Can briefly discuss how I got here.

1. The Cloud provider motioning the IDS noticed there was website scanning activity

2. The Cloud provider saw an IP Address scanning the website making an SSH connection

? SSH traffic is encrypted, so the analyst reviewing the logs was not sure about malicious activity

? Displaying the scanning activity and discussing that in the logs would be helpful

? please help me Explain where I can find these forensic artifacts on the system

Transcribed Image Text:

> This PC > JESSE-OS (C:) > inetpub logs > LogFiles W3SVC1 (1 u_ex220226.log- Notepad ts File Edit Format View Help dc #Software: Microsoft Internet Information Services 10.0 # Version: 1.0 #Date: 2022-02-26 17:19:32 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-take 2022-02-26 17:19:32 127.0.0.1 GET / - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+10.0; +WOW64; +Trident/7.0;+rv: 11.0) +like+Gecko 200 0 0 175 2022-02-26 17:19:32 127.0.0.1 GET /favicon.ico - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+10.0; +WOW64; +Trident/7.0;+rv: 11.0)+like+Gecko - 404 0 2 21 2022-02-26 17:32:27 127.0.0.1 GET /hidden/admin.txt 80 - 127.0.0.1 Mozilla/5.0+(Windows +NT+10.0; +WOW64; +Trident/7.0;+rv: 11.0)+like+Gecko - 200 0 0 2 (2022-02-26 17:32:27 127.0.0.1 GET /favicon.ico - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+10.0; +WOW64; +Trident/7.0;+rv: 11.0)+like+Gecko - 404 0 2 57 2022-02-26 17:33:24 10.138.10.211 GET / - 80 - 10.138.23.18 Mozilla/5.0+(X11; +Linux+x86_64;+rv: 78.0) +Gecko/20100101+Firefox/78.0 - 304 0 0 4 - 2022-02-26 17:33:36 10.138.10.211 GET /hidden/admin.txt - 80 10.138.23.18 Mozilla/5.0+(X11; +Linux+x86_64;+rv: 78.0) +Gecko/20100101+Firefox/78.0 - 200 0 0 0 2022-02-26 17:38:51 10.138.10.211 GET /randomfilel - 80 - 10.138.23.18 Mozilla/4.0+(compatible;+MSIE+6.0; +Windows+NT+5.1) - 404 0 2 4 2022-02-26 17:38:51 10.138.10.211 GET /frand2 - 80 - 10.138.23.18 Mozilla/4.0+(compatible; +MSIE+6.0; +Windows + NT+5.1) - 404 0 2 0 2022-02-26 17:38:51 10.138.10.211 GET /.bash_history - 80 - 10.138.23.18 Mozilla/4.0+(compatible; +MSIE+6.0; +Windows+NT+5.1) - 404 0 2 0 2022-02-26 17:38:51 10.138.10.211 GET /.bashrc - 80 - 10.138.23.18 Mozilla/4.0+(compatible;+MSIE+6.0; +Windows+NT+5.1) 404 0 2 0 M2022-02-26 17:38:51 10.138.10.211 GET /.cache - 80 10.138.23.18 Mozilla/4.0+(compatible;+MSIE+6.0; +Windows+NT+5.1) 404 0 2 0 2022-02-26 17:38:51 10.138.10.211 GET /.config - 80 10.138.23.18 Mozilla/4.0+(compatible; +MSIE+6.0; +Windows+NT+5.1) - 404 02 0 2022-02-26 17:38:51 10.138.10.211 GET /.cvs - 80 - 10.138.23.18 Mozilla/4.0+(compatible; +MSIE+6.0; +Windows +NT+5.1) 404 0 2 0 en 2022-02-26 17:38:51 10.138.10.211 GET /.cvsignore - 80 - 10.138.23.18 Mozilla/4.0+(compatible;+MSIE+6.0; +Windows+NT+5.1) - 404 0 2 0 2022-02-26 17:38:51 10.138.10.211 GET /. forward - 80 - 10.138.23.18 Mozilla/4.0+(compatible;+MSIE+6.0; +Windows +NT+5.1) - 404 0 2 0 2022-02-26 17:38:51 10.138.10.211 GET /.git/HEAD - 80 80 - 10.138.23.18 Mozilla/4.0+(compatible; +MSIE+6.0; +Windows + NT+5.1) - 404 0 2 0 2022-02-26 17:38:51 10.138.10.211 GET /.history 80 10.138.23.18 Mozilla/4.0+(compatible;+MSIE+6.0; +Windows +NT+5.1) - 404 0 2 0 80 e.l 54 - - x > This PC > JESSE-OS (C:) > inetpub logs > LogFiles W3SVC1 (1 u_ex220226.log- Notepad ts File Edit Format View Help dc #Software: Microsoft Internet Information Services 10.0 # Version: 1.0 #Date: 2022-02-26 17:19:32 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-take 2022-02-26 17:19:32 127.0.0.1 GET / - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+10.0; +WOW64; +Trident/7.0;+rv: 11.0) +like+Gecko 200 0 0 175 2022-02-26 17:19:32 127.0.0.1 GET /favicon.ico - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+10.0; +WOW64; +Trident/7.0;+rv: 11.0)+like+Gecko - 404 0 2 21 2022-02-26 17:32:27 127.0.0.1 GET /hidden/admin.txt 80 - 127.0.0.1 Mozilla/5.0+(Windows +NT+10.0; +WOW64; +Trident/7.0;+rv: 11.0)+like+Gecko - 200 0 0 2 (2022-02-26 17:32:27 127.0.0.1 GET /favicon.ico - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+10.0; +WOW64; +Trident/7.0;+rv: 11.0)+like+Gecko - 404 0 2 57 2022-02-26 17:33:24 10.138.10.211 GET / - 80 - 10.138.23.18 Mozilla/5.0+(X11; +Linux+x86_64;+rv: 78.0) +Gecko/20100101+Firefox/78.0 - 304 0 0 4 - 2022-02-26 17:33:36 10.138.10.211 GET /hidden/admin.txt - 80 10.138.23.18 Mozilla/5.0+(X11; +Linux+x86_64;+rv: 78.0) +Gecko/20100101+Firefox/78.0 - 200 0 0 0 2022-02-26 17:38:51 10.138.10.211 GET /randomfilel - 80 - 10.138.23.18 Mozilla/4.0+(compatible;+MSIE+6.0; +Windows+NT+5.1) - 404 0 2 4 2022-02-26 17:38:51 10.138.10.211 GET /frand2 - 80 - 10.138.23.18 Mozilla/4.0+(compatible; +MSIE+6.0; +Windows + NT+5.1) - 404 0 2 0 2022-02-26 17:38:51 10.138.10.211 GET /.bash_history - 80 - 10.138.23.18 Mozilla/4.0+(compatible; +MSIE+6.0; +Windows+NT+5.1) - 404 0 2 0 2022-02-26 17:38:51 10.138.10.211 GET /.bashrc - 80 - 10.138.23.18 Mozilla/4.0+(compatible;+MSIE+6.0; +Windows+NT+5.1) 404 0 2 0 M2022-02-26 17:38:51 10.138.10.211 GET /.cache - 80 10.138.23.18 Mozilla/4.0+(compatible;+MSIE+6.0; +Windows+NT+5.1) 404 0 2 0 2022-02-26 17:38:51 10.138.10.211 GET /.config - 80 10.138.23.18 Mozilla/4.0+(compatible; +MSIE+6.0; +Windows+NT+5.1) - 404 02 0 2022-02-26 17:38:51 10.138.10.211 GET /.cvs - 80 - 10.138.23.18 Mozilla/4.0+(compatible; +MSIE+6.0; +Windows +NT+5.1) 404 0 2 0 en 2022-02-26 17:38:51 10.138.10.211 GET /.cvsignore - 80 - 10.138.23.18 Mozilla/4.0+(compatible;+MSIE+6.0; +Windows+NT+5.1) - 404 0 2 0 2022-02-26 17:38:51 10.138.10.211 GET /. forward - 80 - 10.138.23.18 Mozilla/4.0+(compatible;+MSIE+6.0; +Windows +NT+5.1) - 404 0 2 0 2022-02-26 17:38:51 10.138.10.211 GET /.git/HEAD - 80 80 - 10.138.23.18 Mozilla/4.0+(compatible; +MSIE+6.0; +Windows + NT+5.1) - 404 0 2 0 2022-02-26 17:38:51 10.138.10.211 GET /.history 80 10.138.23.18 Mozilla/4.0+(compatible;+MSIE+6.0; +Windows +NT+5.1) - 404 0 2 0 80 e.l 54 - - x