
SPLUNK BOTSv1 WRITEUP

14 min read · Nov 14, 2024

This lab, which consists of two sections (Web Site Defacement and Ransomware), is available on bots.splunk.com. I'll walk you through it and show you how I used Splunk to investigate the events.

PART 1:Web Site Defacement

Question 1: What is the likely IPv4 address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?

This question needs only a simple query:
index=botsv1 imreallynotbatman.com

What is "botsv1" here? An index is the named store Splunk writes events into; each index holds its own dataset, and in this lab every answer comes out of the botsv1 index.

In the left pane (the field sidebar), I looked for a field carrying IP address information and found src_ip:

You can see that 40.80.148.42 has by far the most hits on the web server, so it is most probably the attacker's IP. But a hit count alone is not evidence, so I extend the search by adding the IP address to it:
index=botsv1 imreallynotbatman.com src_ip="40.80.148.42"

Now let's look at the sourcetype field:

So we have HTTP logs and Suricata logs. Suricata is an IDS/IPS that matches traffic against signatures to detect threats. According to the question the scan targets a web server, so I look at the HTTP logs first by adding the sourcetype to my search:

index=botsv1 imreallynotbatman.com src_ip="40.80.148.42" sourcetype="stream:http"

NOTE: Splunk Stream is Splunk's wire-data add-on: it captures network traffic and turns it into protocol records, which is where sourcetypes like stream:http and stream:dns come from.

The HTTP records alone do not tell me what kind of traffic this IP initiated, so now I use the IDS logs:

index=botsv1 imreallynotbatman.com src_ip="40.80.148.42" sourcetype="suricata"

The signature field tells us what Suricata flagged:

As you can see, a series of web attacks was attempted from this IP, so we can now say with confidence that the scan originated from it.

Answer: 40.80.148.42

Question 2: What company created the web vulnerability scanner used by Po1s0n1vy?

Now we basically have to identify the tool. Scanners commonly announce themselves in the HTTP request headers, so I need a field that holds those headers, which means going back to the HTTP records. There you can see a field named src_headers with records like this:

If you are familiar with the popular web scanning tools you will recognise Acunetix: the scanner names itself in a header of its own (the Acunetix-Product header).

Answer: Acunetix

Question 3: What content management system is imreallynotbatman.com likely using?

The same query answers this one too: the paths the scanner requests (for example the /joomla/administrator/ login page) give the CMS away. If you are not familiar with CMS URL layouts, a quick web search of the paths will tell you.

Answer: joomla

Question 4: What is the name of the file that defaced the imreallynotbatman.com website? (I came back to this question after working through the later ones, so the attacker IPs used here are the ones found below.)

index=botsv1 sourcetype=stream:http src_ip=192.168.250.70

This looks confusing at first, because 192.168.250.70 is the web server's own IP, and a web server normally does not originate traffic; it receives requests and sends responses. Run this query and look at the destination IPs:

The two destinations are exactly the source IPs that attacked our web server. Now let's update the query:

index=botsv1 sourcetype=fgt_utm "192.168.250.70" NOT dest="192.168.250.70" category="Malicious Websites"

I switch to the firewall sourcetype (fgt_utm, the FortiGate UTM logs) because I want to know why our web server would originate traffic to the outside, and the NOT clause drops the events where the web server is the destination so that only its outbound connections remain. "Malicious Websites" is one of the two categories the firewall assigns to this traffic.

Finally, scroll down and check for the url field:

So the attacker defaced the website with this image.

Answer: Poisonivy-is-coming-for-you-batman.jpeg

Question 5: This attack used dynamic DNS to resolve to the malicious IP. What fully qualified domain name (FQDN) is associated with this attack?

index=botsv1 sourcetype=fgt_utm "192.168.250.70" NOT dest="192.168.250.70" category="Malicious Websites"

Using the same query again, the url field holds the answer:

Answer: prankglassinebracket.jumpingcrab.com

Question 6: What IPv4 address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?

The query is the same; this time the dstip field gives the clue:

Answer: 23.22.63.114

QUESTION 7 DOES NOT EXIST

Question 8: What IPv4 address is likely attempting a brute force password attack against imreallynotbatman.com?

A login brute force submits candidate credentials to the login form, which means HTTP POST requests. So I switch the sourcetype to http and add the destination IP, which is the web server's IP, to my search.

NOTE: The web server's IP is the one with the highest number of hits, 192.168.250.70.

Now I look for anything related to a form, because every login brute force has the same pattern: the attacker has to submit arbitrary values into the login form over and over. I also filter for the POST method only.

index=botsv1 imreallynotbatman.com dest_ip="192.168.250.70" sourcetype="stream:http" http_method=POST

In the form_data field you can see the username/password pattern of the attack.

But this is still not enough, because a website has many forms. So I filter form_data down to submissions that carry a username and a password:

index=botsv1 imreallynotbatman.com dest_ip="192.168.250.70" sourcetype="stream:http" http_method=POST form_data="*username*passwd*"

In the source IP field there are only 2 IPs, and the one responsible for 99% of the events is obviously our brute forcer.

Answer: 23.22.63.114

Question 9: What is the name of the executable uploaded by Po1s0n1vy?

I search for both the domain name and the IP address so as not to miss anything, and look for all .exe files first:
index=botsv1 sourcetype=suricata (dest=imreallynotbatman.com OR dest=192.168.250.70) http.http_method=POST .exe

In the filename field there are two .exe files, so we need to confirm which one matters. I investigate the suspicious one further:

index=botsv1 3791.exe sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1

Here I am looking at the Sysmon logs for process creation (Sysmon Event ID 1 is a process-creation event, not a file-creation event) and I get some results, so the uploaded file was actually executed on the host. Now I want to dig deeper:

index=botsv1 3791.exe CommandLine=3791.exe

With this query I ask Splunk for the events where this file appears on the command line, and I get one result:

That is the proof for this question.

Answer: 3791.exe

Question 10: What is the MD5 hash of the executable uploaded?

Using the same query, the left pane shows a field named MD5 with a single value (the Sysmon process-creation event records the hash of the executed image):

Answer: aae3f5a29935e6abcc2c2754d12a9af0

Question 11: GCPD reported that common TTPs (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy's initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.

I searched the IP address (23.22.63.114) on threatminer.org, which listed three MD5 hashes of samples associated with it:

I looked each of them up on VirusTotal; the third one was the malware in question, and VirusTotal lists its SHA256:

Answer: 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8

Question 12: What special hex code is associated with the customized malware discussed in question 11?

This is a little absurd, but you can find the answer in the community section of the VirusTotal report. The hex is simply ASCII-encoded text; decoded, it reads "Steve Brant's Beard is a powerful thing. Find this message and ask him to buy you a beer!!!":

Answer: 53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21

QUESTION 13 DOES NOT EXIST

Question 14: What was the first brute force password used?

To answer this question we need a regular expression for the password field. The query from Question 8 shows the structure of form_data, so we can write a regex from it:

Splunk's rex command does the extraction; a named capture group becomes a new field (here Password):

index=botsv1 imreallynotbatman.com dest_ip="192.168.250.70" sourcetype="stream:http" http_method=POST form_data="*username*passwd*"
|rex field=form_data "passwd=(?<Password>\w+)"
|table Password src
|reverse

Splunk returns events newest first, so reverse puts the earliest attempt at the top. Note that \w+ stops at the first non-word character, so a password containing punctuation would be truncated by this regex.

This is the final query to find the first attempted password.

Answer: 12345678

Question 15: One of the passwords in the brute force attack is James Brodsky’s favorite Coldplay song. We are looking for a six character word on this one. Which is it?

This is also an absurd question for me, but anyway, for this one we need a few different functions. I will explain them via the query:

index=botsv1 sourcetype="stream:http" http_method=POST form_data="*username*passwd*"
|rex field=form_data "passwd=(?<Password>\w+)"
|eval lenpword=len(Password)
|search lenpword=6
|eval pass=lower(Password)
|lookup coldplay.csv song as pass OUTPUTNEW song
|search song=*
|table song

eval len() computes each password's length and the following search keeps only the six-character ones; lower() normalises case; lookup matches the pass field against the song column of coldplay.csv and adds the song field for rows that match; the final search song=* keeps only the matches.

Note: The coldplay.csv lookup file is already included with the dataset.

Answer: yellow

Question 16: What was the correct password for admin access to the content management system running “imreallynotbatman.com”?

Think like this: if the brute force finally hits a valid password, what does the attacker do? Go and try it. So in this scenario, a password that was tried more than once for the admin account gives us the answer. Counting attempts per password and listing the source IPs shows it, and also tells you which host made each attempt:

index=botsv1 sourcetype="stream:http" http_method=POST form_data="*username*passwd*"
|rex field=form_data "passwd=(?<Password>\w+)"
|stats count values(src) by Password
|sort - count

Answer: batman

Question 17: What was the average password length used in the password brute forcing attempt?

Splunk has many useful functions for questions like this, and one of them is avg:

index=botsv1 sourcetype="stream:http" http_method=POST form_data="*username*passwd*"
|rex field=form_data "passwd=(?<Password>\w+)"
|search Password=*
|eval mylen=len(Password)
|stats avg(mylen) as avg_len_http
|eval avg_len_http=round(avg_len_http,0)

Answer: 6

Question 18: How many seconds elapsed between the time the brute force password scan identified the correct password and the compromised login?

What the question means is the time between the brute force hitting the correct password and the attacker trying it for the admin account.

index=botsv1 sourcetype=stream:http
|rex field=form_data "passwd=(?<Password>\w+)"
|search Password=batman
|transaction Password
|table duration

transaction groups all events that share the same Password value into one, and its duration field is the number of seconds between the first and the last event in that group, i.e. between the brute-force hit and the real login.

Answer: 92.17

Question 19: How many unique passwords were attempted in the brute force attempt?

index=botsv1 sourcetype=stream:http form_data=*username*passwd*
|rex field=form_data "passwd=(?<Password>\w+)"
|stats dc(Password)

This one is handled simply with stats: dc() is a distinct count.

Answer: 412
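All of the brute-force questions (8 and 14 to 19) are the same pipeline: filter the credential POSTs, pull the password out of form_data with a regex, then aggregate. Below is that pipeline as an added Python example (it is not part of the original write-up and not the lab's code) run over a handful of constructed records using the page's field names; the two addresses are the ones identified above, the timestamps and passwords are invented, and a short song list stands in for coldplay.csv.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample records shaped like the stream:http fields the page filters on
# (_time, src, form_data). These are NOT events from the BOTSv1 index: the two
# addresses are the ones the write-up identifies, everything else is invented.
EVENTS = [
    {"_time": "2016-08-10T21:38:40Z", "src": "23.22.63.114",
     "form_data": "username=admin&passwd=12345678&option=com_login&task=login"},
    {"_time": "2016-08-10T21:38:41Z", "src": "23.22.63.114",
     "form_data": "username=admin&passwd=yellow&option=com_login&task=login"},
    {"_time": "2016-08-10T21:38:42Z", "src": "23.22.63.114",
     "form_data": "username=admin&passwd=batman&option=com_login&task=login"},
    {"_time": "2016-08-10T21:38:43Z", "src": "23.22.63.114",
     "form_data": "username=admin&passwd=qwerty123&option=com_login&task=login"},
    # The attacker comes back from a second host and logs in with the hit.
    {"_time": "2016-08-10T21:40:12Z", "src": "40.80.148.42",
     "form_data": "username=admin&passwd=batman&option=com_login&task=login"},
    # A POST with no credentials: excluded by the *username*passwd* filter.
    {"_time": "2016-08-10T21:40:30Z", "src": "40.80.148.42",
     "form_data": "option=com_content&task=save"},
]

# Same pattern as the page's rex: "passwd=(?<Password>\w+)"
PASSWD_RE = re.compile(r"passwd=(?P<Password>\w+)")


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def login_attempts(events):
    """Equivalent of form_data=*username*passwd* | rex ... | reverse:
    keep only credential POSTs, extract the password, oldest first."""
    out = []
    for ev in events:
        fd = ev["form_data"]
        m = PASSWD_RE.search(fd)
        if "username" in fd and m:
            out.append((parse_time(ev["_time"]), ev["src"], m.group("Password")))
    return sorted(out)


def first_password(events):                      # Q14: earliest attempt
    return login_attempts(events)[0][2]


def distinct_passwords(events):                  # Q19: stats dc(Password)
    return len({pw for _, _, pw in login_attempts(events)})


def average_length(events):                      # Q17: stats avg(len(Password)), rounded
    return round(mean(len(pw) for _, _, pw in login_attempts(events)))


def brute_force_source(events):                  # Q8: the src with the most attempts
    counts = defaultdict(int)
    for _, src, _ in login_attempts(events):
        counts[src] += 1
    return max(counts, key=counts.get)


def reused_passwords(events):                    # Q16: stats count values(src) by Password
    """Passwords tried more than once, with the hosts that tried them; the
    brute-force hit is the one the attacker comes back to log in with."""
    count, srcs = defaultdict(int), defaultdict(set)
    for _, src, pw in login_attempts(events):
        count[pw] += 1
        srcs[pw].add(src)
    return {pw: sorted(srcs[pw]) for pw, n in count.items() if n > 1}


def seconds_between_hit_and_login(events, password):   # Q18: transaction duration
    times = [t for t, _, pw in login_attempts(events) if pw == password]
    return (max(times) - min(times)).total_seconds()


def six_letter_song(events, songs):              # Q15: len()==6 plus a lookup
    songs = {s.lower() for s in songs}
    for _, _, pw in login_attempts(events):
        if len(pw) == 6 and pw.lower() in songs:
            return pw.lower()
    return None


if __name__ == "__main__":
    songs = ["Yellow", "Clocks", "Fix You", "Paradise"]   # stand-in for coldplay.csv
    print(first_password(EVENTS), distinct_passwords(EVENTS), average_length(EVENTS))
    print(brute_force_source(EVENTS), reused_passwords(EVENTS))
    print(seconds_between_hit_and_login(EVENTS, "batman"), six_letter_song(EVENTS, songs))
```

The regex is the page's own passwd=(?<Password>\w+), and it carries the same caveat: \w+ stops at the first non-word character, so a password such as p@ss! would be captured as p. If the target form accepts such passwords, match up to the next & and URL-decode the value instead, otherwise the distinct count in Question 19 undercounts.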

PART 2: Ransomware

After the excitement of yesterday, Alice has started to settle into her new job. Sadly, she realizes her new colleagues may not be the crack cybersecurity team that she was led to believe before she joined. Looking through her incident ticketing queue she notices a “critical” ticket that was never addressed. Shaking her head, she begins to investigate. Apparently on August 24th Bob Smith (using a Windows 10 workstation named we8105desk) came back to his desk after working-out and found his speakers blaring (click below to listen), his desktop image changed (see below) and his files inaccessible.

Alice has seen this before… ransomware. After a quick conversation with Bob, Alice determines that Bob found a USB drive in the parking lot earlier in the day, plugged it into his desktop, and opened up a word document on the USB drive called “Miranda_Tate_unveiled.dotm”. With a resigned sigh she begins to dig into the problem…

Question 1: What was the most likely IPv4 address of we8105desk on 24AUG2016?

The first question is easy. Do the obvious thing: search the index for the hostname and check the src_ip field:

Answer: 192.168.250.100

Question 2:Amongst the Suricata signatures that detected the Cerber malware, which one alerted the fewest number of times?

Here we need the signature field in the left pane. If you don't see it directly, click "more fields" and search for alert or signature. Since Suricata detected the malware, the malware name should appear in the alert, so I add cerber to the search:

index="botsv1" sourcetype="suricata" alert.signature=*cerber*

Don't forget that we need the signature ID. Checking the left pane again, there is a field named suricata_signature_id. All of those signatures alerted on the presence of the ransomware, so I use stats to count alerts per signature ID and take the one that fired the fewest times.

Answer: 2816763

Question 3: What fully qualified domain name (FQDN) does the Cerber ransomware attempt to direct the user to at the end of its encryption phase?

index="botsv1" sourcetype="stream:dns" src_ip="192.168.250.100" record_type=A

This gives us every A-record lookup originating from this IP address.

There is a lot of legitimate noise, so we exclude known-good domains (a whitelist) to narrow the result:

index="botsv1" sourcetype="stream:dns" src_ip="192.168.250.100" record_type=A NOT (query{}=*.microsoft.com OR query{}=*.waynecorpinc.local OR query{}=*.bing.com OR query{}=*.isatap OR query{}=*.wpad OR query{}=*.windows.com OR query{}=*.msftncsi.com)
| table _time, query{} src dest

The answer is the last domain looked up: the page the victim is sent to in order to pay the ransom.

Answer: cerberhhyed5frqa.xmfir0.win

Question 4: What was the first suspicious domain visited by we8105desk on 24AUG2016?

We can use the previous question's query for this one too; the answer is the earliest suspicious name in the result (remember that Splunk lists events newest first, so it is at the bottom of the table).

Answer: solidaritedeproximite.org
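The exclusion list in the two DNS queries above is the whole method for Questions 3 and 4. Here it is as an added Python example (not from the original post or the lab) over constructed stream:dns-style records: it reproduces the page's exclusions, orders the remaining queries oldest first, and shows the one check that is easy to get wrong when such a list is rewritten outside Splunk. A domain has to be matched on its suffix with a dot boundary, not as a substring, or a lookalike such as microsoft.com.evil.example (invented for this example) slips through as trusted.

```python
from datetime import datetime

# Constructed stream:dns-style records (_time, query) for we8105desk; these are
# not events from the BOTSv1 index. "microsoft.com.evil.example" is an invented
# lookalike that a substring match would wrongly treat as Microsoft.
DNS_EVENTS = [
    {"_time": "2016-08-24T16:40:01Z", "query": "wpad.waynecorpinc.local"},
    {"_time": "2016-08-24T16:40:05Z", "query": "solidaritedeproximite.org"},
    {"_time": "2016-08-24T16:40:09Z", "query": "www.bing.com"},
    {"_time": "2016-08-24T16:40:10Z", "query": "time.windows.com."},
    {"_time": "2016-08-24T16:41:30Z", "query": "microsoft.com.evil.example"},
    {"_time": "2016-08-24T16:55:00Z", "query": "cerberhhyed5frqa.xmfir0.win"},
]

# The same exclusions as the page's NOT (query{}=*.microsoft.com OR ...) clause.
ALLOWLIST = ("microsoft.com", "waynecorpinc.local", "bing.com", "isatap",
             "wpad", "windows.com", "msftncsi.com")


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.lower().rstrip(".")


def is_allowlisted(name, allowlist=ALLOWLIST):
    """True only if name is a known-good domain or a subdomain of one.
    Plain endswith(suffix) would accept 'notmicrosoft.com'; a substring test
    would accept 'microsoft.com.evil.example'. The '.' boundary prevents both."""
    n = normalize(name)
    return any(n == s or n.endswith("." + s) for s in allowlist)


def suspicious_queries(events):
    """Queries that survive the exclusion list, oldest first. Splunk shows
    newest first, so there the 'first' domain sits at the bottom of the table."""
    kept = [(datetime.strptime(e["_time"], "%Y-%m-%dT%H:%M:%SZ"), normalize(e["query"]))
            for e in events if not is_allowlisted(e["query"])]
    return [q for _, q in sorted(kept)]


def first_and_last_suspicious(events):
    """(first suspicious domain, last suspicious domain): Question 4 and Question 3."""
    qs = suspicious_queries(events)
    return (qs[0], qs[-1]) if qs else (None, None)


if __name__ == "__main__":
    for q in suspicious_queries(DNS_EVENTS):
        print(q)
    print(first_and_last_suspicious(DNS_EVENTS))
```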

Question 5: During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length of the value of this field?

We need to search through executed processes, so the sourcetype is the Sysmon operational log and the events are the process-creation ones (EventCode=1). The field the question describes is CommandLine: the launching executable followed by the whole script. As with the passwords earlier, an eval with len() on that field gives its length.

Answer: 4490

Question 6:What is the name of the USB key inserted by Bob Smith?

Here we search the WinRegistry sourcetype, because the Windows registry records information about removable drives. To find a USB device's name, look for the FriendlyName registry value; it is written every time you plug in a USB device or other hardware.

Answer: MIRANDA_PRI

Question 7: Bob Smith’s workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IPv4 address of the file server?

We keep looking at the Sysmon events, because Sysmon also records network connections. Normally, in Windows event logs or Sysmon logs it is better to pivot on host names rather than IP addresses, but I try both to see which works better.

First I add src_host to my search.

The dest field shows me a hostname, but I am not sure it is the file server, so I extend my search.

What I did here is look for the destination IP that got the most hits from the infected host. The result shows 2 IPs with many connections from the same source, so I edit my query again to be sure of the answer.

I changed the sourcetype to search the Windows registry and searched directly for fileshare. The result has an entry for 192.168.250.20 (the one with the highest number of connections) referencing the file share, and it is repeated across the events. So I can conclude that this is the IP of the file server.

Answer: 192.168.250.20

Question 8:How many distinct PDFs did the ransomware encrypt on the remote file server?

So now I know the ransomware talked to the remote file server and did something there. That means switching the sourcetype to the Windows event logs. This is the starter query to see what I can get:

index=botsv1 sourcetype=*win* pdf

Next I add the file server and the source IP to my search:

Now, to find the number of distinct PDFs, I use the Relative_Target_Name field I found in the events and count with stats (dc() rather than count, since the same file shows up in more than one event):

I used Relative_Target_Name because that is the field name as it appears in the left pane; it is the path of the accessed file relative to the share, from the Windows Security share-access events.

Answer: 257

Question 9: The VBscript found in question 204 (Question 5 above, in the lab's own numbering) launches 121214.tmp. What is the ParentProcessId of this initial launch?

Here I again look in the Windows events, i.e. the Sysmon logs, and search directly for the .tmp file in question. I also require a CommandLine so that only process-creation events come back.

index=botsv1 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" 121214.tmp CommandLine=*

After making sure my query works, I list the launches oldest first and look at the process IDs:

The answer is 3968: that is the ParentProcessId of the earliest launch of 121214.tmp, whose parent is the script host running the .vbs that started the infection.
Answer: 3968
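Finding the ParentProcessId of the first launch is a special case of walking the process tree from Sysmon process-creation events. The following added Python example (not from the original post; the events are constructed with Sysmon field names and invented PIDs and timestamps) picks the earliest launch of a given image and walks ParentProcessId back to the root. The chain WINWORD.EXE, wscript.exe, 121214.tmp in the sample follows the scenario text; PID 3968 is reused from the answer only as sample data. It also handles the case a plain PID lookup gets wrong: a later process that reuses the parent's PID.

```python
from datetime import datetime

# Constructed Sysmon EventCode=1 (process creation) style records. Field names
# follow Sysmon (ProcessId, ParentProcessId, Image); the PIDs, timestamps and
# chain are invented for illustration, not taken from the BOTSv1 index.
PROC_EVENTS = [
    {"_time": "2016-08-24T16:39:50Z", "ProcessId": 2104, "ParentProcessId": 1880,
     "Image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE"},
    {"_time": "2016-08-24T16:40:02Z", "ProcessId": 3968, "ParentProcessId": 2104,
     "Image": "C:\\Windows\\System32\\wscript.exe"},
    {"_time": "2016-08-24T16:40:04Z", "ProcessId": 4012, "ParentProcessId": 3968,
     "Image": "C:\\Users\\bob.smith.WAYNECORPINC\\AppData\\Roaming\\121214.tmp"},
    # The dropper re-launches itself; this second launch has a different parent.
    {"_time": "2016-08-24T16:40:06Z", "ProcessId": 4100, "ParentProcessId": 4012,
     "Image": "C:\\Users\\bob.smith.WAYNECORPINC\\AppData\\Roaming\\121214.tmp"},
    # PID 3968 is reused by an unrelated process later on. A dict keyed on PID
    # alone would return this as the parent of 121214.tmp; the time check below
    # does not.
    {"_time": "2016-08-24T16:45:00Z", "ProcessId": 3968, "ParentProcessId": 600,
     "Image": "C:\\Windows\\System32\\notepad.exe"},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def basename(image):
    """Last path component of a Windows image path."""
    return image.rsplit("\\", 1)[-1]


def launches_of(events, name):
    """All process-creation events for an image basename, oldest first."""
    hits = [e for e in events if basename(e["Image"]).lower() == name.lower()]
    return sorted(hits, key=lambda e: parse_time(e["_time"]))


def initial_parent_pid(events, name):
    """ParentProcessId of the first launch: the page's 'earliest event' answer."""
    launches = launches_of(events, name)
    if not launches:
        raise LookupError(f"no process-creation event for {name}")
    return launches[0]["ParentProcessId"]


def parent_event(events, child):
    """Creation event of the child's parent: same PID as the child's
    ParentProcessId and created no later than the child. Taking the latest
    such event tolerates PID reuse, which a plain PID lookup does not."""
    t_child = parse_time(child["_time"])
    candidates = [e for e in events
                  if e["ProcessId"] == child["ParentProcessId"]
                  and parse_time(e["_time"]) <= t_child]
    return max(candidates, key=lambda e: parse_time(e["_time"]), default=None)


def ancestry(events, child):
    """Image basenames from the child up to the root we have events for."""
    chain = [basename(child["Image"])]
    while True:
        child = parent_event(events, child)
        if child is None:
            return chain
        chain.append(basename(child["Image"]))


if __name__ == "__main__":
    print(initial_parent_pid(PROC_EVENTS, "121214.tmp"))
    for launch in launches_of(PROC_EVENTS, "121214.tmp"):
        print(launch["ProcessId"], " <- ".join(ancestry(PROC_EVENTS, launch)))
```

On a real Sysmon feed the same walk can be done with ParentProcessGuid, which Sysmon generates to be unique and avoids the PID-reuse problem altogether; the time check above is the fallback when only PIDs are available.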

Question 10: The Cerber ransomware encrypts files located in Bob Smith’s Windows profile. How many .txt files does it encrypt?

So I need statistics about what the ransomware did to files on the machine, which means looking at the Sysmon event codes that concern files.

index=botsv1 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host=we8105desk

Among the event codes we have 2, which is Sysmon's "file creation time changed" event (not file creation itself, which is Event ID 11); it fires here because the encryptor changed the creation time of each file it wrote, so I add it to my search. Now I have an interesting field for the file path, TargetFilename:

I add that to my search too, taking an example filename from the events and turning it into a pattern:

index=botsv1 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host=we8105desk EventCode=2 TargetFilename="C:\\Users\\bob.smith.WAYNECORPINC\*.txt"

Since I was asked for a number, I add stats to my search (a distinct count of TargetFilename, since a file can appear in more than one event), but you can also read the count off the Events tab.

Answer: 406

Question 11:The malware downloads a file that contains the Cerber ransomware cryptor code. What is the name of that file?

Here I am looking for downloads, which means I change my sourcetype to stream:http. I want to see the URLs and how many times each was requested.

mhtr.jpg could be the answer, because we already know the URL visited from the previous questions, but I need to be sure.

I change the sourcetype to suricata, which shows me the IDS logs.

The results correlate: the file was fetched from the same hostname that was queried when the first infection happened (solidaritedeproximite.org).

Answer: mhtr.jpg

Question 12:Now that you know the name of the ransomware’s encryptor file, what obfuscation technique does it likely use?

In the previous question I found that the file carrying the encryptor code is named as a .jpg image. Hiding executable code inside an image file is steganography, so that is the obfuscation technique in use.

Answer: Steganography
