Splunk Boss of the SOC v1
Scenario : Advanced Persistent Threat
Question 1
“What IP is scanning our web server?”
Navigate to http://10.10.29.30:8000 and then click on Investigating with Splunk Workshop.
We know:
- We have a compromised website: imreallynotbatman.com
- An index called: botsv1
Lets start with a basic search:
index=botsv1 imreallynotbatman.com
This provides ~80,0000 results.
Something that is scanning our webserver is likely to be via HTTP, so lets set sourcetype to stream:http.
index=botsv1 imreallynotbatman.com sourcetype="stream:http"
Lets see how many different ip addresses we are dealing with.
index=botsv1 imreallynotbatman.com sourcetype="stream:http" | stats count by src_ip
We can assume that due to the volume of traffic, this source ip is scanning our server.
Answer: 40.80.148.42
Question 2
“What web scanner scanned the server?”
Looking at some of the traffic from 40.80.148.42, we can see it is running Acunetix - a vulnerability scanner.
Answer: Acunetix
Question 3
“What is the IP address of our web server?”
The requests from 40.80.148.42 are targetting 192.168.250.70
index=botsv1 imreallynotbatman.com sourcetype="stream:http" src_ip="40.80.148.42" | stats count by dest_ip
Answer: 192.168.250.70
Question 4
“What content management system is imreallynotbatman.com using?”
Looking at the dest_headers we can see that Joomla is likely to be the CMS in use.
index=botsv1 imreallynotbatman.com sourcetype="stream:http" src_ip="40.80.148.42" dest_ip="192.168.250.70" | top limit=20 dest_headers
Answer: Joomla
Question 5
“What address is performing the brute-forcing attack against our website?”
A brute force attack is against some form of authentication. This will likely require GET/POST requests.
index=botsv1 imreallynotbatman.com sourcetype="stream:http" dest_ip="192.168.250.70" | stats count by http_method
Looking at the http_content for a request shows that the password field is called passwd.
Refining our search further shows how many requests are coming from each ip.
index=botsv1 imreallynotbatman.com sourcetype="stream:http" dest_ip="192.168.250.70" http_method="POST" username passwd | stats count by src_ip
Listing form_data shows a brute force attempt on the admin user.
index=botsv1 imreallynotbatman.com sourcetype="stream:http" src_ip="23.22.63.114" dest_ip="192.168.250.70" http_method="POST" username passwd | top limit=20 form_data
Answer: 23.22.63.114
Question 6
“What was the first password attempted in the attack?”
The earliest entry will be at the tail.
index=botsv1 imreallynotbatman.com sourcetype="stream:http" src_ip="23.22.63.114" dest_ip="192.168.250.70" http_method="POST" username passwd | tail 1
Answer: 12345678
Quesion 7
“One of the passwords in the brute force attack is James Brodsky’s favorite Coldplay song. Which six character song is it?”
This is an interesting query as we need to separate the passwords from the form_data.
index=botsv1 imreallynotbatman.com sourcetype="stream:http" src_ip="23.22.63.114" dest_ip="192.168.250.70" http_method="POST" username passwd
| table form_data
| rex field=form_data "passwd=(?<passwd>\w+)"
| table passwd
| regex passwd= \w{6}
There is still 343 possibilities, sorting alphabetically reveals the answer.
Answer: yellow
Question 8
“What was the correct password for admin access to the content management system running imreallynotbatman.com?”
index=botsv1 imreallynotbatman.com sourcetype="stream:http" dest_ip="192.168.250.70" http_method="POST" username passwd
| rex field=form_data "passwd=(?<passwd>\w+)"
| stats count by passwd
| where count>1
Answer: batman
Question 9
“What was the average password length used in the password brute forcing attempt rounded to closest whole integer?”
index=botsv1 imreallynotbatman.com sourcetype="stream:http" dest_ip="192.168.250.70" http_method="POST" username passwd
| rex field=form_data "passwd=(?<passwd>\w+)"
| eval length=len(passwd)
| stats avg(length)
Answer: 6
Question 10
“How many seconds elapsed between the time the brute force password scan identified the correct password and the compromised login rounded to 2 decimal places?”
index=botsv1 imreallynotbatman.com sourcetype="stream:http" dest_ip="192.168.250.70" http_method="POST" username passwd | rex field=form_data "passwd=(?<passwd>\w+)" | search passwd=batman
| transaction passwd
| eval dur=round(duration, 2)
| table dur
Answer: 92.17
Question 11
“How many unique passwords were attempted in the brute force attempt?”
index=botsv1 imreallynotbatman.com sourcetype="stream:http" dest_ip="192.168.250.70" http_method="POST" username passwd
| rex field=form_data "passwd=(?<passwd>\w+)"
| stats count by passwd
Answer: 412
Question 12
“What is the name of the executable uploaded by P01s0n1vy?”
index=botsv1 imreallynotbatman.com sourcetype="stream:http" dest_ip="192.168.250.70" form-data
Answer: 3791.exe
Question 13
“What is the MD5 hash of the executable uploaded?”
index=botsv1 3791.exe md5 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine="3791.exe"
| rex field="_raw" "MD5=(?<hash>\w+)"
| table hash
| stats count by hash
Answer: AAE3F5A29935E6ABCC2C2754D12A9AF0
Question 14
“What is the name of the file that defaced the imreallynotbatman.com website?”
index=botsv1 sourcetype="suricata" src_ip="192.168.250.70" dest_ip="23.22.63.114"
| stats count by http.http_method, http.hostname, http.url
| sort -count
Answer: poisonivy-is-coming-for-you-batman.jpeg
Question 15
“This attack used dynamic DNS to resolve to the malicious IP. What fully qualified domain name (FQDN) is associated with this attack?”
index=botsv1 sourcetype=fgt_utm "poisonivy-is-coming-for-you-batman.jpeg"
| rex field="_raw" "hostname=(?<hostname>\w+)"
| table hostname
Answer: prankglassinebracket.jumpingcrab.com
Question 16
“What IP address has P01s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?”
index=botsv1 sourcetype=fgt_utm "poisonivy-is-coming-for-you-batman.jpeg"
| table dstip
Answer: 23.22.63.114
Question 17
“Based on the data gathered from this attack and common open source intelligence sources for domain names, what is the email address that is most likely associated with P01s0n1vy APT group?”
Doing a google search for 23.22.63.114 provdes the following page: https://www.threatcrowd.org/ip.php?ip=23.22.63.114.
On this page a diagram is provided which reveals a potential email address.
Answer: lilian.rose@po1s0n1vy.com
Question 18
“GCPD reported that common TTPs (Tactics, Techniques, Procedures) for the P01s0n1vy APT group if initial compromise fails is to send a spear phishing email with custom malware attached to their intended target. This malware is usually connected to P01s0n1vy’s initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.”
Searching for 23.22.63.114 malware hash provides a link to https://www.threatminer.org/host.php?q=23.22.63.114#gsc.tab=0&gsc.q=23.22.63.114&gsc.page=1.
This reveals a hash for a number of trojans.
Following the link on the MD5 provides a SHA256 hash related to this malware - https://www.threatminer.org/sample.php?q=c99131e0169171935c5ac32615ed6261#gsc.tab=0&gsc.q=c99131e0169171935c5ac32615ed6261&gsc.page=1
Answer: 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8
Question 19
“What special hex code is associated with the customized malware discussed in the previous question?”
Following the VirusTotal link on the previous page reveals the HEX code - https://www.virustotal.com/gui/file/9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8/community
Answer: 53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21
Question 20
“What does this hex code decode to?”
Putting the HEX code into an online converter (https://cryptii.com/pipes/hex-decoder) reveals the following message.
Answer: Steve Brant’s Beard is a powerful thing. Find this message and ask him to buy you a beer!!!
Scenario : Ransomware
Question 21
“What was the most likely IP address of we8105desk on 24AUG2016?”
index=botsv1 host=we8105desk| top limit=20 src_ip
Answer: 192.168.250.100
Question 22
“What is the name of the USB key inserted by Bob Smith?”
index=botsv1 host=we8105desk sourcetype=WinRegistry friendlyname
| top limit=1 data
Answer: MIRANDA_PRI
Question 23
“After the USB insertion, a file execution occurs that is the initial Cerber infection. This file execution creates two additional processes. What is the name of the file?”
index=botsv1 host=we8105desk sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" "d:\\"
| reverse
Answer: miranda_tate_unveiled.dotm
Question 24
“During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of this field?”
index=botsv1 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" *.exe CommandLine=* EventCode=1
| eval length=len(CommandLine)
| table CommandLine length
| sort - 1 length
Answer: 4490
Question 25
“Bob Smith’s workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?”
index=botsv1 host="we8105desk" sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" src="we8105desk.waynecorpinc.local"
| stats count by dest_ip
Answer: 192.168.250.20
Question 26
“What was the first suspicious domain visited by we8105desk on 24AUG2016?”
index=botsv1 src="192.168.250.100" sourcetype="stream:dns" record_type=A NOT (query{}=*.microsoft.com OR query{}=*.bing.com OR query{}=wpad* OR query{}=isatap OR query{}=*.waynecorpinc.local OR query{}=*.windows.com OR query{}=*.msftncsi.com)
| table _time query{} src dest
| reverse
Answer: solidaritedeproximite.org
Question 27
“The malware downloads a file that contains the Cerber ransomware cryptor code. What is the name of that file?”
index=botsv1 src="192.168.250.100" sourcetype="suricata" url=*
| stats count values(url) by dest
The first result is mhtr.jpg, doing a google search of this file reveals it is related to a ransomware attack.
Answer: mhtr.jpg
Question 28
“What is the parent process ID of 121214.tmp?”
index=botsv1 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" 121214.tmp
| table _time CommandLine ProcessId ParentProcessId ParentCommandLine
| reverse
Answer: 3968
Question 29
“Amongst the Suricata signatures that detected the Cerber malware, which signature ID alerted the fewest number of times?”
index=botsv1 sourcetype=suricata alert.signature=*cerber*
| stats count by alert.signature_id
Answer: 2816763
Question 30
“The Cerber ransomware encrypts files located in Bob Smith’s Windows profile. How many .txt files does it encrypt?”
index=botsv1 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host=we8105desk *.txt EventCode=2 TargetFilename="C:\\Users\\bob.smith.WAYNECORPINC\\*.txt"
| stats dc(TargetFilename)
Answer: 406
Question 31
“How many distinct PDFs did the ransomware encrypt on the remote file server?”
index=botsv1 sourcetype="*win*" pdf dest="we9041srv.waynecorpinc.local" Source_Address="192.168.250.100"
| stats dc(Relative_Target_Name)
Answer: 257
Question 32
“What fully qualified domain name (FQDN) does the Cerber ransomware attempt to direct the user to at the end of its encryption phase?”
index=botsv1 sourcetype="stream:DNS" src=192.168.250.100 record_type=A NOT (query{}=*.microsoft.com OR query{}=wpad OR query{}=isatap OR query{}=*.waynecorpinc.local OR query{}=*.bing.com OR query{}=*.windows.com OR query{}=*.msftncsi.com OR query{}=*.live.com)
| table _time query{} src dest
Answer: cerberhhyed5frqa.xmfir0.win
Recap
In this task we learnt how to:
- Conduct search queries to find information in Splunk
- Find identifiers of APT activity
- Find identifiers of Ransomware activity
- Conduct OSINT to find malware information