
Day 7: Oh, no. I'M SPEAKING IN CLOUDTRAIL!

Tryhackme Advent of Cyber 2024 Day 7 Banner | Credits: Tryhackme

Note:

Hey! Before you go through this writeup, try the task first by yourself, and if you get stuck come back and check out the writeup.

AWS CloudWatch is a monitoring and observability service that helps track the performance and health of your AWS resources and applications. It collects metrics, logs, and event data from AWS services and on-premises systems, providing a centralised platform to analyse and visualise this data. With CloudWatch, you can set alarms, generate dashboards, and create automated responses to specific thresholds, ensuring that you catch and resolve issues quickly. It’s especially useful for maintaining operational efficiency and optimising resource usage.

AWS CloudTrail, on the other hand, is a logging service focused on capturing and recording activity across your AWS account. It tracks API calls, actions taken through the AWS Management Console, SDKs, and command-line tools, providing a detailed history of changes and access to resources. This makes CloudTrail an essential tool for auditing, compliance, and security investigations, as it helps identify unauthorised access or misconfigurations. Together, CloudWatch and CloudTrail give you visibility into both performance and security in your AWS environment.

Q: What is the other activity made by the user glitch aside from the ListObject action?

A: Run the following jq command for the answer.

jq -r '["Event_Time", "Event_Name", "User_Name", "Bucket_Name", "Key", "Source_IP"],(.Records[] | select(.eventSource == "s3.amazonaws.com" and .requestParameters.bucketName=="wareville-care4wares") | [.eventTime, .eventName, .userIdentity.userName // "N/A",.requestParameters.bucketName // "N/A", .requestParameters.key // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t

Q: Based on the eventSource field, what AWS service generates the ConsoleLogin event?

A: Run the following jq command for the answer.

jq -r '["Event_Time", "Event_Source", "Event_Name", "User_Name", "Source_IP"],(.Records[] | select(.userIdentity.userName == "glitch") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

Q: When did the anomalous user trigger the ConsoleLogin event?

A: Run the following jq command for the answer.

jq -r '["Event_Time", "Event_Source", "Event_Name", "User_Name", "Source_IP"],(.Records[] | select(.userIdentity.userName == "glitch") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A", .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

Q: What was the name of the user that was created by the mcskidy user?

A: Run the following jq command for the answer.

jq '.Records[] |select(.eventSource=="iam.amazonaws.com" and .eventName== "CreateUser")' cloudtrail_log.json

Q: What type of access was assigned to the anomalous user?

A: Run the following jq command for the answer.

jq '.Records[] | select(.eventSource=="iam.amazonaws.com" and .eventName== "AttachUserPolicy")' cloudtrail_log.json

Q: Which IP does Mayor Malware typically use to log into AWS?

A: Run the following jq command for the answer.

jq -r '["Event_Time","Event_Source","Event_Name", "User_Name","User_Agent","Source_IP"],(.Records[] | select(.userIdentity.userName=="mayor_malware") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A",.userAgent // "N/A",.sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'

Q: What is McSkidy's actual IP address?

A: Run the following jq command for the answer.

jq -r '["Event_Time","Event_Source","Event_Name", "User_Name","User_Agent","Source_IP"],(.Records[] | select(.userIdentity.userName=="mcskidy") | [.eventTime, .eventSource, .eventName, .userIdentity.userName // "N/A",.userAgent // "N/A",.sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'
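The jq one-liners above answer one question each. The same triage (who created which IAM user and what policy was attached, and which source IPs each user logs in from) can be done in a few reusable Python functions over the same `Records` structure. This is an added example, not part of the room or the original writeup; the records are a constructed sample with placeholder names, TEST-NET IPs and a placeholder policy ARN, so nothing in it is the room's answer.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of a CloudTrail export ("Records" list). All names,
# IPs and ARNs below are placeholders, not values taken from the room's cloudtrail_log.json.
RECORDS = [
    {"eventTime": "2024-11-27T09:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "mcskidy"}, "sourceIPAddress": "192.0.2.25"},
    {"eventTime": "2024-11-28T15:10:05Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "mcskidy"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-11-28T15:12:30Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"userName": "mcskidy"}, "requestParameters": {"userName": "example-new-user"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-11-28T15:13:02Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"userName": "mcskidy"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "example-new-user", "policyArn": "arn:aws:iam::aws:policy/ExamplePolicy"}},
    {"eventTime": "2024-11-26T18:40:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "mayor_malware"}, "sourceIPAddress": "203.0.113.10"},
]

def load_records(path):
    """Read a real export (e.g. cloudtrail_log.json) into the same list-of-dicts shape as RECORDS."""
    with open(path) as f:
        return json.load(f)["Records"]

def iam_provisioning(records):
    """CreateUser / AttachUserPolicy events as (event, actor, target user, policy ARN or None)."""
    out = []
    for r in records:
        if r.get("eventSource") == "iam.amazonaws.com" and r["eventName"] in ("CreateUser", "AttachUserPolicy"):
            p = r.get("requestParameters", {})
            out.append((r["eventName"], r["userIdentity"].get("userName"), p.get("userName"), p.get("policyArn")))
    return out

def login_ips(records):
    """Per user, how often each source IP appears in ConsoleLogin events (the 'typical' IP dominates)."""
    ips = defaultdict(Counter)
    for r in records:
        if r.get("eventName") == "ConsoleLogin":
            ips[r["userIdentity"].get("userName")][r.get("sourceIPAddress")] += 1
    return {user: dict(counts) for user, counts in ips.items()}

def shared_login_ips(records):
    """IPs from which more than one user logged in: one user's usual IP showing up for another is the lead."""
    users = defaultdict(set)
    for user, counts in login_ips(records).items():
        for ip in counts:
            users[ip].add(user)
    return {ip: sorted(u) for ip, u in users.items() if len(u) > 1}
```

Swap `RECORDS` for `load_records("cloudtrail_log.json")` to run the same checks against the room's log.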

Q: What is the bank account number owned by Mayor Malware?

A: Run the following grep command for the answer.

grep INSERT rds.log

Q: Want to learn more about log analysis and how to interpret logs from different sources? Check out the Log Universe room!

A: No answer needed!