Analyzing auth.log and Playing with Grok Filters - HTB Sherlocks - Brutus
Published 19 Oct 2024
00:00 - Introduction
02:10 - Going over the wtmp file, showing utmpdump and last
04:30 - Start of talking about the auth.log, grabbing all the programs (ssh, cron, etc) so we know what is in the log
08:15 - Question 1: Identifying the brute force, using grep with -oP to extract all IP addresses with login failures
11:50 - Question 2: Looking at successful logins and seeing the malicious IP logged into root
12:45 - Question 3: Looking at login/logoff times, getting the login time from wtmp as it is 1 second after the login
15:15 - Question 4: Grabbing the session number from logins which is part of systemd-logind
18:00 - Question 5: Finding the useradd line in the auth.log file
19:00 - Question 6: Looking at the MITRE ATT&CK Framework and getting the ID related to creating users for persistence
20:10 - Question 7: Using last to look at how long a session was active for
21:25 - Question 8: Sudo is the only program in auth.log showing commands being run, looking at what was run
23:10 - BEYOND ROOT: Talking about how we can create grok filters to convert this log to JSON, we will use Go-Grok
27:30 - Using an online Grok Debugger to manually create a Grok Rule, this is like regex101
32:00 - Showing how to do an "Optional Match" so we can match lines that are mostly alike
33:20 - Start of creating our program, showing how to add patterns and definitions
42:50 - Adding SSH_AUTH to our program
44:40 - Adding the New/Remove session lines to a grok filter
53:30 - Reading the auth.log in our golang program so we can parse all the lines we created rules for
54:40 - Using JQ to do some searches and create the desired output
1:02:30 - Doing some lazy searching with JQ and grep
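As an added example (not code from the video or from the Go-Grok library it uses), a small Go program that does what the BEYOND ROOT section describes: one rule for the sshd "Failed/Accepted password" lines, with the "invalid user" fragment as the optional match, emitting one JSON object per line for jq and tallying failed logins per source address (Question 1). The sample log lines, hostname and addresses are constructed, and standard-library regexp named groups stand in for grok's %{PATTERN:field} syntax.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample auth.log lines (not from the Sherlock; TEST-NET addresses).
const sampleAuthLog = `Mar  6 06:31:33 webserver sshd[2325]: Failed password for invalid user admin from 192.0.2.10 port 46380 ssh2
Mar  6 06:31:34 webserver sshd[2327]: Failed password for root from 192.0.2.10 port 46382 ssh2
Mar  6 06:31:35 webserver sshd[2329]: Failed password for invalid user test from 203.0.113.5 port 50001 ssh2
Mar  6 06:31:40 webserver sshd[2331]: Accepted password for root from 192.0.2.10 port 46390 ssh2`
// sshAuthRe stands in for a grok SSH_AUTH rule: every named group is one %{PATTERN:field},
// and "(invalid user )?" is the optional match that lets both sshd variants share one rule.
var sshAuthRe = regexp.MustCompile(`^(?P<timestamp>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: ` +
	`(?P<result>Failed|Accepted) password for (?P<invalid_user>invalid user )?(?P<user>\S+) from (?P<source_ip>[\d.]+) port (?P<port>\d+)`)

// ParseAuthLine returns the grok-style field map for an sshd password line, or nil for other lines.
func ParseAuthLine(line string) map[string]string {
	m := sshAuthRe.FindStringSubmatch(line)
	if m == nil {
		return nil
	}
	fields := map[string]string{} // invalid_user is "" when the optional part did not match
	for i, name := range sshAuthRe.SubexpNames()[1:] {
		fields[name] = m[i+1]
	}
	return fields
}

// FailedLoginsByIP tallies "Failed password" events per source address (the grep -oP | sort | uniq -c step).
func FailedLoginsByIP(log string) map[string]int {
	counts := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		if ev := ParseAuthLine(line); ev != nil && ev["result"] == "Failed" {
			counts[ev["source_ip"]]++
		}
	}
	return counts
}

func main() {
	for _, line := range strings.Split(sampleAuthLog, "\n") {
		if ev := ParseAuthLine(line); ev != nil {
			if b, err := json.Marshal(ev); err == nil { fmt.Println(string(b)) } // one JSON object per line, ready for jq
		}
	}
	fmt.Println(FailedLoginsByIP(sampleAuthLog))
}
```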
The way you solved boxes 👌👌.. you are one of the best teachers
thank you ippsec, very good lesson😃
Man, last I saw you on cam was on vids 11 months ago
I see you a little bit fresh & muscle there
Then I saw this vid, so different,,
Sorry but,, I'm a little bit worried about you
Hope u ok man 😅 Damnn
You are change my life
*Sorry for my bad English😂
Everything is fine with me - I simply made a New Years Resolution of wanting to live a healthier life and had an event I wanted to look good for, so traded a lot of computer time with exercise.
we need this kind of videos more
Legends 😊🎉
Man, you lost weight (a lot) is everything okay?!
Yup, thanks for asking just had an event I wanted to look my best in. So spent a good portion of this year at the gym.
@ippsec You look absolutely amazing! ❤️
Finally another sherlock !
Wizardry
Great!
Good job
Push!
Hello Master🙂♥️
First of all, I am IppSec.
Second of all, you're not IppSec.
Third of all, you wanna be IppSec but you can't be IppSec because I'm IppSec.
Nice job! Still one of the first comments on my off-hours videos.
@ippsec