[研究]Splunk練習-Boss Of The SOC v2心得筆記
2022-12-28
Splunk練習,網站共有3題(V1、V2、V3)可下載對應對應頁面的壓縮檔
-練習網站:https://cyberdefenders.org/search/labs/?q=splunk
-壓縮檔都是ova檔,匯入vm後查看vm的IP
-在本機連http://x.x.x.x(vm的IP):8000,就可以練習了
-3題壓縮檔密碼都是: cyberdefenders.org
- 作業系統帳號/密碼: vagrant / vagrant
參考:
(2) Cyberdefenders.org - Boss of the SOCv2 Walkthrough - YouTube
https://www.youtube.com/watch?v=7q7UV6KolbI
v2 的 VM 目前只支援 Oracle VirtualBox,不支援 VMware Workstation Pro 7.0 (已經是目前最新版)。
虛擬機開機後用 http://127.0.0.1:8000/ 連上,不可用 Host IP 或 Guest IP 去連。
注意,是 http,不是 https,另外實際測試用 http://localhost:8000/ 也連不上。
https://cyberdefenders.org/blueteam-ctf-challenges/16
注意,送出沒有通過,可能答案錯誤,或者 Session Time Out 了,要重新登入。
練習的 VM 用太久,撈出的東西比影片少,可能要考慮 VM PowerOff,再 Power On。
********************************************************************************
Q1 This is a simple question to get you familiar with submitting answers. What is the name of the company that makes the software that you are using for this competition? Answer guidance: A six-letter word with no punctuation.
#1 這是一個讓您熟悉提交答案的簡單問題。製作您在本次比賽中使用的軟件的公司名稱是什麼?答案指導:一個沒有標點符號的六個字母的單詞。
ANS : splunk
********************************************************************************
Q2 Amber Turing was hoping for Frothly to be acquired by a potential competitor who fell through, but they visited their website to find contact information for their executive team. What is the website domain that she visited? Answer guidance: Do not provide the FQDN. Answer example: google.com
Amber Turing 希望 Frothly 被失敗的潛在競爭對手收購,但他們訪問了他們的網站以查找其執行團隊的聯繫信息。 她訪問的網站域是什麼? 回答指導:不要提供 FQDN。 答案示例:google.com
(下圖)
index=botsv2 amber sourcetype="pan:traffic" 左邊 src_ip 只有一個 10.0.2.101
index=botsv2 amber sourcetype="stream:http" src_ip="10.0.2.101" 找不到
index=botsv2 sourcetype="stream:http" (拿掉 amber) 左邊 site
index=botsv2 amber sourcetype="stream:http" src_ip="10.0.2.101"
| dedup site
| table site
列出一堆 FQDN hostname
因為一堆是未知或不常見,所以最後選了 www.berkbeer.com,其網域是 berkbeer.com
Ans :berkbeer.com
https://ivanitlearning.wordpress.com/2020/06/15/hunting-with-splunk-botsv2-qns-1xx/
********************************************************************************
Q3 Amber found the executive contact information and sent him an email. What is the CEO's name? Provide the first and last name.
Q3 Amber 找到了高管的聯繫信息,並給他發了一封電子郵件。首席執行官的名字是什麼?提供名字和姓氏。
(下圖)
********************************************************************************
Q4 After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee's email address?
Q4 在與 CEO 初步接觸後,Amber 聯繫了該競爭對手的另一名員工。該員工的電子郵件地址是什麼?
(下圖)
index=botsv2 sourcetype="stream:smtp" amber 得知 sender: Amber Turing <aturing@froth.ly>
找寄信、收信者 amber 的
index=botsv2 sourcetype="stream:smtp"
| search sender_email ="aturing@froth.ly" OR receive_email{} ="aturing@froth.ly"
| table sender_email, receiver_email
有3封,寄件者都 amber ;receiver_email似乎不能這樣查
點開,再點開 receiver_email,發現3封信件收件者都是 hbernhard@berkbeer.com
ANS:hbernhard@berkbeer.com
********************************************************************************
Q5 What is the name of the file attachment that Amber sent to a contact at the competitor?
Q5 Amber 發送給競爭對手聯繫人的文件附件的名稱是什麼?
(下圖)
index=botsv2 sourcetype="stream:smtp" Amber sender_email ="aturing@froth.ly" attachment
點「顯示維原始文字」(show as raw text)
ANS: Saccharomyces_cerevisiae_patent.docx
********************************************************************************
Q6 What is Amber's personal email address?
Q6 Amber 的個人電子郵件地址是什麼?
index=botsv2 sourcetype="stream:smtp" amber
點 receiver_email 全都是 forth.ly 的 Email (公司信箱);
點 sender_email 扣掉 forth.ly 的 Email;
surveys@vindale.com 7 43.75%
abungstein@froth.ly 1 6.25%
hbernhard@berkbeer.com 1 6.25%
mberk@berkbeer.com 1 6.25%
逐一進去看
sender: "Vindale Research" <surveys@vindale.com>
subject: Heinz Bernhard Contact Information
sender: hbernhard@berkbeer.com
sender: mberk@berkbeer.com
私人信件可能在 .docx 或其他中,
index=botsv2 sourcetype="stream:smtp" Amber sender_email ="aturing@froth.ly" attachment
點「顯示維原始文字」(show as raw text)
找 base64,逐段貼到 https://www.base64decode.org/ 中解碼。
ANS:ambersthebest@yeastiebeastie.com (Splunk 無法直接找到)
********************************************************************************
Q7 What version of TOR did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one or more delimiters.
Q7 Amber 安裝了什麼版本的 TOR 來混淆她的網頁瀏覽?回答指南:帶有一個或多個分隔符的數字。
下圖)
找 index=botsv2 torbrowser -install
ANS:7.0.4
********************************************************************************
Q8 What is the public IPv4 address of the server running www.brewertalk.com?
Q8 運行 www.brewertalk.com 的服務器的公共 IPv4 地址是什麼?
(下圖)
D:\>ping www.brewertalk.com
Ping www.brewertalk.com [96.47.230.69] (使用 32 位元組的資料):,不是答案
****************************************
D:\>nslookup
預設伺服器: dns.hinet.net
Address: 168.95.1.1
> www.brewertalk.com
伺服器: dns.hinet.net
Address: 168.95.1.1
未經授權的回答:
名稱: www.brewertalk.com
Address: 81.171.28.46,不是答案
****************************************
index=botsv2 sourcetype="stream:dns" www.brewertalk.com
ANS:52.42.208.228
********************************************************************************
Q9 Provide the IP address of the system used to run a web vulnerability scan against www.brewertalk.com.
Q9 提供用於對 www.brewertalk.com 運行 Web 漏洞掃描的系統的 IP 地址。
index=botsv2 www.brewertalk.com sourcetype="stream:http" dest_ip="52.42.208.228"
| stats count by src_ip
- 10.0.2.109 84次
- 172.31.10.10 383次 <=不是答案
index=botsv2 www.brewertalk.com sourcetype="stream:http"
| stats count by src_ip
- src_ip count
- 10.0.2.109 90
- 136.0.0.125 7
- 136.0.2.138 24
- 172.31.10.10 303
- 174.209.13.154 86
- 45.77.65.211 9707 <=答案
- 52.40.10.231 634
- 71.39.18.125 165
ANS:45.77.65.211
額外測試
index=botsv2 src_ip="45.77.65.211" sourcetype="stream:http"
| stats count by dest_ip
dest_ip count
172.31.4.249 9708
www.brewertalk.com 的外部 Public IP 已經是 52.42.208.228,
Web弱點掃描似乎紀錄 NAT 後 Private IP 172.31.4.249
10.0.0.0 ~ 10.255.255.255 (10.0.0.0/8 prefix)
172.16.0.0 ~ 172.31.255.255 (172.16.0.0/12 prefix)
192.168.0.0 ~ 192.168.255.255 (192.168.0.0/16 prefix)
********************************************************************************
Q10 A likely different piece of software is also using the IP address from question 9 to attack a URI path. What is the URI path? Answer guidance: Include the leading forward slash in your answer. Do not include the query string or other parts of the URI. Answer example: /phpinfo.php
Q10 一個可能不同的軟件也在使用問題 9 中的 IP 地址來攻擊 URI 路徑。URI 路徑是什麼?答案指南:在答案中包含前導正斜杠。不要包含查詢字符串或 URI 的其他部分。答案示例:/phpinfo.php
index=botsv2 src_ip="45.77.65.211" sourcetype="stream:http"
| stats count by uri_path
| sort - count
uri_path count
/member.php 1188 <=== 次數多,可疑
/search.php 328
/ 92
/index.php 8
/admin/ 6
********************************************************************************
Q11 What SQL function is being abused on the URI path from question 10?
Q11 在問題 10 的 URI 路徑上濫用了什麼 SQL 函數?
index=botsv2 src_ip="45.77.65.211" sourcetype="stream:http" uri_path="/member.php"
| table form_data
regcheck1=®check2=true&username=makman&password=mukarram&password2=mukarram&email=mak@live.com&email2=mak@live.com&referrername=&imagestring=F7yR4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1416039333&step=registration&action=do_register®submit=Submit Registration!&question_id=makman' and updatexml(NULL,concat (0x3a,(SUBSTRING((SELECT password FROM mybb_users ORDER BY UID LIMIT 2,1), 32, 31))),NULL) and '1
貼到 Notepad++,把 & 換成 \n\r
regcheck1=
regcheck2=true
username=makman
password=mukarram
password2=mukarram
email=mak@live.com
email2=mak@live.com
referrername=
imagestring=F7yR4
imagehash=1c1d0e6eae9c113f4ff65339e4b3079c
answer=4
allownotices=1
receivepms=1
pmnotice=1
subscriptionmethod=0
timezoneoffset=0
dstcorrection=2
regtime=1416039333
step=registration
action=do_register
regsubmit=Submit Registration!
question_id=makman' and updatexml(NULL,concat (0x3a,(SUBSTRING((SELECT password FROM mybb_users ORDER BY UID LIMIT 2,1), 32, 31))),NULL) and '1
ANS:updatexml
********************************************************************************
Q12 What is Frank Ester's password salt value on www.brewertalk.com?
Q12 Frank Ester 在 www.brewertalk.com 上的密碼鹽值是多少?
index="botsv2" "45.77.65.211" *ester*
<dd>1105 - XPATH syntax error: ':frankesters47@gmail.com'</dd>
帳戶是 frankesters47@gmail.com
index="botsv2" "45.77.65.211" sourcetype="stream:http" uri_path="/member.php"
| reverse
| table dest_content
然後搜尋 frankesters47@gmail.com,再改搜尋 XPATH syntax error 的內容,長度是8,而 gGsxysZL 剛好符合。
<dd>1105 - XPATH syntax error: ':frankesters47@gmail.com'</dd>
<dd>1105 - XPATH syntax error: ':8'</dd>
<dd>1105 - XPATH syntax error: ':gGsxysZL'</dd>
ANS:gGsxysZL
********************************************************************************
Q13 What is user btun's password on brewertalk.com?
Q13 brewertalk.com 上用戶 btun 的密碼是什麼?
index=botsv2 src_ip="45.77.65.211" sourcetype="stream:http" uri_path="/member.php" btun
找到2筆,sername=makman&password=mukarram&password2=mukarram
但 mukarram 不是
index="botsv2" sourcetype="stream:http" "45.77.65.211" uri_path="/member.php" btun
同上,加減5秒,
index=botsv2 sourcetype="stream:http" "45.77.65.211" uri_path="/member.php" dest_content=*
| reverse
| table dest_content
有23筆,找到 btun,改用 XPATH syntax error: 找
<dd>1105 - XPATH syntax error: ':f91904c1dd2723d5911eeba409cc0d1'</dd>
疑似 Password Hash
用 Kali Linux 的 hashcat 或 https://www.cmd5.org/
f91904c1dd2723d5911eeba409cc0d1 和 Type: auto 或 md5(hash) 解碼得到 123456
ANS:123456
https://ivanitlearning.wordpress.com/2020/06/12/hunting-with-splunk-botsv2-qns-2xx/
********************************************************************************
Q14 What are the characters displayed by the XSS probe? Answer guidance: Submit answer in the native language or character set.
Q14 XSS 探針顯示的字符是什麼?答題指導:以母語或字符集提交答題。
index=botsv2 sourcetype="stream:http" "<script>"
| dedup form_data
| eval decoded=urldecode(form_data)
| table _time decoded form_data
ANS:대동
********************************************************************************
Q15 What was the value of the cookie that Kevin's browser transmitted to the malicious URL as part of an XSS attack? Answer guidance: All digits. Not the cookie name or symbols like an equal sign.
Q15 作為 XSS 攻擊的一部分,Kevin 的瀏覽器傳輸到惡意 URL 的 cookie 的值是多少?回答指導:全數字。不是 cookie 名稱或等號之類的符號。
index=botsv2 sourcetype="stream:http" "kevin" "<script>"
ANS: 1502408189
********************************************************************************
Q16 The brewertalk.com website employed Cross-Site Request Forgery (CSRF) techniques. What was the value of the anti-CSRF token stolen from Kevin Lagerfield's computer and used to help create an unauthorized admin user on brewertalk.com?
Q16 brewertalk.com 網站採用了跨站請求偽造 (CSRF) 技術。從 Kevin Lagerfield 的計算機上竊取並用於幫助在 brewertalk.com 上創建未經授權的管理員用戶的反 CSRF 令牌的價值是多少?
index=botsv2 sourcetype="stream:http" CSRF
找到 INDEED_CSRF_TOKEN=UIMp0cydB3DWsFijL6UYqQZ4wyZ2P5Us;
但 UIMp0cydB3DWsFijL6UYqQZ4wyZ2P5Us 不是答案
***
index=botsv2 sourcetype="stream:http" "kevin" "<script>"
點時間,選 +/-5秒,
index=botsv2 sourcetype="stream:http"
| reverse
| search "<input type="hidden""
剩下2筆,都是 <input type="hidden" name="my_post_key" value="1bc3eab741900ab25c98eee86bf20feb" />
index=botsv2 sourcetype="stream:http" 1bc3eab741900ab25c98eee86bf20feb
| reverse
| eval decoded=urldecode(form_data)
| table _time decoded form_data
usergroup=4 means the user is an admin
ANS : 1bc3eab741900ab25c98eee86bf20feb
********************************************************************************
Q17 What was brewertalk.com username maliciously created by a spearphishing attack?
Q17 魚叉式網絡釣魚攻擊惡意創建的 brewertalk.com 用戶名是什麼?
index=botsv2 sourcetype="stream:http" brewertalk.com "<script>"
ANS : kIagerfield
********************************************************************************
Q18 What episode of Game of Thrones is Mallory excited to watch? Answer guidance: Submit the HBO title of the episode.
Q18 馬洛里很想看《權力的遊戲》的哪一集?回答指南:提交劇集的 HBO 標題。
index=botsv2 "mallory" "got"
點 attach_filename[]3
複製GoT.S7E2.BOTS.BOTS.BOTS 去 Google 查影片名稱
最後發現是 Stormborn
ANS : Stormborn
https://ivanitlearning.wordpress.com/2020/06/20/hunting-with-splunk-botsv2-qns-3xx/
********************************************************************************
Q19 Considering the threat list you found in the question above and related data, what protocol often used for file transfer is actually responsible for the generated traffic?
Q19 考慮到您在上述問題中找到的威脅列表和相關數據,通常用於文件傳輸的協議實際上對生成的流量負責?
index=botsv2 sourcetype="pan:traffic"
ANS : bittorrent
********************************************************************************
(影片23題目)
Q20 Mallory's critical PowerPoint presentation on her MacBook gets encrypted by ransomware on August 18. At what hour, minute, and second does this actually happen? Answer guidance: Provide the time in PDT. Use the 24h format HH:MM:SS, using leading zeroes if needed. Do not use Splunk's _time (index time).
Q20 8 月 18 日,馬洛里 (Mallory) 在她的 MacBook 上發布的重要 PowerPoint 演示文稿被勒索軟件加密。這實際上是在什麼時、分、秒發生的?答題指導:提供PDT時間。使用 24 小時格式 HH:MM:SS,必要時使用前導零。不要使用 Splunk 的 _time(索引時間)。
index=botsv2 "*Documents*" ("*.ppt" OR "*.pptx")
| reverse
共6筆,時間都是 17/08/18 21:50:43.000,21:50:43系統說不是答案
找到 ctime: 1503093022
https://www.epochconverter.com/
GMT => PDT,減少8小時,但影片中是減少7小時,變成 14:50:22,並且驗證通過 <= 答案 (怪)
https://www.worldtimebuddy.com/gmt-to-pdt-converter
ANS : 實際上 14:50:22 驗證通過。
********************************************************************************
(影片24題目)
Q21 How many seconds elapsed when the ransomware executable was written to disk on MACLORY-AIR13 and the first local file encryption? Answer guidance: Use the index times (_time) instead of other timestamps in the events.
Q21 將勒索軟件可執行文件寫入 MACLORY-AIR13 磁盤並進行首次本地文件加密時經過了多少秒?回答指導:使用索引時間(_time)代替事件中的其他時間戳。
index=botsv2 host="MACLORY-AIR13" "*.crypt"
| reverse
第一筆檔案是 /Users/mallorykraeusen/Downloads/GoT.S7E2.BOTS.BOTS.BOTS.mkv.torrent.crypt
時間 17/08/18 21:50:40.060
index=botsv2 host="MACLORY-AIR13" "/Users/mallorykraeusen/Downloads/GoT.S07E02.BOTS.BOTS.BOTS.mkv.crypt"
|reverse
共6筆,最上面 17/08/19 5:46:18.000,最下面 17/08/18 21:50:43.000,7:55:35 = 28535s => 不對
前面相近的幾筆,時間差0秒
***************
但影片中
index=botsv2 host="MACLORY-AIR13" "*.app"
| reverse
把「清單(List)」換成「原始(Raw)」,找到一筆 Office 2016 的 calendar time
calendarTime":"Fri Aug 18 21:48:31 2017 UTC,應該差 02:09.940 約 130 秒,但影片說差 132秒
The executable run was “Office 2016 Patcher.app”, which is likely the ransomware binary. Note the timestamp is 8/18/17 2:48:31.000 PM With the two timestamps, the elapsed interval is 2 min 12s or 132
ANS : 實際送出 132過關。
********************************************************************************
Q22 Kevin Lagerfield used a USB drive to move malware onto kutekitten, Mallory's personal MacBook. She ran the malware, which obfuscates itself during execution. Provide the vendor name of the USB drive Kevin likely used. Answer Guidance: Use time correlation to identify the USB drive.
Q22 Kevin Lagerfield 使用 USB 驅動器將惡意軟件轉移到 Mallory 的個人 MacBook kutekitten 上。她運行了惡意軟件,該惡意軟件在執行過程中會自我混淆。提供 Kevin 可能使用的 USB 驅動器的供應商名稱。回答指導:利用時間相關性來識別U盤。
USB kutekitten added vendor
| reverse
Generic 看不出廠商,設法用 0x058F 查。
https://the-sz.com/products/usbid/index.php
0x058F 找到 Alcor Micro, Corp.
********************************************************************************
Q23 What programming language is at least part of the malware from the question above written in?
Q23 上面問題中的惡意軟件至少有一部分是用什麼編程語言編寫的?
index=botsv2 kutekitten Downloads 得到 5 筆,點左邊 columns_sha256,只有一筆 befa9bfe488244c64db096522b4fad73fc01ea8c4cd0323f1cbdee81ba008271
到 https://www.virustotal.com/gui/home/upload ,點 SEARCGH,輸入該值
ANS : perl
********************************************************************************
Q24 The malware from the two questions above appears as a specific process name in the process table when it is running. What is it?
Q24 上述兩個問題的惡意軟件在運行時在進程表中顯示為特定的進程名稱。它是什麼?
直接 Google 找 befa9bfe488244c64db096522b4fad73fc01ea8c4cd0323f1cbdee81ba008271
在
Splunk 找 kutekitten Java 有 6筆ANS : Java
********************************************************************************
Q25 The malware infecting kutekitten uses dynamic DNS destinations to communicate with two C&C servers shortly after installation. What is the fully qualified domain name (FQDN) of the first (alphabetically) of these destinations?
Q25 感染 kutekitten 的惡意軟件在安裝後不久使用動態 DNS 目的地與兩個 C&C 服務器通信。這些目的地的第一個(按字母順序)的完全限定域名 (FQDN) 是什麼?
https://www.hybrid-analysis.com/sample/befa9bfe488244c64db096522b4fad73fc01ea8c4cd0323f1cbdee81ba008271?environmentId=300ANS : eidk.duckdns.org
********************************************************************************
Q26 From the question above, what is the fully qualified domain name (FQDN) of the second (alphabetically) contacted C&C server?
Q26 從上面的問題來看,第二個(按字母順序)聯繫的 C&C 服務器的完全限定域名 (FQDN) 是什麼?
ANS : eidk.hopto.org
********************************************************************************
(影片32題)
Q27 A Federal law enforcement agency reports that Taedonggang often spear phishes its victims with zip files that have to be opened with a password. What is the name of the attachment sent to Frothly by a malicious Taedonggang actor?
Q27 一家聯邦執法機構報告稱,Taedonggang 經常使用必須使用密碼打開的 zip 文件對受害者進行魚叉式網絡釣魚。惡意 Taedonggang 演員發送給 Frothly 的附件名稱是什麼?
Taedonggang Frothly zip 得到0個
Frothly zip 一開始0個,等一會有13萬個
ANS : invoice.zip
********************************************************************************
(影片33題)
Q28 The Taedonggang APT group encrypts most of their traffic with SSL. What is the "SSL Issuer" that they use for the majority of their traffic? Answer guidance: Copy the field exactly, including spaces.
Q28 Taedonggang APT 組織使用 SSL 加密他們的大部分流量。他們用於大部分流量的“SSL Issuer”是什麼?回答指導:準確複製字段,包括空格。
Taedonggang 搜不到,APT "Issuer" 搜不到,APT 228個,sourcetype="stream:https" SSL Issuer 搜不到,sourcetype="stream:https" 搜不到,sourcetype="stream:http" SSL 324個,
ssl_issuer 5萬多,點左邊ssl_issuer,第一個是Splunk,第二個當答案送出成功。
ANS : C = US
********************************************************************************
(影片31題,目前對應不到)
index=botsv2 kutekitten
index=botsv2 jpg sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
index=botsv2 jpg sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval lenx=len(TargetFilename)
| table TargetFilename, lenx
********************************************************************************
(影片34題,01:08:33,影片直接給答案 160.153.91.7,看不懂)
Q29 Threat indicators for a specific file triggered notable events on two distinct workstations. What IP address did both workstations have a connection with?
Q29 特定文件的威脅指示器在兩個不同的工作站上觸發了顯著事件。兩個工作站都連接到哪個 IP 地址?
ANS : 160.153.91.7
左邊點host
值 數量 %
jupiter 3,705 71.65% (有多個 src_ip 和 dest_ip )
growler 1,466 28.35%
********************************************************************************
(影片35題,01:09:07)
Q30 Based on the IP address found in question 30, what domain of interest is associated with that IP address?
Q30 根據問題 30 中找到的 IP 地址,與該 IP 地址相關聯的興趣域是什麼?
index=botsv2 sourcetype="stream:dns" "160.153.91.7"
點左邊 name[]
ANS : hildegardsfarm.com
********************************************************************************
(影片36題,01:10:02)
Q31 What unusual file (for an American company) does winsys32.dll cause to be downloaded into the Frothly environment?
Q31 winsys32.dll 導致下載到 Frothly 環境中的是什麼異常文件(對於一家美國公司而言)?
index=botsv2 sourcetype="stream:ftp"
| reverse
點左邊 method,選 RETR;點左邊 filename
有一個名稱很怪的 나는_데이비드를_사랑한다.hwp
ANS : 나는_데이비드를_사랑한다.hwp
********************************************************************************
(影片37題,01:13:09)
Q32 What is the first and last name of the poor innocent sap who was implicated in the metadata of the file that executed PowerShell Empire on the first victim's workstation? Answer example: John Smith
Q32 在第一個受害者的工作站上執行 PowerShell Empire 的文件的元數據中牽涉到可憐的無辜傻瓜的名字和姓氏是什麼?答案示例:John Smith
ANS : Ryan Kovar
影片之前有下在和解碼檔案,所以在 Linux 可以用 file invoice.zip 查。Splunk 直接查 Ryan Kover 是查不到的。
********************************************************************************
(影片38題,01:13:52)
Q33 What is the average Shannon entropy score of the subdomain containing UDP-exfiltrated data? Answer guidance: Cut off, not rounded, to the first decimal place. Answer examples: 3.2 or 223234.9
Q33 包含 UDP 洩露數據的子域的平均香農熵得分是多少?回答指導:截斷,不四捨五入,保留到小數點後第一位。答案示例:3.2 或 223234.9
Shannon 只有一筆
invoice.zip
index=botsv2 sourcetype="stream:dns" dest_port=53
| stats count by dest_ip
| sort - count
**********
dest_ip count
8.8.8.8 802
10.0.1.100 452
172.31.0.2 353
4.4.4.4 74
208.109.255.42 4
216.69.185.42 3
192.175.48.42 1
192.175.48.6 1
193.221.113.53 1
208.78.71.21 1
**********
index=botsv2 sourcetype="stream:dns" (dest_ip=216.69.185.42 OR dest_ip=208.109.255.42) query=*
| table dest_ip query
**********
index=botsv2 sourcetype="stream:dns" (dest_ip=216.69.185.42 OR dest_ip=208.109.255.42) query=*
| rex field=query "(?<subdom>\w+).hildegardsfarm.com"
| table dest_ip subdom
https://www.splunk.com/en_us/blog/security/random-words-on-entropy-and-dns.html
tag=dns
| `ut_parse(query)`
| lookup FP_entropy_domains domain AS ut_domain
| search NOT FP_entropy=*
| `ut_shannon(ut_domain)`
| search ut_shannon > 4.0
| stats count by query ut_shannon
**********
index=botsv2 sourcetype="stream:dns" (dest_ip=216.69.185.42 OR dest_ip=208.109.255.42) query=*
| rex field=query "(?<subdom>\w+).hildegardsfarm.com"
| `ut_shannon(ut_domain)`
| stats avg(ut_shannon) by dest_ip
奇怪,數量沒算出
**********
ANS : 3.6
********************************************************************************
(影片39題,01:17:36)
Q34 To maintain persistence in the Frothly network, Taedonggang APT configured several Scheduled Tasks to beacon back to their C2 server. What single webpage is most contacted by these Scheduled Tasks? Answer guidance: Remove the path and type a single value with an extension. Answer example: index.php or images.html
Q34 為了在 Frothly 網絡中保持持久性,Taedonggang APT 配置了幾個計劃任務以向其 C2 服務器發送信標。這些計劃任務最常聯繫哪個網頁?回答指南:刪除路徑並鍵入帶有擴展名的單個值。答案示例:index.php 或 images.html
index=botsv2 source="WinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine=*schtasks.exe*
| table _time host CommandLine ParentCommandLine
index=botsv2 source="WinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine=*schtasks.exe* ParentCommandLine="\"C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe\" /service"
| table _time host CommandLine ParentCommandLine
index=botsv2 source=WinRegistry \\Software\\Microsoft\\Network 影片有找到,實際找不到
解題者頗費工夫解此題,要用到 https://gchq.github.io/CyberChef/ 網站
要把 . 取代移除掉
ANS : process.php
********************************************************************************
(影片40題,01:24:52)
Q35 The APT group Taedonggang is always building more infrastructure to attack future victims. Provide the IPV4 IP address of a Taedonggang controlled server that has a completely different first octet to other Taedonggang controlled infrastructure. Answer guidance: 4.4.4.4 has a different first octet than 8.4.4.4
Q35 APT 組織 Taedonggang 一直在建設更多的基礎設施來攻擊未來的受害者。提供 Taedonggang 控制的服務器的 IPV4 IP 地址,該服務器的第一個八位字節與其他 Taedonggang 控制的基礎設施完全不同。答案指導:4.4.4.4 的第一個八位字節與 8.4.4.4 不同
index=botsv2 sourcetype="stream:tcp" "45.77.65.211"
點 ssl_cert_md5
只有一個 671DFE1D4F15C5A05F21DDB66D3B7815
Censys: Attack Surface Management and Data Solutions
https://search.censys.io/
( 此網站要註冊才能用 )
搜 671DFE1D4F15C5A05F21DDB66D3B7815
tvf13178@xcoxc.com
TP@ssw0rd
看不懂 104.238.159.19 突然迸出。
ANS : 104.238.159.19
********************************************************************************
(影片41題,01:27:07)
Q36 The Taedonggang group had several issues exfiltrating data. Determine how many bytes were successfully transferred in their final, mostly successful attempt to exfiltrate files via a method using TCP, using only the data available in Splunk logs. Use 1024 for byte conversion.
Q36 Taedonggang 小組在洩露數據方面遇到了幾個問題。通過使用 TCP 的方法,僅使用 Splunk 日誌中可用的數據,確定在他們最後一次(大部分成功嘗試)中成功傳輸了多少字節。使用 1024 進行字節轉換。
根據前面 Taedonggang 傳了 invoice.zip
ssl_issuer : C = US
Server : 104.238.159.19
index=botsv2 sourcetype="stream:ftp" method=STOR
找到最後一筆 File successfully transferred
index=botsv2 sourcetype="stream:ftp" method=STOR
|stats count by flow_id
f4703a87-9b70-43d1-af73-344db697a9bf <== 數量最多
index=botsv2 sourcetype="stream:ftp" method=STOR reply_content="*successfully transferred*"
| table _time reply_content
index=botsv2 sourcetype="stream:ftp" method=STOR reply_content="*successfully transferred*"
| rex field=reply_content "(?<period>[0-9]{1,11}\.[0-9]{3}?) seconds \(measured here\), (?<spd>[0-9]{1,11}\.[0-9]{2}) (?<size>M|K)bytes per second"
| table _time reply_content period spd size
| table _time reply_content duration speed data_size
index=botsv2 sourcetype="stream:ftp" method=STOR reply_content="*successfully transferred*"
| rex field=reply_content "(?<period>[0-9]{1,11}\.[0-9]{3}?) seconds \(measured here\), (?<spd>[0-9]{1,11}\.[0-9]{2}) (?<size>M|K)bytes per second"
| eval data_multiplier = case (size == "M", 1048576, data_size == "K", 1024)
| eval totalbytes = period * spd * data_multiplier
| stats sum (totalbytes) by flow_id
找到 f4703a87-9b70-43d1-af73-344db697a9bf 那筆 1394847505
ANS : 1394847505
********************************************************************************
(影片42題,01:32:04)
Q37 Individual clicks made by a user when interacting with a website are associated with each other using session identifiers. You can find session identifiers in the stream:http sourcetype. The Frothly store website session identifier is found in one of the stream:http fields and does not change throughout the user session. What session identifier is assigned to dberry398@mail.com when visiting the Frothly store for the very first time? Answer guidance: Provide the value of the field, not the field name.
Q37 用戶在與網站交互時進行的單次點擊使用會話標識符相互關聯。您可以在流中找到會話標識符:http sourcetype。Frothly 商店網站會話標識符位於 stream:http 字段之一,並且在整個用戶會話期間不會更改。第一次訪問 Frothly 商店時,分配給dberry398@mail.com的會話標識符是什麼?回答指導:提供字段的值,而不是字段名。
index=botsv2 sourcetype="stream:http" "dberry398@mail.com"
index=botsv2 sourcetype="stream:http" "dberry398@mail.com"
| reverse
| table cookie
index=botsv2 sourcetype="stream:http" "dberry398@mail.com"
| eval decoded=urldecode(cookie)
| table decoded
form_key=lwh9Ql7oUbnJUqxR
ANS : lwh9Ql7oUbnJUqxR
********************************************************************************
https://ivanitlearning.wordpress.com/2020/06/30/hunting-with-splunk-botsv2-qns-5xx/
(影片43題,01:33:56)
Q38 How many unique user ids are associated with a grand total order of $1000 or more?
Q38 有多少唯一用戶 ID 與 1000 美元或更多的總訂單相關聯?
index=botsv2 sourcetype="stream:http" dest_content=* grand_total
index=botsv2 sourcetype="stream:http" dest_content=* grand_total url="http://store.froth.ly/magento2/checkout/"
index=botsv2 sourcetype="stream:http" dest_content=* grand_total url="http://store.froth.ly/magento2/checkout/"
| table dest_content
網頁內容搜尋 total
index=botsv2 sourcetype="stream:http" dest_content=* grand_total url="http://store.froth.ly/magento2/checkout/"
| rex field=dest_content "\"USD\",\"grand_total\":\"(?<grandtotal>\w+).\S+\","
| where grandtotal >= 1000
| table dest_content
index=botsv2 sourcetype="stream:http" dest_content=* grand_total url="http://store.froth.ly/magento2/checkout/"
| rex field=cookie "PHPSESSID=\S+; form_key=(?<session_id>\w+);"
| dedup session_id
| table session_id form_data
index=botsv2 sourcetype="stream:http" dest_content=* grand_total url="http://store.froth.ly/magento2/checkout/"
| rex field=dest_content "\"USD\",\"grand_total\":\"(?<grandtotal>\w+).\S+\","
| rex field=cookie "PHPSESSID=\S+; form_key=(?<session_id>\w+);"
| dedup session_id
| table session_id form_data
影片上只有8個結果,敝人測試 148 個,後面做不下去 (下面僅列3個)
index=botsv2 sourcetype="stream:http" url="http://store.froth.ly/magento2/customer/account/loginPost/"
form_data=* ((P5QjF09iujN41DsK) OR (ef0uBsQsX0fvOlCX) OR (ENmUAfOVUXrt2Je0))
| rex field=cookie "PHPSESSID=\S+; form_key=(?<session_id>\w+);"
| table session_id form_data
結果有7個
ANS : 7
參考
How to use subsearch without a field name? (but just with field value)
Change the format of subsearch results
https://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults
Using "search"
********************************************************************************
(影片44題,01:40:29)
Q39 Which user, identified by their email address, edited their profile before placing an order over $1000 in the same clickstream? Answer guidance: Provide the user ID, not other values found from the profile edit, such as name.
Q39 哪個用戶(通過他們的電子郵件地址識別)在同一點擊流中下訂單超過 1000 美元之前編輯了他們的個人資料?回答指南:提供用戶 ID,而不是從個人資料編輯中找到的其他值,例如姓名。
index=botsv2 sourcetype="stream:http" uri="*/magento2/customer/account/editPost/"
找 form_data
根據上一題,本題應該是 bkildcare@yandex.com
ANS :
********************************************************************************
(影片45題,01:41:48)
Q40 What street address was used most often as the shipping address across multiple accounts, when the billing address does not match the shipping address? Answer example: 123 Sesame St
Q40 當賬單地址與送貨地址不匹配時,哪個街道地址最常被用作跨多個帳戶的送貨地址?答案示例:芝麻街 123 號
index=botsv2 sourcetype="stream:http" (src_content="*address*" AND src_content="*shipping*" AND src_content="*billing*")
| table src_content
ANS : 影片也找不到答案
********************************************************************************
(影片46題,01:43:33)
Q41 What is the domain name used in email addresses by someone creating multiple accounts on the Frothly store website (http://store.froth.ly) that appear to have machine-generated usernames?
Q41 某人在 Frothly 商店網站 (http://store.froth.ly) 上創建多個帳戶(似乎具有機器生成的用戶名)的電子郵件地址中使用的域名是什麼?
index=botsv2 sourcetype="stream:http" url="http://store.froth.ly/magento2/customer/account/loginPost/" form_data=*
| dedup form_data
| table url form_data
看到
form_key=Ic2XxXm6FidnzkuV&login[username]=geoffr@gmail.com&login[password]=Vdw2HR47Fdvt6QA~PGp&send=
index=botsv2 sourcetype="stream:http" url="http://store.froth.ly/magento2/customer/account/loginPost/"
| rex field=form_data "&login\[username\]=(?<usrname>\S+)@(?<domain>[\w\.]*)&login\[password\]"
| table _time usrname domain
_time usrname domain
2017-08-30 20:14:51.908 hager comcast.net
2017-08-30 19:50:58.908 osrin yahoo.ca
2017-08-30 19:40:11.908 rtanter yahoo.ca
2017-08-30 19:19:56.908 shrapnull yahoo.ca
2017-08-30 19:01:29.908 starstuff icloud.com
index=botsv2 sourcetype="stream:http" url="http://store.froth.ly/magento2/customer/account/loginPost/"
| rex field=form_data "&login\[username\]=(?<usrname>\S+)@(?<domain>[\w\.]*)&login\[password\]"
| `ut_shannon(usrname)`
| table _time usrname domain ut_shannon
| sort -ut_shannon
_time usrname domain ut_shannon
2017-08-04 03:34:30.166 michael.jackson.phd yahoo.com 3.826874881864639
index=botsv2 sourcetype="stream:http" url="http://store.froth.ly/magento2/customer/account/loginPost/"
| rex field=form_data "&login\[username\]=(?<usrname>\S+)@(?<domain>[\w\.]*)&login\[password\]"
| `ut_shannon(usrname)`
| stats avg(ut_shannon) count by domain
最高 elude.in
ANS: elude.in
********************************************************************************
(影片47題,01:46:07)
Q42 Which user ID experienced the most logins to their account from different IP addresses and user agent combinations? Answer guidance: The user ID is an email address.
Q42 哪個用戶 ID 從不同的 IP 地址和用戶代理組合登錄到他們的帳戶最多?回答指南:用戶ID是一個電子郵件地址。
To solve this we just need to know the login URL. It appears to be http://store.froth.ly/magento2/customer/account/loginPost/. Then we just need to extract the username from form_data field. For good measure I extracted the password as well.
index=botsv2 sourcetype="stream:http" url="http://store.froth.ly/magento2/customer/account/loginPost/"
| rex field=form_data "&login\[username\]=(?<username>\S+@\S+)&login\[password\]"
| stats list(src_ip), list(http_user_agent) count by username
| sort - count
ANS : Tom2014@msn.com
********************************************************************************
(影片48題,01:47:06)
Q43 What is the most popular coupon code being used successfully on the site?
Q43 在網站上成功使用的最受歡迎的優惠券代碼是什麼?
index=botsv2 sourcetype="stream:http" coupon
檢視 dest_content 改成
index=botsv2 sourcetype="stream:http" http_method=PUT
| table _time request dest_content
改成
index=botsv2 sourcetype="stream:http" http_method=PUT dest_content=true
| table _time request dest_content
_time request dest_content
2017-08-21 05:18:49.406 PUT /magento2/rest/default/V1/carts/mine/coupons/WINTER2017 HTTP/1.1 true
2017-08-20 06:01:02.406 PUT /magento2/rest/default/V1/carts/mine/coupons/WINTER2017 HTTP/1.1 true
2017-08-19 07:19:49.406 PUT /magento2/rest/default/V1/carts/mine/coupons/WINTER2017 HTTP/1.1 true
Just 3 coupons are used and they’re all the same.
ANS : WINTER2017
********************************************************************************
(影片49題,01:48:36)
Q44 Several user accounts sharing a common password are usually a precursor to an undesirable scenario orchestrated by a fraudster. Which password is being seen most often across users logging into http://store.froth.ly.
Q44 共享一個共同密碼的多個用戶帳戶通常是欺詐者精心策劃的不良情況的先兆。登錄 http://store.froth.ly 的用戶最常看到哪個密碼。
Since we already know the login URL is http://store.froth.ly/magento2/customer/account/loginPost/ from previous questions, we can just specify that and extract the password from form_data with regex. Then do a stats count by password
index=botsv2 sourcetype="stream:http" url="http://store.froth.ly/magento2/customer/account/loginPost/"
| rex field=form_data "&login\[username\]=(?<username>\S+@\S+)&login\[password\]=(?<pwd>\S+)&send="
| stats values(username) count by pwd
| sort - count
最高 HardwareBasedEasterEggs2017
ANS : HardwareBasedEasterEggs2017
********************************************************************************
Q45 Which HTML page was most clicked by users before landing on http://store.froth.ly/magento2/checkout/ on August 19th? Answer guidance: Use earliest=1503126000 and latest=1503212400 to identify August 19th. Answer example: http://store.froth.ly/magento2/bigbrew.html
Q45 在 8 月 19 日登陸 http://store.froth.ly/magento2/checkout/ 之前,哪個 HTML 頁面被用戶點擊最多?回答指導:使用earliest=1503126000和latest=1503212400來標識8月19日。答案示例:http://store.froth.ly/magento2/bigbrew.html
index=botsv2 sourcetype="stream:http" url="http://store.froth.ly/magento2/checkout/" earliest=1503126000 latest=1503212400
左邊點 http_referrer
http://store.froth.ly/magento2/mens-frothly-tee.html 5 83.333%
http://store.froth.ly/magento2/frothly-beer-stein.html 1 16.667%
ANS : http://store.froth.ly/magento2/mens-frothly-tee.html
********************************************************************************
Q46 Which HTTP user agent is associated with a fraudster who appears to be gaming the site by unsuccessfully testing multiple coupon codes?
Q46 哪個 HTTP 用戶代理與一個似乎通過不成功地測試多個優惠券代碼來玩網站遊戲的欺詐者相關聯?
Coupon,發現 Coupon code is not valid
Coupon code is not valid
ANS : Mozilla/5.0 (Windows NT 6.333; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
(完)
沒有留言:
張貼留言