[Research] Splunk Practice - Boss Of The SOC v1 Study Notes
2023-01-02
Splunk practice: the site has three challenges (V1, V2, V3); the archive for each can be downloaded from its challenge page.
- Practice site: https://cyberdefenders.org/search/labs/?q=splunk
- Each archive is an .ova file; import it into your hypervisor and note the VM's IP address.
- From the host, open http://x.x.x.x:8000 (x.x.x.x = the VM's IP) and you can start practicing.
- The password for all three archives is: cyberdefenders.org
- OS account/password: vagrant / vagrant
Scenarios:
Scenario 1 (APT):
This hands-on exercise focuses on an APT scenario and a ransomware scenario. You assume the role of Alice Bluebird, an analyst recently hired to protect and defend Wayne Enterprises against various forms of cyber attack.
In this scenario, reports (see figure below) are coming in from your user community about visits to the Wayne Enterprises website, and some of them reference "P01s0n1vy". In case you don't know, P01s0n1vy is an APT group that targets Wayne Enterprises. As Alice, your goal is to investigate the defacement with an eye toward reconstructing the attack along the Lockheed Martin Kill Chain.
Scenario 2 (Ransomware):
In the second scenario, one of your users saw this image on their Windows desktop, claiming that the files on the system have been encrypted and that payment is required to get them back. A machine at Wayne Enterprises appears to be infected with Cerber ransomware, and your goal is to investigate the ransomware with an eye toward reconstructing the attack.
References:
Cyberdefenders.org Boss of the SOC v1 Walkthrough - YouTube
https://www.youtube.com/watch?v=AlD-eJFEaqM
Splunk Boss of The SOC v1 | INE Incident Response Lab #splunk #ine - YouTube
https://www.youtube.com/watch?v=q4LmktgWsRE
With VMware Workstation, connect using the VM's guest IP, for example:
http://192.168.128.134:8000/zh-TW/
Note that it is http, not https. With VirtualBox, connect to http://127.0.0.1:8000/ instead; neither localhost nor the VM guest IP works there.
The VirtualBox versions of v1, v2 and v3 all bind to 127.0.0.1, so do not start the three VMs at the same time.
********************************************************************************
https://cyberdefenders.org/blueteam-ctf-challenges/15
Q1
This is a simple question to get you familiar with submitting answers. What is the name of the company that makes the software that you are using for this competition? Just a six-letter word with no punctuation.
Ans : splunk
********************************************************************************
Q2
What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?
imreallynotbatman => "I'm really not batman".
index=botsv1 sourcetype=stream:http | stats count by src_ip, dest_ip | sort -count
(figure below) Count events by source IP; the source with by far the most requests against the site is the most suspicious, since a vulnerability scanner fires thousands of requests in a short time.
Q2 Ans : 40.80.148.42
********************************************************************************
Q3
What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, "Microsoft" or "Oracle")
From Q2 we know the attacker's scanning source IP is 40.80.148.42 and the scanned domain is imreallynotbatman.com.
index="botsv1" imreallynotbatman.com src_ip="40.80.148.42"
The scanner identifies itself in the raw requests (custom Acunetix-* request headers and the test strings it injects): Acunetix Web Vulnerability Scanner (WVS), a well-known web vulnerability scanner.
Ans : acunetix
********************************************************************************
Q4
What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as . , ! ? in your answer. We are looking for alpha characters only.)
Hints for question #4
Hint #1:
Look for successful (http status code of 200) GET requests from the scanning IP address (identified previously) and inspect the fields related to URL/URI for clues to the CMS in use.
(figure below)
index="botsv1" sourcetype="stream:http" src_ip="40.80.148.42" status=200
| stats count by uri
| sort -count
| head 10
The URIs (paths under /joomla/ and administrator/index.php) give the CMS away. Alternatively, skip the stats clause and just click the uri field in the left-hand field list.
Q4 Ans : joomla
********************************************************************************
Q5
What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with the extension (For example, "notepad.exe" or "favicon.ico").
Hints for question #5 (total points: 250)
Hint #1 (-50):
First find the IP address of the web server hosting imreallynotbatman.com. You may have found this IP during the course of answering the previous few questions.
Hint #2 (-100):
Revealing sourcetypes include stream:http, fgt_utm, and suricata.
Hint #3 (-100):
The key here is searching for events where the IP address of the web server is the source. Because it's a web server, we most often see it as a destination but in this case the intruder took control of the server and pulled the defacement file from an internet site.
From Q2 we know the scanning source IP is 40.80.148.42 and the scanned domain is imreallynotbatman.com; the web server behind that name is 192.168.250.70.
(The revealing event is a stream:http record with src_ip=192.168.250.70 and dest_ip=23.22.63.114: the compromised web server itself fetching the defacement file from the attacker's host, which is why it shows up as the source for once.)
********************************************************************************
Q7
What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?
From Q2 we know the scanning source IP is 40.80.148.42 and the scanned domain is imreallynotbatman.com.
From Q5 we know imreallynotbatman.com is 192.168.250.70.
(figure below) index="botsv1" imreallynotbatman.com, then look at the src_ip field
or
index=botsv1 imreallynotbatman.com sourcetype="stream:http" http_method="POST"
| stats count by src_ip
Three results: 40.80.148.42 is already known and 192.168.250.70 is the server itself, so the remaining source (the answer) is 23.22.63.114.
Q7 Ans : 23.22.63.114
********************************************************************************
Q8
Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?
Hints for question #8
Hint #1:
Malicious IP addresses, like the one in the last question are examples of attacker infrastructure. Infrastructure is often reused by the same group. Use a service like www.robtex.com to determine other domains that are or have been associated with this attacker infrastructure (IP address).
Hint #2:
Use the whois lookup on domaintools.com to iterate through domains associated with this IP and visually search for suspicious email addresses. Your knowledge of Batman will help you here!
The hints point at the sites above; the screenshot below uses VirusTotal instead.
(figure below) Search for 23.22.63.114 on VirusTotal, click SEARCH, then RELATIONS, then click po1s0n1vy.com, which leads to
https://www.virustotal.com/gui/domain/po1s0n1vy.com/details
Near the bottom of that page the whois record shows lillian.rose@po1s0n1vy.com.
Alternatively, Googling "email @po1s0n1vy.com" finds lillian.rose@po1s0n1vy.com, whereas Googling just "@po1s0n1vy.com" does not.
Q8 Ans : lillian.rose@po1s0n1vy.com
********************************************************************************
Q9
What IP address is likely attempting a brute force password attack against imreallynotbatman.com?
Hint #1 (-50):
Login attempts will use the HTTP POST method, and they will include some obvious fields in the form_data field of stream:http events.
(figure below) Destination site imreallynotbatman.com; login attempts are POSTs, so filter on sourcetype="stream:http" http_method=POST and group by the submitted form data:
index="botsv1" imreallynotbatman.com sourcetype="stream:http" http_method=POST
| stats count by src, form_data, status
Q9 Ans : 23.22.63.114
********************************************************************************
Q10
What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, "notepad.exe" or "favicon.ico")
Hints for question #10
Hint #1:
File uploads to web forms use the HTTP POST method.
Hint #2:
The question mentions an executable. Search for common executable filename extensions on Windows systems.
(figure below) index="botsv1" sourcetype="stream:http" dest="192.168.250.70" "multipart/form-data"
One event; searching the page for filename shows 3791.exe.
(figure below) Or narrow directly: index="botsv1" sourcetype="stream:http" dest="192.168.250.70" filename .exe
Q10 Ans : 3791.exe
********************************************************************************
Q11
What is the MD5 hash of the executable uploaded?
Hints for question #11 (total points: 250)
Hint #1 (-100):
Search for the file name in a different data source to find evidence of execution, including file hash values.
Hint #2:
This is an ideal use case for Microsoft Sysmon data. Determine the sourcetype for Sysmon events and search them for the executable.
(figure below) Search for 3791.exe md5 in the Sysmon sourcetype; the HTTP stream only shows the upload, while the hash is recorded in the process-creation event when the file is executed.
********************************************************************************
Q12
GCPD reported that common TTP (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear-phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy's initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.
Hint #1 (-200):
You need to pivot outside of Splunk to answer this question. Use the IP address discovered earlier to search for malware that has been associated with it in the past.
Hint #2:
Experienced analysts know to use sites like www.threatminer.org to search for malware associated with the malicious IP address, but if all else fails, Google it!
www.threatminer.org was already dead when I tested it.
(figure below) On VirusTotal, open the IP's Relations tab and look at the related Files section; click MirandaTateScreensaver.scr.exe, then DETAILS for the SHA256.
https://www.virustotal.com/gui/ip-address/23.22.63.114/relations
Q12 Ans : 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8
********************************************************************************
Q13
What is the special hex code associated with the customized malware discussed in question 12? (Hint: It's not in Splunk)
Q13 Ans : 53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21
Decoded as ASCII, the bytes read "Steve Brant's Beard is a powerful thing. Find this message and ask him to buy you a beer!!!"
********************************************************************************
Q14
One of Po1s0n1vy's staged domains has some disjointed "unique" whois information. Concatenate the two codes together and submit them as a single answer.
Hint #1 (-100):
Use a service like www.threatcrowd.org to determine other domains that are or have been associated with the attacker's infrastructure (IP address).
Hint #2 (-150):
Use a high quality whois site like https://www.whoxy.com/whois-history/demo.php to perform whois lookups against these domains until you see a hex code where you were expecting text. Warning not all whois sites show you all fields!
Hint #3:
Use https://www.whoxy.com/whois-history/demo.php with the "waynecorinc.com" domain. The answer is "31 73 74 32 66 69 6E 64 67 65 74 73 66 72 65 65 62 65 65 72 66 72 6F 6D 72 79 61 6E 66 69 6E 64 68 69 6D 74 6F 67 65 74"
(figure below)
https://www.whoxy.com/whois-history/demo.php
Q14 Ans : 31 73 74 32 66 69 6E 64 67 65 74 73 66 72 65 65 62 65 65 72 66 72 6F 6D 72 79 61 6E 66 69 6E 64 68 69 6D 74 6F 67 65 74
Decoded as ASCII the hex reads "1st2findgetsfreebeerfromryanfindhimtoget"; the two pieces sit in different whois fields of the record, which is why the question asks to concatenate them.
********************************************************************************
Q15
What was the first brute force password used?
Hints for question #15 (total points: 250)
Hint #1 (-100):
Login attempts will use the HTTP POST method, and they will include some obvious fields that you can search for in the form_data field of stream:http events.
Hint #2:
By default, Splunk will put the most recent events at the top of the list. You can use the "reverse" SPL command to show you least recent first.
(figure below) The method in the tutorial is too laborious; I used this approach instead.
Q15 Ans : 12345678
********************************************************************************
Q16
One of the passwords in the brute force attack is James Brodsky's favorite Coldplay song. Hint: we are looking for a six-character word on this one. Which is it?
Hint #1 (-100):
If you have not done so already, try to extract the attempted password into a new field using the "rex" SPL command and a regular expression. Having the password attempt in its own field will serve you well for the next several questions!
Hint #2:
It's not hard to get a list of songs by the artist. Once you have that, use the "len()" function of the "eval" SPL command. For Splunk style points, use a lookup table to match the password attempts with songs.
(figure below) This pulls out a pile of six-character passwords, but to tell which one is a song title you either have to know his music or Google them one by one (or, as the hint says, load the song list as a lookup table).
index=botsv1 imreallynotbatman.com sourcetype="stream:http" http_method="POST" form_data=*username*passwd*
| rex field=form_data "passwd=(?<pw>\w*)"
| eval lenpword = len(pw)
| search lenpword=6
| stats count by pw
| table pw
Q16 Ans : yellow
********************************************************************************
Q17
What was the correct password for admin access to the content management system running "imreallynotbatman.com"?
Hint #1:
From the previous questions, you should know how to extract the password attempts. You should also know what IP is submitting passwords. Are any other IP addresses submitting passwords?
(figure below)
index=botsv1 imreallynotbatman.com sourcetype="stream:http" http_method="POST" form_data=*username*passwd*
| rex field=form_data "passwd=(?<pw>\w*)"
| stats count by src_ip
Two source IPs appear: 23.22.63.114 with hundreds of attempts, and a second IP with a single login. The password in that single login is the only one that occurs twice overall (once from each IP), and it is the correct one.
Q17 Ans : batman
********************************************************************************
Q18
What was the average password length used in the password brute-forcing attempt? (Round to a closest whole integer. For example "5" not "5.23213")
(下圖)
index=botsv1 imreallynotbatman.com sourcetype="stream:http" http_method="POST" form_data=*username*passwd*
| rex field=form_data "passwd=(?<pw>\w*)"
| eval pwlength=len(pw)
| stats avg(pwlength) as avglen
| eval avg_count=round(avglen,0)
| table avg_count
Q18 Ans : 6
********************************************************************************
Q19
How many seconds elapsed between the brute force password scan identified the correct password and the compromised login? Round to 2 decimal places.
Hints for question #19 (total points: 500)
Hint #1 (-200):
You'll note from previous answers that one of the passwords was attempted twice. You need to calculate the duration of time between those two attempts.
Hint #2 (-300):
Need more help? Write a search that returns only the two events in question, then use either "| delta _time" or "| transaction <extracted-pword-attempt>" SPL commands.
********************************************************************************
Q20
How many unique passwords were attempted in the brute force attempt?
Hint #1:
Be sure you are extracting the password attempts correctly, then use a stats function to count unique (not total) attempts.
(下圖)
index=botsv1 imreallynotbatman.com sourcetype="stream:http" http_method="POST" form_data=*username*passwd*
| rex field=form_data "passwd=(?<pw>\w*)"
| dedup pw
| stats count
Q20 Ans : 412
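As an added example (not part of the original notes or of the CyberDefenders material), the following Python script reproduces the Q15 to Q20 pipeline outside Splunk: pull the password out of form_data, find the first attempt, the six-character candidates, the average length, the unique count, the password that was tried twice and the seconds between its two submissions, and the second IP that reused it. The events are constructed stream:http-style records: only the two IPs follow the write-up; the timestamps, passwords and counts are made up.

```python
from collections import Counter
from statistics import mean
from urllib.parse import parse_qs

# Constructed sample events shaped like stream:http POST records (NOT real botsv1 data).
# _time is epoch seconds, as Splunk stores it; IPs follow the write-up, passwords are made up.
EVENTS = [
    {"_time": 1470865388.00, "src_ip": "23.22.63.114",
     "form_data": "username=admin&passwd=12345678&option=com_login&task=login"},
    {"_time": 1470865389.00, "src_ip": "23.22.63.114",
     "form_data": "username=admin&passwd=yellow&option=com_login&task=login"},
    {"_time": 1470865390.00, "src_ip": "23.22.63.114",
     "form_data": "username=admin&passwd=batman&option=com_login&task=login"},
    {"_time": 1470865391.00, "src_ip": "23.22.63.114",
     "form_data": "username=admin&passwd=password123&option=com_login&task=login"},
    # a POST with no credential fields: the form_data=*username*passwd* filter must drop it
    {"_time": 1470865392.00, "src_ip": "23.22.63.114",
     "form_data": "option=com_content&view=article"},
    # the one login from a different IP, reusing a password already seen in the brute force
    {"_time": 1470865485.67, "src_ip": "40.80.148.42",
     "form_data": "username=admin&passwd=batman&option=com_login&task=login"},
]


def extract_attempts(events):
    r"""Equivalent of `form_data=*username*passwd* | rex field=form_data "passwd=(?<pw>\w*)"`.
    parse_qs is used instead of the rex so that URL-encoded or punctuated passwords
    (which \w* would truncate at the first non-word character) come back intact.
    Returns (time, src_ip, password) tuples."""
    attempts = []
    for ev in events:
        fields = parse_qs(ev["form_data"], keep_blank_values=True)
        if "username" in fields and "passwd" in fields:
            attempts.append((ev["_time"], ev["src_ip"], fields["passwd"][0]))
    return attempts


def first_password(attempts):             # Q15: oldest attempt, what `| reverse` shows first
    return min(attempts, key=lambda a: a[0])[2]


def passwords_of_length(attempts, n):     # Q16: `eval lenpword=len(pw) | search lenpword=6`
    return {pw for _, _, pw in attempts if len(pw) == n}


def average_length(attempts):             # Q18: `stats avg(len(pw))`, rounded to an integer
    # Caveat: Python rounds halves to even, Splunk's round() rounds halves away from zero;
    # they only disagree when the mean lands exactly on .5.
    return round(mean(len(pw) for _, _, pw in attempts))


def unique_password_count(attempts):      # Q20: `dedup pw | stats count` (or `stats dc(pw)`)
    return len({pw for _, _, pw in attempts})


def repeated_password(attempts):          # Q17/Q19 hint: the single password tried more than once
    counts = Counter(pw for _, _, pw in attempts)
    repeated = [pw for pw, c in counts.items() if c > 1]
    return repeated[0] if len(repeated) == 1 else None


def seconds_between_repeats(attempts, pw):  # Q19: `delta _time` between the two events
    times = sorted(t for t, _, p in attempts if p == pw)
    return round(times[-1] - times[0], 2)


def suspected_credential(attempts):       # Q17: the IP that is not the brute-forcer, and its password
    by_ip = Counter(ip for _, ip, _ in attempts)
    brute_forcer = by_ip.most_common(1)[0][0]
    other = [(ip, pw) for _, ip, pw in attempts if ip != brute_forcer]
    return other[0] if other else None


if __name__ == "__main__":
    a = extract_attempts(EVENTS)
    print("first password      :", first_password(a))
    print("6-char candidates   :", sorted(passwords_of_length(a, 6)))
    print("average length      :", average_length(a))
    print("unique passwords    :", unique_password_count(a))
    hit = repeated_password(a)
    print("repeated password   :", hit, "seconds apart:", seconds_between_repeats(a, hit))
    print("second IP, password :", suspected_credential(a))
```

On the real data set the same functions would return 12345678, yellow among the six-character set, 6, 412, batman and the Q19 delta respectively; the constructed sample is only there so the logic can be run offline.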
********************************************************************************
Q21
What was the most likely IP address of we8105desk in 24AUG2016?
Hint #1:
Keep it simple and just search for the hostname provided in the question. Try using the stats command to get a count of events by source ip address to point you in the right direction.
(figure below)
24AUG2016 => 2016-08-24: set the time range to that day, search for the hostname we8105desk and count events by source IP; the dominant IP is the workstation's address.
Q21 Ans : 192.168.250.100
********************************************************************************
Q22
Amongst the Suricata signatures that detected the Cerber malware, which one alerted the fewest number of times? Submit ONLY the signature ID value as the answer. (No punctuation, just 7 integers.)
Hint #1:
Keep it simple and start your search by looking at only the sourcetype associated with Suricata and maybe even the name of the malware in question. The field containing the signature ID should be obvious. Use stats to create a count by the field containing the signature ID.
(figure below)
index=botsv1 sourcetype="suricata" cerber
| stats count by alert.signature_id
| sort count
Suricata is an open-source intrusion detection and prevention system (IDS/IPS); in its EVE JSON alerts the rule's SID is carried in alert.signature_id.
Q22 Ans : 2816763
********************************************************************************
Q23
What fully qualified domain name (FQDN) makes the Cerber ransomware attempt to direct the user to at the end of its encryption phase?
Hint #1 (-100):
Search stream:dns data for A queries coming from the infected workstation IP on the date in question. Try and narrow your search period.
Hint #2:
Perform a shannon entropy analysis on the query{} field using URL toolbox by adding this to the end of the search: |`ut_shannon(query{})` | stats count by ut_shannon, query{} | sort -ut_shannon
(figure below) From Q21 we know we8105desk is 192.168.250.100.
index=botsv1 src_ip="192.168.250.100" sourcetype="stream:dns" NOT query=*.local AND NOT query=*.arpa AND NOT query=*.microsoft.com AND query=*.*
| stats count, min(_time) AS first_seen BY query
| sort first_seen
| convert ctime(first_seen)
The random-looking, high-entropy name near the end of the list is the Cerber payment page the victim is sent to once encryption finishes.
Q23 Ans : cerberhhyed5frqa.xmfir0.win
********************************************************************************
Q24
What was the first suspicious domain visited by we8105desk in 24AUG2016?
Hint #1:
Search stream:dns data for A queries coming from the infected workstation IP on the date in question.
Hint #2 (-100):
Use the "| reverse" SPL command to show oldest events first.
Hint #3 (-150):
Eliminate domain lookups that you can explain, question the first one you cannot.
Hint #4:
Go and git some IOCs on Cerber. Then compare to the DNS Data
(figure below) I could not make much sense of this one.
sourcetype="stream:dns" src_ip="192.168.250.100" AND NOT query=*.arpa AND NOT query=*.local AND query=*.* AND NOT query=*.microsoft.com
| stats count, min(_time) AS first_seen BY query
| sort first_seen
| convert ctime(first_seen)
Same approach as Q23: keep the earliest time per query name, order by it, and the first name that cannot be explained is the answer.
Q24 Ans : solidaritedeproximite.org
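As an added example (not part of the original notes or of the CyberDefenders material), this Python script does the Q23 and Q24 DNS triage offline: it applies the same allow-list patterns as the SPL (NOT query=*.local AND NOT query=*.arpa AND NOT query=*.microsoft.com AND query=*.*), orders the remaining queries oldest first to get the first unexplained domain, and ranks them by Shannon entropy the way the ut_shannon macro from URL Toolbox does. The events are constructed stream:dns-style records: the domain names follow the write-up, but the timestamps, their order, the noise entries and the second host are made up.

```python
import math
from collections import Counter
from fnmatch import fnmatch

# Constructed sample events shaped like stream:dns A-query records (NOT real botsv1 data).
INFECTED_HOST = "192.168.250.100"
DNS_EVENTS = [
    {"_time": 1472066100, "src_ip": INFECTED_HOST, "query": "we9041srv.waynecorpinc.local"},
    {"_time": 1472066160, "src_ip": INFECTED_HOST, "query": "cerberhhyed5frqa.xmfir0.win"},
    {"_time": 1472066110, "src_ip": INFECTED_HOST, "query": "20.250.168.192.in-addr.arpa"},
    {"_time": 1472066120, "src_ip": INFECTED_HOST, "query": "www.microsoft.com"},
    {"_time": 1472066130, "src_ip": INFECTED_HOST, "query": "solidaritedeproximite.org"},
    {"_time": 1472066140, "src_ip": INFECTED_HOST, "query": "ipinfo.io"},
    {"_time": 1472066105, "src_ip": "192.168.250.20", "query": "other-workstation.example"},
    {"_time": 1472066150, "src_ip": INFECTED_HOST, "query": "WPAD"},  # single label, fails query=*.*
]

# Mirrors: NOT query=*.local AND NOT query=*.arpa AND NOT query=*.microsoft.com
EXPLAINED = ("*.local", "*.arpa", "*.microsoft.com")


def shannon_entropy(s):
    """Bits per character of the string, the same measure URL Toolbox's ut_shannon reports."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def unexplained_queries(events, src_ip):
    """Queries from src_ip that survive the allow-list, oldest first (what `| reverse` shows).
    Splunk wildcard matches are case-insensitive, so names are lower-cased and a trailing
    dot is stripped before matching; names without a dot fail the query=*.* filter."""
    kept = []
    for ev in events:
        q = ev["query"].lower().rstrip(".")
        if ev["src_ip"] != src_ip or "." not in q:
            continue
        if any(fnmatch(q, pat) for pat in EXPLAINED):
            continue
        kept.append((ev["_time"], q))
    return [q for _, q in sorted(kept)]


def first_unexplained(events, src_ip):   # Q24: the first lookup you cannot explain
    queries = unexplained_queries(events, src_ip)
    return queries[0] if queries else None


def rank_by_entropy(events, src_ip):    # Q23 hint: `ut_shannon(query{}) | sort -ut_shannon`
    unique = set(unexplained_queries(events, src_ip))
    return sorted(((round(shannon_entropy(q), 3), q) for q in unique), reverse=True)


if __name__ == "__main__":
    print("first unexplained domain:", first_unexplained(DNS_EVENTS, INFECTED_HOST))
    for entropy, name in rank_by_entropy(DNS_EVENTS, INFECTED_HOST):
        print(f"{entropy:5.3f}  {name}")
```

Entropy alone is a ranking aid, not a verdict: a CDN hostname can score as high as a DGA name, so the allow-list step (remove what you can explain) is what actually isolates the candidates, and the entropy sort only puts the ugliest one on top.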
********************************************************************************
Q25
During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of the value of this field?
Hint #1:
Keep it simple. Start by looking at sysmon data for the infected device on the date in question. Calculate the length of the command line using the "len()" function of the "eval" SPL command, and give your eyes a break by using the splunk table command.
(下圖)
index="botsv1" .vbs cmd.exe we8105desk
| eval length=len(cmdline)
| table _time, cmdline, length
Q25 Ans : 4490
********************************************************************************
Q26
What is the name of the USB key inserted by Bob Smith?
Hint #1:
Tough question. Perhaps you should give http://answers.splunk.com a try.
(下圖)
index="botsv1" sourcetype="winregistry" friendlyname
Q26 Ans : MIRANDA_PRI
********************************************************************************
Q27
Bob Smith's workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?
Hint #1:
Search for SMB (Windows file sharing protocol) traffic from the infected device on the date in question. The "stats" SPL command can be used to count the most common destination IP for the SMB protocol.
(figure below)
index="botsv1" sourcetype="stream:smb" src_ip=192.168.250.100
| stats count by dest_ip, path
The UNC paths in the path field point at the file server.
Q27 Ans : 192.168.250.20
********************************************************************************
Q28
How many distinct PDFs did the ransomware encrypt on the remote file server?
Hint #1:
Don't use SMB this time - it's a trap! Windows event logs are the way to go for this one. Focus on the event types that deal with windows shares and narrow the search by looking for distinct filenames for the extension in question.
(下圖)
index="botsv1" *.pdf sourcetype="wineventlog" dest="we9041srv.waynecorpinc.local" Source_Address="192.168.250.100"
| stats dc(Relative_Target_Name)
Q28 Ans : 257
********************************************************************************
Q29
The VBScript found in question 25 launches 121214.tmp. What is the ParentProcessId of this initial launch?
Hint #1:
Embrace your sysmon data. Search for a command issued by the infected device on the date in question referencing the filename in question, and use the process_id, ParentProcessId, CommandLine, and ParentCommandLine, to track down the parent process id of them all.
Search for 121214.tmp and look at ParentProcessId; take the bottom-most event (Splunk lists newest first, so the bottom one is the earliest, i.e. the initial launch).
Q29 Ans : 3968
********************************************************************************
Q30
The Cerber ransomware encrypts files located in Bob Smith's Windows profile. How many .txt files does it encrypt?
Hint #1 (-100):
Sysmon to the rescue again. Focus on the infected machine as well as the user profile while searching for the filename extension in question.
Hint #2:
In Sysmon events, EventCode=2 indicates file creation time has changed. Watch out for duplicates!
Q30 Ans : 406
********************************************************************************
Q31
The malware downloads a file that contains the Cerber ransomware crypto code. What is the name of that file?
Hint #1:
When looking for potentially malicious file, start your search with the Suricata data. Narrow your search by focusing on the infected device. Remember malware does not always have to begin as an executable file.
index="botsv1" sourcetype="suricata" src_ip="192.168.250.100" solidaritedeproximite.org
Q31 Ans : mhtr.jpg
********************************************************************************
Q32
Now that you know the name of the ransomware's encryptor file, what obfuscation technique does it likely use?
Q32 Ans : steganography
steganography: hiding a payload inside an innocuous carrier file. Here the encryptor code was pulled down inside mhtr.jpg, an image, rather than as an executable, which is also why the hint for Q31 warns that malware does not always begin as an executable file.
********************************************************************************
(End)
Related
Splunk regular expressions: About Splunk regular expressions
https://docs.splunk.com/Documentation/Splunk/9.0.3/Knowledge/WhatisSplunkknowledge
https://docs.splunk.com/Documentation/Splunk/9.0.3/Knowledge/AboutSplunkregularexpressions