Splunk 2

Dive into the data

In this exercise, you assume the persona of Alice Bluebird, the analyst who successfully assisted Wayne Enterprises and was recommended to Grace Hoppy at Frothly to assist them with their recent issues.

What Kinds of Events Do We Have?

The SPL (Splunk Search Processing Language) command metadata can be used to search for the same kind of information that is found in the Data Summary, with the bonus of being able to search within a specific index, if desired. All time values are returned as epoch timestamps, so to make the output readable, use the eval command with strftime to produce human-friendly formatting.

In this example, we will search the botsv2 index and return a listing of all the source types that can be found as well as a count of events and the first time and last time seen.

Resources:

Metadata command:

| metadata type=sourcetypes index=botsv2
| eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S")
| eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")
| eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S")
| sort - totalCount

100 series questions

The questions below are from the BOTSv2 dataset, questions 100-104. Some additional questions were added.

Question 1

The first objective is to find out what competitor website she visited. What is a good starting point?

When it comes to HTTP traffic, the source and destination IP addresses should be recorded in logs. You need Amber's IP address.

You can start with the following command, index="botsv2" amber, and see what events are returned. Look at the events on the first page.

Amber's IP address is visible in the events related to PAN traffic, but it's not straightforward.

To get her IP address, we can hone in on the PAN traffic source type specifically.

Command: index="botsv2" sourcetype="pan:traffic"

From here, you should have Amber's IP address. You can build a new search query using this information.

It would be best if you used the HTTP stream source type in your new search query.

Using Amber's IP address, construct the following search query.

Command: index="botsv2" IPADDR sourcetype="stream:HTTP"

You must substitute IPADDR with Amber's IP address.

After this query executes, there are many events to sift through for the answer. How else can you narrow this down?

Look at the additional fields.

Another field you can add to the search query to further shrink the returned events list is the site field.

Think about it; you're investigating what competitor website Amber visited.

Expand the search query only to return the site field. Additionally, you can remove duplicate entries and display the results nicely in a table.

Command: index="botsv2" IPADDR sourcetype="stream:HTTP" | KEYWORD site | KEYWORD site

You must substitute KEYWORD with the Splunk commands to remove the duplicate entries and display the output in a table format.

Note: The first KEYWORD is to remove the duplicate entries, and the second is to display the output in a table format.

The returned results show the URIs that Amber visited, but which website is the one that you're looking for?

To help answer these questions: Who does Amber work for, and what industry are they in?

The competitor is in the same industry. The competitor website now should clearly be visible in the table output.

Extra: You can also use the industry as a search phrase to narrow down the results to a handful of events (1 result to be exact).

Command: index="botsv2" IPADDR sourcetype="stream:HTTP" *INDUSTRY* | KEYWORD site | KEYWORD site

Note: Use asterisks to surround the search term.
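To make the behaviour of each stage in that pipeline concrete, here is an added Python model (not code from the room or from Splunk) of index="botsv2" IPADDR sourcetype="stream:HTTP" *INDUSTRY* | dedup site | table site, run over a handful of constructed stream:http events. The IPs, hostnames, paths and the "brew" industry keyword are placeholders, not values from the BOTSv2 dataset; the keyword-matching rules are a simplification of how Splunk tokenises events.

```python
# Added example (not from the TryHackMe room or from Splunk): a small Python model of
# the SPL pipeline  index="botsv2" IPADDR sourcetype="stream:HTTP" *INDUSTRY* | dedup site | table site
# run over constructed stream:http events, so each stage's effect is visible.
import re
from fnmatch import fnmatch

# Constructed sample events (newest first, as Splunk lists them). IPs, hosts and
# paths are placeholders, not values from the BOTSv2 dataset.
EVENTS = [
    {"_time": "2017-08-11 13:02:10", "sourcetype": "stream:http", "src_ip": "10.10.10.5",
     "site": "www.example-brewing.test", "uri_path": "/about/leadership"},
    {"_time": "2017-08-11 13:01:55", "sourcetype": "stream:http", "src_ip": "10.10.10.5",
     "site": "www.example-brewing.test", "uri_path": "/"},
    {"_time": "2017-08-11 13:00:30", "sourcetype": "stream:http", "src_ip": "10.10.10.5",
     "site": "news.example.test", "uri_path": "/sports"},
    {"_time": "2017-08-11 12:59:00", "sourcetype": "stream:http", "src_ip": "10.10.10.9",
     "site": "cdn.example.test", "uri_path": "/lib.js"},
    {"_time": "2017-08-11 12:58:00", "sourcetype": "stream:dns", "src_ip": "10.10.10.5",
     "query": "www.example-brewing.test"},
]

TOKEN_RE = re.compile(r"[\w.\-@]+")


def _tokens(event):
    """Break every field value into tokens, roughly how Splunk indexes keywords."""
    return TOKEN_RE.findall(" ".join(str(v) for v in event.values()).lower())


def _term_matches(tokens, term):
    """A bare term must equal a token; a term containing * is a wildcard (e.g. *brew*)."""
    term = term.lower()
    if "*" in term:
        return any(fnmatch(tok, term) for tok in tokens)
    return term in tokens


def search(events, *terms, **fields):
    """Search stage: every keyword term and every field=value must match the event."""
    results = []
    for ev in events:
        toks = _tokens(ev)
        field_ok = all(str(ev.get(k, "")).lower() == v.lower() for k, v in fields.items())
        if field_ok and all(_term_matches(toks, t) for t in terms):
            results.append(ev)
    return results


def dedup(events, field):
    """dedup stage: keep only the first event seen for each distinct value of the field."""
    seen, out = set(), []
    for ev in events:
        if ev.get(field) not in seen:
            seen.add(ev.get(field))
            out.append(ev)
    return out


def table(events, *fields):
    """table stage: project each event down to the requested fields."""
    return [{f: ev.get(f, "") for f in fields} for ev in events]


def sites_visited(events, ip, industry=None):
    """The walkthrough's query: HTTP events for one client IP, optionally narrowed
    by a wildcard industry keyword, then dedup site | table site."""
    terms = [ip] + ([f"*{industry}*"] if industry else [])
    return table(dedup(search(events, *terms, sourcetype="stream:http"), "site"), "site")


if __name__ == "__main__":
    print(sites_visited(EVENTS, "10.10.10.5"))          # two distinct sites
    print(sites_visited(EVENTS, "10.10.10.5", "brew"))  # narrowed to one
```

Because dedup keeps the first event per value and Splunk lists events newest first, the row that survives for each site is the most recent visit; the wildcard term is what narrows the list to the one site whose name contains the industry keyword.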

Questions 2-7

Amber found the executive contact information and sent him an email. Based on question 2, you know it's an image.

Since you now know the competitor website, you can construct a more specific search query isolating the results to focus on Amber's HTTP traffic to the competitor website.

Command: index="botsv2" IPADDR sourcetype="stream:HTTP" COMPETITOR_WEBSITE

Replace COMPETITOR_WEBSITE with the actual URI of the competitor website.

You can expand on the search query to output the specific field you want in a table format for an easy-to-read format, as we did for the previous objective.

Based on the image, you have the CEO's last name but not his first name. Maybe you can get the name in the email communication.

You can now draw your attention to email traffic, SMTP, but you need Amber's email address. You should be able to get this on your own. :)

Once you have Amber's email address, you can build a search query to focus on her email address and the competitor's website to find events that show email communication between Amber and the competitor.

Command: index="botsv2" sourcetype="stream:smtp" AMBERS_EMAIL COMPETITOR_WEBSITE

Replace AMBERS_EMAIL with her actual email address.

With the returned results from the above search query, you can answer your own remaining questions. :)

Q & A

1) Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team. What is the website domain that she visited?

index="botsv2" amber

Let’s specify the source type in our SPL.

Let’s include the source IP in our SPL query.

index="botsv2" sourcetype="stream:http" "10.0.2.101"
| dedup site
| table site

Answer: www.berkbeer.com

2) Amber found the executive contact information and sent him an email. What image file displayed the executive's contact information? Answer example: /path/image.ext

Now that we have identified the competitor website, let’s incorporate it into our query and analyze the results.

index="botsv2" sourcetype="stream:http" "10.0.2.101" "www.berkbeer.com"

3) What is the CEO's name? Provide the first and last name.

We need to locate Amber’s email address by querying the ‘stream:smtp’ source type.

index="botsv2" sourcetype="stream:smtp" "berkbeer.com"
index="botsv2" sourcetype="stream:smtp" "berkbeer.com" aturing@froth.ly

This gives us 4 results; on the third one, click Show as raw text.

Answer: Martin Berk

4) What is the CEO's email address?

Answer: mberk@berkbeer.com

5) After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee's email address?

Answer: hbernhard@berkbeer.com

6) What is the name of the file attachment that Amber sent to a contact at the competitor?

Answer: Saccharomyces_cerevisiae_patent.docx

7) What is Amber's personal email address?

Let's decode this using CyberChef.

Answer: ambersthebest@yeastiebeastie.com
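The personal address is found by decoding the encoded body of the SMTP event, which the walkthrough does in CyberChef. As an added example (not code from the room), the Python below performs the same decoding for a MIME part whose Content-Transfer-Encoding is base64 or quoted-printable and then extracts every email address from the decoded text. The two sample parts are constructed, with placeholder addresses, so the block runs offline.

```python
# Added example (not from the room): decode a MIME body part the way CyberChef's
# "From Base64" (or "From Quoted Printable") recipe would, then pull out any
# email addresses the decoded text contains.
import base64
import quopri
import re
import textwrap

# Constructed sample parts, shaped like the content of a stream:smtp event. The
# addresses and wording are placeholders, not data from the BOTSv2 dataset.
_PLAIN = b"Hi there, my personal address is someone@personal-mail.test, use that from now on."
SAMPLE_BASE64_PART = (
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    # MIME wraps base64 at 76 columns, so the decoder has to tolerate line breaks
    + "\r\n".join(textwrap.wrap(base64.b64encode(_PLAIN).decode("ascii"), 76))
)
SAMPLE_QP_PART = (
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "You can also reach me at other=40personal-mail.test =\r\n"  # =40 is '@', '=' ends a soft line break
    "on weekends."
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_body(part: str) -> str:
    """Split headers from body and decode the body per Content-Transfer-Encoding."""
    headers, _, body = part.partition("\r\n\r\n")
    m = re.search(r"^Content-Transfer-Encoding:\s*(\S+)", headers, re.I | re.M)
    encoding = m.group(1).lower() if m else "7bit"
    if encoding == "base64":
        # Drop the line wrapping before decoding
        return base64.b64decode("".join(body.split())).decode("utf-8", "replace")
    if encoding == "quoted-printable":
        raw = body.replace("\r\n", "\n").encode("ascii", "replace")
        return quopri.decodestring(raw).decode("utf-8", "replace")
    return body  # 7bit / 8bit: already readable


def extract_addresses(part: str) -> list:
    """Unique email addresses found in the decoded body, sorted for stable output."""
    return sorted(set(EMAIL_RE.findall(decode_body(part))))


if __name__ == "__main__":
    for sample in (SAMPLE_BASE64_PART, SAMPLE_QP_PART):
        print(decode_body(sample))
        print(extract_addresses(sample))
```

The same two-step approach (decode, then search the plaintext) is what you would script if many messages had to be checked rather than pasting one body into CyberChef.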

200 series questions

In this task, we'll attempt to tackle the 200 series questions from the BOTSv2 dataset.

Note: As noted in the previous task, this guide is not the only way to query Splunk for the answers to the questions below.

Question 1

Our first task is to identify the version of Tor that Amber installed. You can use a keyword search to get you started.

What are some good keywords? Definitely Amber. Another would be Tor. Give that a go.

Command: index="botsv2" amber tor

Over 300 results are returned. You can reverse the order of results (hoping the 1st event is the TOR installation) and see if you can get the answer.

You should add another keyword to this search query. I'll leave that task to you.

Command: index="botsv2" amber tor KEYWORD

Replace the KEYWORD with another search term to help narrow down the events to the answer.

Questions 2 & 3

You need to determine the public IP address for brewertalk.com and the IP address performing a web vulnerability scan against it.

You should be able to tackle this one on your own. Use the previous search queries as your guide.

Questions 4 & 5

Now that you have the attacker IP address, build your new search query with the attacker IP as the source IP.

Command: index="botsv2" src_ip="ATTACKER_IP"

Tip: Change the Sampling to 1:100 or your query will auto-cancel and throw errors.

Yikes! The number of events returned is over 18,000, but that is fine.

Use the Interesting Fields to help you identify what the URI path that is being attacked is.

Once the URI path has been identified, you can use it to expand the search query further to determine what SQL function is being abused.

Command: index="botsv2" src_ip="ATTACKER_IP" uri_path="URI_PATH"

You should have over 600 events to sift through but fret not; the answer is there.

Questions 6 & 7

Awesome! Thus far, you have identified that Amber downloaded Tor Browser (you even know the exact version), and you have identified the URI path and the SQL function attacked on brewertalk.com.

Your task now is to identify the cookie value that was transmitted as part of an XSS attack. The user has been identified as Kevin.

Before diving right in, get some details on Kevin. This is the first time you've heard of him.

Command: index="botsv2" kevin

Ok, now you have Kevin's first and last name. Time to figure out the cookie value from the XSS attack.

As before, you can start with a simple keyword search.

You know that you're looking for events related to Kevin's HTTP traffic with an XSS payload, and you're focused on the cookie value.

Honestly, you should be able to tackle this one on your own as well. Use the previous search queries as your guide.

Once you have executed the search query that yields the events with the answer, you can identify the username used for the spear phishing attack.

Based on the question hint, you can perform a keyword search query here as well.

Command: index="botsv2" KEYWORD

As before, replace KEYWORD with the actual keyword search term.

Great! You should have been able to find all the answers to the questions using basic keyword searches.

1) What version of TOR Browser did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one or more delimiter.

index="botsv2" amber tor install
| sort _time

Answer: 7.0.4

2) What is the public IPv4 address of the server running www.brewertalk.com?

index="botsv2" sourcetype="stream:http" brewertalk.com
| table dest_ip, site

Answer: 52.42.208.228

3) Provide the IP address of the system used to run a web vulnerability scan against www.brewertalk.com.

index="botsv2" sourcetype="stream:http" brewertalk.com
| stats count by dest_ip, site, src_ip
| sort -count

Answer: 45.77.65.211

4) The IP address from Q#2 is also being used by a likely different piece of software to attack a URI path. What is the URI path? Answer guidance: Include the leading forward slash in your answer. Do not include the query string or other parts of the URI. Answer example: /phpinfo.php

index="botsv2" sourcetype="stream:http" src_ip=45.77.65.211

Answer: /member.php

5) What SQL function is being abused on the URI path from the previous question?

index="botsv2" sourcetype="stream:http" src_ip=45.77.65.211 uri_path="/member.php"

Answer: updatexml
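The three queries for questions 3 to 5 are one analytic pattern: group requests by client to find the noisiest source, group that client's requests by path to find the targeted endpoint, then inspect the query strings sent to that path. As an added example (not code from the room), the Python below runs that pattern over constructed stream:http events: count_by emulates stats count by ... | sort -count, and abused_sql_functions decodes each query string and looks for calls to SQL functions that are commonly abused in injection, with updatexml from the page plus a few well-known others. All IPs, the hostname and the query strings are placeholders.

```python
# Added example (not from the room): over constructed stream:http events, emulate
# `stats count by dest_ip, site, src_ip | sort -count` to find the noisiest client,
# then look for abused SQL functions in the query strings that client sent to one path.
import re
from collections import Counter
from urllib.parse import unquote

# Constructed events; the IPs, hostname and query strings are placeholders, not
# values from the BOTSv2 dataset.
EVENTS = [
    {"src_ip": "203.0.113.10", "dest_ip": "198.51.100.7", "site": "www.forum.test",
     "uri_path": "/index.php", "uri_query": ""},
    {"src_ip": "203.0.113.10", "dest_ip": "198.51.100.7", "site": "www.forum.test",
     "uri_path": "/member.php", "uri_query": "action=profile&uid=1"},
    {"src_ip": "203.0.113.10", "dest_ip": "198.51.100.7", "site": "www.forum.test",
     "uri_path": "/member.php", "uri_query": "action=profile&uid=1%20and%20updatexml(1,2,3)"},
    {"src_ip": "203.0.113.10", "dest_ip": "198.51.100.7", "site": "www.forum.test",
     "uri_path": "/member.php", "uri_query": "action=profile&uid=updatexml(1,2,3)"},
    {"src_ip": "192.0.2.20", "dest_ip": "198.51.100.7", "site": "www.forum.test",
     "uri_path": "/index.php", "uri_query": ""},
    {"src_ip": "192.0.2.20", "dest_ip": "198.51.100.9", "site": "shop.example.test",
     "uri_path": "/cart", "uri_query": "id=7"},
]

# MySQL functions frequently abused in SQL injection; updatexml is the one from the page.
SQL_FUNCS = ("updatexml", "extractvalue", "sleep", "benchmark")
SQL_FUNC_RE = re.compile(r"\b(" + "|".join(SQL_FUNCS) + r")\s*\(", re.I)


def count_by(events, *fields):
    """Emulate `stats count by <fields> | sort -count`: one row per distinct combination."""
    counts = Counter(tuple(str(ev.get(f, "")) for f in fields) for ev in events)
    return [dict(zip(fields, key), count=n) for key, n in counts.most_common()]


def noisiest_client(events, site):
    """Q3-style pivot: which src_ip generated the most requests to a site?"""
    rows = count_by([ev for ev in events if ev["site"] == site], "dest_ip", "site", "src_ip")
    return rows[0] if rows else None


def most_hit_path(events, src_ip):
    """Q4-style pivot: which uri_path did one client request most often?"""
    rows = count_by([ev for ev in events if ev["src_ip"] == src_ip], "uri_path")
    return rows[0]["uri_path"] if rows else None


def abused_sql_functions(events, src_ip, uri_path):
    """Q5-style detection: SQL function calls found in the URL-decoded query string."""
    hits = Counter()
    for ev in events:
        if ev["src_ip"] != src_ip or ev["uri_path"] != uri_path:
            continue
        # Decode %20 and friends first; the payload is usually URL-encoded in the log
        for name in SQL_FUNC_RE.findall(unquote(ev["uri_query"])):
            hits[name.lower()] += 1
    return dict(hits)


if __name__ == "__main__":
    top = noisiest_client(EVENTS, "www.forum.test")
    print(top)
    print(most_hit_path(EVENTS, top["src_ip"]))
    print(abused_sql_functions(EVENTS, top["src_ip"], "/member.php"))
```

The URL-decoding step matters: a detection that matches on the raw uri_query field misses a payload whose parentheses or spaces are percent-encoded, which is the common case in web server and stream logs.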

6) What was the value of the cookie that Kevin's browser transmitted to the malicious URL as part of an XSS attack? Answer guidance: All digits. Not the cookie name or symbols like an equal sign.

index="botsv2" sourcetype="stream:http" kevin

Answer: 1502408189

7) What brewertalk.com username was maliciously created by a spear phishing attack?

index="botsv2" sourcetype="stream:http" kevin

Answer: kIagerfield

300 series questions

Upward and onwards! Time to tackle some of the 300 series questions.

As with the 100 series questions, there are extra questions in this task that are not from the BOTSv2 dataset.

Questions 1 & 2

The questions start with an individual named Mallory, her MacBook, and some encrypted files.

As per the previous tasks, you can start with a keyword search to see what events are returned that are associated with Mallory.

Command: index="botsv2" mallory

Over 11,000 events are returned, but if you draw your attention to the Selected Fields, you should get the name of her MacBook.

Ok, build a new search query with just the name of her MacBook and see what you get.

Command: index="botsv2" host="NAME_MACBOOK"

Note: You don't have to run this command. Trust me; the results returned are well over 9 million events.

Looking back at the question (our objective), the focus is on a critical PowerPoint presentation.

Add common file extensions for PowerPoint to help significantly shrink the amount of returned events.

Command: index="botsv2" host="NAME_MACBOOK" (*.ppt OR *.pptx)

Nice! You should have the filename of the critical document.

Now you need to find another file, this time a movie file.

Use the same source type from the previous query that returned the event with the filename of the critical PowerPoint document.

Since you don't know the file extension, you can't use the same approach as before.

What do you know? You know the file extension of the files once they have been encrypted.

You can use that file extension in your search query.

Command: index="botsv2" host="NAME_MACBOOK" sourcetype="?" *.EXT

Replace the ? with the name of the source type and .EXT with the actual encryption file extension.

After execution, you should see the results are over 1,000, but the answer should be on the first page of the results.

Questions 3-7

Next task, you need to provide the name of the manufacturer of the USB drive Kevin used on Mallory's personal MacBook (kutekitten).

You can search for the malware or search for the USB manufacturer (vendor). In either case, you need to start with the MacBook.

You know the drill, start with a simple keyword search using the name of the MacBook.

Command: index="botsv2" kutekitten

The number of returned events is over 6,000, and the 2 data sources/source types are related to Osquery.

What is Osquery?

"Osquery exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With Osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes."

Tip: Visit the Osquery room to learn more.

Look through some of the events and get familiar with the structure of the data.

Back to the search, a good place to start searching for the malware is in Mallory's user folders. Find it in the search results from the last command.

Once you have it, expand the search query with the user path and try different folders.

Command: index="botsv2" kutekitten "\\/PATH\\/MALLORY\\/FOLDER"

Replace \\/PATH\\/MALLORY\\/FOLDER with Mallory's user folder path. For the search query to successfully execute, the path needs to be double escaped.

Look at the other available Interesting Fields related to a path. Add one of them as a field to the search query, then look for a file that stands out once the added field is part of the query.

Hint: You know you have found the interesting file if the available field shows a count of 1.

Once you think you have found the file (you can confirm the file's hash in VirusTotal), pivot and look at the events 1 minute prior.

To do this, click on the date/time of the event. A new window will pop up that will allow you to view events before or after that specific point in time.

Now you need to run a new search query to focus on events within the specific time segment.

It would be a good idea to refer to the documentation on Osquery here to help you with this.

Command: index="botsv2" kutekitten KEYWORD KEYWORD

Don't forget to replace the KEYWORD with the actual keywords you think will help you narrow down your search.

Note: The events will not provide the name of the USB manufacturer; you need to perform external research on the ID value to get that answer.

For questions 4-7, you have enough at this point to help you get the answers to those questions. :)

1) Mallory's critical PowerPoint presentation on her MacBook gets encrypted by ransomware on August 18. What is the name of this file after it was encrypted?

index="botsv2" host="MACLORY-AIR13" (*.ppt OR *.pptx)

Answer: Frothly_marketing_campaign_Q317.pptx.crypt

2) There is a Game of Thrones movie file that was encrypted as well. What season and episode is it?

index="botsv2" host="MACLORY-AIR13" (game OR got)

Answer: S07E02

3) Kevin Lagerfield used a USB drive to move malware onto kutekitten, Mallory's personal MacBook. She ran the malware, which obfuscates itself during execution. Provide the vendor name of the USB drive Kevin likely used. Answer Guidance: Use time correlation to identify the USB drive.

index="botsv2" kutekitten usb vendor

Answer: Alcor Micro Corp.
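The answer guidance says to use time correlation: take the time of the suspicious file event and look at what osquery recorded on the host in the minute before it. As an added example (not code from the room or from osquery), the Python below does that pivot over constructed osquery-style records. Column names follow osquery's file_events and usb_devices tables, and the action field sits at the record level as it does in osquery differential logs; the timestamps, path, hash and vendor IDs are placeholders, and mapping a vendor_id to a manufacturer name is the external lookup the page mentions, which this block does not perform.

```python
# Added example (not from the room or from osquery): time-correlate a suspicious file
# event on a host with USB device events recorded shortly before it, using constructed
# osquery-style records. Column names follow osquery's file_events and usb_devices
# tables; timestamps, the path, the hash and the vendor IDs are placeholders.
from datetime import datetime, timedelta

EVENTS = [
    {"_time": "2017-08-18 13:30:00", "host": "kutekitten", "name": "pack_usb_devices",
     "action": "added", "columns": {"vendor_id": "0x1111", "model_id": "0x0001"}},
    {"_time": "2017-08-18 14:02:05", "host": "kutekitten", "name": "pack_usb_devices",
     "action": "added", "columns": {"vendor_id": "0x2222", "model_id": "0x0002"}},
    {"_time": "2017-08-18 14:02:40", "host": "kutekitten", "name": "pack_file_events",
     "action": "added", "columns": {"target_path": "/Users/mallory/Downloads/sample.bin",
                                    "sha256": "SHA256_PLACEHOLDER", "action": "CREATED"}},
    {"_time": "2017-08-18 14:09:00", "host": "kutekitten", "name": "pack_usb_devices",
     "action": "removed", "columns": {"vendor_id": "0x3333", "model_id": "0x0003"}},
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _t(ev):
    return datetime.strptime(ev["_time"], TIME_FMT)


def events_before(events, anchor, window=timedelta(minutes=1), name=None):
    """Events in [anchor - window, anchor), i.e. Splunk's 'events before this time'
    pivot, optionally limited to one osquery pack/query name. Oldest first."""
    start = anchor - window
    picked = [ev for ev in events
              if start <= _t(ev) < anchor and (name is None or ev["name"] == name)]
    return sorted(picked, key=_t)


def find_file_event(events, target_path):
    """The file_events record for the suspicious file (first match)."""
    return next(ev for ev in events
                if ev["name"] == "pack_file_events"
                and ev["columns"]["target_path"] == target_path)


def usb_vendor_ids_before_file(events, target_path, window=timedelta(minutes=1)):
    """vendor_id of every USB device seen within `window` before the file appeared."""
    anchor = _t(find_file_event(events, target_path))
    return [ev["columns"]["vendor_id"]
            for ev in events_before(events, anchor, window, name="pack_usb_devices")]


if __name__ == "__main__":
    path = "/Users/mallory/Downloads/sample.bin"
    print(usb_vendor_ids_before_file(EVENTS, path))                        # one-minute window
    print(usb_vendor_ids_before_file(EVENTS, path, timedelta(hours=1)))    # wider window
```

Widening the window shows why a tight one is useful: with an hour of history, an unrelated device seen much earlier is pulled in as well, and the analyst has to disambiguate by hand.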

4) What programming language is at least part of the malware from the question above written in?

index="botsv2" kutekitten decorations.username=mkraeusen

Let's get the sha256 hash and search for it on VirusTotal.

Answer: perl

5) When was this malware first seen in the wild? Answer Guidance: YYYY-MM-DD

Answer: 2017-01-17

6) The malware infecting kutekitten uses dynamic DNS destinations to communicate with two C&C servers shortly after installation. What is the fully-qualified domain name (FQDN) of the first (alphabetically) of these destinations?

Answer: eidk.duckdns.org

7) From the question above, what is the fully-qualified domain name (FQDN) of the second (alphabetically) contacted C&C server?

Answer: eidk.hopto.org

400 series questions

Continuing on, it's time to attempt to answer some of the 400 series questions from the BOTSv2 dataset, and then some.

Questions 1 & 2

You're tasked to find the name of the attachment sent to Frothly by the malicious APT actor. This will involve events related to emails.

You're provided with a command that will lead you to the answer. Replace the ? and .EXT with the appropriate values.

Command: index="botsv2" sourcetype="stream:?" *.EXT

You should be able to retrieve the password on your own at this point. :)

Question 3

For this question, you will need the attacker's IP. Remember, there was an IP address scanning brewertalk.com.

Use that IP address and search the TCP stream instead of the HTTP stream.

Once the events are returned, look at the Interesting Fields.

Command: index="botsv2" sourcetype="stream:?" ATTACKER_IP

Question 4

Next task, find an unusual file that was downloaded with winsys32.dll.

Notice that it's mentioned that this file would be considered unusual for an American company. This is a hint that it has something to do with language.

Command: index="botsv2" winsys32.dll

Look through the results; you should see a tool associated with transferring files from system to system.

There is a source type associated with the binary. Use that to start a new search query.

Command: index="botsv2" sourcetype="stream:?"

Replace the ? with the appropriate value.

Over 1,000 events are returned. It might be a good idea to shrink this further down. But how?

You're looking for an unusual file that was downloaded by winsys32.dll. Research the commands that the tool uses specifically for downloads. Once you find the command, expand your search query.

Command: index="botsv2" sourcetype="stream:?" method=COMMAND

You know the drill, replace the ? and COMMAND with the appropriate values.

The unusual file should be noticeable in the returned events. If not, then look at the Interesting Fields.

Questions 5 & 6

Use the following links to examine the execution of the malware contained within the aforementioned zip file.

These sources will help you find the answer to this question, along with the following question.

Question 7

I'm confident you can tackle this one solo. Below is a command to get you started.

Command: index="botsv2" schtasks.exe

Over 100 events should be returned. Look at the results; some entries should stand out. Next, figure out what keyword(s) and source type you need to find the answer.

You'll need to perform additional steps for each event to determine the answer to the last question. Good luck! :)

1) A Federal law enforcement agency reports that Taedonggang often spear phishes its victims with zip files that have to be opened with a password. What is the name of the attachment sent to Frothly by a malicious Taedonggang actor?

index="botsv2" sourcetype="stream:smtp" *.zip

Answer: invoice.zip

2) What is the password to open the zip file?

index="botsv2" sourcetype="stream:smtp" *.zip

Answer: 912345678

3) The Taedonggang APT group encrypts most of their traffic with SSL. What is the "SSL Issuer" that they use for the majority of their traffic? Answer guidance: Copy the field exactly, including spaces.

index="botsv2" sourcetype="stream:tcp" 45.77.65.211

Answer: C = US

4) What unusual file (for an American company) does winsys32.dll cause to be downloaded into the Frothly environment?

index="botsv2" sourcetype="stream:ftp" loadway=Download

5) What is the first and last name of the poor innocent sap who was implicated in the metadata of the file that executed PowerShell Empire on the first victim's workstation? Answer example: John Smith

Answer: Ryan Kovar

6) Within the document, what kind of points is mentioned if you found the text?

Answer: CyberEastEgg

7) To maintain persistence in the Frothly network, Taedonggang APT configured several Scheduled Tasks to beacon back to their C2 server. What single webpage is most contacted by these Scheduled Tasks? Answer example: index.php or images.html

index="botsv2" schtasks.exe
index="botsv2" \\Software\\Microsoft\\Network

Answer: process.php
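The last question is answered by reading the URL out of each scheduled task's action and noting which page recurs. As an added example (not code from the room), the Python below automates that over constructed schtasks command lines: it extracts every URL, reduces each to its final path segment, and counts them, and it separately flags task creations whose action references a URL at all, which is a reasonable thing to alert on. The command lines, IPs and page names are placeholders, not BOTSv2 data.

```python
# Added example (not from the room): pull the URL out of each scheduled-task command
# line and count which page is contacted most, which is the analysis the last query
# performs by hand. The command lines are constructed placeholders, not BOTSv2 data.
import re
from collections import Counter
from urllib.parse import urlparse

TASK_COMMANDS = [
    r'schtasks.exe /create /sc minute /mo 5 /tn "Update1" /tr "C:\Users\Public\tool.exe http://203.0.113.50/news/check.php"',
    r'schtasks.exe /create /sc minute /mo 5 /tn "Update2" /tr "C:\Users\Public\tool.exe http://203.0.113.50/blog/check.php?id=1"',
    r'schtasks.exe /create /sc hourly /tn "Update3" /tr "C:\Users\Public\tool.exe https://203.0.113.51/about/login.php"',
    r'schtasks.exe /create /sc minute /mo 10 /tn "Update4" /tr "C:\Users\Public\tool.exe http://203.0.113.50/check.php"',
    r'schtasks.exe /query /tn "Update1"',
    r'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\Tools\backup.exe"',
]

# Stop at whitespace or quote characters so the URL does not swallow the closing quote
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def urls_in(cmdline):
    """All http(s) URLs embedded in one command line."""
    return URL_RE.findall(cmdline)


def page_name(url):
    """Final path segment of the URL, ignoring the query string ('/' if none)."""
    path = urlparse(url).path
    return path.rsplit("/", 1)[-1] or "/"


def most_contacted_pages(cmdlines):
    """(page, count) pairs, most contacted first; like `stats count by page | sort -count`."""
    return Counter(page_name(u) for c in cmdlines for u in urls_in(c)).most_common()


def task_creations_with_urls(cmdlines):
    """Detection angle: schtasks /create actions that reference a URL at all."""
    return [c for c in cmdlines
            if "schtasks" in c.lower() and "/create" in c.lower() and urls_in(c)]


if __name__ == "__main__":
    print(most_contacted_pages(TASK_COMMANDS))
    for line in task_creations_with_urls(TASK_COMMANDS):
        print("task with URL:", line)
```

Reducing each URL to its last path segment is what lets tasks pointing at different hosts or directories still be grouped by the page they beacon to, which is how the question is phrased.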
