Premise

The video is a technical walkthrough focused on using Splunk to investigate a ransomware attack scenario. It is a continuation of a previous video, diving into advanced steps for handling cyber threats.

Splunk Study Notes

Splunk SIEM Full Course with Practical Scenarios

Scenario Overview

The video examines a virtual machine infected with ransomware, with the objective of using Splunk to investigate the attack. The goal is not to recover files but to build a timeline of events to understand how the attack happened, identify the malicious files, and uncover key attack artifacts.

Task 6 focuses on determining the IP address of the infected machine. Using a Splunk search query, the user narrows down relevant fields to identify the source IP address associated with the ransomware.

USB Forensics: The video also covers identifying the name of a USB key that was inserted into the system, which triggered the infection. By searching Windows registry logs in Splunk, the user locates the “friendly name” of the USB key.

File Execution and Process Creation: After the USB insertion, a file execution occurs, initiating the infection. Splunk is used to trace the processes spawned by the executed file, specifically tracking the chain of processes initiated by a Microsoft Word file from the USB.

Splunk Query Building

The instructor demonstrates how to construct Splunk queries to filter and analyze specific events, like file executions and registry changes. Emphasis is placed on querying Windows registry data, filtering by process events, and using Splunk’s visualization tools to format the results.

The video showcases how to identify parent-child process relationships, revealing the chain of execution from the infected Word document to subsequent processes like Visual Basic scripts.

The walkthrough also discusses using specific Splunk fields to extract detailed information about the attack, including commands executed by processes and file paths.
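As an added example (not code from the video or the TryHackMe room), the two investigative steps described above, pulling a USB key's friendly name out of registry change events and reconstructing parent-child process chains from process-creation events, carried out in Python over constructed sample data. The field names (`key_path`, `data`, `process_id`, `parent_process_id`, `process_name`, `command_line`) and every device, file and process value are assumptions and placeholders, not values from the BOTS dataset.

```python
import re
from collections import defaultdict

# --- Constructed sample data (not from the BOTS dataset) -------------------
# Registry change events in a key="value" layout like Splunk's extracted
# fields; key paths and device names are placeholders.
REGISTRY_LINES = [
    'registry_type="SetValue" key_path="HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Hostname" data="WORKSTATION-EXAMPLE"',
    'registry_type="SetValue" key_path="HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Example&Prod_Flash\\0000000001&0\\FriendlyName" data="EXAMPLE_USB_KEY"',
    'registry_type="SetValue" key_path="HKLM\\System\\CurrentControlSet\\Enum\\USB\\VID_0000&PID_0000\\0000000001\\FriendlyName" data="Example Mass Storage"',
]

# Process-creation events (Sysmon Event ID 1 style); pids, names and the
# document path are hypothetical.
EVENTS = [
    {"_time": "2016-08-24T16:50:00", "process_id": 1000, "parent_process_id": 400,
     "process_name": "explorer.exe", "command_line": "explorer.exe"},
    {"_time": "2016-08-24T16:52:10", "process_id": 2000, "parent_process_id": 1000,
     "process_name": "WINWORD.EXE",
     "command_line": 'WINWORD.EXE /n "E:\\example_document.docx"'},
    {"_time": "2016-08-24T16:52:31", "process_id": 3000, "parent_process_id": 2000,
     "process_name": "cmd.exe", "command_line": "cmd.exe /c echo hypothetical"},
    {"_time": "2016-08-24T16:52:32", "process_id": 3001, "parent_process_id": 2000,
     "process_name": "wscript.exe",
     "command_line": "wscript.exe //E:vbscript hypothetical.vbs"},
    {"_time": "2016-08-24T16:53:05", "process_id": 4000, "parent_process_id": 3001,
     "process_name": "example.tmp", "command_line": "example.tmp"},
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv(line):
    """Turn one key="value" event line into a dict."""
    return dict(KV_RE.findall(line))


def usb_friendly_names(lines):
    """FriendlyName values written under the USBSTOR enumeration key."""
    names = []
    for line in lines:
        ev = parse_kv(line)
        path = ev.get("key_path", "").upper()
        if "\\USBSTOR\\" in path and path.endswith("\\FRIENDLYNAME"):
            names.append(ev["data"])
    return names


def children_of(events, pid):
    """Processes spawned by pid, oldest first."""
    return sorted((e for e in events if e["parent_process_id"] == pid),
                  key=lambda e: e["_time"])


def ancestry(events, pid):
    """Chain of process names from the earliest known ancestor down to pid."""
    by_pid = {e["process_id"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen-set guards pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["process_name"])
        pid = by_pid[pid]["parent_process_id"]
    return list(reversed(chain))


def processes_with_n_children(events, n):
    """Names of processes that spawned exactly n children, in time order."""
    counts = defaultdict(int)
    for e in events:
        counts[e["parent_process_id"]] += 1
    by_pid = {e["process_id"]: e for e in events}
    hits = [by_pid[p] for p, c in counts.items() if c == n and p in by_pid]
    return [e["process_name"] for e in sorted(hits, key=lambda e: e["_time"])]


def command_line_length(events, pid):
    """Character length of the command_line field for pid."""
    by_pid = {e["process_id"]: e for e in events}
    return len(by_pid[pid]["command_line"])


def execution_timeline(events):
    """(time, parent name, child name) rows, oldest first."""
    by_pid = {e["process_id"]: e for e in events}
    rows = []
    for e in sorted(events, key=lambda e: e["_time"]):
        parent = by_pid.get(e["parent_process_id"])
        rows.append((e["_time"], parent["process_name"] if parent else "<unknown>",
                     e["process_name"]))
    return rows


if __name__ == "__main__":
    print("USB keys seen:", usb_friendly_names(REGISTRY_LINES))
    for t, parent, child in execution_timeline(EVENTS):
        print(f"{t}  {parent} -> {child}")
    print("Spawned two children:", processes_with_n_children(EVENTS, 2))
    print("Chain to 4000:", " -> ".join(ancestry(EVENTS, 4000)))
```

In Splunk the same questions are answered by searching the registry and process-creation sourcetypes and running `stats count by` the parent and child process ID fields; the Python version just makes the logic behind that search explicit, including the ancestry walk back to the document that started the chain.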

Room Answers | TryHackMe Boss of the SOC V1

What was the most likely IP address of we8105desk on 24AUG2016?

 

What is the name of the USB key inserted by Bob Smith?

 

After the USB insertion, a file execution occurs that is the initial Cerber infection. This file execution creates two additional processes. What is the name of the file?

 

During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of this field?

 

Bob Smith’s workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?

 

What was the first suspicious domain visited by we8105desk on 24AUG2016?

 

The malware downloads a file that contains the Cerber ransomware cryptor code. What is the name of that file?

 

What is the parent process ID of 121214.tmp?

 

Amongst the Suricata signatures that detected the Cerber malware, which signature ID alerted the fewest number of times?

 

The Cerber ransomware encrypts files located in Bob Smith’s Windows profile. How many .txt files does it encrypt?

 

How many distinct PDFs did the ransomware encrypt on the remote file server?

 

What fully qualified domain name (FQDN) does the Cerber ransomware attempt to direct the user to at the end of its encryption phase?

 

Video Walkthrough


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
