THM打靶日寄41-Advent of Cyber 2024：Day7

前置：
- Log Events ：日志事件，记录应用程序事件的单个日志条目
- Log Streams ：日志流，单一来源日志事件的集合
- Log Groups ：日志组日志流集合
  
  CloudTrail 跟踪 AWS 环境的操作

日志调查：

1	jq -r '.Records[] \| select(.eventSource == "s3.amazonaws.com" and .requestParameters.bucketName=="wareville-care4wares")' cloudtrail_log.json

jq 是 json 文件的轻量查看器：-r 指示使用 RAW 格式输出结果，后面跟输入文件；.records[] 指示解析 records 容器元素中的事件，其是 CloudTrail 日志中顶部元素，并过滤出与 Amazon AWS S3 服务中 S3 存储桶相关的事件

但这样会显示所有字段，所以进一步筛选：

jq -r '.Records[] | select(.eventSource == "s3.amazonaws.com" and .requestParameters.bucketName=="wareville-care4wares") | [.eventTime, .eventName, .userIdentity.userName // "N/A",.requestParameters.bucketName // "N/A", .requestParameters.key // "N/A", .sourceIPAddress // "N/A"]' cloudtrail_log.json

仅输出 .eventTime， .eventName和 .userIdentity.userName 后面不输出

又为了呈现在表格中：

jq -r '["Event_Time", "Event_Name", "User_Name", "Bucket_Name", "Key", "Source_IP"],(.Records[] | select(.eventSource == "s3.amazonaws.com" and .requestParameters.bucketName=="wareville-care4wares") | [.eventTime, .eventName, .userIdentity.userName // "N/A",.requestParameters.bucketName // "N/A", .requestParameters.key // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t

'["Event_Time", "Event_Name", "User_Name", "Bucket_Name", "Key", "Source_IP"], SELECT_FILTER | SPECIFIC FIELDS' 添加一个列标题行

| @tsv' 将每个数组元素设置为由制表符分隔的值

| column -t -s $'\t' 分隔制表符并对齐列

拿到可疑的用户 glitch

对用户调查

相关信息

jq -r '["Event_Time", "Event_Source", "Event_Name", "User_Name", "Source_IP"],(.Records[] | select(.userIdentity.userName == "glitch") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

显示和该用户有关的事件，注意到该用户使用了 consolelogin ，即访问了 AWS 管理控制台，用这个来查看 UA ：

jq -r '["Event_Time", "Event_type", "Event_Name", "User_Name", "Source_IP", "User_Agent"],(.Records[] | select(.userIdentity.userName == "glitch") | [.eventTime,.eventType, .eventName, .userIdentity.userName //"N/A",.sourceIPAddress //"N/A", .userAgent //"N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

可以看到一个很明显的 apple safari 的浏览器

创建者

该部分和 iam.amazonaws.com 有关

jq -r '["Event_Time", "Event_Source", "Event_Name", "User_Name", "Source_IP"], (.Records[] | select(.eventSource == "iam.amazonaws.com") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

注意到 mcskidy 调用了 createuser 操作，且源 ip 与可疑用户的 ip 相同

1	jq '.Records[] \| select(.eventSource=="iam.amazonaws.com" and .eventName== "AttachUserPolicy")' cloudtrail_log.json

过滤 attachuserpolicy 事件来检查新用户的权限

来源 ip

jq -r '["Event_Time", "Event_Source", "Event_Name", "User_Name", "Source_IP"], (.Records[] | select(.sourceIPAddress=="53.94.201.69") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

可以看到由三个用户都从该地址访问过，那么调查这三个用户的访问记录，查看相关 ip 与 UA 是否能和可疑用户对应上：

jq -r '["Event_Time","Event_Source","Event_Name", "User_Name","User_Agent","Source_IP"],(.Records[] | select(.userIdentity.userName==[替换用户名]) | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A",.userAgent // "N/A",.sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

What is the other activity made by the user glitch aside from the ListObject action?
PutObject

What is the source IP related to the S3 bucket activities of the user glitch?
53.94.201.69

Based on the eventSource field, what AWS service generates the ConsoleLogin event?
signin.amazonaws.com

When did the anomalous user trigger the ConsoleLogin event?
2024-11-28T15:21:54Z

What was the name of the user that was created by the mcskidy user?
glitch

What type of access was assigned to the anomalous user?
AdministratorAccess

Which IP does Mayor Malware typically use to log into AWS?
53.94.201.69

What is McSkidy's actual IP address?
31.210.15.79

What is the bank account number owned by Mayor Malware?
2394 6912 7723 1294