For this question, I first thought about the protocol that comes with CMS which is of course over HTTP/s. I thin filtered for results related to imreallynotbatman and http as seen in the query below.

imreallynotbatman sourcetype="stream:http"

We can see the CMS in the first search result, in the src_content below.

You might be wondering how you may determine this has you not known joomla was a CMS. The href tag in src_content is a reference pointer to CMS content.

Starting off our query with our website name, we are looking for indicators of scanning on the website. There are a few common patterns you will see when scanning a website, this includes a large volume of GET requests. UDP protocols, and a large number of overall packets.

While we could narrow down based on the above, it is best practice in Splunk to visualize our data. Our sourcetype is of course http since this is a web application being scanned. Visualizing data volume will be our next step. While this lab has relatively few machines talking to our webserver, it could be the case were standard production operations are sending more traffic than an attacker performing web application scanning. For this reason, we will want to measure not only the amount of data from each host to our target, but the amount of data sent back. Finally we evaluate this and sort within a table as seen below.

The query used is below.

• Count: Keeps the count of events.

• Distinct Paths: Adds a distinct count of uri_path to see how many unique URLs are accessed.

• Total Bytes In/Out: Sums up the bytes_in and bytes_out to get a total amount of data transferred.

• Total Bytes: Calculates the total data transferred (sum of bytes in and bytes out).

• Sort: Sorts the results by count in descending order.

• Table: Displays the results in a table format with the selected fields.

The final answer is 40.80.148.42 as seen in the above screenshot with the largest total of bytes in and out.

For this question, I wanted to focus on looking at user agent strings, as it is quite common for vulnerability scanners to identify themselves in the user agent strings, when performing web application vulnerability scanning. The query was quite similar to the previous one.

For this question I want to focus on the hosts that are making large amount of GET requests. Stats will help us see the top IP address making GET requests, and formatting this into a table we can see the first 2 IP addresses are tied to our attacker and our web server which we learned from earlier questions. The 3rd IP made the next largest amount of requests and is indeed our culprit. This can of course be confirmed by diving deep into the GET requests made by this IP and you will see the user names and 404 server responses.

This challenge will lead us to look at POST requests to our known webserver and we can determine the high volume of requests are going to the below URI. From here we use the rex field command to check form data for the password string, followed by some house cleaning via sort_time and then a dedup on the source IP. Finally we make a table of output and see out answer.

The regex which is expressed as rex field can be broken down in the following.

• rex: This is the command used to extract fields from the data.

• field=form_data: This specifies the field from which to extract the data. In this case, it is form_data.

• "passwd=(?<password>\w+)": This is the regular expression pattern used to extract the desired data.

Let's break down the regular expression:

• passwd=: This matches the literal string passwd=.

• (?<password>\w+): This is a named capture group in the regular expression. Here’s what each part means:

• (?<password>...): This defines a named capture group called password. The part of the string that matches the pattern inside the parentheses will be extracted and stored in a new field named password.

• \w+: This matches one or more word characters (letters, digits, and underscores). The \w+ will match the actual password value following passwd= in the form_data field.

In summary, this line of the query extracts the value that follows passwd= in the form_data field and assigns it to a new field called password. For example, if form_data contains passwd=mysecretpassword, the value mysecretpassword will be extracted and stored in the password field.

4o

We can see our first password was 12345678.

This question was a chance to utilize the rare command in Splunk. In the case of a file upload it would be uncommon for the malicious file as apart of the kill chain to be repeatedly uploaded in a standard operating context. I kept this query simple looking for only POST requests. While it is possible the file was uploaded through an application over and encrypted tunnel, we have established the use of HTTP protocol to our server.

Clicking into the 3791.exe file reveals the known attacker of 40.80.148.42. Have a look in the image below.

This question had me thinking about what type of operation would generate an MD5 hash within local logging. I built my query around the file name, and whether the string MD5 was present. This was not sufficient as the MD5 hash value was appearing for many parent processes that called 3791.exe as a child process. I then pivoted to signature_ID's of which only 2 were present and I filtered by the signature with only 1 count.

This question had me thinking back to our list of initial URL's we uncovered from question 2. With the likely URL in our search query, a good next step is to look at POST requests that did not return 404 (Or whatever the invalid credential server response is). Because we are working on HTTP we do not have to worry about encryption/decryption.

Referencing our query in Question 6 we can see the answer. I did remove the dedup command append an exclusion for the original IP, since the answer was not the first IP address in the list as we already used this to answer Question 6.

This question was technically answered but we can challenge ourselves to write a query to list all domains involved. This query shows us all domains tied with the original attacking domain and we can see the below attacker is tied to the pre-staged domains.

Looking at the table from question 12, I started working through the domains.

Looking up 71.39.18.126 within Robtex https://www.robtex.com/ip-lookup/71.39.18.126. Reveals several subdomains tied to this IP. The PTR record is a reverse DNS lookup resolution for this IP address. Keep in mind an IP address can have many PTR records, leading to different domains on the same host.

Researching waynecorpinc.com was a red herring. I then realized I could try searching for the string Po1s0n1vy and sure enough it returned the domain and email associated with. https://www.whoxy.com/po1s0n1vy.com

I also missed some low hanging fruit when searching up the attackers IP on virus total. 23.22.63.114

You are immediately presented with the suspicious domains that lead back to the owner lillian.

This challenge took us over to threat miner, an open source data mining tool. Entering the IP address reveals several files associated with this IP address. Drilling down in the file hash reveals this is malware disguised as a screen saver.

Pass the attacker IP address 23.22.63.114 to ThreatMiner.org and you will see the below files.

Clicking into this hash value reveals the associated malicious file. Passing this hash to hybrid analysis reveals more information if you are interested in diving a little deeper.

This question was revealed in the community tab on virus total, when you search of the sha256 from the previous question. https://www.virustotal.com/gui/file/9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8/detection

I couldn't figure this one out.

Starting back with the basics, we search up the attackers IP address on virus total.

waynecorinc.com

This challenge was solved by taking the query from Question 6 and appending regular expression to only return strings with alphanumeric characters of length 6. We then had to create to a search case to match our results against known Coldplay songs of length 6. index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70" http_method=POST uri=/joomla/Administrator/index.php

| rex field=form_data "passwd=(?<password>[a-zA-Z]{6})"

| sort _time

| search password IN (yellow, clocks)

| dedup password

| table _time src_ip password

This question was tricky and required us to improve upon our Splunk query adding logic to evaluate password length, and then incorporating the avg flag along with stats we were able to visualize this data.

index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70" http_method=POST uri=/joomla/Administrator/index.php

| rex field=form_data "passwd=(?<password>\w+)"

| eval password_length = len(password)

| stats avg(password_length) as avg_password_length

| table avg_password_length

index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70" http_method=POST uri=/joomla/Administrator/index.php

| rex field=form_data "passwd=(?<password>\w+)"

| search password="batman"

| transaction password

| eval timetaken=round(duration, 2)

| table timetaken

This question was really difficult and we had to incorporate the transaction command to group together the timestamps of all events containing password. We then called eval on round with a 2 decimal duration and pop it into a table.

This was a relaxing question in which we simply trimmed down our initial query.

index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70" http_method=POST uri="/joomla/Administrator/index.php"

| rex field=form_data "passwd=(?<password>\w+)"

| dedup password

| table password

index=botsv1 sourcetype=stream:dns "query_type{}"=A "query{}"!="demo-01" "query{}"!="*microsoft*" "query{}"!="*windows*"

| dedup query{}

| table query{}

| sort +query{}

we8105desk

earliest="8/24/2016:10:00:00" latest="8/24/2016:23:00:00"

cerber AND alert AND 192.168.250.100

I started off with a simple query, since we knew the file name I paired the CommandLine strings and then proceeded to review the parent images. We know that the malware was a vbscript. Wscript.exe is a windows based interpreter for VB and JSscript. 121214.tmp AND CommandLine

Pivoting into C:\Windows\SysWOW64\wscript.exe we then capture the parent process id for our answer.

CommandLine host=we8105desk

| eval length=len(CommandLine)

| sort by -length

Pasting this script into notepad ++ provides us the overall length which is of course the answer. However it also set's off windows defender 🤣🤣🤣

index=* sourcetype=suricata http_method="GET" src_ip="192.168.250.100" earliest="8/24/2016:10:00:00" latest="8/24/2016:23:00:00"

| stats sum(bytes) as bytes by http.url

| table bytes, http.url

| sort -bytes

This was one was second nature to me from participating in CTFs. Steganography is a common theme and challenge format in CTFS.

index=botsv1 sourcetype=WinRegistry friendlyname

| eval usb_activity=if(match(registry_key_path, "USB"), "Connected", "Other Activity")

| stats count by registry_value_data,

earliest="08/24/2016:00:00:00" latest="08/24/2016:23:59:59" sourcetype="stream:dns" src_ip="192.168.250.100" dest_port="*" transport=udp "query_type{}"=A

| table query{}, timestamp

| sort timestamp