Analyzing auth.log and Playing with Grok Filters - HTB Sherlocks - Brutus

Name: Analyzing auth.log and Playing with Grok Filters - HTB Sherlocks - Brutus
Uploaded: 2024-10-19T01:31:08Z
Channel: IppSec
Description: 00:00 - Introduction 02:10 - Going over the wtmp file, showing utmpdump and last 04:30 - Start of talking about the auth.log, grabbing all the programs ...

IppSec · Beginner ·🛡️ AI Safety & Ethics ·1y ago

00:00 - Introduction 02:10 - Going over the wtmp file, showing utmpdump and last 04:30 - Start of talking about the auth.log, grabbing all the programs (ssh, cron, etc) so we know what is in the log 08:15 - Question 1: Identify the bruteforce use grep with oP to extract all IP Addresses with login failures 11:50 - Question 2: Looking at successful logins and seeing the malicious IP logged into root 12:45 - Question 3: Looking at login/logoff times, getting the login time from wtmp as it is 1 second after the login 15:15 - Question 4: Grabbing the session number from logins which is part of sys…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Introduction

2:10 Going over the wtmp file, showing utmpdump and last

4:30 Start of talking about the auth.log, grabbing all the programs (ssh, cron, etc

8:15 Question 1: Identify the bruteforce use grep with oP to extract all IP Address

11:50 Question 2: Looking at successful logins and seeing the malicious IP logged in

12:45 Question 3: Looking at login/logoff times, getting the login time from wtmp as

15:15 Question 4: Grabbing the session number from logins which is part of systemd-l

18:00 Question 5: Finding the useradd line in the auth.log file

19:00 Question 6: Looking at the MITRE Attack Framework and getting the ID-related t

20:10 Question 7: Using Last to look at how long a session was active for

21:25 Question 8: Sudo is the only program in auth.log showing commands being ran,

23:10 BEYOND ROOT: Talking about how we can create grok filters to convert this log

27:30 Using an online Grok Debugger to manually create a Grok Rule, this is like reg

32:00 Showing how to do an "Optional Match" so we can match lines that are mostly al

33:20 Start of creating our program, showing how to add patterns and definitions

42:50 Adding SSH_AUTH to our program

44:40 Adding the New/Remove session lines to a grok filter

53:30 Reading the auth.log in our golang program so we can parse all the lines we cr

54:40 Using JQ to do some searches and create the desired output

1:02:30 Doing some lazy searching with JQ and grep

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →