• Donald Ashdown

Boss of the Soc - Splunk

Pre-amble

The focus of this hands on lab will be an APT scenario and a ransomware scenario. You assume the persona of Alice Bluebird, the analyst who has recently been hired to protect and defend Wayne Enterprises against various forms of cyberattack.

In this scenario, reports of the below graphic come in from your user community when they visit the Wayne Enterprises website, and some of the reports reference "P01s0n1vy." In case you are unaware, P01s0n1vy is an APT group that has targeted Wayne Enterprises. Your goal, as Alice, is to investigate the defacement, with an eye towards reconstructing the attack via the Lockheed Martin Kill Chain.



#1

This is a simple question to get you familiar with submitting answers. What is the name of the company that makes the software that you are using for this competition? Just a six-letter word with no punctuation.


The answer here is quite simple. "Splunk"


#2

What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?


From here we simply search for the target domain and we can see immediately we have an IP address from 40.80.148.42 sending requests to our internal IP address of


We see a suspicious query which appears to resemble local file inclusion to reveal the win.ini folder paired with a legitimate query. The destination IP is our internal IP for Imreallybatman.com.



We can also see that the header information reads "Acunetix Web Vulnerability Scanner"




#3

What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, "Microsoft" or "Oracle")


We found the answer in the previous image "Acunetix".


#4

What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as . , ! ? in your answer. We are looking for alpha characters only.)


Again looking in the photos we see it is "Joomla".


#5

What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with the extension (For example, "notepad.exe" or "favicon.ico").


The answer here is quite simple.



#6

This attack used dynamic DNS to resolve to the malicious IP. What is the fully qualified domain name (FQDN) associated with this attack?


We can see the host resolved as prankglassinebracket.jumpingcrab.com in the packet making the get request for the jpeg image used to deface the website.


#7

What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?


We can see in the same packet that the dest_ip is 23.22.63.114. This is the IP hosting the image over port 1337.


#8

Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?


I just ran a who is on the Po1s0n1vy domain for this. We can see it is illian@po1s0n1vy


That did not work, so further investigation revealed another email which did work.


#9

What IP address is likely attempting a brute force password attack against imreallynotbatman.com?


With some playing around in the splunk search filters I finally found a sign of bruteforcing. Drilling down into the events showed the host was 23.22.63.114.



#10

What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, "notepad.exe" or "favicon.ico")




#11

What is the MD5 hash of the executable uploaded?


I really struggled with this and referenced this Splunk document here.

MD5 hash of an uploaded file - Splunk Lantern



3791.exe AND sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" AND md5


#12

GCPD reported that common TTP (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear-phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy's initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.


Running the ip address 23.22.63.114 on virus total provides the malicious files which have been documented in the public domain.


#13

What is the special hex code associated with the customized malware discussed in question 12? (Hint: It's not in Splunk)


This answer was found in the community tab on virus total.

53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21


17 views0 comments