Objective 6

Access https://splunk.elfu.org/ as elf with password elfsocks. What was the message for Kent that the adversary embedded in this attack? The SOC folks at that link will help you along! For hints on achieving this objective, please visit the Laboratory in Hermey Hall and talk with Prof. Banas.

This was an interesting walk-through of Splunk. Splunk is a tool I have never quite got my head around when it comes to getting any useful data out of it. However, this objective showed that it was possible.

As I have run out of time for this write-up, I will just summarise my answers to the walk-through:

Training Questions

  1. What is the short host name of Professor Banas' computer?

Done

Answer: sweetums

Comment: This is in the chat.

  2. What is the name of the sensitive file that was likely accessed and copied by the attacker? Please provide the fully qualified location of the file. (Example: C:\temp\report.pdf)

Done

Answer: C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt

Search: index=main cbanas Santa

  3. What is the fully-qualified domain name (FQDN) of the command and control (C2) server? (Example: badguy.baddies.com)

Done

Answer: 144.202.46.214.vultr.com

Search: index=main sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational powershell EventCode=3 | top dest

References: https://www.splunk.com/en_us/blog/security/a-salacious-soliloquy-on-sysmon.html

  4. What document is involved with launching the malicious PowerShell code? Please provide just the filename. (Example: results.txt)

Done

Answer: 19th Century Holiday Cheer Assignment.docm

Search: index=main sourcetype=WinEventLog EventCode=4688 | eval hex_convert_pid=tonumber(New_Process_ID,16) | search hex_convert_pid = 6268

  5. How many unique email addresses were used to send Holiday Cheer essays to Professor Banas? Please provide the numeric value. (Example: 1)

Done

Answer: 21

Search: index=main sourcetype=stoq results{}.workers.smtp.subject = "Holiday Cheer Assignment Submission" | table results{}.workers.smtp.from

Reference: https://stoq.punchcyber.com/

  6. What was the password for the zip archive that contained the suspicious file?

Done

Answer: 123456789

Search: index=main sourcetype=stoq results{}.payload_meta.extra_data.filename="19th Century Holiday Cheer Assignment.docm" | table results{}.workers.smtp.body

  7. What email address did the suspicious file come from?

Done

Answer: bradly.buttercups@eifu.org

Search: index=main sourcetype=stoq results{}.payload_meta.extra_data.filename="19th Century Holiday Cheer Assignment.docm" | table results{}.workers.smtp.from

Challenge Question

What was the message for Kent that the adversary embedded in this attack?

Search:

index=main sourcetype=stoq "results{}.workers.smtp.from"="bradly buttercups <bradly.buttercups@eifu.org>" | eval results = spath(_raw, "results{}")
| mvexpand results
| eval path=spath(results, "archivers.filedir.path"), filename=spath(results, "payload_meta.extra_data.filename"), fullpath=path."/".filename
| search fullpath!=""
| table filename,fullpath

This shows a list of files, but the one I am interested in is core.xml:

/home/ubuntu/archive/f/f/1/e/a/ff1ea6f13be3faabd0da728f514deb7fe3577cc4/core.xml

Now, browsing to http://elfu-soc.s3-website-us-east-1.amazonaws.com/?prefix=stoQ%20Artifacts/home/ubuntu/archive/f/f/1/e/a/ causes core.xml to download:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
    xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:dcterms="http://purl.org/dc/terms/"
    xmlns:dcmitype="http://purl.org/dc/dcmitype/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Holiday Cheer Assignment</dc:title>
  <dc:subject>19th Century Cheer</dc:subject>
  <dc:creator>Bradly Buttercups</dc:creator>
  <cp:keywords></cp:keywords>
  <dc:description>Kent you are so unfair. And we were going to make you the king of the Winter Carnival.</dc:description>
  <cp:lastModifiedBy>Tim Edwards</cp:lastModifiedBy>
  <cp:revision>4</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2019-11-19T14:54:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2019-11-19T17:50:00Z</dcterms:modified>
  <cp:category></cp:category>
</cp:coreProperties>

So the answer is “Kent you are so unfair. And we were going to make you the king of the Winter Carnival.”

Congratulations

Answer

The Answer is “Kent you are so unfair. And we were going to make you the king of the Winter Carnival.”