Introduction

In this post, we covered part 2 of using Splunk in a security operations center. We investigated web application attacks and answered the 100, 200, 300 and 400 series questions in TryHackMe. This was part of Boss of the SOC v2.

BOTSv2 Dataset

The data included in this app was generated in August of 2017 by members of Splunk’s Security Specialist team – Dave Herrald, Ryan Kovar, Steve Brant, Jim Apger, John Stoner, Ken Westin, David Veuve and James Brodsky. They stood up a few lab environments connected to the Internet. Within the environment they had a few Windows endpoints instrumented with the Splunk Universal Forwarder and Splunk Stream. The forwarders were configured with best practices for Windows endpoint monitoring, including a full Microsoft Sysmon deployment and best practices for Windows Event logging. The environment included a Palo Alto Networks next-generation firewall to capture traffic and provide web proxy services, and Suricata to provide network-based IDS. 

In this exercise, you assume the persona of Alice Bluebird, the analyst who successfully assisted Wayne Enterprises and was recommended to Grace Hoppy at Frothly (a beer company) to assist them with their recent issues.

What Kinds of Events Do We Have?

The SPL (Splunk Search Processing Language) command metadata can be used to search for the same kind of information that is found in the Data Summary (hosts, sources and sourcetypes, with first, last and recent event times), with the bonus of being able to scope the search to a specific index, if desired. All time values are returned as Unix epoch seconds, so to make the output readable the eval command should be used with strftime() to render them in a human-friendly format.

Tasks and Investigations

1. Finding the Tor Browser Version

  • Objective: Determine the Tor browser version a user installed.
  • Steps:
    1. Query for events containing Tor as a keyword.
    2. Narrow down results using relevant fields, such as the Sysmon Image field (the full path of the process that was created).
    3. The installer name in the Image field carries the version string (e.g., 7.0.4). Keep the delimiters; the answer guidance asks for a numeric value with one or more delimiters.

2. Identifying the Public IPv4 Address of the Server

  • Objective: Locate the server’s public IP.
  • Steps:
    1. Search for HTTP events mentioning the specific server name (the site field in stream data).
    2. Check the destination IP field rather than the source, since the server is the destination of inbound requests.
    3. Identify the IP that corresponds to the server (it should dominate the destination IP counts for that site).

3. Web Vulnerability Scanner’s Source IP

  • Objective: Find the IP address of the system running a vulnerability scan.
  • Steps:
    1. Query the server’s HTTP logs and count requests by source IP; a scanner produces a burst of requests to many distinct paths in a short time.
    2. Focus on the source IP with the highest count and confirm the pattern (many unique URIs, a scanner-style User-Agent) to identify the scanner’s IP.

4. URL Path of the Attack

  • Objective: Discover the URI path targeted by a second tool running from the same source IP.
  • Steps:
    1. Filter traffic from the attacker’s source IP.
    2. Check the HTTP requests to the server and count them by URI path.
    3. Identify the path hit repeatedly with varying query strings (e.g., /member.php); a scanner touches many paths once, whereas an injection tool hammers a single path.
</gml_replace>
<gr_replace lines="52-58" cat="clarify" orig="5. SQL">
5. SQL Function Exploited in the URL

  • Objective: Identify the SQL function abused in the attack.
  • Steps:
    1. Narrow the search to requests for that path whose query string contains SQL syntax (quotes, comments, function calls); URL-decode the query string first, since payloads are percent-encoded in the logs.
    2. Analyze the query patterns for SQL function calls.
    3. Example: updatexml(), a MySQL XML function commonly abused for error-based SQL injection.

5. SQL Function Exploited in the URL

  • Objective: Identify the SQL function abused in the attack.
  • Steps:
    1. Narrow search to logs containing SQL queries in the URL.
    2. Analyze query patterns for SQL functions.
    3. Example: update XML.

6. Cookie Used in an XSS Attack

  • Objective: Retrieve the cookie transmitted in a cross-site scripting (XSS) attack.
  • Steps:
    1. Search for HTTP events related to the target user (Kevin).
    2. Filter for logs with cookie fields.
    3. Identify the active session cookie used in the attack.

7. Username from a Spear-Phishing Attack

  • Objective: Find the username created by the attacker during a phishing attack.
  • Steps:
    1. Search for logs containing CSRF token associated with the attack.
    2. Analyze the form data for username fields.
    3. Extract the registered username.
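The pivots in tasks 2 to 6 (server IP, scanner IP, attacked path, abused SQL function, exfiltrated cookie) reduce to counting and filtering fields, which is what the Splunk searches do with stats count by. As an added example, not code from the original page, from TryHackMe or from the BOTSv2 dataset, the following Python reproduces that triage over a small set of constructed HTTP records. The field names are modelled on the stream:http sourcetype (src_ip, dest_ip, site, uri_path, uri_query), but the addresses, hostnames, paths and the cookie value are invented for illustration and are not the room’s answers.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

FORUM = "www.example-forum.test"   # constructed stand-in for the attacked site
ATTACKER = "attacker.test"         # constructed stand-in for the XSS callback host
SCANNER = "198.51.100.7"           # constructed source IP (RFC 5737 documentation range)


def ev(src, path, query="", site=FORUM, dest_ip="203.0.113.10"):
    """Build one HTTP record using stream:http-style field names."""
    return {"src_ip": src, "dest_ip": dest_ip, "site": site,
            "uri_path": path, "uri_query": query}


# Constructed sample log: a couple of normal visitors, a scanner sweeping many paths once,
# an injection tool hitting one path repeatedly, and a victim's browser following an XSS
# payload to the attacker's host with its session cookie in the query string.
SAMPLE_EVENTS = (
    [ev("192.0.2.5", "/index.php"), ev("192.0.2.5", "/showthread.php", "tid=12"),
     ev("192.0.2.9", "/index.php")]
    + [ev(SCANNER, p) for p in ("/admin/", "/phpmyadmin/", "/.git/config", "/wp-login.php",
                                "/backup.zip", "/robots.txt", "/config.php", "/test.php",
                                "/login.php", "/index.php")]
    + [ev(SCANNER, "/member.php", "action=register&username=t%27+and+updatexml(1,concat(0x7e,version()),1)--+-"),
       ev(SCANNER, "/member.php", "action=register&username=t%27+and+updatexml(1,concat(0x7e,user()),1)--+-"),
       ev(SCANNER, "/member.php", "action=register&username=t%27+and+extractvalue(1,concat(0x7e,database()))--+-"),
       ev(SCANNER, "/member.php", "action=register&username=t%27+and+sleep%285%29--+-")]
    + [ev("192.0.2.5", "/", "c=sid%3D1700000000", site=ATTACKER, dest_ip=SCANNER)]
)

# MySQL functions that show up in error-based and time-based injection payloads.
SQL_FUNC_RE = re.compile(r"\b(updatexml|extractvalue|sleep|benchmark|load_file)\s*\(", re.IGNORECASE)
DIGIT_RUN_RE = re.compile(r"\d{6,}")


def public_ip_of(events, site):
    """Task 2: the server is the destination, so count dest_ip for requests to the site."""
    return Counter(e["dest_ip"] for e in events if e["site"] == site).most_common(1)[0][0]


def scanner_ip(events, site):
    """Task 3: the noisiest source IP against the site (stats count by src_ip)."""
    return Counter(e["src_ip"] for e in events if e["site"] == site).most_common(1)[0][0]


def most_requested_path(events, src_ip, site):
    """Task 4: the path one source hits repeatedly (stats count by uri_path)."""
    paths = Counter(e["uri_path"] for e in events
                    if e["src_ip"] == src_ip and e["site"] == site)
    return paths.most_common(1)[0][0]


def abused_sql_functions(events, src_ip, path):
    """Task 5: SQL function calls in the decoded query strings sent to one path."""
    hits = Counter()
    for e in events:
        if e["src_ip"] != src_ip or e["uri_path"] != path:
            continue
        query = unquote_plus(unquote_plus(e["uri_query"]))  # twice: catches double encoding
        for m in SQL_FUNC_RE.finditer(query):
            hits[m.group(1).lower()] += 1
    return hits


def exfiltrated_cookie(events, victim_ip, attacker_site):
    """Task 6: the all-digit cookie value the victim's browser sent to the attacker's host."""
    for e in events:
        if e["src_ip"] == victim_ip and e["site"] == attacker_site:
            m = DIGIT_RUN_RE.search(unquote_plus(e["uri_query"]))
            if m:
                return m.group(0)
    return None


def triage(events):
    """Run the whole pivot chain and return the findings as a dict."""
    src = scanner_ip(events, FORUM)
    path = most_requested_path(events, src, FORUM)
    funcs = abused_sql_functions(events, src, path)
    return {"server_ip": public_ip_of(events, FORUM), "scanner_ip": src, "attacked_path": path,
            "sql_function": funcs.most_common(1)[0][0] if funcs else None,
            "cookie": exfiltrated_cookie(events, "192.0.2.5", ATTACKER)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key:14s} {value}")
```

The same chain in Splunk is a sequence of searches narrowed by the previous result; the point of the script is that each hop is a count over one field after filtering on the previous answer, and that the SQL function only becomes visible once the query string is URL-decoded.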

Key Takeaways

  • Interpreting log data to derive actionable insights.
  • Splunk is instrumental in analyzing large datasets and pinpointing anomalies.
  • Each task demonstrates a critical aspect of log analysis, from HTTP traffic to SQL injection detection.
  • The process involves query refinement and leveraging Splunk’s field extraction and filtering.

Room Questions and Answers

Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team. What is the website domain that she visited?
www.berkbeer.com

Amber found the executive contact information and sent him an email. What image file displayed the executive’s contact information? Answer example: /path/image.ext

/images/ceoberk.png

What is the CEO’s name? Provide the first and last name.

Martin Berk

What is the CEO’s email address?

mberk@berkbeer.com

After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee’s email address?

hbernhard@berkbeer.com

What is the name of the file attachment that Amber sent to a contact at the competitor?

Saccharomyces_cerevisiae_patent.docx

What is Amber’s personal email address?

ambersthebest@yeastiebeastie.com

What version of TOR Browser did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one or more delimiter.

What is the public IPv4 address of the server running www.brewertalk.com?

Provide the IP address of the system used to run a web vulnerability scan against www.brewertalk.com.

The IP address from Q#2 is also being used by a likely different piece of software to attack a URI path. What is the URI path? Answer guidance: Include the leading forward slash in your answer. Do not include the query string or other parts of the URI. Answer example: /phpinfo.php

What SQL function is being abused on the URI path from the previous question?

What was the value of the cookie that Kevin’s browser transmitted to the malicious URL as part of an XSS attack? Answer guidance: All digits. Not the cookie name or symbols like an equal sign.

What brewertalk.com username was maliciously created by a spear phishing attack?

Mallory’s critical PowerPoint presentation on her MacBook gets encrypted by ransomware on August 18. What is the name of this file after it was encrypted?
Frothly_marketing_campaign_Q317.pptx.crypt

There is a Games of Thrones movie file that was encrypted as well. What season and episode is it?

S07E02

Kevin Lagerfield used a USB drive to move malware onto kutekitten, Mallory’s personal MacBook. She ran the malware, which obfuscates itself during execution. Provide the vendor name of the USB drive Kevin likely used. Answer Guidance: Use time correlation to identify the USB drive.

Alcor Micro Corp.

What programming language is at least part of the malware from the question above written in?

Perl

When was this malware first seen in the wild? Answer Guidance: YYYY-MM-DD

2017-01-17

The malware infecting kutekitten uses dynamic DNS destinations to communicate with two C&C servers shortly after installation. What is the fully-qualified domain name (FQDN) of the first (alphabetically) of these destinations?

eidk.duckdns.org

From the question above, what is the fully-qualified domain name (FQDN) of the second (alphabetically) contacted C&C server?

eidk.hopto.org

A Federal law enforcement agency reports that Taedonggang often spear phishes its victims with zip files that have to be opened with a password. What is the name of the attachment sent to Frothly by a malicious Taedonggang actor?

invoice.zip

What is the password to open the zip file?

912345678

The Taedonggang APT group encrypts most of their traffic with SSL. What is the “SSL Issuer” that they use for the majority of their traffic? Answer guidance: Copy the field exactly, including spaces.

C = US

What unusual file (for an American company) does winsys32.dll cause to be downloaded into the Frothly environment?

나는데이비드를사랑한다.hwp

What is the first and last name of the poor innocent sap who was implicated in the metadata of the file that executed PowerShell Empire on the first victim’s workstation? Answer example: John Smith

Ryan Kovar

Within the document, what kind of points is mentioned if you found the text?

CyberEastEgg

To maintain persistence in the Frothly network, Taedonggang APT configured several Scheduled Tasks to beacon back to their C2 server. What single webpage is most contacted by these Scheduled Tasks? Answer example: index.php or images.html

process.php

Room Link : Splunk 2

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
