Splunk 2

Part of the Blue Primer series. This room is based on version 2 of the Boss of the SOC (BOTS) competition by Splunk.

THM Room https://tryhackme.com/room/splunk2gcd5

TASK 1 : Deploy!

Deployed the virtual machine and connected to the website found at 10.10.246.201:8000

No Answer

TASK 2 : Dive into the data

I’m ready to get hunting with Splunk.

No Answer

TASK 3 : 100 series questions

Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team. What is the website domain that she visited?

Firstly i searched traffic from Amber :

index="botsv2" sourcetype="pan:traffic" amber

Then i get her IP adress 10.0.2.101 so i could try to filter for sites :

index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" | table site

But this query returned many values, so we need to exclude duplicates and non relevant entries :

index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" NOT(site=*.microsoft.com OR site=*.windowsupdate.com OR site=*.bing.com OR site=*.digicert.com OR site=*.akamaized.net OR site=*msn.com OR site=*.adnxs.com OR *office.net OR *symcd.com OR site=*gvt1*)
| dedup site 
| table site

From the list, Berkbeer website seems to be the right answer !

Answer : www.berkbeer.com

Amber found the executive contact information and sent him an email. What image file displayed the executive’s contact information? Answer example: /path/image.ext

An interesting field is URI_PATH for this request. And the executive may be resume by searching ceo somewhere :

index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" www.berkbeer.com *ceo*

Looking the uri_path give us the answer.

Answer : /images/ceoberk.png

What is the CEO’s name? Provide the first and last name.

I firstly search the CEO email adress before his name.

Just looking the content of the result from next question and filtering with :

index="botsv2" sourcetype="stream:smtp" aturing@froth.ly berk*

Answer : Martin Berk

What is the CEO’s email address?

I began to search for Amber informations like her email. This following query give me that email : aturing@froth.ly

index="botsv2" sourcetype="stream:smtp" amber

Then adding some extra information like the domain Amber is looking for :

index="botsv2" sourcetype="stream:smtp" aturing@froth.ly berkbeer*

This returned me 2 emails : mberk@berkbeer.com and hbernhard@berkbeer.com

When reading the content of the result, mberk seems to be the CEO.

Answer : mberk@berkbeer.com

After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee’s email address?

Answer : hbernhard@berkbeer.com

What is the name of the file attachment that Amber sent to a contact at the competitor?

Looking for the attachment_filename field the query returning the conversation between Amber and Bernhard :

index="botsv2" sourcetype="stream:smtp" aturing@froth.ly hbernhard@berkbeer.com

Answer : Saccharomyces_cerevisiae_patent.docx

What is Amber’s personal email address?

This one was quite trials and error by decoding the base64 content from the previous results between Benhard and Amber.

Answer : ambersthebest@yeastiebeast.com

TASK 4 : 200 series questions

What version of TOR Browser did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one or more delimiter.

Search for tor.exe and Amber kewords :

index="botsv2" amber tor.exe

Then i looked through the interesting fields and found in the process field the answer :

TOR Browser

Answer : 7.0.4

What is the public IPv4 address of the server running www.brewertalk.com?

I searched for the website in the destination ip field :

index="botsv2" www.brewertalk.com

Brewertalk IP

The answer must be a public IP address so it could not be 172.31.X.X

Answer : 52.42.208.228

Provide the IP address of the system used to run a web vulnerability scan against www.brewertalk.com.

In the same query, i found the IP for the system used to run a scan in the source IP :

Source IP

Answer : 45.77.65.211

The IP address from Q#2 is also being used by a likely different piece of software to attack a URI path. What is the URI path? Answer guidance: Include the leading forward slash in your answer. Do not include the query string or other parts of the URI. Answer example: /phpinfo.php

Adding the IP from Q2 in the last query :

index="botsv2" www.brewertalk.com 52.42.208.228

Then looking the uri_path for sensitive informations and i found a PHP page : /member.php

URI Path

Answer : /member.php

What SQL function is being abused on the URI path from the previous question?

The attack is from the source IP address, so let’s change the query and set up the uri_path found the searching about form_data :

index="botsv2" brewertalk.com src_ip="45.77.65.211" uri_path="/member.php" 
| dedup form_data 
| table form_data

updatexml

Answer : updatexml

What was the value of the cookie that Kevin’s browser transmitted to the malicious URL as part of an XSS attack? Answer guidance: All digits. Not the cookie name or symbols like an equal sign.

Let search for Kevin with a sourcetype in http stream. Then adding the hint (tag=”error”) and looking to cookie field :

index="botsv2" kevin sourcetype="stream:http" tag="error"
| table cookie

Cookie

Answer : 1502408189

What brewertalk.com username was maliciously created by a spear phishing attack?

Checking the hint give us the stolen CSRF token (1bc3eab741900ab25c98eee86bf20feb). let’s search about this and looking for unique result. Form_data seems good. I table this request then :

index="botsv2" 1bc3eab741900ab25c98eee86bf20feb 
| table form_data

Malicious Username

This give me the username.

Answer : kIagerfield

TASK 5 : 300 series questions

Mallory’s critical PowerPoint presentation on her MacBook gets encrypted by ransomware on August 18. What is the name of this file after it was encrypted?

Let’s begin with the keyword search as usual :

index="botsv2" mallory

This gives me the hostname of Mallory’s Mac Air : MACLORY-AIR13

Then adding this information to the query and searching for powerpoint :

index="botsv2" mallory host="MACLORY-AIR13" (*.ppt OR *.pptx)

Filename

Answer : Frothly_marketing_campaign_Q317.pptx.crypt

There is a Games of Thrones movie file that was encrypted as well. What season and episode is it?

I use the following query to find the answer :

index="botsv2" got (*.crypt)

GoT

Answer : S07E02

Kevin Lagerfield used a USB drive to move malware onto kutekitten, Mallory’s personal MacBook. She ran the malware, which obfuscates itself during execution. Provide the vendor name of the USB drive Kevin likely used. Answer Guidance: Use time correlation to identify the USB drive.

Searching for keyword given like kutekitte and usb then checked the usefull field and found in name the “pack_hardware_usb_devices” which seems good.

index="botsv2" kutekitten usb name="pack_hardware-monitoring_usb_devices"

This request shows up the following informations :

USB Device

Let’s google this vendor ID for USB drives :

USB Vendor

Answer : Alcor Micro Corp.

What programming language is at least part of the malware from the question above written in?

First, i search :

index="botsv2" kutekitten "\\/Users*"

Then in the field, i check extra users and Splunk gives me “decorations.username”=mkraeusen. So let’s add this to the query :

index="botsv2" kutekitten "\\/Users*" "decorations.username"=mkraeusen

I note and interesting field : columns.md5 so i click on it :

index="botsv2" kutekitten "\\/Users*" "decorations.username"=mkraeusen "columns.md5"=72d4d364ed91dd9418d144a2db837a6d

Now copy paste this md5 hash to Virustotal :

Virustotal

Answer : Perl

When was this malware first seen in the wild? Answer Guidance: YYYY-MM-DD

Virustotal First seen

Also from Virustotal.

Answer : 2017-01-17

The malware infecting kutekitten uses dynamic DNS destinations to communicate with two C&C servers shortly after installation. What is the fully-qualified domain name (FQDN) of the first (alphabetically) of these destinations?

From destination tab on Virustotal for this hash :

Domain

Answer : eidk.duckdns.org

From the question above, what is the fully-qualified domain name (FQDN) of the second (alphabetically) contacted C&C server?

Answer : eidk.hopto.org

TASK 6 : 400 series questions

A Federal law enforcement agency reports that Taedonggang often spear phishes its victims with zip files that have to be opened with a password. What is the name of the attachment sent to Frothly by a malicious Taedonggang actor?

Relevant keyword : frothly, *.zip then filter on sourcetype “wineventlog”

index="botsv2" frothly *.zip sourcetype=wineventlog

Attachment

Answer : invoice.zip

What is the password to open the zip file?

Searching into the body of the mail by adding the password keyword :

index="botsv2" invoice.zip password 
| spath "content_body{}" | table "content_body{}"

Password

Answer : 912345678

The Taedonggang APT group encrypts most of their traffic with SSL. What is the “SSL Issuer” that they use for the majority of their traffic? Answer guidance: Copy the field exactly, including spaces.

Querying ssl from splunk :

index="botsv2" ssl

Then checking then interesting fields : ssl_issuer :

ssl_issuer

Answer : C = US

What unusual file (for an American company) does winsys32.dll cause to be downloaded into the Frothly environment?

First query gives me a protocol use for file transfert : FTP

index="botsv2" winsys32.dll 

A second query gives me the method : RETR

index="botsv2" sourcetype="stream:ftp" | stats count by method

The last query show the answer :

index="botsv2" sourcetype="stream:ftp" method="RETR"

stream:ftp

Anser :

나는_데이비드를_사랑한다.hwp

What is the first and last name of the poor innocent sap who was implicated in the metadata of the file that executed PowerShell Empire on the first victim’s workstation? Answer example: John Smith

Using the links given :

Victim

Answer : Ryan Kovar

Within the document, what kind of points is mentioned if you found the text?

idem.

invoice.doc

Answer : CyberEastEgg

To maintain persistence in the Frothly network, Taedonggang APT configured several Scheduled Tasks to beacon back to their C2 server. What single webpage is most contacted by these Scheduled Tasks? Answer example: index.php or images.html

Using the query :

index="botsv2" \\Software\\Microsoft\\Network sourcetype=WinRegistry

Checking the most use data and decode from base64 :

process.php

Answer : process.php

TASK 7 : Conclusion

You leveled up your Splunk-fu thanks to the BOTSv2 dataset.

No Answer.