We covered responding to a cyber incident using Splunk to analyze the related events and uncover the attack artifacts. This was part of the TryHackMe room Incident Handling with Splunk.

Description

Learn to use Splunk for incident handling through interactive scenarios.

Highlights

Incident Handling Life Cycle

1. Preparation

The preparation phase covers the readiness of an organization against an attack: documenting the requirements, defining the policies, deploying the security controls that will be monitored (EDR, SIEM, IDS, IPS, etc.), and hiring and training the staff.

2. Detection and Analysis

The detection and analysis phase covers everything related to detecting an incident and analyzing it: receiving alerts from security controls such as the SIEM or EDR, investigating each alert to find its root cause, and hunting for unknown threats within the organization.

3. Containment, Eradication, and Recovery

This phase covers the actions needed to stop the incident from spreading and to secure the network: isolating the infected hosts, clearing the traces of the infection from the network, and regaining control of the affected systems.

4. Post-Incident Activity / Lessons Learnt

This phase identifies the weaknesses in the organization’s security posture that allowed the intrusion and fixes them so that the same attack does not succeed again. The steps involve identifying the weaknesses that led to the attack, adding detection rules for the observed behaviour so that a similar breach is caught early, and, most importantly, training the staff where required.

Scenario

A large corporate organization, Wayne Enterprises, has recently suffered a cyber-attack: the attackers broke into its network, found their way to the web server, and defaced the website http://www.imreallynotbatman.com. The site now shows the attackers’ trademark with the message YOUR SITE HAS BEEN DEFACED.

They have asked us to join them as a Security Analyst, investigate the attack, find the root cause, and trace all of the attackers’ activities within their network.

Room Answers

One Suricata alert highlighted the CVE value associated with the attack attempt. What is the CVE value?

What is the CMS our web server is using?

What is the web scanner the attacker used to perform the scanning attempts?

What is the IP address of the server imreallynotbatman.com?

What was the URI which got multiple brute force attempts?

Against which username was the brute force attempt made?

What was the correct password for admin access to the content management system running imreallynotbatman.com?

How many unique passwords were attempted in the brute force attempt?

What IP address is likely attempting a brute force password attack against imreallynotbatman.com?

After finding the correct password, which IP did the attacker use to log in to the admin panel?

Sysmon also collects the hash value of the processes being created. What is the MD5 hash of the program 3791.exe?

Looking at the logs, which user executed the program 3791.exe on the server?

Search for the hash on VirusTotal. What other name is associated with the file 3791.exe?

What is the name of the file that defaced the imreallynotbatman.com website?

The Fortigate firewall (‘fortigate_utm’) detected an SQL injection attempt from the attacker’s IP 40.80.148.42. What is the name of the rule that was triggered during the SQL injection attempt?

This attack used dynamic DNS to resolve to the malicious IP. What fully qualified domain name (FQDN) is associated with this attack?

What IP address has P01s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?

Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address that is most likely associated with the P01s0n1vy APT group?

What is the HASH of the Malware associated with the APT group?

What is the name of the Malware associated with the Poison Ivy Infrastructure?
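The brute-force questions above (the targeted URI, the username, the number of unique passwords, the source IP, and the second IP that logged in with the working password) all come down to the same analysis: filter the web-server POST events to the login URI, split the form data into fields, and aggregate. The following is an added example that is not code from the room or from the Splunk dataset it uses; it runs that analysis in Python over a handful of constructed events whose IP addresses, URI, field names and passwords are all invented for illustration. The "a password re-sent from a second source address is the one that worked" step is the heuristic the room relies on, not a guarantee.

```python
"""Brute-force triage over web-server login POSTs.

Added example, not code from the TryHackMe room or its dataset. The events,
IP addresses, login URI and passwords are constructed; the field names only
loosely mirror Splunk stream:http events and are assumptions.
"""
from __future__ import annotations

import json
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Hypothetical admin login URI of the CMS under attack (assumption).
LOGIN_URI = "/cms/administrator/index.php"

# Constructed sample events, one JSON object per line. 198.51.100.7 sprays
# passwords at the login URI (one of them twice); 203.0.113.44 later sends
# the password "gotham1" once, which is the replay we are looking for.
SAMPLE_LOG = """
{"src_ip": "198.51.100.7", "dest_ip": "192.0.2.20", "http_method": "GET", "uri": "/", "form_data": ""}
{"src_ip": "198.51.100.7", "dest_ip": "192.0.2.20", "http_method": "POST", "uri": "/cms/administrator/index.php", "form_data": "username=admin&passwd=123456&task=login"}
{"src_ip": "198.51.100.7", "dest_ip": "192.0.2.20", "http_method": "POST", "uri": "/cms/administrator/index.php", "form_data": "username=admin&passwd=password&task=login"}
{"src_ip": "198.51.100.7", "dest_ip": "192.0.2.20", "http_method": "POST", "uri": "/cms/administrator/index.php", "form_data": "username=admin&passwd=letmein&task=login"}
{"src_ip": "198.51.100.7", "dest_ip": "192.0.2.20", "http_method": "POST", "uri": "/cms/administrator/index.php", "form_data": "username=admin&passwd=gotham1&task=login"}
{"src_ip": "198.51.100.7", "dest_ip": "192.0.2.20", "http_method": "POST", "uri": "/cms/administrator/index.php", "form_data": "username=admin&passwd=123456&task=login"}
{"src_ip": "203.0.113.44", "dest_ip": "192.0.2.20", "http_method": "POST", "uri": "/cms/administrator/index.php", "form_data": "username=admin&passwd=gotham1&task=login"}
{"src_ip": "203.0.113.44", "dest_ip": "192.0.2.20", "http_method": "POST", "uri": "/cms/contact", "form_data": "name=bob&msg=hi"}
"""


def parse_events(raw: str) -> list[dict]:
    """Parse one JSON event per line and split form_data into a field dict."""
    events = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # parse_qs returns a list per key; keep the first value of each field
        ev["form"] = {k: v[0] for k, v in parse_qs(ev.get("form_data", "")).items()}
        events.append(ev)
    return events


def login_posts(events: list[dict], uri: str = LOGIN_URI) -> list[dict]:
    """Only POSTs to the login URI that carry a password field count as attempts."""
    return [e for e in events
            if e["http_method"] == "POST" and e["uri"] == uri and "passwd" in e["form"]]


def brute_force_summary(events: list[dict], uri: str = LOGIN_URI) -> dict:
    """Who is hammering the login URI, which account, and how many distinct guesses."""
    attempts = login_posts(events, uri)
    by_ip = Counter(e["src_ip"] for e in attempts)
    usernames = Counter(e["form"].get("username", "") for e in attempts)
    return {
        "uri": uri,
        "attempts": len(attempts),
        "top_source": by_ip.most_common(1)[0][0] if by_ip else None,
        "attempts_by_ip": dict(by_ip),
        "target_username": usernames.most_common(1)[0][0] if usernames else None,
        # a repeated guess from the same host is still one unique password
        "unique_passwords": len({e["form"]["passwd"] for e in attempts}),
    }


def find_reused_password(events: list[dict], uri: str = LOGIN_URI):
    """Heuristic: the one password later re-sent from a second source address is
    the one that worked. Returns (password, brute_force_ip, login_ip) or None."""
    ips_by_pw: dict[str, list[str]] = defaultdict(list)
    for e in login_posts(events, uri):          # events are in time order
        pw, ip = e["form"]["passwd"], e["src_ip"]
        if ip not in ips_by_pw[pw]:
            ips_by_pw[pw].append(ip)
    for pw, ips in ips_by_pw.items():
        if len(ips) > 1:
            return pw, ips[0], ips[1]
    return None


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(brute_force_summary(evs))
    print(find_reused_password(evs))
```

Against the constructed log this reports 6 attempts, 5 of them from 198.51.100.7 against the admin account with 4 unique passwords, and flags gotham1 as the guess that was replayed from 203.0.113.44. In Splunk the same questions are answered with the same shape of query: restrict to POSTs against the login URI, extract the password field, then count by source address or by distinct password.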

Video Walkthrough

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.