How to Use Wazuh SIEM to Investigate Cyber Attacks | TryHackMe Monday Monitor

Motasem Hamdan
3 min read · Oct 2, 2024


The video is a tutorial on how to use Wazuh for investigating cyber incidents. The video walks through a real-life cyber attack on “Swift Spend Finance,” where the attack was delivered through an Excel document. The attacker created a scheduled task for persistence and exfiltrated sensitive data. This was part of TryHackMe Monday Monitor.

Please watch the video at the bottom for full detailed explanation of the walkthrough.

Introduction to Wazuh SIEM

The video begins by showing the Wazuh dashboard, where you can see added agents and inspect their configurations.

Agents are lightweight services installed on the monitored endpoints; they collect logs and security events and forward them to the Wazuh manager, which indexes them for the dashboard. The video stresses that the time range and the index pattern selected in the dashboard must match the period and data set under investigation; if either is wrong, the searches below simply return nothing.

Practical Scenario

The scenario is a cyber attack on “Swift Spend Finance” in which initial access came through a malicious Excel document. The attacker then created a scheduled task for persistence and exfiltrated sensitive data. Wazuh is used to trace the artifacts each of these actions left behind, as an incident responder would.

Step-by-Step Investigation

Finding the initial file: In Wazuh, the process command-line logs are searched for the PowerShell command that downloaded the malicious Excel file.

Scheduled task creation: The video demonstrates how to search for the command that created the scheduled task, using the right index pattern and event-data fields (such as the process command line). The command reveals the time (12:34) at which the task was scheduled to run.

Base64 decoding: A PowerShell command is inspected and its Base64 payload is extracted. Using CyberChef, the string is decoded to reveal more of the attacker’s actions, including communication with a C2 (Command and Control) server. Note that PowerShell’s -EncodedCommand payloads are Base64 of UTF-16LE text, so in CyberChef “From Base64” must be followed by “Decode text” with UTF-16LE, otherwise the output is interleaved with null bytes.

Persistence Mechanism

The attacker created a new local user account named “guest” with the password “I am monitoring.” This gives the attacker a second, independent way back into the host even if the scheduled task is removed.

Credential Dumping

The attacker used the well-known tool Mimikatz to dump credentials. The video shows how to search the process-creation logs for its execution.

Data Exfiltration

The attacker exfiltrated data from the compromised host. The video demonstrates how to search the command-line data for a specific pattern, such as a string beginning with “THM”, which locates the PowerShell command that performed the exfiltration and yields the flag.

Conclusion

The video concludes the investigation with the final flag and emphasizes the importance of using the right tools and processes in incident response to uncover details of a cyber attack.

Room Answers | TryHackMe Monday Monitor

Room answers can be found here.

Video Walkthrough | TryHackMe Monday Monitor


Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan