We covered responding to a cyber incident using Splunk to analyze the related events and uncover the attack artifacts. This was part of the TryHackMe room Incident Handling with Splunk.
Introduction
The investigation centers on a defaced website, imreallynotbatman.com, which belongs to a company named Wayne Enterprises. The task is to reconstruct how the attack occurred using the collected logs and Splunk.
The logs available for investigation include Windows event logs, registry logs, firewall logs, web server (HTTP stream) logs, vulnerability scanner logs, IDS logs, and others.
Investigation Process with Splunk
Log Setup in Splunk
The video begins by loading the relevant logs into Splunk. The instructor searches the index botsv1 and starts analyzing the data, which holds around 80,000 events from the various sources.
Analyzing HTTP Traffic
The investigation focuses on the website’s HTTP traffic using the stream:http sourcetype in Splunk. Two primary source IP addresses are identified, one of them highly active (about 17,000 events).
The URIs requested by that address reveal that the website runs on the Joomla CMS, and that the attacker was reaching the administrator login page.
IDS Logs
The Suricata IDS logs show several alert categories, including web application attacks, SQL injection attempts, and attempts to gain administrator privileges.
Among the alerts, signatures for CVE-2014-6271 (Shellshock) stand out as the potential method the attacker used to gain access to the web server.
Brute Force Attack
From a different IP address, the attacker then brute-forced the Joomla administrator login. The HTTP stream logs show repeated POST requests to the login URI with the same username and a different password in the form data each time. The password that eventually succeeded was “batman”.
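The brute-force analysis above, as an added example that is not part of the original write-up or the TryHackMe room: it runs the same logic over constructed HTTP events (field names src_ip, dest_ip, http_method, uri_path, status and form_data are assumed to mirror Splunk Stream’s stream:http records; the addresses and passwords are made up). It isolates credential POSTs to the admin URI, counts attempts per source and unique passwords, and flags the likely successful password by two heuristics: a POST answered with a 3xx redirect, and a password reused from a second source address, which is how the attacker’s own login stands out from the automated guesses.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed events shaped like Splunk Stream "stream:http" records. The field
# names (src_ip, dest_ip, http_method, uri_path, status, form_data) are assumed
# from that add-on; the values are made up and not copied from the BOTS v1 data.
ADMIN_URI = "/joomla/administrator/index.php"   # Joomla admin login endpoint
WEB_SERVER = "192.168.250.10"                    # constructed victim address
BRUTE_IP = "203.0.113.5"                         # constructed brute-force source
SECOND_IP = "198.51.100.7"                       # constructed second attacker address


def _post(src, passwd, status=200):
    """Build one login POST as the web server's HTTP stream would record it."""
    return {"src_ip": src, "dest_ip": WEB_SERVER, "http_method": "POST",
            "uri_path": ADMIN_URI, "status": status,
            "form_data": f"username=admin&passwd={passwd}&option=com_login&task=login"}


SAMPLE_EVENTS = [
    {"src_ip": BRUTE_IP, "dest_ip": WEB_SERVER, "http_method": "GET",
     "uri_path": ADMIN_URI, "status": 200, "form_data": ""},
    _post(BRUTE_IP, "123456"),
    _post(BRUTE_IP, "password"),
    _post(BRUTE_IP, "letmein"),
    _post(BRUTE_IP, "batman"),
    _post(BRUTE_IP, "qwerty"),
    _post(BRUTE_IP, "123456"),        # the tool retried an earlier guess
    _post(SECOND_IP, "batman", 303),  # later login from another host; redirect on success
]


def login_attempts(events, uri=ADMIN_URI):
    """Return (src_ip, username, passwd, status) for every credential POST to `uri`.

    Same filter as the SPL search on http_method=POST and form_data=*username*passwd*.
    """
    attempts = []
    for ev in events:
        if ev.get("http_method") != "POST" or ev.get("uri_path") != uri:
            continue
        fields = parse_qs(ev.get("form_data", ""))
        if "username" not in fields or "passwd" not in fields:
            continue
        attempts.append((ev["src_ip"], fields["username"][0],
                         fields["passwd"][0], ev.get("status")))
    return attempts


def brute_force_summary(events, uri=ADMIN_URI, threshold=5):
    """Summarise login activity against `uri` and flag the likely successful password.

    `threshold` is the number of POSTs from one address that counts as brute force;
    the two success heuristics are explained in the lead-in.
    """
    attempts = login_attempts(events, uri)
    per_src = Counter(src for src, _, _, _ in attempts)
    sources_per_pw = defaultdict(set)
    for src, _, pw, _ in attempts:
        sources_per_pw[pw].add(src)
    return {
        "attempts": len(attempts),
        "brute_force_sources": sorted(s for s, n in per_src.items() if n >= threshold),
        "unique_passwords": len(sources_per_pw),
        "redirect_after_post": sorted({pw for _, _, pw, st in attempts
                                       if isinstance(st, int) and 300 <= st < 400}),
        "reused_from_other_ip": sorted(pw for pw, srcs in sources_per_pw.items()
                                       if len(srcs) > 1),
    }


if __name__ == "__main__":
    for key, value in brute_force_summary(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

In Splunk the same steps are a filter on the stream:http sourcetype for POSTs whose form_data carries username and passwd, a rex extraction of the password, and a stats count by that field; the redirect and second-source heuristics map onto grouping by status and by src_ip respectively.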
File Upload and Execution
After gaining access, the attacker uploaded an executable, 3791.exe, to the server. The Windows process logs show that the file was executed on the server.
The file’s MD5 hash is extracted from those logs and looked up on VirusTotal, which identifies the file as a Trojan horse.
Data Exfiltration Investigation
The next phase of the investigation checks for data exfiltration. The IDS logs are searched for traffic originating from the victim web server towards external IP addresses, since a compromised server that initiates connections outward is the signal to look for.
This uncovers a request in which the web server downloaded an image from an external host controlled by the attacker; the image is the one used to deface the site, and the outbound request ties the defacement to the attacker’s infrastructure.
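The outbound-traffic check described above, as an added example that is not code from the original write-up or the room: it filters constructed HTTP events (src_ip, dest_ip, http_method, url are assumed field names; the victim address, the internal peer and the external hosts are made up) down to connections the web server itself initiated to addresses outside the assumed internal ranges, groups them by destination, and picks out image downloads as defacement candidates.

```python
import ipaddress
from collections import defaultdict

# Constructed events in the shape of HTTP records from the IDS or Splunk Stream
# (src_ip, dest_ip, http_method, url). All addresses are made up for illustration.
WEB_SERVER = "192.168.250.10"   # constructed victim web server address

# Address space treated as "inside" the victim network; RFC 1918 only, by assumption.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

SAMPLE_EVENTS = [
    # ordinary inbound request from a visitor: server is the destination, ignored
    {"src_ip": "203.0.113.5", "dest_ip": WEB_SERVER, "http_method": "GET",
     "url": "http://imreallynotbatman.com/joomla/index.php"},
    # server talking to another internal host: outbound but not external, ignored
    {"src_ip": WEB_SERVER, "dest_ip": "192.168.250.20", "http_method": "GET",
     "url": "http://192.168.250.20/updates"},
    # server reaching out to external hosts: these are the interesting ones
    {"src_ip": WEB_SERVER, "dest_ip": "203.0.113.9", "http_method": "GET",
     "url": "http://203.0.113.9/"},
    {"src_ip": WEB_SERVER, "dest_ip": "203.0.113.9", "http_method": "GET",
     "url": "http://203.0.113.9/defaced.jpeg"},
    {"src_ip": WEB_SERVER, "dest_ip": "203.0.113.20", "http_method": "POST",
     "url": "http://203.0.113.20/upload"},
]


def is_internal(ip):
    """True when `ip` falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_from(events, host=WEB_SERVER):
    """Events where `host` initiated the connection and the peer is external.

    Equivalent to the SPL filter src_ip=<server> with the internal ranges
    excluded from dest_ip.
    """
    return [ev for ev in events
            if ev["src_ip"] == host and not is_internal(ev["dest_ip"])]


def outbound_by_dest(events, host=WEB_SERVER):
    """Group outbound URLs by external destination, like `stats values(url) by dest_ip`."""
    grouped = defaultdict(list)
    for ev in outbound_from(events, host):
        grouped[ev["dest_ip"]].append(ev["url"])
    return dict(grouped)


def fetched_images(events, host=WEB_SERVER):
    """URLs of image files the server pulled from external hosts: defacement candidates."""
    return sorted(url for urls in outbound_by_dest(events, host).values()
                  for url in urls if url.lower().endswith(IMAGE_EXTS))


if __name__ == "__main__":
    for dest, urls in outbound_by_dest(SAMPLE_EVENTS).items():
        print(dest, urls)
    print("image downloads:", fetched_images(SAMPLE_EVENTS))
```

The internal ranges are deliberately an explicit list rather than a library “is private” test, because reserved documentation and test ranges would otherwise be misclassified; in a real environment replace them with the organisation’s own address plan.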
Key Findings
The attacker used multiple IP addresses: one for vulnerability scanning and another for the brute force attack.
The web server was vulnerable to CVE-2014-6271 (Shellshock), which the attacker exploited to gain access.
Once access was gained, a backdoor Trojan (3791.exe) was planted on the server to maintain persistence.
The attacker defaced the website with an image downloaded from their own infrastructure, which was identified through the server’s outbound traffic in the logs.
Room Answers | TryHackMe Incident Handling with Splunk
What is the CMS our web server is using?
What is the IP address of the server imreallynotbatman.com?
What was the URI which got multiple brute force attempts?
What was the correct password for admin access to the content management system running imreallynotbatman.com?
How many unique passwords were attempted in the brute force attempt?
Looking at the logs, which user executed the program 3791.exe on the server?
Search the hash on VirusTotal. What other name is associated with this file, 3791.exe?
The Fortigate firewall (sourcetype ‘fortigate_utm’) detected an SQL injection attempt from the attacker’s IP 40.80.148.42. What is the name of the rule that was triggered during the SQL injection attempt?
Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address that is most likely associated with the P01s0n1vy APT group?
What is the name of the Malware associated with the Poison Ivy Infrastructure?