Access https://splunk.elfu.org/ as elf with password elfsocks. What was the message for Kent that the adversary embedded in this attack? The SOC folks at that link will help you along! For hints on achieving this objective, please visit the Laboratory in Hermey Hall and talk with Prof. Banas.
This was an interesting walk-through of Splunk. Splunk is a tool that I have never quite got my head around when it comes to getting useful data out of it. However, this objective showed that it was possible.
As I have run out of time for this write-up, I will just summarise my answers to the walk-through:
Training Questions
- What is the short host name of Professor Banas' computer?
Done
Answer: sweetums
Comment: This is in the chat
- What is the name of the sensitive file that was likely accessed and copied by the attacker? Please provide the fully qualified location of the file. (Example: C:\temp\report.pdf)
Done
Answer: C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt
Search: index=main cbanas Santa
- What is the fully-qualified domain name (FQDN) of the command and control (C2) server? (Example: badguy.baddies.com)
Done
Answer: 144.202.46.214.vultr.com
Search: index=main sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational powershell EventCode=3 | top dest
Reference: https://www.splunk.com/en_us/blog/security/a-salacious-soliloquy-on-sysmon.html
- What document is involved with launching the malicious PowerShell code? Please provide just the filename. (Example: results.txt)
Done
Answer: 19th Century Holiday Cheer Assignment.docm
Search: index=main sourcetype=WinEventLog EventCode=4688 | eval hex_convert_pid=tonumber(New_Process_ID,16) | search hex_convert_pid = 6268
Comment: Windows Security event 4688 records New_Process_ID as a hex string (0x...), whereas Sysmon records process IDs in decimal, so the PID has to be converted before it can be matched against 6268.
- How many unique email addresses were used to send Holiday Cheer essays to Professor Banas? Please provide the numeric value. (Example: 1)
Done
Answer: 21
Search: index=main sourcetype=stoq results{}.workers.smtp.subject = "Holiday Cheer Assignment Submission" | table results{}.workers.smtp.from
Reference: https://stoq.punchcyber.com/
- What was the password for the zip archive that contained the suspicious file?
Done
Answer: 123456789
Search: index=main sourcetype=stoq results{}.payload_meta.extra_data.filename="19th Century Holiday Cheer Assignment.docm" | table results{}.workers.smtp.body
- What email address did the suspicious file come from?
Done
Answer: bradly.buttercups@eifu.org
Search: index=main sourcetype=stoq results{}.payload_meta.extra_data.filename="19th Century Holiday Cheer Assignment.docm" | table results{}.workers.smtp.from
Challenge Question
What was the message for Kent that the adversary embedded in this attack?
Search:
index=main sourcetype=stoq "results{}.workers.smtp.from"="bradly buttercups <bradly.buttercups@eifu.org>" | eval results = spath(_raw, "results{}")
| mvexpand results
| eval path=spath(results, "archivers.filedir.path"), filename=spath(results, "payload_meta.extra_data.filename"), fullpath=path."/".filename
| search fullpath!=""
| table filename,fullpath
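To make the spath/mvexpand logic above concrete, here is an added Python equivalent that is not part of the original write-up. It walks a constructed stoQ-style event whose nesting is assumed from the field names the search references (results{}.archivers.filedir.path, results{}.payload_meta.extra_data.filename, results{}.workers.smtp.from); every value except the core.xml archive path is made up for the example.

```python
import json
from typing import List, Optional, Tuple

# Constructed stoQ-style event. The nesting follows the field names used in
# the Splunk search; every value except the core.xml archive path is made up.
STOQ_EVENT = json.dumps({
    "results": [
        {   # the e-mail itself: carries sender metadata but no archived file
            "workers": {"smtp": {
                "from": "bradly buttercups <bradly.buttercups@eifu.org>",
                "subject": "Holiday Cheer Assignment Submission",
            }},
            "payload_meta": {"extra_data": {}},
        },
        {   # the attachment, archived to disk under a constructed directory
            "payload_meta": {"extra_data": {"filename": "19th Century Holiday Cheer Assignment.docm"}},
            "archivers": {"filedir": {"path": "/home/ubuntu/archive/0/0/0/0/0/constructed-example-dir"}},
        },
        {   # a part that was extracted but never archived: no path, so no fullpath
            "payload_meta": {"extra_data": {"filename": "document.xml"}},
        },
        {   # the metadata part whose archive path appears in the write-up
            "payload_meta": {"extra_data": {"filename": "core.xml"}},
            "archivers": {"filedir": {"path": "/home/ubuntu/archive/f/f/1/e/a/ff1ea6f13be3faabd0da728f514deb7fe3577cc4"}},
        },
    ]
})


def sender_of(event: dict) -> Optional[str]:
    """First results{}.workers.smtp.from value, as the search's filter reads it."""
    for result in event.get("results", []):
        sender = result.get("workers", {}).get("smtp", {}).get("from")
        if sender:
            return sender
    return None


def full_paths(event_json: str, sender: Optional[str] = None) -> List[Tuple[str, str]]:
    """Python equivalent of:
         eval results=spath(_raw,"results{}") | mvexpand results
         | eval fullpath=path."/".filename | search fullpath!="" | table filename,fullpath
    """
    event = json.loads(event_json)
    if sender is not None and sender_of(event) != sender:
        return []
    rows = []
    for result in event.get("results", []):        # mvexpand: one row per result
        path = result.get("archivers", {}).get("filedir", {}).get("path")
        filename = result.get("payload_meta", {}).get("extra_data", {}).get("filename")
        # In SPL, concatenating a null field yields null, and `search fullpath!=""`
        # only matches events that actually have the field, so results lacking
        # either piece silently disappear. Mirror that explicitly.
        if not path or not filename:
            continue
        rows.append((filename, f"{path.rstrip('/')}/{filename}"))
    return rows


def find_artifact(event_json: str, name: str) -> Optional[str]:
    """Full archive path of the first result whose filename matches, else None."""
    for filename, fullpath in full_paths(event_json):
        if filename == name:
            return fullpath
    return None


if __name__ == "__main__":
    for filename, fullpath in full_paths(STOQ_EVENT, sender="bradly buttercups <bradly.buttercups@eifu.org>"):
        print(f"{filename:45} {fullpath}")
```

Running it lists only the two results that have both a directory and a filename, which is exactly why the `search fullpath!=""` clause is needed in the SPL: without it the table would show empty rows for the e-mail body and for any part that was extracted but not archived.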
This shows a list of files, but the one I am interested in is core.xml:
/home/ubuntu/archive/f/f/1/e/a/ff1ea6f13be3faabd0da728f514deb7fe3577cc4/core.xml
Now, browsing to http://elfu-soc.s3-website-us-east-1.amazonaws.com/?prefix=stoQ%20Artifacts/home/ubuntu/archive/f/f/1/e/a/ causes core.xml to download:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:dcterms="http://purl.org/dc/terms/"
xmlns:dcmitype="http://purl.org/dc/dcmitype/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Holiday Cheer Assignment</dc:title>
<dc:subject>19th Century Cheer</dc:subject>
<dc:creator>Bradly Buttercups</dc:creator>
<cp:keywords></cp:keywords>
<dc:description>Kent you are so unfair. And we were going to make you the king of the Winter Carnival.</dc:description>
<cp:lastModifiedBy>Tim Edwards</cp:lastModifiedBy>
<cp:revision>4</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2019-11-19T14:54:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2019-11-19T17:50:00Z</dcterms:modified>
<cp:category></cp:category>
</cp:coreProperties>
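As an added example that is not part of the original write-up, the following Python shows where the recovered core.xml lives inside the .docm and how to pull the same fields out of any Office document offline. docProps/core.xml is the Open Packaging core-properties part of every OOXML file (.docx, .docm, .xlsx, .pptx), and the code parses the XML above namespace-aware rather than by matching tag prefixes as strings. The zip it builds is a constructed stand-in for the real attachment and contains only that one part.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Namespaces of the Open Packaging core-properties part (docProps/core.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Core properties to extract, keyed by a short name.
FIELDS = {
    "title": "dc:title",
    "subject": "dc:subject",
    "creator": "dc:creator",
    "keywords": "cp:keywords",
    "description": "dc:description",
    "lastModifiedBy": "cp:lastModifiedBy",
    "revision": "cp:revision",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}

# The core.xml recovered above, embedded here as sample input.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Holiday Cheer Assignment</dc:title>
<dc:subject>19th Century Cheer</dc:subject>
<dc:creator>Bradly Buttercups</dc:creator>
<cp:keywords></cp:keywords>
<dc:description>Kent you are so unfair. And we were going to make you the king of the Winter Carnival.</dc:description>
<cp:lastModifiedBy>Tim Edwards</cp:lastModifiedBy>
<cp:revision>4</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2019-11-19T14:54:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2019-11-19T17:50:00Z</dcterms:modified>
<cp:category></cp:category>
</cp:coreProperties>"""


def parse_core_xml(xml_bytes: bytes) -> Dict[str, Optional[str]]:
    """Extract core properties by qualified name; missing elements map to None, empty ones to ''."""
    # stdlib ElementTree does not fetch external entities, but for documents
    # supplied by an adversary prefer defusedxml.ElementTree, which also rejects
    # entity-expansion bombs.
    root = ET.fromstring(xml_bytes)
    props: Dict[str, Optional[str]] = {}
    for key, qname in FIELDS.items():
        el = root.find(qname, NS)
        props[key] = None if el is None else (el.text or "")
    return props


def build_minimal_docm(core_xml: bytes) -> bytes:
    """Constructed stand-in for the attachment: an OPC zip holding only docProps/core.xml.
    A real .docm also carries [Content_Types].xml, _rels/.rels, word/document.xml and the
    VBA project; they are omitted because only metadata extraction is demonstrated here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def core_properties(office_file: bytes) -> Dict[str, Optional[str]]:
    """Read docProps/core.xml from any OOXML container and parse it.
    The part is conventionally at that path; strictly it is located through the
    core-properties relationship in _rels/.rels, skipped here for brevity.
    Returns {} if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(office_file)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        return parse_core_xml(zf.read("docProps/core.xml"))


def embedded_message(office_file: bytes) -> Optional[str]:
    """The dc:description field, which is where this attack hid its message for Kent."""
    return core_properties(office_file).get("description")


if __name__ == "__main__":
    sample = build_minimal_docm(CORE_XML)
    for key, value in core_properties(sample).items():
        print(f"{key:15} {value!r}")
```

Pointing core_properties at a real attachment (read the .docm bytes from disk and pass them in) gives the same fields without opening the file in Word, which matters when the document also carries a macro.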
So the answer is “Kent you are so unfair. And we were going to make you the king of the Winter Carnival.”
Answer
The answer is “Kent you are so unfair. And we were going to make you the king of the Winter Carnival.”