Splunk

Access https://splunk.elfu.org/ as elf with password elfsocks. What was the message for Kent that the adversary embedded in this attack? The SOC folks at that link will help you along! For hints on achieving this objective, please visit the Laboratory in Hermey Hall and talk with Prof. Banas.

This was an interesting walk-through of Splunk. Splunk is a tool that I have never quite got my head around, in particular how to pull any useful data out of it. However, this objective showed that it was possible.

As I have run out of time for this write-up, I will just summarise my answers to the walk-through:

Training Questions

1. What is the short host name of Professor Banas' computer?

 Answer: sweetums
 Comment: The host name is given in the SOC chat

2. What is the name of the sensitive file that was likely accessed and copied by the attacker? Please provide the fully qualified location of the file. (Example: C:\temp\report.pdf)

 Answer: C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt
 Search: index=main cbanas Santa

3. What is the fully-qualified domain name (FQDN) of the command and control (C2) server? (Example: badguy.baddies.com)

 Answer: 144.202.46.214.vultr.com
 Search: index=main sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational powershell EventCode=3 | top dest
 References: https://www.splunk.com/en_us/blog/security/a-salacious-soliloquy-on-sysmon.html

4. What document is involved with launching the malicious PowerShell code? Please provide just the filename. (Example: results.txt)

 Answer: 19th Century Holiday Cheer Assignment.docm
 Search: index=main sourcetype=WinEventLog EventCode=4688 | eval hex_convert_pid=tonumber(New_Process_ID,16) | search hex_convert_pid = 6268

5. How many unique email addresses were used to send Holiday Cheer essays to Professor Banas? Please provide the numeric value. (Example: 1)

 Answer: 21
 Search: index=main sourcetype=stoq results{}.workers.smtp.subject = "Holiday Cheer Assignment Submission" | table results{}.workers.smtp.from
 Reference: https://stoq.punchcyber.com/

6. What was the password for the zip archive that contained the suspicious file?

 Answer: 123456789
 Search: index=main sourcetype=stoq results{}.payload_meta.extra_data.filename="19th Century Holiday Cheer Assignment.docm" | table results{}.workers.smtp.body

7. What email address did the suspicious file come from?

 Answer: bradly.buttercups@eifu.org
 Search: index=main sourcetype=stoq results{}.payload_meta.extra_data.filename="19th Century Holiday Cheer Assignment.docm" | table results{}.workers.smtp.from

Challenge Question

What was the message for Kent that the adversary embedded in this attack?

 Search:
 index=main sourcetype=stoq "results{}.workers.smtp.from"="bradly buttercups <bradly.buttercups@eifu.org>"
 | eval results = spath(_raw, "results{}")
 | mvexpand results
 | eval path=spath(results, "archivers.filedir.path"), filename=spath(results, "payload_meta.extra_data.filename"), fullpath=path."/".filename
 | search fullpath!=""
 | table filename,fullpath
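To make the spath/mvexpand logic of that search (and the unique-sender count from training question 5) concrete outside Splunk, here is an added Python example that is not part of the original write-up. It walks a list of constructed stoQ-style JSON events; the nested field names are assumed to mirror the "results{}.workers.smtp.*" and "results{}.archivers.filedir.path" keys used by the searches above, and the sample records (addresses, the .docm archive path) are invented apart from the core.xml path taken from this write-up.

```python
import json

# Constructed stoQ-style events (assumption: nested keys mirror the field names the
# SPL searches above use; these are illustrative records, not data from the index).
SAMPLE_EVENTS = [
    json.dumps({"results": [
        {"workers": {"smtp": {"subject": "Holiday Cheer Assignment Submission",
                              "from": "alice.snow <alice.snow@example.org>"}}}]}),
    json.dumps({"results": [
        {"workers": {"smtp": {"subject": "Holiday Cheer Assignment Submission",
                              "from": "bob.frost <bob.frost@example.org>"}}}]}),
    json.dumps({"results": [  # the same sender submitting twice must count once
        {"workers": {"smtp": {"subject": "Holiday Cheer Assignment Submission",
                              "from": "alice.snow <alice.snow@example.org>"}}}]}),
    json.dumps({"results": [
        {"workers": {"smtp": {"subject": "Holiday Cheer Assignment Submission",
                              "from": "bradly buttercups <bradly.buttercups@eifu.org>"}}},
        # archive path for the .docm is a constructed placeholder
        {"payload_meta": {"extra_data": {"filename": "19th Century Holiday Cheer Assignment.docm"}},
         "archivers": {"filedir": {"path": "/home/ubuntu/archive/0/1/2/3/4/0123456789abcdef"}}},
        # the core.xml path is the one recovered in this write-up
        {"payload_meta": {"extra_data": {"filename": "core.xml"}},
         "archivers": {"filedir": {"path": "/home/ubuntu/archive/f/f/1/e/a/ff1ea6f13be3faabd0da728f514deb7fe3577cc4"}}},
        # a payload stoQ did not archive: no archivers.filedir.path, so no fullpath
        {"payload_meta": {"extra_data": {"filename": "[Content_Types].xml"}}},
    ]}),
]


def spath(obj, path):
    """Minimal analogue of Splunk's spath(): follow a dotted path through nested
    dicts and return None as soon as any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def archived_files(raw_event):
    """Equivalent of: eval results=spath(_raw,"results{}") | mvexpand results
    | eval path=..., filename=..., fullpath=path."/".filename
    | search fullpath!="" | table filename,fullpath

    Iterating over the results list is the mvexpand; rows with a null path or
    filename are dropped, just as a null fullpath fails the search filter."""
    rows = []
    for result in json.loads(raw_event).get("results", []):
        path = spath(result, "archivers.filedir.path")
        filename = spath(result, "payload_meta.extra_data.filename")
        if path and filename:
            rows.append((filename, f"{path}/{filename}"))
    return rows


def unique_senders(raw_events, subject):
    """Training question 5 in code: count distinct smtp.from values among results
    whose subject matches exactly (a set does the deduplication)."""
    senders = set()
    for raw in raw_events:
        for result in json.loads(raw).get("results", []):
            if spath(result, "workers.smtp.subject") == subject:
                sender = spath(result, "workers.smtp.from")
                if sender:
                    senders.add(sender)
    return len(senders)


if __name__ == "__main__":
    print("unique senders:", unique_senders(SAMPLE_EVENTS, "Holiday Cheer Assignment Submission"))
    for filename, fullpath in archived_files(SAMPLE_EVENTS[3]):
        print(f"{filename:45s} {fullpath}")
```

Running it prints 3 unique senders and two archived-file rows; the unarchived [Content_Types].xml entry is filtered out exactly as it would be by the fullpath!="" clause.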

This shows a list of files; the one I am interested in is core.xml:

/home/ubuntu/archive/f/f/1/e/a/ff1ea6f13be3faabd0da728f514deb7fe3577cc4/core.xml

Now, browsing to http://elfu-soc.s3-website-us-east-1.amazonaws.com/?prefix=stoQ%20Artifacts/home/ubuntu/archive/f/f/1/e/a/ causes core.xml to download:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
    xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:dcterms="http://purl.org/dc/terms/"
    xmlns:dcmitype="http://purl.org/dc/dcmitype/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Holiday Cheer Assignment</dc:title>
  <dc:subject>19th Century Cheer</dc:subject>
  <dc:creator>Bradly Buttercups</dc:creator>
  <cp:keywords></cp:keywords>
  <dc:description>Kent you are so unfair. And we were going to make you the king of the Winter Carnival.</dc:description>
  <cp:lastModifiedBy>Tim Edwards</cp:lastModifiedBy>
  <cp:revision>4</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2019-11-19T14:54:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2019-11-19T17:50:00Z</dcterms:modified>
  <cp:category></cp:category>
</cp:coreProperties>

So the answer is “Kent you are so unfair. And we were going to make you the king of the Winter Carnival.”