Brutus

Writeup

** Q1: Analyze the auth.log. What is the IP address used by the attacker to carry out a brute force attack?**

We need to look for failure attempt

Search for cat auth.log | grep "Failed password"

** Q2: The bruteforce attempts were successful and attacker gained access to an account on the server. What is the username of the account?**

We need to look for successful attempt

Search for cat auth.log | grep "Accepted password"

** Q3: Identify the timestamp when the attacker logged in manually to the server to carry out their objectives. The login time will be different than the authentication time, and can be found in the wtmp artifact.**

Using utmpdump to view data’s content of wtmp.

Then we manually look for IP attacker and root, we can get the timestamp.

** Q4: SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker’s session for the user account from Question 2?**

We have the timestamp, now we look for Accepted password for root, A session number is assigned immediately after the password is accepted.

** Q5: The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?**

cat auth.log | grep "add"

** Q6: What is the MITRE ATT&CK sub-technique ID used for persistence by creating a new account?**

We can go to MITRE ATT&CK, click on Create Accounts and try the sub-technique ID.

** Q7: What time did the attacker’s first SSH session end according to auth.log?**

Look at wtmp, and hint from Question 3, we can notice the timestamp.

** Q8: The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?**

cat auth.log

grep “sudo”