password was added to the system.
Step 2. Pivot to Wireshark.
a. Select the alert that provided you with the transcript from the previous step. Right-click
the Alert ID and select Wireshark.
![15513|563x273](upload://11teZTGQdSNFfVVXU2IrEgxyJCR.png)
b. To view all packets assembled in a TCP conversation, right-click any packet and select
Follow TCP Stream.
![15514|356x274](upload://mGmMhwxzacemAY6LoVzwfnDUSuF.png)
What did you observe? What do the text colors red and blue indicate?
____________________________________________________________________________
____________________________________________________________________________
The TCP stream shows the transaction between the threat actor displayed in red text
and the target in blue text. The information from the TCP stream is the same as in the
transcript.
c. Exit the TCP stream window. Close Wireshark when you are done reviewing the information
provided by Wireshark.
Step 3. Use ELSA to pivot to the Bro Logs.
a. Return to Sguil. Right-click either the source or destination IP for the same GPL
ATTACK_RESPONSE id check returned root alert and select ELSA IP Lookup >
DstIP. Enter username analyst and password cyberops when prompted by ELSA.
Note: If you received the message “Your connection is not private”, click ADVANCED > Proceed to
localhost (unsafe) to continue.
![15515|275x140](upload://opa3JCSI4jeC3VOqUu00vsMC5nK.png)
b. Change the date in the From field to the date before the date displayed in Sguil. Click
Submit Query.
c. Click bro_notice.
![15516|416x250](upload://x6RVtVYLKPi3uGJpS2NO8F04Ixt.png)
d. The result indicates that 209.165.201.17 was performing a port scan on 209.165.200.235.
The attacker probably found vulnerabilities on 209.165.200.235 to gain access.
![15517|424x152](upload://2xGUYGadQueaxHAfgRDtWVssVzz.png)
e. If an attacker has compromised 209.165.200.235, you want to determine the exploit that
was used and what was accessed by the attacker.
Step 4. Return to Sguil to investigate the attack.
a. Navigate to Sguil and click the RealTime Events tab. Locate the ET EXPLOIT
VSFTPD Backdoor User Login Smiley events. These events are possible exploits and
occurred within the timeframe of unauthorized root access.
![15518|452x101](upload://5P0yNqEvXYfGQS25z7TKyO7QBTO.png)
b. Right-click the number under the CNT heading and select View Correlated Events to
view all the related events. Select the Alert ID that starts with 5. This alert gathered the
information from the sensor on the seconion-eth1-1 interface.
c. In the new tab with all the correlated events, right-click the Alert ID and select
Transcript to view each alert in more detail. The latest alert is likely to display the TCP
transmission between the attacker and victim.
![15519|432x219](upload://lhob97VpxenqWqmymnShW3JEPEq.png)
d. You can also right-click the Alert ID and select Wireshark to review and save the pcap
file and TCP stream.
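The correlation an analyst performs by hand in Steps 1 and 4 (an ET EXPLOIT VSFTPD Backdoor alert followed shortly by a GPL ATTACK_RESPONSE id check returned root reply from the victim back to the attacker) can be scripted. This is an added example, not part of the lab or of Sguil; the alert records, timestamps and the 300-second window are constructed assumptions.

```python
# Added example (not from the lab): link a VSFTPD backdoor login alert to later
# "id check returned root" replies between the same two hosts, in either order of
# direction. Alert records below are constructed for illustration.
from datetime import datetime, timedelta

EXPLOIT_SIG = "ET EXPLOIT VSFTPD Backdoor User Login Smiley"
ROOT_SIG = "GPL ATTACK_RESPONSE id check returned root"

# Constructed alerts: (timestamp, src_ip, dst_ip, signature), as Sguil would list them.
ALERTS = [
    ("2017-05-22 14:10:02", "209.165.201.17", "209.165.200.235", "constructed scan alert"),
    ("2017-05-22 14:12:45", "209.165.201.17", "209.165.200.235", EXPLOIT_SIG),
    ("2017-05-22 14:12:47", "209.165.200.235", "209.165.201.17", ROOT_SIG),
    ("2017-05-22 14:12:49", "209.165.200.235", "209.165.201.17", ROOT_SIG),
    ("2017-05-22 16:40:00", "209.165.200.235", "10.0.0.5", ROOT_SIG),  # no matching exploit
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(alerts, window_seconds=300):
    """Return (exploit_alert, [root_alerts]) for each exploit alert whose target
    answered the attacking host with a returned-root reply inside the window."""
    exploits = [a for a in alerts if a[3] == EXPLOIT_SIG]
    roots = [a for a in alerts if a[3] == ROOT_SIG]
    results = []
    for ex in exploits:
        start = _ts(ex[0])
        matched = [
            r for r in roots
            # direction is reversed: the victim (dst of the exploit) replies to the attacker
            if r[1] == ex[2] and r[2] == ex[1]
            and start <= _ts(r[0]) <= start + timedelta(seconds=window_seconds)
        ]
        if matched:
            results.append((ex, matched))
    return results

def unexplained_root(alerts, window_seconds=300):
    """Returned-root alerts not explained by any exploit alert: these need a manual look."""
    explained = {r for _, ms in correlate(alerts, window_seconds) for r in ms}
    return [a for a in alerts if a[3] == ROOT_SIG and a not in explained]

if __name__ == "__main__":
    for ex, ms in correlate(ALERTS):
        print(f"{ex[0]} {ex[1]} -> {ex[2]} exploit; {len(ms)} root reply(s)")
    for a in unexplained_root(ALERTS):
        print("unexplained:", a)
```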
Step 5. Use ELSA to view exfiltrated data.
a. To use ELSA for more information about the same alert as above, right-click either the
source or destination IP address and select ELSA IP Lookup > DstIP.
b. Change the date in the From field to before the event occurred as indicated by the
timestamp in Sguil.
c. Click bro_ftp to view ELSA logs that are related to FTP.
![15520|438x350](upload://lYMuA5T9g8G56syGQE0AgxxTQTw.png)
Which file was transferred via FTP to 209.165.200.235? Whose account was used to
transfer the file?
____________________________________________________________________________
The file confidential.txt was transferred by the user analyst.
d. Click info to view the transactions in the last record. The reply_msg field indicates that
this is the last entry for the transfer of the confidential.txt file. Click Plugin > getPcap.
Enter username analyst and password cyberops when prompted. Click Submit if
necessary.
![15521|194x126](upload://4Zc1j82eVUaAxHQOCToaBWi6Ywt.png)
The pcap transcript is rendered using tcpflow, and this page also provides the link to
access the pcap file.
![15522|414x290](upload://oSeBto92mPIgH4RWFqB8FJTYhPW.png)
e. To determine the content of the file that was compromised, open ELSA by double
clicking the icon on the Desktop to open a new tab and perform a new search.
f. Expand FTP and click FTP Data.
g. Change the date in the From field as necessary to include the time period of interest,
and click Submit Query.
h. Click one of the Info links and select getPcap from the dropdown menu to determine
the content of the stolen file.
![15523|450x201](upload://d7ItyX9yTJND3hc9bwNLShx9CdE.png)
i. The result displays the content of the file named confidential.txt that was transferred
to the FTP server.
![15524|445x186](upload://ka0oI1wQOCvcmW0CzSULnvV82yu.png)
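The bro_ftp records that ELSA displays in Step 5 are ordinary tab-separated Bro ftp.log lines, so the same question (which file reached 209.165.200.235, and under whose account) can be answered directly from the log. This is an added example, not part of the lab or of Security Onion; the log excerpt uses a reduced #fields header and constructed timestamps, ports and reply messages.

```python
# Added example (not from the lab): parse Bro/Zeek ftp.log records in the tab-separated
# format ELSA shows under bro_ftp, and report which file was uploaded to the FTP server
# and under whose account. The log lines below are constructed for illustration.

# Constructed ftp.log excerpt with a reduced #fields header; real logs carry more columns.
FTP_LOG = "\n".join("\t".join(f) for f in [
    ("#fields", "ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "user", "command", "arg", "file_size", "reply_code", "reply_msg"),
    ("1495462435.10", "192.168.0.11", "50213", "209.165.200.235", "21",
     "analyst", "USER", "analyst", "-", "331", "Please specify the password."),
    ("1495462436.40", "192.168.0.11", "50213", "209.165.200.235", "21",
     "analyst", "PORT", "192,168,0,11,196,37", "-", "200", "PORT command successful."),
    ("1495462437.02", "192.168.0.11", "50213", "209.165.200.235", "21",
     "analyst", "STOR", "ftp://209.165.200.235/confidential.txt", "1024", "226",
     "Transfer complete."),
    ("1495462500.77", "192.168.0.11", "50220", "209.165.200.235", "21",
     "analyst", "RETR", "ftp://209.165.200.235/readme.txt", "512", "226",
     "Transfer complete."),
])

def parse_ftp_log(text):
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def uploads_of(text, filename):
    """Records where a client STORed (uploaded) the given filename to the FTP server,
    returned as (user, client_ip, server_ip, reply_msg)."""
    hits = []
    for rec in parse_ftp_log(text):
        # STOR is the upload command; Bro records its arg as a full ftp:// URL
        if rec["command"] == "STOR" and rec["arg"].endswith("/" + filename):
            hits.append((rec["user"], rec["id.orig_h"], rec["id.resp_h"], rec["reply_msg"]))
    return hits

if __name__ == "__main__":
    for user, src, dst, msg in uploads_of(FTP_LOG, "confidential.txt"):
        print(f"{src} -> {dst}: STOR confidential.txt as '{user}' ({msg})")
```

The reply_msg of the matching record is the "last entry" the lab points to in step d; the same filter applied to RETR records shows what was downloaded rather than uploaded.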
Step 6. Clean up
Shut down the VM when finished.
Reflection
In this lab, you have reviewed the logs as a cybersecurity analyst. Now summarize your findings.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
From the Sguil and ELSA logs, it was determined that an attacker at 209.165.201.17 exploited the
vsftpd vulnerability to gain root access to 209.165.200.235. By using root access gained from the
attack, the attacker added a new root user myroot for future root access. The attacker compromised
the user analyst to gain access to an internal workstation, 192.168.0.11. By using the analyst account,
the attacker was able to gain access to the file named confidential.txt and transfer the file using FTP to
209.165.200.235, where the attacker has remote access to retrieve the file.