Splunk exercise: Boss of the SOC V1
1. What is the likely IPv4 address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?
(1) Start from the term "imreallynotbatman.com".
(2) A vulnerability scan is likely to be blocked by the firewall, so pick the firewall sourcetype (fgt_utm, the FortiGate UTM logs) and filter on action=blocked:
index=botsv1 imreallynotbatman.com sourcetype=fgt_utm action=blocked
Look at the src_ip field: a single address accounts for the bulk of the blocked requests.
Answer: 40.80.148.42
2. What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name.
Same search; inspect the msg field, which names the scanner.
Answer: acunetix
3. What content management system is imreallynotbatman.com likely using?
Inspect the URL field of the same events; the scanned paths all sit under /joomla/.
Answer: joomla
4. What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with extension.
192.168.250.70 is the victim web server (it is the dest_ip of the scanning traffic). Search for its HTTP traffic:
index=botsv1 "192.168.250.70" source="stream:http"
Because the IP is searched as free text, this returns both inbound and outbound connections. One dest_ip stands out with only two records: 23.22.63.114, and those two are outbound requests made by the web server itself. Narrow on it and the requested file name appears in the request/uri field:
index=botsv1 "192.168.250.70" source="stream:http" dest_ip="23.22.63.114"
Answer: poisonivy-is-coming-for-you-batman.jpeg
5. This attack used dynamic DNS to resolve the malicious IP. What fully qualified domain name (FQDN) is associated with this attack?
The victim server is the one contacting the dynamic-DNS name, so filter on src_ip=192.168.250.70 and read the host name from its outbound HTTP requests:
index=botsv1 sourcetype=stream:http src_ip=192.168.250.70
Answer: prankglassinebracket.jumpingcrab.com
6. What IPv4 address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?
This is the address the web server reached out to for the defacement image (question 4) and for the dynamic-DNS name (question 5).
Answer: 23.22.63.114
8. What IPv4 address is likely attempting a brute force password attack against imreallynotbatman.com?
Password submissions normally go over POST to the victim 192.168.250.70, so filter on that and aggregate with stats:
index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST
| stats count by src_ip, uri
The three (src_ip, uri) pairs with the highest counts are the brute-force candidates. Checking each:
/joomla/index.php/component/search/ is the site search; no username or password fields are submitted.
/joomla/index.php is mail-related.
The third, /joomla/administrator/index.php, is the Joomla admin login; its form_data field carries the submitted credentials. Aggregate on it:
index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST uri="/joomla/administrator/index.php" | stats count by form_data
Answer: 23.22.63.114
9. What is the name of the executable uploaded by Po1s0n1vy?
The upload is probably a .exe, so try it as a free-text term:
index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70" http_method=POST *.exe
Two names show up: shtml.exe (a FrontPage Server Extensions component, so not the upload) and 3791.exe.
Answer: 3791.exe
10. What is the MD5 hash of the executable uploaded?
Search for 3791.exe in the Windows Sysmon logs:
index=botsv1 3791.exe sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
The signature field has four values:
Image Load → monitors DLL/driver loads, useful against injection.
Process Create → tracks new processes to detect malicious execution.
Network Connect → finds malicious outbound connections.
Process Terminate → spots attackers cleaning up after themselves.
Pick Process Create and inspect the command line of each event; select the 3791.exe event and read the MD5 from its Hashes field (Sysmon writes it as MD5=..., optionally followed by SHA256 and IMPHASH):
Answer: aae3f5a29935e6abcc2c2754d12a9af0
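The click-through above (filter to Process Create, find the 3791.exe event, read the MD5 out of Hashes) is easy to script when the same question comes up in an investigation. The script below is an added example, not code from the walkthrough; the three Sysmon records it parses are constructed to look like the XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype, and the image path, host name and destination IP in them are assumed for the example. Only the executable name and the MD5 value come from this question.

```python
"""Extract the MD5 of an uploaded executable from Sysmon Process Create
(Event ID 1) records.  Added example, not part of the original walkthrough."""
import xml.etree.ElementTree as ET

# Windows event XML namespace used by XmlWinEventLog records.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon events.  Path, host and destination IP are assumed;
# the MD5 in the first record is the one from question 10.
SAMPLE_EVENTS = [
    r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID>
  <Computer>webserver.example.local</Computer></System>
  <EventData>
    <Data Name='Image'>C:\inetpub\wwwroot\joomla\3791.exe</Data>
    <Data Name='CommandLine'>3791.exe</Data>
    <Data Name='User'>NT AUTHORITY\IUSR</Data>
    <Data Name='Hashes'>MD5=AAE3F5A29935E6ABCC2C2754D12A9AF0</Data>
  </EventData></Event>""",
    # Network Connect (Event ID 3) for the same binary: carries no Hashes
    # field, so it must be skipped even though the image name matches.
    r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>3</EventID>
  <Computer>webserver.example.local</Computer></System>
  <EventData>
    <Data Name='Image'>C:\inetpub\wwwroot\joomla\3791.exe</Data>
    <Data Name='DestinationIp'>203.0.113.5</Data>
  </EventData></Event>""",
    # An unrelated Process Create that must not match.
    r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID>
  <Computer>webserver.example.local</Computer></System>
  <EventData>
    <Data Name='Image'>C:\Windows\System32\notepad.exe</Data>
    <Data Name='CommandLine'>notepad.exe</Data>
    <Data Name='Hashes'>MD5=00000000000000000000000000000000,SHA256=1111</Data>
  </EventData></Event>""",
]


def parse_sysmon_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def parse_hashes(hashes_field):
    """Sysmon stores hashes as 'MD5=...,SHA256=...,IMPHASH=...'."""
    hashes = {}
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if value:
            hashes[algo.strip().upper()] = value.strip().lower()
    return hashes


def find_process_hashes(events, image_name):
    """Process Create records whose Image file name equals image_name."""
    matches = []
    for xml_text in events:
        event_id, data = parse_sysmon_event(xml_text)
        if event_id != 1:          # only Process Create carries the hashes
            continue
        image = data.get("Image", "")
        if image.lower().rsplit("\\", 1)[-1] != image_name.lower():
            continue
        matches.append({
            "image": image,
            "command_line": data.get("CommandLine", ""),
            "md5": parse_hashes(data.get("Hashes", "")).get("MD5"),
        })
    return matches


if __name__ == "__main__":
    for m in find_process_hashes(SAMPLE_EVENTS, "3791.exe"):
        print(m["image"], m["command_line"], m["md5"])
```

Matching on the file name component of Image rather than on a substring avoids picking up a 3791.exe.bak or a 13791.exe, and filtering on Event ID 1 is what keeps the Network Connect record (which has no Hashes) out of the result.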
11. GCPD reported that common TTPs (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy's initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.
Looking up 23.22.63.114 on VirusTotal shows files associated with that address:
The answer is the entry dated 25-07-03, MirandaTateScreensaver.scr.exe.
Answer: 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8
12. What special hex code is associated with the customized malware discussed in question 11?
The VirusTotal "Community" tab for that sample has the answer. The hex is plain ASCII; decoded, it reads "Steve Brant's Beard is a powerful thing. Find this message and ask him to buy you a beer!!!"
Answer: 53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21
13. What was the first brute-force password used?
index=botsv1 source="stream:http" dest_ip="192.168.250.70" POST uri="/joomla/administrator/index.php" | stats count by form_data, timestamp | sort timestamp asc
Answer: 12345678
14. One of the passwords in the brute force attack is James Brodsky's favorite Coldplay song. We are looking for a six-character word on this one. Which is it?
Coldplay's best-known song is Yellow, so search for it:
index=botsv1 source="stream:http" dest_ip="192.168.250.70" POST uri="/joomla/administrator/index.php" yellow
One record matches:
Answer: Yellow
15. What was the correct password for admin access to the content management system running “imreallynotbatman.com”?
Step 1 — A correct password for admin access would return status code 200, which I used to filter, but I couldn't find it.
Step 2 — I then removed the status code 200 filter and the table to narrow the search.
Step 3 — I narrowed the search with a table counting the password occurrences that were used to authenticate.
The better approach is to count occurrences: the correct password is the one submitted more than once, because the brute forcer hits it and the attacker then logs in with it (see question 17):
index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70" http_method=POST uri=/joomla/administrator/index.php
| rex field=form_data "passwd=(?<password>\w+)"
| stats count by password
| sort -count
Answer: batman
16. What was the average password length used in the password brute forcing attempt?
Practice with eval and stats:
index=botsv1 source="stream:http" uri="/joomla/administrator/index.php" POST | rex field=form_data "passwd=(?<password>\w+)" | stats count by password | eval x=len(password) | stats avg(x) as result
Note that stats count by password collapses repeated passwords before len() runs, so this is the average over distinct passwords rather than over attempts; drop that step to average over every attempt. The answer is given rounded to a whole number.
Answer: 6
17. How many seconds elapsed between the time the brute force password scan identified the correct password and the compromised login?
Reference answer:
index=botsv1 imreallynotbatman.com sourcetype="stream:http" dest_ip="192.168.250.70" http_method="POST" username passwd | rex field=form_data "passwd=(?<passwd>\w+)" | search passwd=batman
| transaction passwd
| eval dur=round(duration, 2)
| table dur
transaction groups both passwd=batman events and its duration field is the number of seconds between the first and the last. That is more machinery than needed: pull the two events, subtract their timestamps, and you get the same number.
Answer: 92.17
18. How many unique passwords were attempted in the brute force attempt?
index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70" http_method=POST form_data=*username*passwd*
| rex field=form_data "passwd=(?<creds>\w+)"
| table _time src_ip uri http_user_agent creds
| stats dc(creds) as unique_password_attempts
The \w+ in the rex stops at the first non-word character, so a password containing punctuation would be truncated and could collide with another attempt; it is good enough for this dataset.
Answer: 412
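Questions 13, 15, 16, 17 and 18 all reduce to one extraction of the password from form_data followed by a different aggregation, so it is worth seeing them together. The script below is an added example, not part of the walkthrough or of the BOTS dataset: it runs the same logic over a handful of constructed stream:http-style records. The timestamps, the password list and which address performs the final login are made up for the example; only the field names, the victim IP and the two attacker IPs from the walkthrough are reused. It also goes one step past the SPL above by URL-decoding form_data, so a password containing an encoded '&' survives where the \w+ rex would cut it short.

```python
"""Brute-force analysis over constructed stream:http records.
Added example; not code from the walkthrough or data from the dataset."""
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs

VICTIM = "192.168.250.70"
LOGIN_URI = "/joomla/administrator/index.php"


def _post(t, src, passwd):
    """Build one constructed admin-login POST in the shape of a stream:http event."""
    return {"_time": t, "src_ip": src, "dest_ip": VICTIM, "http_method": "POST",
            "uri": LOGIN_URI,
            "form_data": f"username=admin&passwd={passwd}&option=com_login&task=login"}


# Constructed events (times, passwords and the login source are assumed).
EVENTS = [
    _post("2016-08-10 21:44:10", "23.22.63.114", "12345678"),
    _post("2016-08-10 21:44:11", "23.22.63.114", "password"),
    _post("2016-08-10 21:44:12", "23.22.63.114", "Yellow"),
    _post("2016-08-10 21:44:13", "23.22.63.114", "batman"),   # the hit
    _post("2016-08-10 21:44:14", "23.22.63.114", "letmein"),
    _post("2016-08-10 21:44:15", "23.22.63.114", "joomla"),
    _post("2016-08-10 21:44:16", "23.22.63.114", "p%26ss"),   # decodes to p&ss
    _post("2016-08-10 21:45:45", "40.80.148.42", "batman"),   # real login, 92 s later
    # Noise that the filters must drop: a GET, and a POST to the site search.
    {"_time": "2016-08-10 21:44:12", "src_ip": "10.0.0.5", "dest_ip": VICTIM,
     "http_method": "GET", "uri": "/joomla/index.php", "form_data": ""},
    {"_time": "2016-08-10 21:44:20", "src_ip": "10.0.0.6", "dest_ip": VICTIM,
     "http_method": "POST", "uri": "/joomla/index.php/component/search/",
     "form_data": "searchword=batman"},
]


def login_attempts(events):
    """Mirror the SPL filter: POST to the victim's Joomla admin login, with the
    password taken from form_data.  parse_qs URL-decodes the value, so
    passwords containing '&', '%' or '+' are kept intact."""
    out = []
    for ev in events:
        if (ev["dest_ip"] != VICTIM or ev["http_method"] != "POST"
                or ev["uri"].lower() != LOGIN_URI):
            continue
        fields = parse_qs(ev["form_data"])
        if "passwd" not in fields:
            continue
        out.append({"time": datetime.strptime(ev["_time"], "%Y-%m-%d %H:%M:%S"),
                    "src_ip": ev["src_ip"], "password": fields["passwd"][0]})
    return sorted(out, key=lambda a: a["time"])


def first_password(events):                      # question 13
    return login_attempts(events)[0]["password"]


def brute_force_source(events):                  # question 8
    return Counter(a["src_ip"] for a in login_attempts(events)).most_common(1)[0][0]


def likely_correct_password(events):             # question 15
    """The password seen more than once: the brute forcer hits it, then the
    attacker logs in with it for real."""
    pw, n = Counter(a["password"] for a in login_attempts(events)).most_common(1)[0]
    return pw if n > 1 else None


def avg_password_length(events, unique=False):   # question 16
    """unique=True reproduces the SPL, which runs stats count by password
    before len() and so averages over distinct passwords, not attempts."""
    pws = [a["password"] for a in login_attempts(events)]
    if unique:
        pws = list(set(pws))
    return sum(map(len, pws)) / len(pws)


def seconds_between_hit_and_login(events, password):   # question 17
    """Seconds from the first to the last submission of the given password."""
    hits = [a["time"] for a in login_attempts(events) if a["password"] == password]
    if len(hits) < 2:
        return None
    return (hits[-1] - hits[0]).total_seconds()


def unique_password_count(events):               # question 18
    return len({a["password"] for a in login_attempts(events)})


if __name__ == "__main__":
    print(first_password(EVENTS), brute_force_source(EVENTS),
          likely_correct_password(EVENTS), unique_password_count(EVENTS),
          avg_password_length(EVENTS), avg_password_length(EVENTS, unique=True),
          seconds_between_hit_and_login(EVENTS, "batman"))
```

On the constructed data the per-attempt and per-distinct-password averages differ (51/8 versus 45/7), which is the discrepancy the note under question 16 warns about; on a real dataset with hundreds of attempts and only one repeated password the two values are close but not identical.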