Simon Turner's Cybersecurity Project Portfolio

Posting my project work as it pertains to computer security


Developing a Dashboard & Visualization via Elastic

Overview

In HTB's VM, security events and incidents were pre-loaded into the Elastic (Kibana) interface. My assignment was to complete four tasks, each producing a visualization.

Documentation

Task one was to assemble a visualization consisting of failed login attempts from all users.

First, I filtered the visualization to include only events with event code 4625, the Windows Security event ID logged when an account fails to log on.

image

Per the task, I also filtered out the specific usernames shown below:

image

I configured a table to show the failed login data cleanly. The NOT user.name : *$ clause omits computer (machine) accounts, whose names end in $, from the search. The "Security" filter restricts the search to the Windows Security log so that unrelated events from other channels are not counted. The table shows the username, the host that logged the event, the logon type, and the number of times the user tried to log in.

image image

My next step was to find failed login attempts against disabled accounts. A logon to a disabled account fails regardless of whether the password was correct, so these events cannot tell us whether the attacker holds valid credentials; what they do show is that someone is trying accounts that should not be in use, which is worth an alert on its own. I used the SubStatus field with the value 0xC0000072, the NTSTATUS code for an account that has been disabled by an administrator. We found only one such attempt, for the account 'anni'.

image

A side task was to filter login attempts to admin accounts. I did this with the KQL query user.name:admin. Note that on a keyword field this matches only the exact value admin; to catch any account whose name contains admin (for example sysadmin), a wildcard such as user.name:*admin* is needed.

image

My next task was to filter successful RDP logins. This required a different event code, 4624 (an account was successfully logged on), combined with logon type 10 (RemoteInteractive), which is the logon type recorded for RDP sessions.

image

I also changed the table configuration so that the IP address the user connected from is shown. We can see that 'svc-sql1' connected from '192.168.28.130' to the 'PKI' host twice.

image

My last task was to record all events of administrative accounts being either added or removed from the server.

Event code 4732 is logged when a member is added to a security-enabled local group, and 4733 when a member is removed from one, so I filtered for either of these two codes and set the group name to 'Administrators'. These two IDs cover local groups such as the built-in Administrators group; changes to domain global groups such as Domain Admins are logged as 4728/4729 and universal groups as 4756/4757, so a dashboard that also watches a domain controller would need those codes as well.

image

As you can see, this gave me a dashboard of admin group activity, showing when users were added to or removed from the Administrators group. The second column is the SID of the member that was added or removed, and the fifth column shows the host on which the change was made.

image
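The four filters above, re-implemented as plain Python over a handful of constructed Winlogbeat-style events so the logic can be run and checked offline. This is an added example and not code from the HTB lab or from Elastic. The flat field names (channel, code, user, host, logon_type, substatus, src_ip, group, member_sid) are an assumed simplification of the Winlogbeat/ECS fields (winlog.channel, event.code, winlog.event_data.TargetUserName, host.name, winlog.event_data.LogonType, winlog.event_data.SubStatus, source.ip, winlog.event_data.MemberSid), the KQL shown in the docstrings is the equivalent query written against those fields, and the event records and the excluded username 'scanner' are constructed for this example, not real lab data.

```python
"""Dashboard filters as Python: failed logons (4625) without machine
accounts, disabled-account failures (SubStatus 0xC0000072), RDP logons
(4624 + LogonType 10) and Administrators group changes (4732/4733).
Added example; field names and sample events are constructed assumptions."""
from collections import Counter

FAILED_LOGON = "4625"
SUCCESSFUL_LOGON = "4624"
MEMBER_ADDED_LOCAL_GROUP = "4732"
MEMBER_REMOVED_LOCAL_GROUP = "4733"
SUBSTATUS_ACCOUNT_DISABLED = "0xc0000072"   # hex string, compared case-insensitively
LOGON_TYPE_REMOTE_INTERACTIVE = "10"         # RemoteInteractive (RDP)


def ev(channel, code, **fields):
    """Build one constructed event record (flat stand-in for a Winlogbeat doc)."""
    rec = {"channel": channel, "code": code}
    rec.update(fields)
    return rec


EVENTS = [  # constructed sample data, not lab data
    # 4625 failures: a disabled-account failure for anni, a machine account (PKI$)
    # that must be dropped, and a noisy 'scanner' user the task filters out.
    ev("Security", FAILED_LOGON, user="anni", host="DC01", logon_type="3", substatus="0xC000006A", src_ip="192.168.28.130"),
    ev("Security", FAILED_LOGON, user="anni", host="DC01", logon_type="3", substatus="0xC0000072", src_ip="192.168.28.130"),
    ev("Security", FAILED_LOGON, user="PKI$", host="DC01", logon_type="3", substatus="0xC000006A", src_ip="192.168.28.131"),
    ev("Security", FAILED_LOGON, user="sysadmin", host="PKI", logon_type="2", substatus="0xC000006A", src_ip="127.0.0.1"),
    ev("Security", FAILED_LOGON, user="sysadmin", host="PKI", logon_type="2", substatus="0xC000006A", src_ip="127.0.0.1"),
    ev("Security", FAILED_LOGON, user="admin", host="PKI", logon_type="10", substatus="0xC000006A", src_ip="192.168.28.130"),
    ev("Security", FAILED_LOGON, user="scanner", host="DC01", logon_type="3", substatus="0xC000006A", src_ip="192.168.28.5"),
    # 4624 successes: only LogonType 10 counts as RDP; the type-3 network logon is not.
    ev("Security", SUCCESSFUL_LOGON, user="svc-sql1", host="PKI", logon_type="10", src_ip="192.168.28.130"),
    ev("Security", SUCCESSFUL_LOGON, user="svc-sql1", host="PKI", logon_type="10", src_ip="192.168.28.130"),
    ev("Security", SUCCESSFUL_LOGON, user="svc-sql1", host="PKI", logon_type="3", src_ip="192.168.28.130"),
    # Local group changes: only the Administrators group matters for task four.
    ev("Security", MEMBER_ADDED_LOCAL_GROUP, group="Administrators", member_sid="S-1-5-21-1111-2222-3333-1105", host="PKI"),
    ev("Security", MEMBER_REMOVED_LOCAL_GROUP, group="Administrators", member_sid="S-1-5-21-1111-2222-3333-1105", host="PKI"),
    ev("Security", MEMBER_ADDED_LOCAL_GROUP, group="Remote Desktop Users", member_sid="S-1-5-21-1111-2222-3333-1106", host="PKI"),
    # Noise from another channel that the "Security" filter drops.
    ev("Microsoft-Windows-Sysmon/Operational", "1", user="anni", host="DC01"),
]


def security_events(events, code):
    """KQL: winlog.channel:"Security" and event.code:<code>"""
    return [e for e in events if e["channel"] == "Security" and e["code"] == code]


def failed_logons(events, excluded_users=()):
    """Task 1.  KQL: event.code:4625 and NOT user.name:*$ and NOT user.name:(<excluded>)
    Returns Counter of (user, host, logon_type) -> number of failed attempts."""
    counts = Counter()
    for e in security_events(events, FAILED_LOGON):
        if e["user"].endswith("$") or e["user"] in excluded_users:  # machine accounts end in $
            continue
        counts[(e["user"], e["host"], e["logon_type"])] += 1
    return counts


def disabled_account_failures(events):
    """Task 2.  KQL: event.code:4625 and winlog.event_data.SubStatus:0xc0000072"""
    return [e for e in security_events(events, FAILED_LOGON)
            if e.get("substatus", "").lower() == SUBSTATUS_ACCOUNT_DISABLED]


def admin_logon_attempts(events, wildcard=False):
    """Side task.  user.name:admin is an exact match on a keyword field;
    user.name:*admin* is the wildcard form that also catches e.g. sysadmin.
    Both compared case-insensitively here for simplicity."""
    names = set()
    for e in security_events(events, FAILED_LOGON):
        u = e["user"].lower()
        if (wildcard and "admin" in u) or (not wildcard and u == "admin"):
            names.add(e["user"])
    return names


def rdp_logons(events):
    """Task 3.  KQL: event.code:4624 and winlog.event_data.LogonType:10
    Returns Counter of (user, src_ip, host) -> number of RDP logons."""
    counts = Counter()
    for e in security_events(events, SUCCESSFUL_LOGON):
        if e.get("logon_type") == LOGON_TYPE_REMOTE_INTERACTIVE:
            counts[(e["user"], e["src_ip"], e["host"])] += 1
    return counts


def admin_group_changes(events, group="Administrators"):
    """Task 4.  KQL: event.code:(4732 or 4733) and <group field>:Administrators
    Returns [(action, member_sid, host)] in event order."""
    actions = {MEMBER_ADDED_LOCAL_GROUP: "added", MEMBER_REMOVED_LOCAL_GROUP: "removed"}
    return [(actions[e["code"]], e["member_sid"], e["host"])
            for e in events
            if e["channel"] == "Security" and e["code"] in actions
            and e.get("group", "").lower() == group.lower()]


if __name__ == "__main__":
    for key, n in sorted(failed_logons(EVENTS, excluded_users={"scanner"}).items()):
        print("failed logon", key, n)
    print("disabled-account failures:", [e["user"] for e in disabled_account_failures(EVENTS)])
    print("admin exact:", admin_logon_attempts(EVENTS), "wildcard:", admin_logon_attempts(EVENTS, wildcard=True))
    print("rdp logons:", dict(rdp_logons(EVENTS)))
    print("Administrators changes:", admin_group_changes(EVENTS))
```

Running it reproduces the shape of each dashboard panel: the machine account PKI$ and the excluded user never appear in the failed-logon table, the single SubStatus 0xC0000072 hit is anni, the exact and wildcard admin queries return different sets, only the two type-10 logons for svc-sql1 from 192.168.28.130 count as RDP, and the Remote Desktop Users change is ignored while both Administrators changes are listed with their member SID and host.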

Altogether, the finished SOC dashboard looks like this:

image

Done!