Analyzing auth.log and Playing with Grok Filters - HTB Sherlocks - Brutus

00:00 - Introduction 02:10 - Going over the wtmp file, showing utmpdump and last 04:30 - Start of talking about the auth.log, grabbing all the programs (ssh, cron, etc) so we know what is in the log 08:15 - Question 1: Identify the bruteforce use grep with oP to extract all IP Addresses with login failures 11:50 - Question 2: Looking at successful logins and seeing the malicious IP logged into root 12:45 - Question 3: Looking at login/logoff times, getting the login time from wtmp as it is 1 second after the login 15:15 - Question 4: Grabbing the session number from logins which is part of systemd-logind 18:00 - Question 5: Finding the useradd line in the auth.log file 19:00 - Question 6: Looking at the MITRE Attack Framework and getting the ID-related to creating users for persistence 20:10 - Question 7: Using Last to look at how long a session was active for 21:25 - Question 8: Sudo is the only program in auth.log showing commands being ran, looking at what was run 23:10 - BEYOND ROOT: Talking about how we can create grok filters to convert this log to json, we will use Go-Grok 27:30 - Using an online Grok Debugger to manually create a Grok Rule, this is like regex101 32:00 - Showing how to do an "Optional Match" so we can match lines that are mostly alike 33:20 - Start of creating our program, showing how to add patterns and definitions 42:50 - Adding SSH_AUTH to our program 44:40 - Adding the New/Remove session lines to a grok filter 53:30 - Reading the auth.log in our golang program so we can parse all the lines we created rules for 54:40 - Using JQ to do some searches and create the desired output 1:02:30 - Doing some lazy searching with JQ and grep