Provide steps on how to review the logs.

After the attack, the user analyst no longer has access to the file named confidential.txt. Now you will
review the logs to determine how the file was compromised.

Note: If this were a production network, the users analyst and root should change their passwords and comply with the current security policy.

Step 1. Review alerts in Sguil.
a. Access the Security Onion VM. Log in with the user analyst and password cyberops.
b. Open Sguil and log in. Click Select All and then Start SGUIL.
c. Review the events listed in the Event Message column. Two of the messages are GPL
ATTACK_RESPONSE id check returned root. This message indicates that root access
may have been gained during an attack. The host at 209.165.200.235 returned root
access to 209.165.201.17. Select the Show Packet Data and Show Rule checkboxes to
view each alert in more detail.

d. Select the returned root message that is associated with Sensor seconion-eth1-1 for
further analysis. In this example, Alert ID 5.2568 and its correlated event are used;
your Alert ID will most likely be a different number.

e. Right-click the number under the CNT heading to select View Correlated Events.

f. In the new tab, right-click the Alert ID for one of the GPL ATTACK_RESPONSE id
check returned root alerts and select Transcript. The Alert ID 5.2570 is used in this
example.

g. Review the transcripts for all the alerts. The latest alert in the tab is likely to display
the transactions between the Kali (threat actor) and Metasploitable (target) during the
attack.
What happened during the attack?
The attacker gained root access to Metasploitable. A new user myroot without any
password was added to the system.

Step 2. Pivot to Wireshark.
a. Select the alert that provided you with the transcript in the previous step. Right-click
the Alert ID and select Wireshark. Wireshark's main window displays three views of a
packet: the packet list, the packet details, and the packet bytes.

b. To view all packets assembled in a TCP conversation, right-click any packet and select
Follow TCP Stream.

What did you observe? What do the text colors red and blue indicate?
The TCP stream shows the transaction between Kali (threat actor) displayed in red text
and Metasploitable (target) in blue text. The information from the TCP stream is the
same as in the transcript.

c. Exit the TCP stream window. Close Wireshark when you are done reviewing the information provided by Wireshark.
Step 3. Use ELSA to pivot to the Bro Logs.
a. Return to Sguil. Right-click either the source or destination IP for the same GPL
ATTACK_RESPONSE id check returned root alert and select ELSA IP Lookup >
DstIP. Enter username analyst and password cyberops when prompted by ELSA.
Note: If you receive the message “Your connection is not private”, click ADVANCED > Proceed to
localhost (unsafe) to continue.

b. Click bro_notice.

c. The result indicates that 209.165.201.17 was performing a port scan on
209.165.200.235, the Metasploitable VM. The attacker probably found vulnerabilities
on the Metasploitable VM to gain access.
d. If an attacker has compromised Metasploitable, you want to determine the exploit that
was used and what was accessed by the attacker.

Step 4. Return to Sguil to investigate the attack.
a. Navigate to Sguil and click the RealTime Events tab. Locate the ET EXPLOIT
VSFTPD Backdoor User Login Smiley events. These events are possible exploits and
occurred within the timeframe of unauthorized root access. Alert ID 5.2567 is used in
this example.

b. Right-click the number under the CNT heading and select View Correlated Events to
view all the related events. Select the Alert ID that starts with 5. This alert gathered its
information from the sensor on the seconion-eth1-1 interface.

c. In the new tab with all the correlated events, right-click the Alert ID and select
Transcript to view each alert in more detail. Alert ID 5.2569 is used as an example. The
latest alert is likely to display the TCP transmission between the attacker and victim.

d. You can also right-click the Alert ID and select Wireshark to review and save the pcap
file and TCP stream.
Step 5. Use ELSA to view exfiltrated data.
a. To use ELSA for more information about the same alert as above, right-click either the
source or destination IP address and select ELSA IP Lookup > DstIP.

b. Click bro_ftp to view ELSA logs that are related to FTP.

c. Which file was transferred via FTP to 209.165.200.235? Whose account was used to
transfer the file?
The file confidential.txt was transferred by the user analyst.

d. Click info to view the transactions in the last record. The reply_msg field indicates that
this is the last entry for the transfer of the confidential.txt file. Click Plugin > getPcap.
Enter username analyst and password cyberops when prompted. Click Submit if necessary.
CapMe is a web interface that allows you to get a pcap transcript and download
the pcap.
The pcap transcript is rendered using tcpflow, and this page also provides the link to
access the pcap file.

e. To determine the content of the file that was compromised, open ELSA by double-clicking
the icon on the Desktop to open a new tab and perform a new search.
f. Expand FTP and click FTP Data. Click one of the Info links and select getPcap from
the dropdown menu to determine the content of the stolen file.
g. The result displays the content of the file named confidential.txt that was transferred
to the FTP server.
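The ELSA pivots in Step 3c (bro_notice port scan) and Step 5c (bro_ftp transfer of confidential.txt) can be reproduced offline against the raw Bro logs. The following is an added example, not part of the lab or of Security Onion; the log lines are constructed (timestamps, uids and ports are made up) but use Bro's real TSV field names, and the addresses match the lab topology.

```python
"""Added example: correlate Bro ftp.log and notice.log entries the way
Steps 3c and 5c do in ELSA, but offline over constructed sample lines.
Field names follow Bro's TSV format; ts/uid/port values are constructed."""
import io

FTP_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tuser\tpassword\tcommand\targ\tmime_type\tfile_size\treply_code\treply_msg
1500000001.1\tCabc1\t192.168.0.11\t40001\t209.165.200.235\t21\tanalyst\t<hidden>\tSTOR\tftp://209.165.200.235/confidential.txt\ttext/plain\t105\t226\tTransfer complete.
1500000002.2\tCabc2\t209.165.201.17\t40002\t209.165.200.235\t21\tanonymous\t<hidden>\tLIST\t-\t-\t-\t226\tTransfer complete.
"""
NOTICE_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg
1499999990.0\tCdef1\t209.165.201.17\t-\t209.165.200.235\t-\tScan::Port_Scan\t209.165.201.17 scanned at least 15 unique ports of host 209.165.200.235 in 0m0s
"""

def parse_bro_tsv(text):
    """Turn a Bro/Zeek TSV log (with a #fields header) into a list of dicts."""
    fields, rows = None, []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def find_file_transfers(ftp_rows, filename):
    """(user, client, server, command) for FTP commands whose argument names
    the file, i.e. the bro_ftp view from Step 5c."""
    return [(r["user"], r["id.orig_h"], r["id.resp_h"], r["command"])
            for r in ftp_rows if r["arg"].rsplit("/", 1)[-1] == filename]

def scans_against(notice_rows, host):
    """Scanner addresses that notice.log recorded against host (Step 3c)."""
    return sorted({r["id.orig_h"] for r in notice_rows
                   if r["note"] == "Scan::Port_Scan" and r["id.resp_h"] == host})

def summarize(ftp_text, notice_text, filename, server):
    """Combine both logs into the finding the Reflection asks for."""
    transfers = find_file_transfers(parse_bro_tsv(ftp_text), filename)
    scanners = scans_against(parse_bro_tsv(notice_text), server)
    return {"transfers": transfers, "scanners": scanners}

if __name__ == "__main__":
    print(summarize(FTP_LOG, NOTICE_LOG, "confidential.txt", "209.165.200.235"))
```

On a real Security Onion sensor the same functions can be pointed at the files under /nsm/bro/logs instead of the embedded samples.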

Step 6. Clean up
Shut down all VMs when finished.
Reflection
In this lab, you have used a vulnerability to gain access to unauthorized information and reviewed the
logs as a cybersecurity analyst. Now summarize your findings.
From the Sguil and ELSA logs, it was determined that an attacker at 209.165.201.17 exploited the
vsftpd vulnerability to gain root access to 209.165.200.235. By using root access gained from the
attack, the attacker added a new root user myroot for future root access. The attacker compromised
the user analyst to gain access to an internal workstation, 192.168.0.11. By using the analyst account,
the attacker was able to gain access to the file named confidential.txt and transfer the file using FTP to
209.165.200.235, where the attacker has remote access to retrieve the file.
