
Incident Handling with Splunk - THM Series - Phase 1/6 Reconnaissance

Note - You can view my video writeup here ----> https://youtu.be/RuRM0PWodC8


This room covers an incident handling scenario using Splunk. From a security perspective, an incident is defined as follows: "Any event or action that has a negative consequence on the security of a user/computer or an organization is considered a security incident." Below are a few events that would negatively affect the environment if they occurred:

  • Crashing the system

  • Execution of an unwanted program

  • Access to sensitive information from an unauthorized user

  • A Website being defaced by the attacker

  • Use of USB devices when company policy restricts their usage

Learning Objectives

  • Learn how to leverage OSINT sites during an investigation

  • How to map Attacker's activities to Cyber Kill Chain Phases

  • How to utilize effective Splunk searches to investigate logs

  • Understand the importance of host-centric and network-centric log sources


In this exercise, we will investigate a cyber attack in which the attacker defaced an organization's website. This organization has Splunk set up as its SIEM solution. Our task as a Security Analyst is to investigate this cyber attack and map the attacker's activities to all 7 phases of the Cyber Kill Chain. It is important to note that we don't need to follow the sequence of the Cyber Kill Chain during the investigation: a finding in one phase will lead to another finding that may map to some other phase.



Cyber Kill Chain

Scenario

A Big corporate organization Wayne Enterprises has recently faced a cyber-attack where the attackers broke into their network, found their way to their web server, and have successfully defaced their website http://www.imreallynotbatman.com. Their website is now showing the trademark of the attackers with the message YOUR SITE HAS BEEN DEFACED as shown below.




Reconnaissance Activity Detection

Reconnaissance is an attempt to discover and collect information about a target. It could be knowledge about the system in use, the web application, employees or location, etc.


Answer the questions below


Please note: if you are looking for the quick answers, refer to the graphic in the original post, which has the short and sweet version.




Summary Questions

  • One suricata alert highlighted the CVE value associated with the attack attempt. What is the CVE value?


  • What is the CMS our web server is using?


  • What is the web scanner the attacker used to perform the scanning attempts?


  • What is the IP address of the server imreallynotbatman.com?



1. One Suricata alert highlighted the CVE value associated with the attack attempt. What is the CVE value?

  • Select the alert.signature field

  • Append "cve" to our search query to narrow down the Suricata alert.signature values

This is an interesting question, as I do not think you could do this with the regular Splunk system. I believe the Suricata extension needs to be added in order to receive a CVE feed via Suricata.

When we ultimately search for the string "cve", we will see the Suricata engine aggregating CVE-related activity.


Final Query:

index=* sourcetype=suricata src=40.80.148.42 imreallynotbatman.com AND cve
| table alert.signature



2. What is the CMS our web server is using?

  • Clear "cve" from the search query

  • Review the first alert with event_type = fileinfo

  • An alternative is to view the URI or URL strings

The CMS in use can be discovered by viewing the http.url field, which discloses the joomla directory. Alternatively, the "fileinfo" events reveal the use of /joomla/ as well.


Final Query:

index=* sourcetype=suricata src=40.80.148.42 imreallynotbatman.com
| table http.url



3. What is the web scanner the attacker used to perform the scanning attempts?

  • Add the HTTP User Agent Field

  • Include the source IP of our attacker

This question was tricky as I had no experience with VA scanning discovery. I know some tools like Nessus, Nexpose and Greenbone can sometimes be identified by looking at their web scanning activity, and sometimes there will be a self-identifying directory in a GET request. But otherwise, I felt like I would have to rely on user agent strings. I was not expecting straightforward identifiers, but I saw Acunetix and went with it. I am not sure if this is normal behaviour by Acunetix, however.


Final Query:

index=* sourcetype=suricata src=40.80.148.42 imreallynotbatman.com
| stats count by http_user_agent



4. What is the IP address of the server imreallynotbatman.com?

  • Check the destination IP of any event with the source IP of our attacker

This was super simple, as we had gathered all the information required in the previous three questions, allowing us to cross the finish line here.


Final Query:

index=* sourcetype=suricata src=40.80.148.42 imreallynotbatman.com
| stats count by dest_ip
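The four searches above all filter Suricata events to one source IP and one hostname and then pull a single field out of them. As an added example (not code from the original post, the TryHackMe room or Suricata itself), the Python below replays those four checks outside Splunk over raw Suricata EVE JSON lines, which is what the Splunk add-on ingests. It goes a little beyond the post: the CMS check recognises a few common CMS path markers rather than only /joomla/, and the user-agent check flags any of the scanner names the post mentions. Field names assume Suricata's native eve.json schema (src_ip, dest_ip, event_type, alert.signature, http.url, http.http_user_agent), which the Splunk app renames to src, dest_ip, http_user_agent and so on. The log lines are constructed samples: the CVE id, the destination IP and the user agent strings are placeholders, not the room's answers.

```python
"""Replay of the four reconnaissance checks over Suricata EVE JSON records.

Added example; not code from the original post or from TryHackMe. The sample
lines below are constructed. The CVE id, destination IP and user agent strings
are placeholders, not values from the room.
"""
import json
import re
from collections import Counter

# Constructed eve.json sample (NDJSON: one JSON object per line). Three events
# from the scanning host and one from an unrelated visitor.
SAMPLE_EVE = """\
{"timestamp":"2023-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"40.80.148.42","dest_ip":"192.0.2.10","proto":"TCP","alert":{"signature":"ET WEB_SERVER Possible Joomla exploit attempt (CVE-1234-5678)","category":"Web Application Attack"},"http":{"hostname":"imreallynotbatman.com","url":"/joomla/index.php/component/search/","http_user_agent":"Mozilla/5.0 (acunetix-wvs-test)"}}
{"timestamp":"2023-01-01T10:00:02.000000+0000","event_type":"http","src_ip":"40.80.148.42","dest_ip":"192.0.2.10","proto":"TCP","http":{"hostname":"imreallynotbatman.com","url":"/joomla/administrator/index.php","http_user_agent":"Mozilla/5.0 (acunetix-wvs-test)"}}
{"timestamp":"2023-01-01T10:00:03.000000+0000","event_type":"fileinfo","src_ip":"40.80.148.42","dest_ip":"192.0.2.10","proto":"TCP","http":{"hostname":"imreallynotbatman.com","url":"/joomla/templates/protostar/css/template.css","http_user_agent":"Mozilla/5.0 (acunetix-wvs-test)"},"fileinfo":{"filename":"/joomla/templates/protostar/css/template.css","size":4096}}
{"timestamp":"2023-01-01T10:01:00.000000+0000","event_type":"http","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","proto":"TCP","http":{"hostname":"imreallynotbatman.com","url":"/joomla/","http_user_agent":"Mozilla/5.0 (Windows NT 10.0) Firefox/48.0"}}
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}", re.IGNORECASE)

# URL path markers that identify common CMSs; /joomla/ is the one the post found.
CMS_MARKERS = {
    "/joomla/": "Joomla",
    "/wp-content/": "WordPress",
    "/wp-admin/": "WordPress",
    "/sites/default/": "Drupal",
}

# Scanner names the post mentions, matched case-insensitively in user agents.
SCANNER_MARKERS = ("acunetix", "nessus", "nexpose", "greenbone")


def parse_eve(text):
    """Parse NDJSON, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line should not stop the whole replay
    return events


def filter_events(events, src_ip=None, hostname=None):
    """Equivalent of `src=40.80.148.42 imreallynotbatman.com` in the searches."""
    out = []
    for ev in events:
        if src_ip and ev.get("src_ip") != src_ip:
            continue
        if hostname and ev.get("http", {}).get("hostname") != hostname:
            continue
        out.append(ev)
    return out


def cves_in_alerts(events):
    """Q1: CVE ids named in alert.signature (`AND cve | table alert.signature`)."""
    found = set()
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        sig = ev.get("alert", {}).get("signature", "")
        found.update(m.upper() for m in CVE_RE.findall(sig))
    return sorted(found)


def cms_from_urls(events):
    """Q2: count CMS path markers seen in http.url; the top entry is the CMS."""
    hits = Counter()
    for ev in events:
        url = ev.get("http", {}).get("url", "").lower()
        for marker, cms in CMS_MARKERS.items():
            if marker in url:
                hits[cms] += 1
                break
    return hits


def user_agent_counts(events):
    """Q3: `stats count by http_user_agent`."""
    return Counter(ev["http"].get("http_user_agent", "")
                   for ev in events if "http" in ev)


def scanner_user_agents(events):
    """Q3: map each user agent that names a known scanner to that scanner."""
    flagged = {}
    for ua in user_agent_counts(events):
        for marker in SCANNER_MARKERS:
            if marker in ua.lower():
                flagged[ua] = marker
    return flagged


def dest_ip_counts(events):
    """Q4: `stats count by dest_ip`."""
    return Counter(ev.get("dest_ip") for ev in events)


if __name__ == "__main__":
    evs = filter_events(parse_eve(SAMPLE_EVE), src_ip="40.80.148.42",
                        hostname="imreallynotbatman.com")
    print("events from attacker:", len(evs))
    print("CVEs in alerts:", cves_in_alerts(evs))
    print("CMS markers:", cms_from_urls(evs).most_common())
    print("user agents:", user_agent_counts(evs).most_common())
    print("scanner UAs:", scanner_user_agents(evs))
    print("destination IPs:", dest_ip_counts(evs).most_common())
```

The script reads the whole sample from a string; pointing parse_eve at the contents of a real eve.json gives the same four answers for that capture, and the malformed-line handling matters there because a rotated log is often cut mid-record.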

The END


