Questions
1. What is the other activity made by the user glitch aside from the ListObject action?
PutObject
2. What is the source IP related to the S3 bucket activities of the user glitch?
53.94.201.69
3. Based on the eventSource field, what AWS service generates the ConsoleLogin event?
signin.amazonaws.com
4. When did the anomalous user trigger the ConsoleLogin event?
2024-11-28T15:21:54Z
5. What was the name of the user that was created by the mcskidy user?
jq -r '.Records[] | select(.eventSource=="iam.amazonaws.com" and .eventName=="CreateUser" and .userIdentity.userName=="mcskidy") | .requestParameters.userName' cloudtrail_log.json
glitch
6. What type of access was assigned to the anomalous user?
jq -r '.Records[] | select(.eventSource=="iam.amazonaws.com" and .eventName=="AttachUserPolicy" and .requestParameters.userName=="glitch") | .requestParameters.policyArn' cloudtrail_log.json
7. Which IP does Mayor Malware typically use to log into AWS?
jq -r '["Event_Time", "Event_Name", "Source_IP"], (.Records[] | select(.userIdentity.userName=="mayor_malware") | [.eventTime, .eventName, .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'
8. What is McSkidy’s actual IP address?
jq -r '["Event_Time", "Event_Name", "Source_IP"], (.Records[] | select(.userIdentity.userName == "mcskidy" and .eventName == "ConsoleLogin") | [.eventTime, .eventName, .sourceIPAddress // "N/A"]) | @tsv' cloudtrail_log.json | column -t -s $'\t'
9. What is the bank account number owned by Mayor Malware?
grep "INSERT INTO wareville_bank_transactions" rds.log | grep "Mayor Malware"
