The Advent of Cyber: Day 7: AWS log analysis - Oh, no. I'M SPEAKING IN CLOUDTRAIL! (TryHackMe)

In this article, we’ll cover the write-up for "AWS log analysis - Oh, no. I'M SPEAKING IN CLOUDTRAIL!", the Day 7 challenge of the Advent of Cyber event. It was interesting to monitor an AWS environment, i.e. AWS CloudWatch and AWS CloudTrail (S3 & IAM), and to get an intro to JQ for working with JSON on the command line. We’re still at Wareville for SOC-mas!

  1. What is the other activity made by the user glitch aside from the ListObject action? PutObject

  2. What is the source IP related to the S3 bucket activities of the user glitch? 53.94.201.69

  3. Based on the eventSource field, what AWS service generates the ConsoleLogin event? signin.amazonaws.com

  4. When did the anomalous user trigger the ConsoleLogin event? 2024-11-28T15:21:54Z

    (based on the image above)

  5. What was the name of the user that was created by the mcskidy user? glitch

  6. What type of access was assigned to the anomalous user? AdministratorAccess

  7. Which IP does Mayor Malware typically use to log into AWS? 53.94.201.69

  8. What is McSkidy's actual IP address? 31.210.15.79

  9. What is the bank account number owned by Mayor Malware? 2394 6912 7723 1294

  10. Want to learn more about log analysis and how to interpret logs from different sources? Check out the Log Universe room!
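The triage behind the answers above (what an identity did, from which IP, and who created or elevated which user) can be reproduced offline. This is an added example, not code from the room or the original write-up, and it uses Python rather than jq; the records are constructed, with user names taken from the write-up and placeholder IPs, timestamps and bucket name.

```python
import json
from collections import defaultdict

def rec(time, source, name, ip, user, **params):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "requestParameters": params or None,
            "userIdentity": {"type": "IAMUser", "userName": user}}

# Constructed sample, not the room's log. User names are from the write-up;
# IPs are documentation-range placeholders, timestamps and bucket are made up.
HOME, ODD = "198.51.100.10", "203.0.113.7"
ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
SAMPLE = json.dumps({"Records": [
    rec("2024-01-01T10:00:00Z", "signin.amazonaws.com", "ConsoleLogin", HOME, "mcskidy"),
    rec("2024-01-01T12:00:00Z", "signin.amazonaws.com", "ConsoleLogin", ODD, "mcskidy"),
    rec("2024-01-01T12:05:00Z", "iam.amazonaws.com", "CreateUser", ODD, "mcskidy", userName="glitch"),
    rec("2024-01-01T12:06:00Z", "iam.amazonaws.com", "AttachUserPolicy", ODD, "mcskidy", userName="glitch", policyArn=ADMIN),
    rec("2024-01-01T12:30:00Z", "s3.amazonaws.com", "ListObjects", ODD, "glitch", bucketName="example-bucket"),
    rec("2024-01-01T12:31:00Z", "s3.amazonaws.com", "PutObject", ODD, "glitch", bucketName="example-bucket"),
]})

def load_events(text):
    """Flatten records to the fields used for triage, oldest first."""
    rows = [{"time": r["eventTime"], "source": r["eventSource"], "name": r["eventName"],
             "ip": r.get("sourceIPAddress"), "params": r.get("requestParameters") or {},
             "user": (r.get("userIdentity") or {}).get("userName", "<none>")}
            for r in json.loads(text).get("Records", [])]
    return sorted(rows, key=lambda e: e["time"])

def actions_by_user(events, user, source=None):
    """Distinct (eventName, sourceIPAddress) pairs for one identity."""
    return sorted({(e["name"], e["ip"]) for e in events
                   if e["user"] == user and source in (None, e["source"])})

def shared_ips(events):
    """IPs seen under more than one identity: a lead worth investigating."""
    users = defaultdict(set)
    for e in events:
        users[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) > 1}

def privilege_changes(events):
    """IAM user creation and policy attachment: time, actor, action, target, policy."""
    return [(e["time"], e["user"], e["name"],
             e["params"].get("userName"), e["params"].get("policyArn"))
            for e in events if e["name"] in ("CreateUser", "AttachUserPolicy")]

if __name__ == "__main__":
    print(shared_ips(load_events(SAMPLE)))
```

An IP that appears under two identities, one of which also has a different usual login IP, is the pattern that separates the account owner from whoever was actually driving the session.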

Thank you for reading this article. Please leave a comment with your thoughts, areas for improvement, other suggestions, and questions. Stay secure until the next one!

Did you find this article valuable?

Support Sharon Jebitok by becoming a sponsor. Any amount is appreciated!