Premise

In this video walkthrough, we covered investigating a malware/ransomware USB attack with Splunk to uncover artifacts related to the nature of the incident. This training is part of the Splunk SIEM Boss of the SOC v2 300-series questions.


Scenario Overview

  • The investigation focuses on tracing how ransomware infiltrated Mallory’s MacBook via a USB device, encrypting critical files. The tutorial explains using Splunk queries to identify affected files, track malware execution, and determine the USB brand used for the infection.

Steps for Analysis

  • Finding Encrypted Files:
    • By searching for encrypted file extensions (e.g., .crypt), the query filters results to identify filenames post-encryption, revealing files like a PowerPoint and an MKV movie with identifiable ransomware extensions.
  • Locating Malware Execution Path:
    • osquery logs ingested into Splunk are used to trace the path where the malware was dropped. By analyzing paths within Downloads, an “Important HR Info” file with an associated MD5 hash is identified as the malware. The hash is verified on VirusTotal, confirming the file as ransomware.
  • Determining USB Brand:
    • Using timestamps from malware events, the investigator searches for USB connection events prior to the infection. Vendor and model IDs are extracted from these events, correlating the USB drive’s connection with malware initiation.

Key Techniques

File Hash Verification: The MD5 hash of the malware is checked on VirusTotal to confirm it as a threat, detailing its properties and infection behavior.

Time-Based Filtering: By checking events within a 60-second timeframe around the malware detection event, the investigator narrows down relevant USB connection logs.
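The three analysis steps above (extension filter, Downloads drop with a hash, USB events in a 60-second window before the drop) as one added example in Python rather than SPL. It is not code from the video; the event records, field names (ts, kind, action, path, md5, vendor_id, product_id) and the hash placeholder are all constructed and stand in for Splunk search results.

```python
from datetime import datetime, timedelta

# Constructed sample events standing in for Splunk results from the MacBook.
# Field names are assumptions for this example, not the dataset's own fields.
EVENTS = [
    {"ts": "2017-08-18T12:00:05", "kind": "usb", "action": "add",
     "vendor_id": "0x1234", "product_id": "0x5678"},
    {"ts": "2017-08-18T11:30:00", "kind": "usb", "action": "add",
     "vendor_id": "0x9999", "product_id": "0x0001"},  # earlier, outside the window
    {"ts": "2017-08-18T12:00:41", "kind": "file", "action": "created",
     "path": "/Users/mallory/Downloads/Important HR Info", "md5": "PLACEHOLDER_MD5"},
    {"ts": "2017-08-18T12:03:10", "kind": "file", "action": "created",
     "path": "/Users/mallory/Documents/quarterly_review.pptx.crypt"},
    {"ts": "2017-08-18T12:03:12", "kind": "file", "action": "created",
     "path": "/Users/mallory/Movies/show_s00e00.mkv.crypt"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def encrypted_files(events, ext=".crypt"):
    """Step 1: filenames carrying the ransomware extension."""
    return sorted(e["path"] for e in events
                  if e["kind"] == "file" and e.get("path", "").endswith(ext))


def malware_drop(events, folder="/Downloads/"):
    """Step 2: earliest file event under Downloads that carries a hash (dropper candidate).
    The returned md5 is what you would submit to VirusTotal."""
    cands = [e for e in events
             if e["kind"] == "file" and folder in e.get("path", "") and "md5" in e]
    return min(cands, key=lambda e: parse_ts(e["ts"]), default=None)


def usb_before(events, anchor_ts, window=60):
    """Step 3: USB 'add' events in the `window` seconds up to the anchor event.
    Returns (vendor_id, product_id) pairs to look up against a USB ID list."""
    anchor = parse_ts(anchor_ts)
    lo = anchor - timedelta(seconds=window)
    return [(e["vendor_id"], e["product_id"]) for e in events
            if e["kind"] == "usb" and e["action"] == "add"
            and lo <= parse_ts(e["ts"]) <= anchor]


def correlate(events):
    """Chain the steps: find the dropper, then the USB device connected just before it."""
    drop = malware_drop(events)
    return {"encrypted": encrypted_files(events), "dropper": drop,
            "usb_ids": usb_before(events, drop["ts"]) if drop else []}
```

Widening the window (the `window` argument) shows why the 60-second bound matters: the earlier USB event at 11:30 only appears once the window grows past it.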

Room Answers | TryHackMe Splunk 2 Boss of the SOC v2

Mallory’s critical PowerPoint presentation on her MacBook gets encrypted by ransomware on August 18. What is the name of this file after it was encrypted?

There is a Games of Thrones movie file that was encrypted as well. What season and episode is it?

Kevin Lagerfield used a USB drive to move malware onto kutekitten, Mallory’s personal MacBook. She ran the malware, which obfuscates itself during execution. Provide the vendor name of the USB drive Kevin likely used. Answer Guidance: Use time correlation to identify the USB drive.

What programming language is at least part of the malware from the question above written in?

When was this malware first seen in the wild? Answer Guidance: YYYY-MM-DD

The malware infecting kutekitten uses dynamic DNS destinations to communicate with two C&C servers shortly after installation. What is the fully-qualified domain name (FQDN) of the first (alphabetically) of these destinations?

From the question above, what is the fully-qualified domain name (FQDN) of the second (alphabetically) contacted C&C server?

Room Link: Splunk 2

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
