Introduction

In this video walkthrough, we covered investigating a compromised endpoint by going over the malicious events.

Part of the Blue Primer series. This room is based on version 3 of the Boss of the SOC (BOTS) competition by Splunk.

In this task, you’re focused on events that have mostly occurred on the endpoint.

The questions below are from the 300 series of the BOTSv3 dataset.

 

Get Splunk Field Notes

 

Question 1 & 2

A lot of malicious activity has occurred on Fyodor’s endpoint. You can start your search with his host.

Downloads can involve various protocols: HTTP, TCP, FTP, etc. Depending on the protocol, you might need to add an operation, such as FTP & RETR.

If you go this route, the suspected port should be noticeable in the Available Fields.

There are a couple of different paths you can take for this question.

Question 3

This one might take some work. You’re provided with a starting point, /tmp directory. Don’t forget the asterisks, /tmp/*.*.

Review the data returned; you’ll need to exclude source types to help narrow down the search.

Additionally, add a keyword to help shrink the returned results even further.

There are a few suspect files. Two of them, in particular, are the correct answer.

Question 4

An email was sent to Grace Hoppy. Honestly, you have enough here to find this answer. 🙂

The question lies on what source type to include or exclude in your search query.

Question 5-6

Tackling this one will require some work too. To point you in the right direction, PowerShell Logging & some decoding will help you with this one.

Once you’ve found the events with the attacker payloads, you’ll have enough to build a search query for question #6.

Video Walk-through

Answers

What port number did the adversary use to download their attack tools?

Based on the information gathered for question 1, what file can be inferred to contain the attack tools? Answer guidance: Include the file extension.

During the attack, two files are remotely streamed to the /tmp directory of the on-premises Linux server by the adversary. What are the names of these files? Answer guidance: Comma separated without spaces, in alphabetical order, include the file extension where applicable.

The Taedonggang adversary sent Grace Hoppy an email bragging about the successful exfiltration of customer data. How many Frothly customer emails were exposed or revealed?

What is the path of the URL being accessed by the command and control server? Answer guidance: Provide the full path. (Example: The full path for the URL https://imgur.com/a/mAqgt4S/lasd3.jpg is /a/mAqgt4S/lasd3.jpg)

At least two Frothly endpoints contact the adversary’s command and control infrastructure. What are their short hostnames? Answer guidance: Comma separated without spaces, in alphabetical order.

About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles