Splunk2

100 Series questions

Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team. What is the website domain that she visited?

Answer: www.berkbeer.com
Context: Follow the steps provided and you should end up with the following Splunk query

index=botsv2 10.0.2.101 sourcetype="stream:HTTP" "beer" | dedup site | table site

Amber found the executive contact information and sent him an email. What image file displayed the executive’s contact information? Answer example: /path/image.ext

Answer: /images/ceoberk.png
Context: Modify the previous Splunk query and use the field uri_path to build a table; you will get a list of all images from the HTTP requests. Looking at each of the image names, ceoberk.png stands out as belonging to an executive (CEO).

index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" "www.berkbeer.com" | table uri_path

What is the CEO’s name? Provide the first and last name.

Answer: Martin Berk
Context: Searching the sourcetype “stream:smtp” with the keyword “*berkbeer.com” gives 6 results, one of which is an email sent from mberk@berkbeer.com. If you recall the file name ceoberk.png, this is a very strong indicator of a match. Expand the content_body field and you will find that Martin signs his reply with “Martin Berk”.

Splunk query I used: index="botsv2" sourcetype="stream:smtp" "*berkbeer.com"

What is the CEO’s email address?

Answer: mberk@berkbeer.com
Context: As per the previous question, the answer is located in the same Splunk log.

After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee’s email address?

Answer: hbernhard@berkbeer.com
Context: When you read the content of the CEO’s reply, he mentions the name of the employee. Adjust your Splunk query to search for “*bernhard*”, for example: index="botsv2" sourcetype="stream:smtp" "*bernhard*"

What is the name of the file attachment that Amber sent to a contact at the competitor?

Answer: Saccharomyces_cerevisiae_patent.docx
Context: Filter the query by the attach_filename{} field. Example: index="botsv2" sourcetype="stream:smtp" "amber" "attach_filename{}"="Saccharomyces_cerevisiae_patent.docx"

What is Amber’s personal email address?

Answer: ambersthebest@yeastiebeastie.com
Context: Look at the email reply to the employee. Under content_body the text is base64-encoded, as indicated by the field content_transfer_encoding. If you decode the content body with a tool such as https://www.base64decode.org/ you will see Amber’s reply, in which she gives her personal email address.
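The decode step above, as an added example that is not part of the original writeup: a Python helper that decodes a stream:smtp-style content_body according to its content_transfer_encoding and lists the addresses that fall outside the known corporate domains. The event, the sender address and the domain list are constructed for the example.

```python
import base64
import quopri
import re

# Constructed stream:smtp-style event (not real BOTS data): the fields the
# writeup inspects, with the reply body base64-encoded as the capture shows it.
SAMPLE_EVENT = {
    "sender": "aturing@frothly.example",          # constructed sender address
    "receiver": "hbernhard@berkbeer.com",
    "content_transfer_encoding": "base64",
    "content_body": base64.b64encode(
        b"Hello,\r\nPlease reach me at ambersthebest@yeastiebeastie.com "
        b"from now on.\r\nAmber"
    ).decode("ascii"),
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_body(event):
    """Decode content_body according to content_transfer_encoding."""
    body = event.get("content_body", "")
    encoding = event.get("content_transfer_encoding", "7bit").lower()
    if encoding == "base64":
        # Strip whitespace first: captures often wrap the payload at 76 columns.
        raw = base64.b64decode("".join(body.split()))
    elif encoding == "quoted-printable":
        raw = quopri.decodestring(body.encode("ascii", "replace"))
    else:  # 7bit / 8bit / binary: the body is already plain text
        raw = body.encode("utf-8", "replace")
    return raw.decode("utf-8", errors="replace")


def external_addresses(event, known_domains):
    """Addresses in the decoded body whose domain is neither ours nor the
    counterpart's: candidates for a personal mailbox like Amber's."""
    found = set(EMAIL_RE.findall(decode_body(event)))
    return sorted(a for a in found
                  if a.rsplit("@", 1)[1].lower() not in known_domains)
```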


200 Series questions

What version of TOR Browser did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one or more delimiter.

Answer: 7.0.4
Context: Search for “Amber” and tor.exe, then look at the process field and you will see an event showing the Tor installer file name, which carries the version: torbrowser-install-7.0.4_en-US.exe. Splunk search: index="botsv2" amber tor.exe process="torbrowser-install-7.0.4_en-US.exe"

What is the public IPv4 address of the server running www.brewertalk.com?

Answer: 52.42.208.228
Context: Searching sourcetype="stream:http" with the keyword “www.brewertalk.com” and then looking at the dest_ip field, you will find 2 IP addresses; the majority of the traffic involves 172.31.4.249 and 52.42.208.228. Try these 2 IPs for the answer.

Provide the IP address of the system used to run a web vulnerability scan against www.brewertalk.com.

Answer: 45.77.65.211
Context: Using the same query as the previous question, look at the src_ip field; the answer is the one making the most requests. If you want to take it a bit further, look at the form_data for this IP and you will see some SQL injection attempts.

The IP address from Q#2 is also being used by a likely different piece of software to attack a URI path. What is the URI path? Answer guidance: Include the leading forward slash in your answer. Do not include the query string or other parts of the URI. Answer example: /phpinfo.php

Answer: /member.php
Context: Looking at the results for the IP address from the previous answer, look at the URI path.

What SQL function is being abused on the URI path from the previous question?

Answer: updatexml
Context: Look closely at the form_data parameters; at the end of them you will find updatexml, which is an injection attempt.

What brewertalk.com username was maliciously created by a spear phishing attack?

Answer: kIagerfield
Context: Use the query index="botsv2" "www.brewertalk.com" "kevin", then look up the token provided by the hint, 1bc3eab741900ab25c98eee86bf20feb; you will find the cookie value 1502409359 that matches the username kIagerfield in the last event of the search.


300 Series questions

Mallory’s critical PowerPoint presentation on her MacBook gets encrypted by ransomware on August 18. What is the name of this file after it was encrypted?

Answer: Frothly_marketing_campaign_Q317.pptx.crypt
Context: Run the query index="botsv2" mallory host="MACLORY-AIR13" (*.ppt OR *.pptx)

There is a Game of Thrones movie file that was encrypted as well. What season and episode is it?

Answer: S07E02
Context: Run the query index="botsv2" host="MACLORY-AIR13" "GOT*" (GOT = Game of Thrones).

Kevin Lagerfield used a USB drive to move malware onto kutekitten, Mallory’s personal MacBook. She ran the malware, which obfuscates itself during execution. Provide the vendor name of the USB drive Kevin likely used. Answer Guidance: Use time correlation to identify the USB drive.

Answer: Alcor Micro Corp
Context: This one is not easy and requires an outside source to identify the USB vendor. First, run the query index="botsv2" "kutekitten" and look closely at the events; you will find one with eventtype=nix_usb, which indicates USB activity. On the first page you will find a result in raw format that occurred at 8/3/17 6:07:28.000 PM, and if you look closely it contains the USB information "columns":{"model":"Mass Storage","model_id":"6387","removable":"1","serial":"849083BA","usb_address":"1","usb_port":"1","vendor":"Generic","vendor_id":"058f"},"action":"added"}. With this information go to https://devicehunt.com/, select USB, and enter the vendor_id and model_id. It will return Alcor Micro Corp as the vendor.
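The same vendor_id/model_id lookup done offline, as an added example that is not part of the original writeup: a parser for the public usb.ids file format applied to the nix_usb event quoted above. The usb.ids excerpt is a constructed fragment in that file's format, and the event wrapper around the "columns" object is constructed as well.

```python
import re

# Constructed excerpt in the format of the public usb.ids database (a vendor
# line, then tab-indented product lines; class tables follow at the end).
# In practice load the full file, e.g. /usr/share/hwdata/usb.ids on many distros.
USB_IDS_EXCERPT = """\
# Vendors, devices and interfaces. Please keep sorted.
058f  Alcor Micro Corp.
\t6387  Flash Drive
C 00  (Defined at Interface level)
"""

# Constructed osquery-style nix_usb event wrapping the "columns" object quoted
# in the writeup. The "vendor" string is only "Generic"; the ids are what count.
NIX_USB_EVENT = {
    "name": "usb_devices", "hostIdentifier": "kutekitten", "action": "added",
    "columns": {"model": "Mass Storage", "model_id": "6387", "removable": "1",
                "serial": "849083BA", "usb_address": "1", "usb_port": "1",
                "vendor": "Generic", "vendor_id": "058f"},
}

VENDOR_ID = re.compile(r"[0-9a-fA-F]{4}")


def parse_usb_ids(text):
    """Parse usb.ids text into {vendor_id: (vendor_name, {product_id: name})}."""
    vendors, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line.startswith("\t\t"):
            continue                      # comments and interface lines
        if line.startswith("\t"):         # product line under the current vendor
            if current is not None:
                pid, _, pname = line.strip().partition("  ")
                vendors[current][1][pid.lower()] = pname.strip()
        else:                             # vendor line, or a trailing class table
            vid, _, vname = line.partition("  ")
            current = vid.lower() if VENDOR_ID.fullmatch(vid) else None
            if current is not None:
                vendors[current] = (vname.strip(), {})
    return vendors


def identify_usb(event, db):
    """Resolve the vendor_id/model_id pair from a nix_usb event to names."""
    cols = event["columns"]
    vid, pid = cols["vendor_id"].lower(), cols["model_id"].lower()
    vendor_name, products = db.get(vid, ("unknown vendor", {}))
    return {"vendor": vendor_name, "product": products.get(pid, "unknown product"),
            "serial": cols.get("serial"), "action": event.get("action")}
```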

What programming language is at least part of the malware from the question above written in?

Answer: Perl
Context: Working from the previous query, where you located the USB drive details, and looking at the timestamps, you now know that the USB drive was added multiple times between 6:07:28 PM and 6:18:10 PM. This means Kevin must have uploaded the file within this timeframe, plus a minute or so more to run it. So do a broad search with the query index="botsv2" "kutekitten" over 6:07 PM to 6:20 PM. Look closely at the event name field and you will find name=file_events. In the first file_events entry you will find the MD5 hash, which you can search on https://www.virustotal.com/ to get the details of the file, including the programming language (file type).

When was this malware first seen in the wild? Answer Guidance: YYYY-MM-DD

Answer: 2017-01-17
Context: Take a look at the details for the file on VirusTotal.

The malware infecting kutekitten uses dynamic DNS destinations to communicate with two C&C servers shortly after installation. What is the fully-qualified domain name (FQDN) of the first (alphabetically) of these destinations?

Answer: eidk.duckdns.org
Context: Looking at the VirusTotal details you will see a list of DNS resolution domains. Query each until you get a result (in this case eidk.duckdns.org). As the question states, this occurred shortly after the installation of the malware, so use that to narrow it down.

From the question above, what is the fully-qualified domain name (FQDN) of the second (alphabetically) contacted C&C server?

Answer: eidk.hopto.org
Context: Same as above; it is just the second resolved domain that was contacted.


400 Series questions

A Federal law enforcement agency reports that Taedonggang often spear phishes its victims with zip files that have to be opened with a password. What is the name of the attachment sent to Frothly by a malicious Taedonggang actor?

Answer: invoice.zip
Context: Your query should look like index="botsv2" sourcetype="stream:smtp" *.zip, since we know it is an email (so we look at the SMTP stream) and that the file is a zip. Now look at the fields, specifically attach_filename{}; there will be only a single .zip file.

What is the password to open the zip file?

Answer: 912345678
Context: Using the previous query, add the keyword “password”; in the results look at the body of the email, which contains the password provided by the malicious actor.

The Taedonggang APT group encrypts most of their traffic with SSL. What is the “SSL Issuer” that they use for the majority of their traffic? Answer guidance: Copy the field exactly, including spaces.

Answer: C = US
Context: Go back to the 200 Series question for the attacker's IP address, then using the query index="botsv2" sourcetype="stream:TCP" 52.42.208.22 look at the SSL issuer field, which shows C = US, ST = CA, L = San Francisco, O = Splunk, CN = SplunkCommonCA, emailAddress = support@splunk.com. Take only the first part of the value, C = US; C stands for the country.

What unusual file (for an American company) does winsys32.dll cause to be downloaded into the Frothly environment?

Answer: 나는_데이비드를_사랑한다.hwp
Context: Search for the DLL file with index="botsv2" winsys32.dll and you will find that the command-line event shows C:\Windows\system32\ftp.exe" -i -s:winsys32.dll, which tells us FTP was used (the -s: switch makes ftp.exe run commands from a script file, here one disguised as a DLL). Looking at a list of FTP commands, RETR is the command that retrieves a file. Query Splunk for the FTP stream and that method: sourcetype="stream:ftp" method=RETR. The question hints that it is an unusual file, most likely because of the language. If you look at the first result on the list, the file name is in another language.
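The pivot above (an ftp.exe run driven by a script file, then the RETR transfers that follow it) as detection logic, an added example that is not part of the original writeup. The events are constructed in the shape of a process-creation record and stream:ftp records; only the command line and the retrieved file name come from the page, while the host name, the field names, the timestamps and the benign second pair are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed events in the shape of the two sourcetypes the writeup pivots
# between: a Windows process-creation record and stream:ftp records. The
# command line and the retrieved file name are the ones quoted above; host
# names, timestamps and the second (benign) pair are made up for the example.
PROCESS_EVENTS = [
    {"_time": "2017-08-24T14:00:10Z", "host": "WRKSTN-EXAMPLE",
     "CommandLine": '"C:\\Windows\\system32\\ftp.exe" -i -s:winsys32.dll'},
    {"_time": "2017-08-24T14:05:00Z", "host": "WRKSTN-EXAMPLE",
     "CommandLine": '"C:\\Windows\\system32\\ftp.exe" -s:upload_list.txt files.example'},
]
FTP_EVENTS = [
    {"_time": "2017-08-24T14:00:25Z", "src": "WRKSTN-EXAMPLE",
     "method": "RETR", "filename": "나는_데이비드를_사랑한다.hwp"},
    {"_time": "2017-08-24T14:05:30Z", "src": "WRKSTN-EXAMPLE",
     "method": "STOR", "filename": "report.txt"},
]

# ftp.exe -s:<file> runs FTP commands from a script file; a script that is not
# a plain .txt (here a ".dll") is the oddity the writeup spots.
FTP_SCRIPT_RE = re.compile(r'ftp(?:\.exe)?"?\s.*?-s:(?P<script>\S+)', re.IGNORECASE)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def suspicious_ftp_scripts(process_events):
    """Flag ftp.exe -s: runs whose script file does not look like a text file."""
    hits = []
    for ev in process_events:
        m = FTP_SCRIPT_RE.search(ev["CommandLine"])
        if m:
            script = m.group("script").strip('"')
            if not script.lower().endswith(".txt"):
                hits.append({"host": ev["host"], "script": script,
                             "time": datetime.strptime(ev["_time"], TIME_FMT)})
    return hits

def correlate_retrievals(process_events, ftp_events, window=timedelta(minutes=5)):
    """RETR transfers from the same host within the window after a flagged run."""
    results = []
    for hit in suspicious_ftp_scripts(process_events):
        for f in ftp_events:
            t = datetime.strptime(f["_time"], TIME_FMT)
            if (f["src"] == hit["host"] and f["method"] == "RETR"
                    and hit["time"] <= t <= hit["time"] + window):
                # non_ascii_name marks the "unusual file" the question asks about
                results.append({"host": hit["host"], "script": hit["script"], "file": f["filename"],
                                "non_ascii_name": not f["filename"].isascii()})
    return results
```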

What is the first and last name of the poor innocent sap who was implicated in the metadata of the file that executed PowerShell Empire on the first victim’s workstation? Answer example: John Smith

Answer: Ryan Kovar
Context: Look at the VirusTotal link provided here. Look at the author field next to the “magic/description”.

Within the document, what kind of points is mentioned if you found the text?

Answer: cybereasteggs
Context: Take a look at the link provided here and read the text.