
Overview

1 Points

Elastic Stack Lab

A network has been compromised during a working day. Two servers are involved: an SSH-facing cloud host and a backend server running an outdated Elastic Stack. The SSH password was likely brute-forced, allowing the attacker to pivot into the Elastic Stack server.

Both machines log to a new Elastic Stack instance. As a SOC/Blue Team specialist, your mission is to investigate the events and recover key details to understand what happened.

Attack timeframe (UTC):

May 25th, 2020, 11:00 AM - 2:00 PM

Infrastructure:

   1- front-facing server with SSH.

   2- internal server running a vulnerable Elastic Stack.

New Elastic credentials

Username: elastic
Password: elastic

Note: SIEM server may take up to 5 minutes to fully start


Before you start the investigation:

1- Click on the Run button in the top right corner to start all devices. ELK may take up to 5 minutes to fully start.

2- Double click on a device icon to show its username/password details.

3- To navigate between tasks:

4- Firefox users: to enable copy/paste into the browser-based machine, type about:config in the URL field, search for asyncClipboard, then set all listed items to true.

Now, once ready, click the Complete button below to earn the 1st Task Points.

Click Complete once you finish the task.

Identify the Source IP of the Attack

10 Points

Follow these steps to successfully navigate and analyze the authentication logs using the Kibana dashboard.

Step 1: Access the Authentication Logs

Go to the Kibana dashboard and navigate through the following path:

Security → Explore → Users → Authentications

Step 2: Set the Time Range & Data View

Ensure the time range is set as shown in the screenshots:

May 25, 2020 @ 11:00:00.000 → May 25, 2020 @ 23:59:59.999

Ensure the Data View in top right corner is set to filebeat.

Step 3: Analyze the User Activity

Focus on users with a high number of failed logins.

Step 4: Identify the Brute-Force Pattern

Observe the "User Authentications" panel:

* success
*** failures

This indicates a classic brute-force pattern.

Step 5: Drill Down on the User

Scroll to the user table to focus on the user 'johnny':

* success
*** failures

All attempts are from the same source and to the same destination.

Step 6: Find the Source IP

Identify the source IP address of the brute-force attack.

Full Match Answer:

Identify the Attacked Username

10 Points

In the same Kibana Authentications table, identify the username that was targeted during the brute-force attack. The analysis shows that the username ****** experienced an unusual pattern of authentication attempts.

Indicators of Brute-Force

- Total Authentication Attempts: 6**

- Successful Attempts: *

- Failed Attempts: ***

This pattern of high failure count combined with a single success is characteristic of a brute-force attack targeting the user ******.

Your task is to identify the username that was targeted during the brute-force attack.

Full Match Answer:

Identify the Attacked Host

10 Points

Analyze the user authentication details in the Authentications table. Focus on the "Last successful destination" and "Last failed destination" columns. Both columns indicate the same host.

Determine which host (hostname) was targeted by the brute-force attack.

Full Match Answer:

Count Failed Auth Attempts

10 Points

From the Authentications table, identify the total number of failed authentication attempts. Analyze the table to extract and count the entries where authentication has failed.


Full Match Answer:

Last Failed Login Attempt Time

10 Points

Analyze the system logs to find out the exact time of the last failed login attempt. Use the format HH:mm:ss to specify the time.

Answer format: HH:mm:ss

Full Match Answer:

Successful Login Time

10 Points

Determine the exact time when the attacker successfully logged into the system. Provide your answer in the format: HH:mm:ss.

Answer format: HH:mm:ss

Full Match Answer:
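As an added example (not part of the lab or its data), the same triage the Kibana steps above walk through, run over constructed sshd syslog lines of the kind filebeat ships: for each source IP, user and destination host it reports failure and success counts, the last failed time and the successful login time, and flags a success that follows a run of failures. All host names, IPs, user names and timestamps in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sshd/syslog lines standing in for the lab's filebeat data (not real lab values).
SAMPLE_LOG = """\
May 25 11:02:13 web01 sshd[2101]: Failed password for alice from 192.0.2.77 port 51002 ssh2
May 25 11:02:15 web01 sshd[2103]: Failed password for alice from 192.0.2.77 port 51004 ssh2
May 25 11:02:17 web01 sshd[2105]: Failed password for invalid user admin from 198.51.100.5 port 40022 ssh2
May 25 11:02:19 web01 sshd[2107]: Failed password for alice from 192.0.2.77 port 51006 ssh2
May 25 11:02:21 web01 sshd[2109]: Accepted password for alice from 192.0.2.77 port 51008 ssh2
May 25 11:30:00 web01 sshd[2300]: Accepted publickey for deploy from 203.0.113.9 port 60000 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per sshd authentication event, in log order."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def brute_force_candidates(events, min_failures=3):
    """Group by (source IP, user, destination host) and keep groups with many failures.

    Mirrors the Kibana Authentications table columns used in the lab: success and
    failure counts, last failed time and successful login time per key.
    Times are compared as HH:MM:SS strings, so all events are assumed to be from one day.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["user"], e["host"])].append(e)
    result = {}
    for key, evs in groups.items():
        failed = [e["time"] for e in evs if e["outcome"] == "Failed"]
        accepted = [e["time"] for e in evs if e["outcome"] == "Accepted"]
        if len(failed) < min_failures:
            continue
        result[key] = {
            "failures": len(failed),
            "successes": len(accepted),
            "last_failed": failed[-1],
            "success_time": accepted[0] if accepted else None,
            # A success right after the failure run is the classic "password guessed" signal.
            "success_after_failures": bool(accepted) and accepted[0] > failed[-1],
        }
    return result


if __name__ == "__main__":
    for (src, user, host), s in brute_force_candidates(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{src} -> {user}@{host}: {s}")
```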