I've finished my investigation on my side and took a few screenshots.
The other colleague's investigation has some data as well; let's consolidate it and build the attack-path diagram along a timeline.
https://www.aldeid.com/wiki/TryHackMe-BP-Splunk/Advanced-Persitent-Threat
2016-08-10 21:36:45 Reconnaissance with the Acunetix web vulnerability scanner
40.80.148.42 > 192.168.250.70
index="botsv1" sourcetype="stream:http" src_ip="40.80.148.42" Acunetix | sort _time | head 10
2016-08-10 21:45 Credential brute force begins
23.22.63.114 > 192.168.250.70
POST /joomla/administrator/index.php
Host http[:]//imreallynotbatman[.]com
2016-08-10 21:46 Site credentials guessed
23.22.63.114 > 192.168.250.70
username=admin&passwd=batman
User-Agent: Python-urllib/2.7
2016-08-10 21:48 Web login using the guessed credentials
40.80.148.42 > 192.168.250.70
User-Agent: Mozilla/5.0
index=botsv1 imreallynotbatman.com sourcetype=stream:http http_method="POST" form_data=*username*passwd* batman
2016-08-10 21:52:45 Malicious file 3791.exe uploaded
40.80.148.42 > 192.168.250.70
Detected by the FGT_UTM firewall, but the policy was in monitored mode, so the upload was allowed through
POST /joomla/administrator/index.php?option=com_extplorer&tmpl=component
Host http[:]//imreallynotbatman[.]com
MD5 AAE3F5A29935E6ABCC2C2754D12A9AF0
2016-08-10 21:56 Malicious file 3791.exe executed with the privileges of the joomla application pool
192.168.250.70
Microsoft Windows security auditing
EventCode 4688
C:\inetpub\wwwroot\joomla\3791.exe
Security ID: IIS APPPOOL\joomla
Process Command Line: cmd.exe /c "3791.exe 2>&1"
2016-08-10 21:56 Victim host checks in with the C2 IP
192.168.250.70:80 > 23.22.63.114:47373
Sysmon
EventCode 3
Host we1149srv.waynecorpinc.local
DestHost ec2-23-22-63-114[.]compute-1[.]amazonaws[.]com
index="botsv1" "3791.exe" | sort _time
2016-08-10 22:06:21 Victim host downloads a malicious file from the C2
192.168.250.70 > 23.22.63.114
GET /poisonivy-is-coming-for-you-batman.jpeg
Host prankglassinebracket[.]jumpingcrab[.]com:1337
index="botsv1" sourcetype="stream:http" src_ip="192.168.250.70" | table url
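The three correlations behind the timeline above (a brute-force source trying many passwords, a different IP logging in with a password that source had guessed, and an IIS app-pool identity launching a binary out of the web root) can be expressed as plain detection logic. The following is an added example written for this page, not code from the original notes, the TryHackMe room, or the BOTS v1 dataset; the events are constructed samples (the IPs, password list and timestamps only mirror the findings above), and the field names are assumed to follow Splunk's stream:http and WinEventLog:Security naming. It generalizes the page's single case: any source over a password-count threshold, and any later login reusing one of its guesses, is flagged.

```python
from collections import defaultdict
from urllib.parse import parse_qs

LOGIN_PATH = "/joomla/administrator/index.php"
WEBROOT = "C:\\inetpub\\wwwroot"


def _http(t, ip, ua, form, method="POST", path=LOGIN_PATH):
    # Helper for the constructed sample records below (field names assumed to match stream:http).
    return {"_time": t, "src_ip": ip, "http_method": method, "uri_path": path,
            "http_user_agent": ua, "form_data": form}


# Constructed sample data, not real BOTS v1 events.
HTTP_EVENTS = [
    _http("2016-08-10T21:40:00", "10.0.1.5", "Mozilla/5.0", "username=admin&passwd=wayne"),
    _http("2016-08-10T21:45:00", "23.22.63.114", "Python-urllib/2.7", "username=admin&passwd=robin"),
    _http("2016-08-10T21:45:10", "23.22.63.114", "Python-urllib/2.7", "username=admin&passwd=joker"),
    _http("2016-08-10T21:45:20", "23.22.63.114", "Python-urllib/2.7", "username=admin&passwd=alfred"),
    _http("2016-08-10T21:46:00", "23.22.63.114", "Python-urllib/2.7", "username=admin&passwd=batman"),
    _http("2016-08-10T21:47:00", "40.80.148.42", "Mozilla/5.0", "", method="GET", path="/joomla/administrator/"),
    _http("2016-08-10T21:48:00", "40.80.148.42", "Mozilla/5.0", "username=admin&passwd=batman"),
]
PROC_EVENTS = [  # constructed Windows 4688 records (field names assumed to match WinEventLog:Security)
    {"_time": "2016-08-10T21:55:00", "EventCode": 4688, "Security_ID": "WAYNECORPINC\\svc_backup",
     "New_Process_Name": "C:\\Windows\\System32\\cmd.exe", "Process_Command_Line": "cmd.exe /c backup.bat"},
    {"_time": "2016-08-10T21:56:00", "EventCode": 4688, "Security_ID": "IIS APPPOOL\\joomla",
     "New_Process_Name": "C:\\inetpub\\wwwroot\\joomla\\3791.exe",
     "Process_Command_Line": 'cmd.exe /c "3791.exe 2>&1"'},
]


def login_attempts(events):
    """Yield (time, src_ip, user_agent, password) for every credential POST to the admin login."""
    for e in events:
        if e["http_method"] != "POST" or e["uri_path"] != LOGIN_PATH:
            continue
        form = parse_qs(e["form_data"])
        if "username" in form and "passwd" in form:
            yield e["_time"], e["src_ip"], e["http_user_agent"], form["passwd"][0]


def brute_force_sources(events, threshold=3):
    """Map each src_ip that tried at least `threshold` distinct passwords to its sorted password list."""
    tried = defaultdict(set)
    for _, ip, _, pw in login_attempts(events):
        tried[ip].add(pw)
    return {ip: sorted(pws) for ip, pws in tried.items() if len(pws) >= threshold}


def credential_reuse(events, brute):
    """Logins from a non-brute-force IP that reuse a password a brute-force source tried earlier."""
    first_tried = {}  # password -> (time, brute-force ip) of the first attempt that used it
    attempts = sorted(login_attempts(events))
    for t, ip, _, pw in attempts:
        if ip in brute and pw not in first_tried:
            first_tried[pw] = (t, ip)
    hits = []
    for t, ip, ua, pw in attempts:
        if ip not in brute and pw in first_tried and t > first_tried[pw][0]:
            hits.append({"_time": t, "src_ip": ip, "user_agent": ua,
                         "passwd": pw, "guessed_by": first_tried[pw][1]})
    return hits


def apppool_spawned_processes(events, webroot=WEBROOT):
    """4688 events where an IIS application-pool identity launched a binary located under the web root."""
    return [e for e in events
            if e["EventCode"] == 4688
            and e["Security_ID"].upper().startswith("IIS APPPOOL\\")
            and e["New_Process_Name"].lower().startswith(webroot.lower())]


def attack_timeline(http_events, proc_events):
    """Merge the three findings into one time-ordered list of (time, description) rows."""
    rows = []
    brute = brute_force_sources(http_events)
    for ip, pws in brute.items():
        first = min(t for t, src, _, _ in login_attempts(http_events) if src == ip)
        rows.append((first, f"brute force against {LOGIN_PATH} from {ip} ({len(pws)} distinct passwords)"))
    for h in credential_reuse(http_events, brute):
        rows.append((h["_time"], f"login from {h['src_ip']} ({h['user_agent']}) "
                                 f"with password guessed by {h['guessed_by']}"))
    for p in apppool_spawned_processes(proc_events):
        rows.append((p["_time"], f"{p['Security_ID']} executed {p['New_Process_Name']}: "
                                 f"{p['Process_Command_Line']}"))
    return sorted(rows)


if __name__ == "__main__":
    for t, desc in attack_timeline(HTTP_EVENTS, PROC_EVENTS):
        print(t, desc)
```

The reuse check deliberately keys on the password rather than the source IP, which is what separates the scripted guessing (Python-urllib from 23.22.63.114) from the interactive login (a browser from 40.80.148.42) in the notes above; the 4688 check does not care what the binary is called, only that a web-server service account started something from under wwwroot.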