Splunk 2 – Boss of the SOC - TryHackMe

Brandon Nerios

This lab will be a walkthrough of the Splunk "Boss of the SOC" lab on TryHackMe. In this lab I will use the BOTSv2 dataset to answer the questions provided for each section. In this exercise, I will assume the persona of Alice Bluebird, the analyst who successfully assisted Wayne Enterprises and was recommended to Grace Hoppy at Frothly (a beer company) to assist them with their recent issues.

BOTSv2 Dataset:

The data included in this app was generated in August of 2017 by members of Splunk's Security Specialist team - Dave Herrald, Ryan Kovar, Steve Brant, Jim Apger, John Stoner, Ken Westin, David Veuve and James Brodsky. They stood up a few lab environments connected to the Internet. Within the environment they had a few Windows endpoints instrumented with the Splunk Universal Forwarder and Splunk Stream. The forwarders were configured with best practices for Windows endpoint monitoring, including a full Microsoft Sysmon deployment and best practices for Windows Event logging. The environment included a Palo Alto Networks next-generation firewall to capture traffic and provide web proxy services, and Suricata to provide network-based IDS.

100 Series Questions:

The first section focuses on Amber Turing and her communication with a competitor.

  • Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through but visited their website to find contact information for their executive team. What is the website domain that she visited?

The first thing we will want to get is Amber's IP address. We can use the following command ( index="botsv2" sourcetype="pan:traffic" amber ) to get all the Palo Alto Networks traffic specific to Amber. IP = 10.0.2.101

Now we can go back to the query and search for her HTTP traffic using the command (index="botsv2" 10.0.2.101 sourcetype="stream:HTTP"). That query returns over 1000 entries, so to narrow it down let's be more specific. Since Frothly is in the beer industry, we can use "beer" as a filter, put the results into a table, and remove duplicates with the command (index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" beer | dedup site | table site).

  • Amber found the executive contact information and sent him an email. What image file displayed the executive's contact information? Answer example: /path/image.ext

Since we know Amber's IP address and the website, we can run a more specific query to look at the HTTP traffic from Amber's computer to the competitor's website. We will want to use the following command ( index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" www.berkbeer.com ).

  • What is the CEO's name? Provide the first and last name.

From the image we have the CEO's last name, but we still need his first name. Let's take a look at Amber's communication with him via SMTP using the query ( index="botsv2" sourcetype="stream:smtp" amber ); from those logs we can narrow down Amber's email address.

After we have Amber's email address we can do a more specific search to find her communication with the CEO using their domain ( index="botsv2" sourcetype="stream:smtp" aturing@froth.ly berkbeer.com ).

  • What is the CEO's email address?

Looking through the raw text we can find this as well.

  • After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee's email address?

Looking at the logs we can see that the CEO looped in Mr. Bernhard.

  • What is the name of the file attachment that Amber sent to a contact at the competitor?

We will want to look at the logs where Amber was the sender and check the first few lines to see the attachments.

  • What is Amber's personal email address?

Looking at the communication between Amber and the competitor, we can see that part of their message was encoded in Base64. We will need to decode that with CyberChef.
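For readers who would rather script the decode than paste into CyberChef, here is an added example (not part of the original walkthrough or the BOTSv2 dataset): it scans an SMTP body for standalone Base64 runs, decodes the ones that yield printable text, and pulls any email addresses out of the result. The message body, the encoded line and the address in it are constructed sample values.

```python
import base64
import binascii
import re

# Constructed sample SMTP body. The encoded line is built here from a plain
# sentence so the sample is self-consistent; it is not Amber's real message.
SECRET_LINE = "This is a constructed sample: reach me at sample.user@example.com"
SAMPLE_BODY = (
    "Hi, thanks for the meeting today.\n"
    + base64.b64encode(SECRET_LINE.encode()).decode() + "\n"
    + "Regards, Amber\n"
)

# A standalone run of Base64 alphabet characters (16+ chars, optional padding).
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def decode_base64_runs(text):
    """Return (encoded, decoded) pairs for each run that decodes to printable UTF-8."""
    found = []
    for match in B64_RUN.finditer(text):
        token = match.group(0)
        if len(token) % 4:          # valid Base64 is always a multiple of 4 chars
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue                # long plain words also match the regex; skip them
        if decoded.isprintable():
            found.append((token, decoded))
    return found


def extract_emails(text):
    """Email addresses found in text, de-duplicated and sorted."""
    return sorted(set(re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", text)))


if __name__ == "__main__":
    for encoded, plain in decode_base64_runs(SAMPLE_BODY):
        print(encoded[:24] + "...", "->", plain)
        print("addresses:", extract_emails(plain))
```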

200 Series Questions:

In this section we will be investigating SQL injection detections and XSS web application attacks.

  • What version of TOR Browser did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one or more delimiter.

We will begin with the query ( index="botsv2" amber tor ) and look at the Sysmon events, which lead us to the following interesting fields. In the Image field we can find the answer.

Next we will take the website's domain and clear our query to search for events with just the domain (index="botsv2" brewertalk.com).

  • Provide the IP address of the system used to run a web vulnerability scan against www.brewertalk.com.

For this one we will want to look at the source IPs and focus on the ones with high traffic, since running a web vulnerability scan produces a large volume of requests.
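The "high traffic" heuristic above can be made a little more robust, as this added example shows (it is my own code, not from the walkthrough, and the records are constructed stream:http-style lines rather than BOTSv2 data): a scanner is flagged only when a source sends many requests AND probes many distinct URI paths, which separates it from a heavy but legitimate user who reloads the same page.

```python
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def build_sample_logs():
    """Constructed stream:http-style records (not real BOTSv2 data)."""
    lines = []
    # An ordinary browser: a handful of requests to a couple of pages.
    for path in ("/index.php", "/forum.php", "/index.php"):
        lines.append(f'src_ip=10.0.2.101 dest=brewertalk.com uri_path={path} '
                     f'http_user_agent="Mozilla/5.0 (constructed)"')
    # A heavy but legitimate user: many requests, all to the same page.
    for _ in range(30):
        lines.append('src_ip=10.0.2.103 dest=brewertalk.com uri_path=/forum.php '
                     'http_user_agent="Mozilla/5.0 (constructed)"')
    # Scanner-like behaviour: many requests, each probing a different path.
    for i in range(40):
        lines.append(f'src_ip=45.77.65.211 dest=brewertalk.com uri_path=/probe{i}.php '
                     f'http_user_agent="constructed-scanner/1.0"')
    return lines


def parse_record(line):
    return {k: v.strip('"') for k, v in KV.findall(line)}


def profile_sources(lines):
    """Per src_ip: request count, distinct URI paths and distinct user agents."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "agents": set()})
    for line in lines:
        rec = parse_record(line)
        if "src_ip" not in rec:
            continue
        entry = stats[rec["src_ip"]]
        entry["requests"] += 1
        entry["paths"].add(rec.get("uri_path", ""))
        entry["agents"].add(rec.get("http_user_agent", ""))
    return stats


def likely_scanners(lines, min_requests=20, min_distinct_paths=10):
    """Flag sources with high volume AND high path breadth; volume alone is not enough."""
    hits = [(ip, s["requests"], len(s["paths"]))
            for ip, s in profile_sources(lines).items()
            if s["requests"] >= min_requests and len(s["paths"]) >= min_distinct_paths]
    return sorted(hits, key=lambda h: -h[1])


SAMPLE_LOGS = build_sample_logs()
```

The same idea in SPL is a `stats count dc(uri_path) by src_ip` over the brewertalk.com traffic, sorted by count.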

  • The IP address from Q#2 is also being used by a likely different piece of software to attack a URI path. What is the URI path? Answer guidance: Include the leading forward slash in your answer. Do not include the query string or other parts of the URI. Answer example: /phpinfo.php

We will use the following query ( index="botsv2" brewertalk.com sourcetype="stream:http" src_ip="45.77.65.211" ) and look at the interesting fields to see the URI path being attacked.

  • What SQL function is being abused on the URI path from the previous question?

Using the query (index="botsv2" brewertalk.com sourcetype="stream:http" src_ip="45.77.65.211" uri_path="/member.php" | dedup form_data | table form_data) we can look at the form data to see what is being requested.

  • What was the value of the cookie that Kevin's browser transmitted to the malicious URL as part of an XSS attack? Answer guidance: All digits. Not the cookie name or symbols like an equal sign.

We will first want to see if we can find HTTP traffic for Kevin using the query (index="botsv2" kevin sourcetype="stream:http"). Since we know it was an XSS attack, we can add the tag error to the query ( index="botsv2" kevin sourcetype="stream:http" tag=error ). Now we can put this all in a table to look at.

  • What brewertalk.com username was maliciously created by a spear phishing attack?

For this one we had to use the hint: "The attacker stole Kevin's CSRF token (1bc3eab741900ab25c98eee86bf20feb) and performed a trick from domain squatters by using a homograph attack." Having the CSRF token, we can now use it in our query ( index="botsv2" 1bc3eab741900ab25c98eee86bf20feb sourcetype="stream:http" brewertalk.com ).
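To show what the hint's "homograph attack" looks like in log data, here is an added example (my own code, not part of the walkthrough): it folds hostnames to an ASCII skeleton so a look-alike domain collides with brewertalk.com, handles the punycode (xn--) form seen on the wire, and lists every host other than the real site that received the CSRF token. The look-alike domain, the events and the `csrf_token` parameter name are constructed; the confusable table is a small illustrative subset.

```python
import unicodedata

LEGIT = "brewertalk.com"
TOKEN = "1bc3eab741900ab25c98eee86bf20feb"   # the CSRF token from the hint

# Constructed subset of look-alike mappings: Cyrillic and Greek letters that
# render like Latin ones. Real confusable tables (Unicode UTS #39) are far larger.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",
})


def to_punycode(host):
    """ASCII (xn--) form of a hostname, as it appears on the wire and in HTTP logs."""
    return host.encode("idna").decode("ascii")


def to_unicode(host):
    """Decode xn-- labels back to Unicode; plain ASCII hosts are returned unchanged."""
    return host.encode("ascii").decode("idna") if "xn--" in host else host


def skeleton(host):
    """Fold a hostname to an ASCII skeleton so look-alike strings collide."""
    h = unicodedata.normalize("NFKD", to_unicode(host.lower()))
    h = "".join(c for c in h if not unicodedata.combining(c))   # drop accents
    return h.translate(CONFUSABLES)


def is_homograph(host, legit=LEGIT):
    """True when host is not the legitimate domain but folds to the same skeleton."""
    return to_unicode(host.lower()) != legit and skeleton(host) == legit


def token_leaks(events, token=TOKEN, legit=LEGIT):
    """Hosts other than the legitimate site that received the token, with a homograph flag."""
    leaks = {}
    for e in events:
        host = e["dest"].lower()
        if token in e["uri"] and to_unicode(host) != legit:
            leaks[host] = is_homograph(host, legit)
    return sorted(leaks.items())


# Constructed HTTP events (not BOTSv2 records): the token goes to the real site
# and also to a look-alike domain spelled with a Cyrillic 'a' (U+0430).
LOOKALIKE = "brewert\u0430lk.com"
SAMPLE_EVENTS = [
    {"dest": LEGIT, "uri": f"/member.php?action=do_register&csrf_token={TOKEN}"},
    {"dest": to_punycode(LOOKALIKE), "uri": f"/collect.php?csrf_token={TOKEN}"},
    {"dest": "example.org", "uri": "/index.html"},
]
```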

300 Series Questions:

In this section we will investigate a USB ransomware attack. The questions start with an individual named Mallory, her MacBook, and some encrypted files.

  • Mallory's critical PowerPoint presentation on her MacBook gets encrypted by ransomware on August 18. What is the name of this file after it was encrypted?

We will want to do a basic search for Mallory to see if we can find her computer name ( index="botsv2" mallory ). From this search we can find Mallory's MacBook. Now that we know the host name we can add it to the search and look only for PowerPoint files (index="botsv2" host="MACLORY-AIR13" (*.ppt OR *.pptx)).

  • There is a Game of Thrones movie file that was encrypted as well. What season and episode is it?

Since we know from her PowerPoint file that the encrypted files end with .crypt, we can use a query to search for other files like it: (index="botsv2" host="MACLORY-AIR13" *.crypt ).

  • Kevin Lagerfield used a USB drive to move malware onto kutekitten, Mallory's personal MacBook. She ran the malware, which obfuscates itself during execution. Provide the vendor name of the USB drive Kevin likely used. Answer Guidance: Use time correlation to identify the USB drive.

Using the query (index=botsv2 kutekitten "/Users") we can find her home directory, /Users/mkraeusen. Now we will need to search the osquery events using the following ( index=botsv2 host="kutekitten" "\\/Users\\/mkraeusen").

We can then take the hash of that file and check whether it is malicious.

Now that we know the file is malicious, we can search for the USB drive. Filtering the search on USB brings up the following logs.

We can now use this information to look up the vendor.
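The "use time correlation" guidance for this question, as an added example (my own code, not from the walkthrough): given osquery-style file events and USB device events for kutekitten, it picks the most recent USB insertion inside a short window before the malicious file appeared in /Users/mkraeusen and resolves its vendor ID. All events, vendor IDs and the vendor lookup table are constructed placeholders; a real investigation looks the ID up in the USB ID database.

```python
from datetime import datetime, timedelta

# Constructed osquery-style events for host kutekitten (sample data, not BOTSv2).
FILE_EVENTS = [
    {"time": "2017-08-18T15:02:10", "action": "CREATED",
     "path": "/Users/mkraeusen/Downloads/constructed_sample.app"},
    {"time": "2017-08-18T16:30:00", "action": "CREATED",
     "path": "/Users/mkraeusen/Desktop/notes.txt"},
]
USB_EVENTS = [
    {"time": "2017-08-18T14:01:30", "action": "add", "vendor_id": "0xAAAA", "model": "sample-drive-A"},
    {"time": "2017-08-18T15:00:45", "action": "add", "vendor_id": "0xBBBB", "model": "sample-drive-B"},
    {"time": "2017-08-18T15:10:00", "action": "remove", "vendor_id": "0xBBBB", "model": "sample-drive-B"},
]
# Constructed placeholder lookup; real vendor IDs come from the USB ID database.
VENDOR_LOOKUP = {"0xAAAA": "ExampleVendorA", "0xBBBB": "ExampleVendorB"}


def parse_ts(stamp):
    return datetime.fromisoformat(stamp)


def correlate_usb(file_event, usb_events, window=timedelta(minutes=5)):
    """Most recent USB 'add' within `window` before the file appeared, or None."""
    t_file = parse_ts(file_event["time"])
    candidates = [u for u in usb_events
                  if u["action"] == "add"
                  and timedelta(0) <= t_file - parse_ts(u["time"]) <= window]
    return max(candidates, key=lambda u: parse_ts(u["time"])) if candidates else None


def usb_vendor_for(file_event, usb_events, lookup=VENDOR_LOOKUP):
    """Vendor name for the drive most plausibly responsible for the file, or None."""
    hit = correlate_usb(file_event, usb_events)
    if hit is None:
        return None
    return lookup.get(hit["vendor_id"], "unknown vendor id " + hit["vendor_id"])


def suspicious_files(file_events, usb_events, home="/Users/mkraeusen"):
    """Files created under the home directory that line up with a USB insertion."""
    return [(f["path"], usb_vendor_for(f, usb_events))
            for f in file_events
            if f["path"].startswith(home) and correlate_usb(f, usb_events)]
```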