27.2.11 Lab - Analyzing Events using Security Onion

This lab involves analyzing logs from Security Onion to identify compromised hosts and exfiltrated data following a cyber attack. Participants will investigate alerts using Sguil, Wireshark, and Kibana, focusing on SQL injection and DNS data exfiltration techniques. The objective is to determine the nature of the attack and the sensitive information that may have been exposed, including the contents of a compromised file.


Lab – Analyzing Events using Security Onion

Objectives
In this lab, you will review logs that were gathered during the exploitation of a documented vulnerability to
determine the compromised hosts and file.
Part 1: Review Alerts in Sguil
Part 2: Pivot to Wireshark
Part 3: Pivot to Kibana
Part 4: Investigate an SQL Injection Attack
Part 5: Investigate DNS Data Exfiltration

Background / Scenario
The 5-tuple is used by IT administrators to identify requirements for creating an operational and secure network
environment. The components of the 5-tuple include a source IP address and port number, destination IP address
and port number, and the protocol in use in the data payload. This is the protocol field of the IP packet header.
MySQL is a popular database used by numerous web applications. Unfortunately, SQL injection is a common web
hacking technique. It is a code injection technique where an attacker executes malicious SQL statements to
control a web application's database server.
Domain name servers (DNS) are directories of domain names, and they translate the domain names into IP
addresses. This service can be used to exfiltrate data.
Cybersecurity personnel have determined that an exploit has occurred, and data containing PII may have been
exposed to threat actors.
In this lab, you will also review the logs to identify the compromised hosts and the content of the compromised file.
Then, you will use Kibana to investigate the exploits to determine the data that was exfiltrated using HTTP and
DNS during the attacks.

Required Resources
• Security Onion virtual machine

Part 1: Review Alerts in Sguil

After the attack, the users no longer have access to the file named confidential.txt. Now you will review the logs
to determine how the file was compromised.
Note: If this were a production network, it is recommended that the analyst and root users change their passwords
and comply with the current security policy.
a. Launch the Security Onion VM and log in. Log in with the user analyst and password cyberops.
b. Right-click on the Desktop and click Open Terminal. Enter the sudo so-status command to check the
status of services. The status for all the services should be OK before starting your analysis. This could
take a few minutes.

 2018 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 14 www.netacad.com

c. Open Sguil and log in with the user analyst and password cyberops.

d. Click Select All to select the interfaces and then Start SGUIL.

 2018 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 14 www.netacad.com
Lab – Analyzing Events using Security Onion

e. Review the events listed in the Event Message column. One of these messages is GPL
ATTACK_RESPONSE id check returned root. This message indicates that root access may have been
gained during an attack. The host at 209.165.200.235 returned root access to 209.165.201.17. The alert
ID 5.1 is used as an example in this lab.

f. Select the Show Packet Data and Show Rule checkboxes to view each alert in more detail.

g. Right-click the alert ID 5.1 and select Transcript.

h. Review the transcripts for the alert.


i. Insert a screenshot of the result.

j. The transcript displays the transactions between the threat actor source (SRC) and the target (DST)
during the attack. The threat actor is executing Linux commands on the target.

 2018 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 14 www.netacad.com
Lab – Analyzing Events using Security Onion

k. What kind of transactions occurred between the client and the server in this attack?

Click here to enter text.

Part 2: Pivot to Wireshark

a. Select the alert that provided you with the transcript from the previous step. Right-click the alert ID 5.1
and select Wireshark. The Wireshark main window displays three views of a packet.

b. To view all packets that are assembled in a TCP conversation, right-click any packet and select Follow >
TCP Stream.

c. What did you observe? What kind of data has the threat actor been reading?

Click here to enter text.

 2018 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 14 www.netacad.com
Lab – Analyzing Events using Security Onion

d. The attacker issues the whoami command on the target.


e. What does this show about the attacker's role on the target computer?

Click here to enter text.


f. Scroll through the TCP stream.
g. Insert a screenshot of the result.

h. Exit the TCP stream window. Close Wireshark when you are done reviewing the information provided.

Part 3: Pivot to Kibana

Return to Sguil. Right-click either the source or destination IP for the alert ID 5.1 and select Kibana IP Lookup >
SrcIP. Enter username analyst and password cyberops if prompted by Kibana.
In Security Onion, Kibana has many pre-built dashboards and visualizations for monitoring and analysis. You can
also create your own custom dashboards and visualizations catered to monitoring your particular network
environment.

Note: If you received the message "Your connection is not private", click ADVANCED > Proceed to localhost
(unsafe) to continue.
a. If the time range is the last 24 hours, change it to June 2020 so June 11 is included in the time range. Use
the Absolute tab to change the time range.
b. In the displayed results, there is a list of different data types. You were told that the file confidential.txt is
no longer accessible. In the Sensors - Sensors and Services (Pie Chart), ftp and ftp-data are present in
the list, as shown in the figure. We will determine if FTP was used to steal the file.

 2018 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 14 www.netacad.com
Lab – Analyzing Events using Security Onion

c. Let's filter for bro_ftp. Hover over the empty space next to the count of bro_ftp data types. Select + to
filter for only FTP related traffic as shown in the figure.

d. Scroll down to the All Logs section. There are two entries listed.
e. Insert a screenshot of the result.

f. What are the source and destination IP addresses and port numbers for the FTP traffic?

Source IP address:

Destination IP address:

Port Numbers:

g. Expand and review both log entries. In one of these entries, the ftp_argument has an entry of
ftp://209.165.200.235/./confidential.txt. Also review the message in the log entry to learn more about this
event.

 2018 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 14 www.netacad.com
Lab – Analyzing Events using Security Onion

h. Within the same log entry, scroll back up to the alert _id field and click the link.

i. Review the transcript for the transactions between the attacker and the target. If desired, you can
download the pcap and review the traffic using Wireshark.
j. What are the user credentials to access the FTP site?

Click here to enter text.


k. You have now verified that the attacker used FTP to copy the content of the file confidential.txt
and then deleted it from the target. So what is the content of the file? Remember that one of the services listed
in the pie chart is ftp_data.
l. Navigate to the top of the dashboard. Select Files under the Zeek Hunting heading in the left panel, as
shown in the figure. This will allow you to review the types of the files that were logged.

m. Insert a screenshot of the result.

n. What are the different types of files?

Click here to enter text.

o. Look at the MIME Type section of the screen. Scroll to the Files - Source heading.
Note: A MIME type is a way for the server to inform the client of the type of the file being sent.
p. What are the file sources listed?

 2018 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 7 of 14 www.netacad.com
Lab – Analyzing Events using Security Onion

Click here to enter text.

q. Filter for FTP_DATA by hovering over the empty space next to the Count for FTP_DATA and click +.

r. Scroll down to review the filtered results. Look for the MIME type, source and destination IP address
associated with the transfer of the FTP data.
s. Insert a screenshot of the result.

t. In the File logs, expand the entry associated with FTP data. Click the link associated with alert _id.
u. What is the text content of the file that was transferred using FTP?

Click here to enter text.


v. Close Kibana.

Part 4: Investigate an SQL Injection Attack

In this part, you will investigate an exploit in which unauthorized access was made to sensitive information
that is stored on a web server. You will use Kibana to determine the source of the attack and the information
accessed by the attacker.
It has been determined that the exploit happened at some time during the month of June 2020. Kibana
defaults to displaying data for the last 24 hours. You will need to change the time settings to see the data for
the month of June 2020.
a. On the Security Onion Desktop, open Kibana using the shortcut on the Desktop. Login with the username
analyst and the password cyberops.
Note: Your dashboard may not have any results in the last 24 hours.

 2018 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 8 of 14 www.netacad.com
Lab – Analyzing Events using Security Onion

b. In the upper-right corner of the window, click Last 24 hours to change the sample Time Range size.
Expand the time range to include the interesting alerts. An SQL injection attack took place in June 2020
so that is what you need to target. Select Absolute under Time Range and edit the From and To times to
include the entire month of June in 2020. Click Go to continue.

c. Notice the total number of logs for the entire month of June 2020. Your dashboard should be similar to
that shown in the figure. Take a moment to explore the information that is provided by the Kibana
interface.

d. Insert a screenshot of the result.

e. Because the threat actor accessed data that is stored on a web server, the HTTP filter is used to select
the logs associated with HTTP traffic. Select HTTP under the Zeek Hunting heading, as shown in the
figure. Scroll through the results.

 2018 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 9 of 14 www.netacad.com
Lab – Analyzing Events using Security Onion

f. What is the source IP address? What is the destination IP address? What is the destination port
number?

Source IP address:

Destination IP address:

Destination port number:

g. Scroll down to the HTTP Logs. The first 10 results are listed.
h. Insert a screenshot of the result.

i. Expand the details of the first result by clicking the arrow that is next to the log entry timestamp. Note the
information that is available.
j. What is the timestamp of the first result?

Click here to enter text.

k. What is the event type?

Click here to enter text.

l. What is included in the message field?

Click here to enter text.

m. These are details about the HTTP GET request that was made by the client to the server. Focus
especially on the uri field in the message text.
n. What is the significance of this information?

Click here to enter text.

 2018 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 10 of 14 www.netacad.com
Lab – Analyzing Events using Security Onion

o. Some of the information for the log entries is hyperlinked to other tools. Click the value in the alert _id
field of the log entry to get a different view on the event.

p. The result opens in a new web browser tab with information from capME!. capME! is a web interface
that allows you to view a pcap transcript. The blue text contains HTTP requests that are sent from the
source (SRC). The red text is responses from the destination web server (DST).
q. In the Log entry section, which is at the beginning of the transcript, notice that the portion
username='+union+select+ccid,ccnumber,ccv,expiration,null+from+credit_cards+--+&password=
indicates that someone may have tried to attack the web browser using SQL injection to bypass
authentication. The keywords union and select are commands that are used in searching for
information in a SQL database. If the input boxes on a web page are not properly protected from illegal
input, threat actors can inject SQL search strings or other code that can access data contained in
databases that are linked to the web page.
r. Search for the keyword username in the transcript. Use Ctrl-F to open a search box. Use the down arrow
button in the search box to scroll through the occurrences that were found.

s. You can see where the term username was used in the web interface that is displayed to the user.
However, if you look farther down, something unusual can be found.
t. What do you see later in the transcript regarding usernames?

Click here to enter text.

 2018 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 11 of 14 www.netacad.com
Lab – Analyzing Events using Security Onion

u. Insert a screenshot showing some examples of a username, password, and signature that were
exfiltrated.

v. Close the capME! tab and return to Kibana.

Part 5: Analyze DNS Exfiltration

A network administrator has noticed abnormally long DNS queries with strange looking subdomains. Your job is to
investigate the anomaly.
a. From the top of the Kibana Dashboard, clear any filters and search terms and click Home under the
Navigation section of the Dashboard. The Time period should still include June 2020.
b. In the same area of the Dashboard, click DNS in the Zeek Hunting section. Notice the DNS Log Count
metrics and Destination Port horizontal bar chart.

c. Scroll down the window. You can see the top DNS query types. You may see address records (A record),
IPv6 address Quad A records (AAAA), NetBIOS records (NB) and pointer records for resolving
hostnames (PTR). You can also see the DNS response codes.
d. By scrolling further down, you can see a list of the top DNS clients and DNS servers based on their
request and response counts. There is also a metric for the number of DNS phishing attempts, which are also
known as DNS pharming, spoofing, or poisoning.
e. Scrolling further down the window, you can see a listing of the top DNS queries by domain name. Notice
how some of the queries have unusually long subdomains attached to ns.example.com. The domain
example.com should be investigated further.

 2018 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 12 of 14 www.netacad.com
Lab – Analyzing Events using Security Onion

f. Scroll back to the top of the window and enter example.com in the search bar to filter for example.com
and click Update. Note that the number of entries in the Log Count is smaller because the display is now
limited to requests to the example.com server.

g. Locate information about the DNS - Client and DNS - Server.


h. Insert a screenshot showing the IP addresses of DNS client and server.

i. Continue to scroll further down to see four unique log entries for DNS queries to example.com. Notice
how the queries are to suspiciously long subdomains attached to ns.example.com. The long strings of
numbers and letters in the subdomains look like text encoded into hexadecimal (0-9, a-f) rather than
legitimate subdomain names. Click the Export: Raw download link to download the queries to an external
file. A CSV file is downloaded to the /home/analyst/Downloads folder.

 2018 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 13 of 14 www.netacad.com
Lab – Analyzing Events using Security Onion

j. Navigate to the /home/analyst/Downloads folder. Open the file using a text editor, such as gedit. Edit
the file by deleting the text surrounding the hexadecimal portion of the subdomains, leaving only the
hexadecimal characters. Be sure to remove the quotes too. The contents of your file should look like the
information below. Save the edited text file with the original file name.
434f4e464944454e5449414c20444f43554d454e540a444f204e4f542053
484152450a5468697320646f63756d656e7420636f6e7461696e7320696e
666f726d6174696f6e2061626f757420746865206c617374207365637572
697479206272656163682e0a

k. Insert a screenshot of the result.

l. In a terminal, use the xxd command to decode the text in the CSV file and save it to a file named
secret.txt. Use cat to output the contents of secret.txt to the console.
analyst@SecOnion:~/Downloads$ xxd -r -p "DNS - Queries.csv" > secret.txt
analyst@SecOnion:~/Downloads$ cat secret.txt
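As an added example that is not part of the lab, the Python below automates what steps i through l do by hand: it reads a CSV export of DNS queries, flags query names whose leftmost label is a long run of hexadecimal digits, groups those labels per client and zone, and decodes the concatenation the way xxd -r -p does. The CSV rows (timestamps, hosts, query names and the encoded message) are constructed for this example, not taken from the lab VM.

```python
"""Flag and decode hex-encoded DNS labels like the ones seen under ns.example.com."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the shape of the Kibana "DNS - Queries" export
# (hypothetical hosts and timestamps). The long leftmost labels under
# ns.example.com carry hex chunks of a constructed message; the
# example.net lookups are ordinary hostnames for contrast.
SAMPLE_CSV = """ts,id.orig_h,id.resp_h,query
2020-06-11T12:00:01,192.0.2.10,192.0.2.53,www.example.net
2020-06-11T12:00:02,192.0.2.10,192.0.2.53,517561727465726c79207265.ns.example.com
2020-06-11T12:00:03,192.0.2.10,192.0.2.53,73756c74733a20726576656e.ns.example.com
2020-06-11T12:00:04,192.0.2.10,192.0.2.53,mail.example.net
2020-06-11T12:00:05,192.0.2.10,192.0.2.53,7565207570203132250a.ns.example.com
"""

# A leftmost label that is nothing but hex digits and at least this long is
# far more likely to be encoded payload than a hostname somebody typed.
MIN_HEX_LEN = 16
HEX_LABEL = re.compile(r"^[0-9a-f]+$")


def suspicious_queries(csv_text, min_len=MIN_HEX_LEN):
    """Return (client, zone, label) for every query whose leftmost label is a
    long, purely hexadecimal string."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        label, _, zone = row["query"].lower().partition(".")
        if len(label) >= min_len and HEX_LABEL.match(label):
            hits.append((row["id.orig_h"], zone, label))
    return hits


def reassemble(csv_text):
    """Join the flagged labels per (client, zone) in log order and decode
    them, which is what 'xxd -r -p' does to the hand-edited CSV."""
    chunks = defaultdict(list)
    for client, zone, label in suspicious_queries(csv_text):
        chunks[(client, zone)].append(label)
    decoded = {}
    for key, labels in chunks.items():
        hexdata = "".join(labels)
        if len(hexdata) % 2:  # odd length: a chunk was dropped or truncated
            hexdata = hexdata[:-1]
        decoded[key] = bytes.fromhex(hexdata).decode("utf-8", errors="replace")
    return decoded


if __name__ == "__main__":
    for (client, zone), text in reassemble(SAMPLE_CSV).items():
        print(f"{client} -> {zone}:\n{text}")
```

Hex-only labels are a heuristic, not proof: pair it with the per-zone query volume and unique-subdomain count shown on the DNS dashboard before treating a zone as a tunnel.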
m. Insert a screenshot of the result.

n. Were the subdomains in the DNS queries actually subdomains? If not, what is the text?

Click here to enter text.


o. What does this result imply about these particular DNS requests? What is the larger significance?

Click here to enter text.


p. What may have created these encoded DNS queries and why was DNS selected as the means to
exfiltrate data?

Click here to enter text.

 2018 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 14 of 14 www.netacad.com

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy