NSA Codebreaker 2022 Task A1

Description:

We believe that the attacker may have gained access to the victim's network by phishing a legitimate user's credentials and connecting over the company's VPN. The FBI has obtained a copy of the company's VPN server log for the week in which the attack took place. Do any of the user accounts show unusual behavior which might indicate their credentials have been compromised?

Note that all IP addresses have been anonymized.

Solution:

Two things in the description narrow the search. Because the attacker used legitimate credentials, the indicator will not be failed logins or logins for unknown users. And because the IP addresses are anonymized, geolocation checks (impossible travel, unusual source networks) or any other IP-based metric are off the table.

That leaves the session data itself, and the anomaly most likely to survive those constraints is concurrent sessions: the same account logged in twice at once, which is exactly what a phished credential in an attacker's hands produces while the real user is also connected.

I used awk with sort to parse and sort the data in a way that allowed me to easily analyze time stamps. The command below prints the username ($2), the session start time ($3) and the duration field ($4) converted from seconds to hours, and sort then groups each user's sessions together in chronological order. The CSV header row ends up at the bottom of the sorted output, showing 0 in the duration column because its text is non-numeric.

$ awk -F ',' '{print $2,"\t",$3,"\t",$4/60/60}' vpn.log | sort
Alice.H          2022.05.30 11:16:47 EDT         2.86278
Alice.H          2022.05.30 14:54:04 EDT         1.99222
Alice.H          2022.05.31 12:31:43 EDT         2.88167
Alice.H          2022.06.01 09:05:17 EDT         2.32806
...
Keith.Q          2022.06.04 17:53:12 EDT         1.27861
Kevin.I          2022.05.31 14:33:25 EDT         1.88111
Kevin.I          2022.06.01 18:38:48 EDT         1.99611
Kevin.I          2022.06.02 10:45:25 EDT         0
Kevin.I          2022.06.02 12:28:24 EDT         6.2825
Kevin.I          2022.06.03 09:46:29 EDT         8.94556
Kimberly.M       2022.05.30 09:57:31 EDT         5.38694
Kimberly.M       2022.05.30 10:50:01 EDT         4.13417
Logan.G          2022.06.02 08:02:20 EDT         5.20083
Marilyn.G        2022.05.30 15:30:58 EDT         2.55361
Marilyn.G        2022.05.31 16:29:34 EDT         1.84056
Marilyn.G        2022.06.03 11:25:27 EDT         3.72472
Marilyn.G        2022.06.03 16:17:26 EDT         1.19278
Marilyn.G        2022.06.04 14:58:58 EDT         4.42028
...
Stephanie.Y      2022.06.01 08:06:03 EDT         7.09389
Stephanie.Y      2022.06.02 14:41:25 EDT         0
Stephanie.Y      2022.06.04 09:27:34 EDT         9.13528
Username         Start Time      0

Scanning the sorted output shows that Kimberly.M had two sessions open at the same time: the session starting 2022.05.30 09:57:31 lasts 5.39 hours, until about 15:20, and a second session starts at 10:50:01 while the first is still active. No other user in the output has a session that begins before the previous one ends, so Kimberly.M is the account whose credentials were most likely phished.
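The same check done by script rather than by eye, as an added example that is not part of the original post or the challenge materials: it parses the log into per-user (start, end) intervals and flags any session that starts before an earlier session of the same user has ended, which generalizes to logs with many more users than can be scanned by hand. The column layout, the header names of the first and last columns, the IP values and the sample rows are constructed; the real vpn.log's layout is known only from the three fields the awk command printed, and the duration is taken as seconds because the post divides it by 60 twice.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, NOT the real vpn.log from the challenge. The column
# order (ip, user, start, duration) mirrors the fields $2/$3/$4 the post's awk
# command prints; "Client IP", "Duration" and every IP value are assumptions.
# Kimberly.M's two rows reproduce the overlap the post found; the others do not overlap.
SAMPLE_LOG = """\
Client IP,Username,Start Time,Duration
10.0.0.1,Alice.H,2022.05.30 11:16:47 EDT,10306
10.0.0.2,Kevin.I,2022.06.02 10:45:25 EDT,0
10.0.0.2,Kevin.I,2022.06.02 12:28:24 EDT,22617
10.0.0.3,Kimberly.M,2022.05.30 09:57:31 EDT,19393
10.0.0.4,Kimberly.M,2022.05.30 10:50:01 EDT,14883
10.0.0.5,Stephanie.Y,2022.06.02 14:41:25 EDT,0
"""

TIME_FMT = "%Y.%m.%d %H:%M:%S"


def parse_start(value):
    """'2022.05.30 11:16:47 EDT' -> datetime. Every row in the log carries the
    same zone suffix, so it is dropped and times are compared as naive values."""
    stamp, _zone = value.rsplit(" ", 1)
    return datetime.strptime(stamp, TIME_FMT)


def load_sessions(text):
    """Group (start, end) pairs by username. Duration is read as seconds,
    matching the post's $4/60/60 conversion to hours (an assumption)."""
    sessions = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        start = parse_start(row["Start Time"])
        end = start + timedelta(seconds=float(row["Duration"]))
        sessions[row["Username"]].append((start, end))
    return sessions


def find_overlaps(sessions):
    """Return (user, earlier_start, later_start) for every session that begins
    while an earlier session of the same user is still open. Sorting by start
    time lets a single pass with a running 'latest end' catch every overlap;
    a zero-length session (Duration 0) cannot keep anything open itself."""
    hits = []
    for user, spans in sessions.items():
        open_start, open_end = None, None
        for start, end in sorted(spans):
            if open_end is not None and start < open_end:
                hits.append((user, open_start, start))
            if open_end is None or end > open_end:
                open_start, open_end = start, end
    return hits


def suspicious_users(text):
    """Sorted usernames with at least one overlapping session."""
    return sorted({user for user, _, _ in find_overlaps(load_sessions(text))})


if __name__ == "__main__":
    for user, first, second in find_overlaps(load_sessions(SAMPLE_LOG)):
        print(f"{user}: session started {second:%Y.%m.%d %H:%M:%S} "
              f"while the session from {first:%H:%M:%S} was still open")
```

Run it against the real log by swapping SAMPLE_LOG for the file contents (and adjusting the two header names if they differ); the comparison is strict, so a session that starts at the exact second the previous one ends is not flagged, which is the sensible default for a reconnect.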

This post is licensed under CC BY 4.0 by the author.