- We will be using TryHackMe's Splunk 2 Room to complete Splunk's Boss of the SOC (BOTS) challenge.
- The data included in this app was generated in August of 2017 by members of Splunk's Security Specialist team - Dave Herrald, Ryan Kovar, Steve Brant, Jim Apger, John Stoner, Ken Westin, David Veuve and James Brodsky. They stood up a few lab environments connected to the Internet. Within the environment they had a few Windows endpoints instrumented with the Splunk Universal Forwarder and Splunk Stream. The forwarders were configured with best practices for Windows endpoint monitoring, including a full Microsoft Sysmon deployment and best practices for Windows Event logging. The environment included a Palo Alto Networks next-generation firewall to capture traffic and provide web proxy services, and Suricata to provide network-based IDS.
BOTSv2 Github: https://github.com/splunk/botsv2
- In this exercise, you assume the persona of Alice Bluebird, the analyst who successfully assisted Wayne Enterprises and was recommended to Grace Hoppy at Frothly (a beer company) to assist them with their recent issues.
- The SPL (Splunk Search Processing Language) command metadata can be used to search for the same kind of information that is found in the Data Summary, with the bonus of being able to search within a specific index, if desired. All time-values are returned in EPOCH time, so to make the output user readable, the eval command should be used to provide more human-friendly formatting.
- In this example, we will search the botsv2 index and return a listing of all the source types that can be found as well as a count of events and the first time and last time seen.
- http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata
- https://www.splunk.com/blog/2017/07/31/metadata-metalore.html
Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team. What is the website domain that she visited?
Following along with the instructions, we use the command index="botsv2" amber to get some information about Amber.
With index="botsv2" sourcetype="pan:traffic" amber we can find the following IP address: 10.0.2.101
To look for HTTP connections including that IP, we use index="botsv2" sourcetype="stream:http" 10.0.2.101.
This yields 2147 events, but we can whittle it down.
We can attempt to remove duplicate sites visited by using the dedup command, like so: index="botsv2" sourcetype="stream:http" 10.0.2.101 | dedup site
This brings the number of results down to 107.
We can restrict the view to a table of the site column using: index="botsv2" sourcetype="stream:http" 10.0.2.101 | dedup site | table site
Finally, a competitor is in the same industry, so we can add that as a search keyword:
index="botsv2" sourcetype="stream:http" 10.0.2.101 *beer* | dedup site | table site
Answer: www.berkbeer.com
Amber found the executive contact information and sent him an email. What image file displayed the executive's contact information? Answer example: /path/image.ext
By using the query index="botsv2" sourcetype="stream:http" 10.0.2.101 www.berkbeer.com, we can find a few datapoints:
We can further filter it down to just the image by piping the results through the table uri_path command:
index="botsv2" sourcetype="stream:http" 10.0.2.101 www.berkbeer.com | table uri_path
The two images that could be the correct answer are /images/ceoberk.png and /images/chiefscience.png. Chief Science Officers are rarely involved in such dealings, so I went with the former.
Answer: /images/ceoberk.png
What is the CEO's name? Provide the first and last name.
To start, we need Amber's email address.
The command index="botsv2" sourcetype="stream:smtp" amber produces the address aturing@froth.ly.
We can then use the command index="botsv2" sourcetype="stream:smtp" aturing@froth.ly berkbeer.com | table _raw to get 4 results (in raw format).
A text search for "berk" reveals "mberk@berkbeer.com"; searching for that address reveals "Martin Berk".
Answer: Martin Berk
What is the CEO's email address?
Answer: mberk@berkbeer.com
After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee's email address?
By going back to our initial emails view and scrolling down, we find:
Answer: hbernhard@berkbeer.com
What is the name of the file attachment that Amber sent to a contact at the competitor?
From the previous view, we can expand the attach_filename array to show the attachment's filename.
Answer: Saccharomyces_cerevisiae_patent.docx
What is Amber's personal email address?
Working from the hint prompting us to look for encoded content, I found this base64 encoded block of text:
I put that block into Cyberchef to get the following:
Answer: ambersthebest@yeastiebeastie.com
What version of TOR Browser did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one or more delimiter.
The suggested search string is index="botsv2" amber tor, which yields hundreds of results. When downloading Tor myself, I found that the installer filename on Windows is torbrowser-install.
Searching for index="botsv2" amber tor torbrowser-install yields the following:
Answer: 7.0.4
What is the public IPv4 address of the server running www.brewertalk.com?
By searching for index="botsv2" sourcetype="stream:http" www.brewertalk.com and scrolling a bit, we find:
Answer: 52.42.208.228
Provide the IP address of the system used to run a web vulnerability scan against www.brewertalk.com.
By focusing on the day with the most events, we can investigate the most common src for all events involving the website.
Answer: 45.77.65.211
The IP address from Q#2 is also being used by a likely different piece of software to attack a URI path. What is the URI path? Answer guidance: Include the leading forward slash in your answer. Do not include the query string or other parts of the URI. Answer example: /phpinfo.php
Looking at the output of the command index="botsv2" sourcetype="stream:http" 52.42.208.228 | dedup uri_path, we can see a number of file types (.css, .php, .js, etc.), which suggests a PHP backend. As such, we narrow our query to index="botsv2" sourcetype="stream:http" 52.42.208.228 php | dedup uri_path
Answer: /member.php
What SQL function is being abused on the URI path from the previous question?
Looking at the responses from before, we can filter using this query: index="botsv2" sourcetype="stream:http" uri_path="/member.php"
Looking a bit further, at the events containing the word error, we can see the updatexml function being called and producing an XPath syntax error.
Answer: updatexml
What was the value of the cookie that Kevin's browser transmitted to the malicious URL as part of an XSS attack? Answer guidance: All digits. Not the cookie name or symbols like an equal sign.
Filtering again with the command index="botsv2" sourcetype="stream:http" 52.42.208.228 uri_path="/member.php", we can look at the set_cookie array.
There are two different values, 1502408194 and 1502408189, although only the latter works.
Answer: 1502408189
What brewertalk.com username was maliciously created by a spear phishing attack?
Searching for index="botsv2" sourcetype="stream:http" kevin gives 13 events; in the first one, within the form_data field, we can see the homograph kIagerfield being used to log into an account.
Answer: kIagerfield
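As an added example (not from the page), a defender's check for look-alike account names of the kind found above: it folds characters that render alike (capital I and lowercase l, rn and m, 0 and o) and flags newly created accounts that collide with an existing user only after that folding. The legitimate user name klagerfield and the other sample names are assumed, not taken from the dataset.

```python
import unicodedata

# Characters and sequences that render alike in common fonts. The capital I
# standing in for a lowercase l is the trick behind kIagerfield above.
CONFUSABLE_CHARS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w"}

def skeleton(name):
    """Canonical form under which look-alike user names collide. NFKC folds
    full-width and other compatibility characters first; the confusable map
    is applied before case folding so 'I' becomes 'l', not 'i'."""
    s = unicodedata.normalize("NFKC", name).translate(CONFUSABLE_CHARS)
    for seq, replacement in CONFUSABLE_SEQUENCES.items():
        s = s.replace(seq, replacement)
    return s.casefold()

def find_lookalike_accounts(existing_users, new_users):
    """Return (new_name, existing_name) pairs where a newly created account is
    a different string from an existing user but shares its skeleton."""
    by_skeleton = {}
    for user in existing_users:
        by_skeleton.setdefault(skeleton(user), user)
    hits = []
    for name in new_users:
        original = by_skeleton.get(skeleton(name))
        if original is not None and original != name:
            hits.append((name, original))
    return hits

# Constructed sample modelled on the brewertalk.com finding; the legitimate
# account names are assumed, not taken from the dataset.
EXISTING_USERS = ["klagerfield", "mkraeusen", "aturing"]
NEW_USERS = ["kIagerfield", "bbrewer", "rnkraeusen"]

if __name__ == "__main__":
    for new_name, original in find_lookalike_accounts(EXISTING_USERS, NEW_USERS):
        print(f"{new_name!r} looks like existing user {original!r}")
```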
Mallory's critical PowerPoint presentation on her MacBook gets encrypted by ransomware on August 18. What is the name of this file after it was encrypted?
First, we look for devices that Mallory may own, so we perform the following search: index="botsv2" mallory
This produces a ton of results, but also gives us MACLORY-AIR13, which corresponds to a MacBook Air and is a fun pun on the name Mallory. Moving on.
We can then look for PowerPoint files (which used to end in .ppt and now usually end in .pptx) on this host.
The command for that would be index="botsv2" host="MACLORY-AIR13" (*.ppt OR *.pptx)
Note: whilst many strings are not considered case sensitive in Splunk, OR definitely is.
Answer: Frothly_marketing_campaign_Q317.pptx.crypt
There is a Games of Thrones movie file that was encrypted as well. What season and episode is it?
For this question we can look at any file ending with the .crypt extension using the search query index="botsv2" host="MACLORY-AIR13" (*.crypt).
This however yields an unsightly 1103 events to filter out.
We can filter this further by searching for file_events (because encryption usually affects a file in some way, shape or form) using the following query: index="botsv2" host="MACLORY-AIR13" (*.crypt) name="file_events".
This yields S7E2, which in standard series notation is S07E02.
Answer: S07E02
Kevin Lagerfield used a USB drive to move malware onto kutekitten, Mallory's personal MacBook. She ran the malware, which obfuscates itself during execution. Provide the vendor name of the USB drive Kevin likely used. Answer Guidance: Use time correlation to identify the USB drive.
We start by looking at file events on the host: index="botsv2" host="kutekitten" name="file_events"
This leads us to this suspicious filename: Users/mkraeusen/Downloads/Important_HR_INFO_for_mkraeusen
Searching for it with this query: index="botsv2" host="kutekitten" \\/Users\\/mkraeusen\\/Downloads\\/Important_HR_INFO_for_mkraeusen produces the following hash: befa9bfe488244c64db096522b4fad73fc01ea8c4cd0323f1cbdee81ba008271, which VirusTotal flags as malicious, leading us to think we are on the right path.
Searching for index="botsv2" host="kutekitten" usb between Thu Aug 03 17:19:07 2017 UTC and Thu Aug 03 19:19:07 2017 UTC produces a manageable 52 events, which we can filter down to 30 using the sourcetype="osquery_results" filter.
This leads us to a vendor_id of 058f, which, when looked up, corresponds to Alcor Micro Corp.
Answer: Alcor Micro Corp.
What programming language is at least part of the malware from the question above written in?
From the VirusTotal page mentioned above, we can see that it is Perl.
Answer: Perl
When was this malware first seen in the wild? Answer Guidance: YYYY-MM-DD
From VirusTotal, we can see that the malware is called FruitFly (alternatively Quimitchin), and searching for that name leads us to a Malwarebytes article, which was posted on 2017-01-18.
The article doesn't state when the malware was discovered (read: I'm guessing backwards), but it happened the day before.
Answer: 2017-01-17
The malware infecting kutekitten uses dynamic DNS destinations to communicate with two C&C servers shortly after installation. What is the fully-qualified domain name (FQDN) of the first (alphabetically) of these destinations?
By plugging the hash from earlier (befa9bfe488244c64db096522b4fad73fc01ea8c4cd0323f1cbdee81ba008271) into Hybrid Analysis, we get the following domains contacted:
Answer: eidk.duckdns.org
From the question above, what is the fully-qualified domain name (FQDN) of the second (alphabetically) contacted C&C server?
Answer: eidk.hopto.org
A Federal law enforcement agency reports that Taedonggang often spear phishes its victims with zip files that have to be opened with a password. What is the name of the attachment sent to Frothly by a malicious Taedonggang actor?
We can run this query to find the name of the file.
index="botsv2" sourcetype="stream:smtp" *.zip
Answer: invoice.zip
What is the password to open the zip file?
We just read through the message's content to find the password to the zip.
Answer: 912345678
The Taedonggang APT group encrypts most of their traffic with SSL. What is the "SSL Issuer" that they use for the majority of their traffic? Answer guidance: Copy the field exactly, including spaces.
First, copy all of the base64 representation of the file to a text file (in my case ~/zip.b64).
Then, we write a bit of Python:
# Read the pasted base64 text, strip every newline, space and tab that was
# copied along with the _raw field, and write the result back out as one line.
with open("zip.b64") as f:
    lines = f.readlines()
cleaned = [line.replace("\n", "").replace(" ", "").replace("\t", "") for line in lines]
with open("zip.b64.concat", "w") as f2:
    f2.write("".join(cleaned))
This should produce a file named zip.b64.concat which looks like this:
And then we can use the command line to produce a zip, unzip it, then get the hash for the file within!
base64 --decode zip.b64.concat > invoice.zip
unzip invoice.zip
sha256sum invoice.doc
By plugging the hash of the file (d8834aaa5ad6d8ee5ae71e042aca5cab960e73a6827e45339620359633608cf1) into Hybrid Analysis, we get the following domains contacted:
Weirdly enough, address number 2 (45.77.65.211) is the same as for question 4.3.
If we search for it in Splunk, we get the following:
index="botsv2" sourcetype="stream:tcp" "45.77.65.211"
Answer: C = US
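The base64 cleanup, decode and hashing steps above, combined into one self-contained script as an added example (not the page's own code): it re-assembles the wrapped attachment body, verifies the decoded bytes really are a zip before trusting them, and hashes every member of the archive. The zip and the "invoice.doc" inside it are constructed in memory, so the hash differs from the real file's.

```python
import base64
import hashlib
import io
import zipfile

def reassemble_base64(raw_lines):
    """Join a MIME body that Splunk shows as many wrapped, indented lines back
    into one base64 string (whitespace inside base64 never carries data)."""
    return "".join("".join(line.split()) for line in raw_lines)

def decode_attachment(raw_lines):
    """Decode the base64 attachment and check it really is a zip (PK signature)."""
    blob = base64.b64decode(reassemble_base64(raw_lines), validate=True)
    if not blob.startswith(b"PK\x03\x04"):
        raise ValueError("decoded attachment is not a zip archive")
    return blob

def hash_zip_members(zip_bytes, password=None):
    """Return {member_name: sha256 hex} for every file inside the archive,
    using the password from the email body if the archive needs one."""
    pwd = password.encode() if password else None
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info, pwd=pwd)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}

# Constructed sample: a tiny zip holding a fake "invoice.doc", base64-encoded
# and wrapped/indented the way an SMTP body appears in the _raw field.
DOC_BYTES = b"constructed sample document, not the real invoice.doc"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("invoice.doc", DOC_BYTES)
_b64 = base64.b64encode(_buf.getvalue()).decode()
SAMPLE_RAW_LINES = ["\t" + _b64[i:i + 60] + "\n" for i in range(0, len(_b64), 60)]

def sample_hash_matches():
    """True when the hash recovered from the re-assembled base64 equals the
    hash of the original document bytes."""
    hashes = hash_zip_members(decode_attachment(SAMPLE_RAW_LINES))
    return hashes == {"invoice.doc": hashlib.sha256(DOC_BYTES).hexdigest()}

if __name__ == "__main__":
    for name, digest in hash_zip_members(decode_attachment(SAMPLE_RAW_LINES)).items():
        print(name, digest)
```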
What unusual file (for an American company) does winsys32.dll cause to be downloaded into the Frothly environment?
We can first look at index="botsv2" winsys32.dll
It gets loaded by ftp.exe, so maybe we can look at FTP streams: index="botsv2" sourcetype="stream:ftp"
To filter it out a bit, we can limit ourselves to FTP downloads, which are the RETR method.
index="botsv2" sourcetype="stream:ftp" method=RETR
We can see it download a weird .hwp file, whose name is the answer.
Answer: 나는_데이비드를_사랑한다.hwp
What is the first and last name of the poor innocent sap who was implicated in the metadata of the file that executed PowerShell Empire on the first victim's workstation? Answer example: John Smith
If we look at the file invoice.doc with the file utility, we get some interesting information, including the name of the Author.
Answer: Ryan Kovar
Within the document, what kind of points is mentioned if you found the text?
If you open the AnyRun link provided in the description, you will see the text mentioned.
Answer: CyberEastEgg
To maintain persistence in the Frothly network, Taedonggang APT configured several Scheduled Tasks to beacon back to their C2 server. What single webpage is most contacted by these Scheduled Tasks? Answer example: index.php or images.html
Scheduled tasks are usually set up with some call to schtasks.exe, so we can look for references to it in Splunk.
index="botsv2" schtasks.exe
This produces two types of logs: Windows Events and Sysmon Logs.
Let us filter on the latter: index="botsv2" sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" schtasks.exe
If we focus around the day of the incident, we should see a PowerShell command being executed:
Within the fields is CommandLine, which references the registry key HKLM:\Software\Microsoft\Network debug, which we can then query for:
index="botsv2" source="winregistry" "Software\\Microsoft\\Network"
This produces some base64 code, which we can plug into CyberChef (the weird dots can be removed with the Remove Null Bytes element).
This references one single PHP file (process.php), and since this event is from the same timeframe as the rest of the incident, we assume it is the correct file.
Answer: process.php
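The "weird dots" are the NUL bytes of UTF-16LE: powershell -EncodedCommand base64-encodes the script as UTF-16LE, so decoding the blob as UTF-16LE recovers the text without stripping anything by hand. The following is an added example (not from the page): it decodes a set of constructed task payloads and tallies which page they contact; the host name is a placeholder, not a domain from the dataset.

```python
import base64
import re
from collections import Counter
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)

def decode_encoded_command(b64):
    """Decode a PowerShell -EncodedCommand blob back to script text.

    PowerShell base64-encodes the script as UTF-16LE, so every ASCII letter is
    followed by a NUL byte (the 'weird dots'). Decoding as UTF-16LE recovers the
    text directly; blobs without that NUL pattern are treated as UTF-8."""
    raw = base64.b64decode("".join(b64.split()))
    odd_nuls = raw[1::2].count(0)
    if len(raw) % 2 == 0 and odd_nuls > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")

def contacted_pages(script):
    """Return the URL path (e.g. '/process.php') of every URL in the script."""
    return [urlparse(url).path for url in URL_RE.findall(script)]

def most_contacted_page(encoded_blobs):
    """Tally the pages across all decoded commands and return the top one."""
    counts = Counter()
    for blob in encoded_blobs:
        counts.update(contacted_pages(decode_encoded_command(blob)))
    return counts.most_common(1)[0][0] if counts else None

def encode_for_powershell(script):
    """Only used to build the constructed sample the way -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample (hypothetical): three task payloads; the host is a
# placeholder, not a domain from the dataset.
SAMPLE_TASKS = [
    encode_for_powershell("Invoke-WebRequest -Uri 'http://c2-placeholder.invalid/process.php'"),
    encode_for_powershell("Invoke-WebRequest -Uri 'http://c2-placeholder.invalid/process.php?id=1'"),
    encode_for_powershell("Invoke-WebRequest -Uri 'http://c2-placeholder.invalid/images.html'"),
]

if __name__ == "__main__":
    for blob in SAMPLE_TASKS:
        print(decode_encoded_command(blob))
    print("most contacted page:", most_contacted_page(SAMPLE_TASKS))
```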