CyberDefenders — “Bucket” Walkthrough
SPOILER ALERT: THIS IS A SOLUTION TO THE CHALLENGE
Objectives
I’m writing this walkthrough to share how JQ can help investigate this challenge; after finishing it I checked the existing write-ups and none of them used JQ’s capabilities.
Scenario
Welcome, Defender! As an incident responder, we’re granting you access to the AWS account called “Security” as an IAM user. This account contains a copy of the logs during the time period of the incident and has the ability to assume the “Security” role in the target account so you can look around to spot the misconfigurations that allowed this attack to happen.
Environment
Questions
What is the full AWS CLI command used to configure credentials?
aws configure
What is the ‘creation’ date of the bucket ‘flaws2-logs’?
I checked the bucket information returned by the CLI, but it contained no creation date, so I switched to the console.
What is the name of the first generated event, according to time?
First, pull all the files in that bucket.
Using JQ to view all Event times and Event Names, we can immediately identify the first generated event.
What source IP address generated the event dated 2018–11–28 at 23:03:20 UTC?
Adding the sourceIPAddress field to our JQ query and filtering on the time mentioned in the question, we can identify the IP address.
Which IP address does not belong to Amazon AWS infrastructure?
There were only two IP addresses mentioned in the log files. Their ownership can be checked via https://www.infobyip.com/ipbulklookup.php
Which user issued the ‘ListBuckets’ request?
We can grep for ListBuckets across the log files to identify the relevant events and the user who made that request.
We could also list all users and events, see below.
What was the first request issued by the user ‘level1’?
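The JQ filters used across the questions above, collected into one script as an added example (not the post’s own commands or screenshots). The CloudTrail records are constructed, with TEST-NET addresses and made-up times, so the values they return are illustrative rather than the challenge answers.

```shell
#!/bin/sh
# Added example, not the post's own commands: jq filters over CloudTrail records
# shaped like those in the flaws2-logs bucket. The records are constructed for
# illustration (TEST-NET addresses, made-up times), so outputs are not the answers.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# CloudTrail delivers gzipped files, each holding {"Records":[...]}.
cat > "$WORKDIR/batch1.json" <<'EOF'
{"Records":[
 {"eventTime":"2018-11-28T23:05:53Z","eventName":"ListBuckets","eventSource":"s3.amazonaws.com",
  "sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"level1"}},
 {"eventTime":"2018-11-28T23:03:20Z","eventName":"GetObject","eventSource":"s3.amazonaws.com",
  "sourceIPAddress":"203.0.113.10","userIdentity":{"type":"AWSAccount","accountId":"123456789012"}}
]}
EOF
cat > "$WORKDIR/batch2.json" <<'EOF'
{"Records":[
 {"eventTime":"2018-11-28T22:31:59Z","eventName":"AssumeRole","eventSource":"sts.amazonaws.com",
  "sourceIPAddress":"lambda.amazonaws.com","userIdentity":{"type":"AWSService","invokedBy":"lambda.amazonaws.com"}}
]}
EOF
gzip "$WORKDIR"/*.json

# Stream every record from every file; each filter below builds on this.
records() { gzip -dc "$WORKDIR"/*.json.gz; }

# Timeline of "eventTime eventName", sorted so the first generated event is on top.
timeline() { records | jq -r '.Records[] | "\(.eventTime) \(.eventName)"' | sort; }

# Source address of the event(s) at a given timestamp.
ip_at() { records | jq -r --arg t "$1" '.Records[] | select(.eventTime == $t) | .sourceIPAddress'; }

# Distinct source addresses; service names and AWS-owned ranges are expected, anything else needs a lookup.
source_ips() { records | jq -r '.Records[].sourceIPAddress' | sort -u; }

# Principal behind a given API call; userName is absent for roles and services, so fall back to the type.
who_called() { records | jq -r --arg n "$1" '.Records[] | select(.eventName == $n) | .userIdentity.userName // .userIdentity.type'; }

# All calls by one IAM user in time order; the first line is that user's first request.
user_requests() { records | jq -r --arg u "$1" '.Records[] | select(.userIdentity.userName == $u) | "\(.eventTime) \(.eventName)"' | sort; }

timeline; echo; ip_at 2018-11-28T23:03:20Z; echo; source_ips; echo; who_called ListBuckets; echo; user_requests level1
```

Point `records` at the directory you synced the bucket into and the same filters answer each question against the real logs.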
Conclusion
This was a nice, quick and easy challenge. JQ has a lot of capabilities and potential for defenders.