TryHackMe: Splunk 2 Walkthrough (splunk2gcd5)

Onur Alp Akin
12 min readApr 13, 2023

--

Check out Splunk 2 room on TryHackMe

Based on version 2 of the Boss of the SOC (BOTS) competition by Splunk.

Original Publish Date: Dec 31, 2022

100 Series Questions

The first objective is to find out what competitor website she visited. What is a good starting point?

When it comes to HTTP traffic, the source and destination IP addresses should be recorded in logs. You need Amber’s IP address.

I start with a simple query to find Amber’s IP address

index="botsv2" sourcetype="pan:traffic" amber
Found it

After adding it to the search and changing source type to HTTP, room wants us to add some keywords to our query. More specifically, one to remove duplicate entries and one to list as a table.

Looking at the reference and searching inside the page, we can easily find our related keywords

Final query would be

index="botsv2" sourcetype="stream:HTTP" "10.0.2.101" 
| dedup site
| table site

To continue with the room, we have to find competitor website out of these.

And room says you can use industry, which Frothly is in. It’s an imaginary company, thus you won’t get anything by searching online :)

Tried to find in page, but in vain. Then I searched inside HTML with developer tools and found what we are looking for.

1 — Amber Turing was hoping for Frothly to be acquired by a potential competitor, which fell through, but visited their website to find contact information for their executive team. What is the website domain that she visited?

www.berkbeer.com

2 — Amber found the executive contact information and emailed him. What image file displayed the executive’s contact information? Answer example: /path/image.ext

Query is now

index="botsv2" sourcetype="stream:HTTP" "10.0.2.101" berkbeer.com

Just guessed that filename would include the abbreviation CEO in it.

So our answers is

/images/ceoberk.png

Now to find email related answers, we need to change source type to SMTP.

index="botsv2" sourcetype="stream:smtp" berkbeer.com

We found Amber’s email. Now we can add that to our search

index="botsv2" sourcetype="stream:smtp" berkbeer.com "aturing@froth.ly"

We got 4 results. It’s quite manageable.

3 — What is the CEO’s name? Provide the first and last name.

In order to search every data column, I clicked all 4 “show as raw text” buttons and searched [space]berk in the page.

If it were more than a dozen, it would be a good idea to search with regex, however I didn’t bother here.

We found it

Answer is:

Martin Berk

4 — What is the CEO’s email address?

We can see an email right under the name which is

mberk@berkbeer.com

5 — After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee’s email address?

If we were to pay attention to the data column “receiver” under one of four packets, we can find the email in question.

hbernhard@berkbeer.com

6 — What is the name of the file attachment that Amber sent to a contact at the competitor?

We can utilize Interesting Fields

Saccharomyces_cerevisiae_patent.docx

7 — What is Amber’s personal email address?

After spending 10 to 15 minutes searching various email regexes, I couldn’t find anything and decided to look at the hint which says look for encrypted data.

After the hint, I returned to the aforementioned 4 packets because one of them included lots of inconspicuous base64 data.

Using CyberChef to decode the longest looking base64 and searching for @ character, we can find an email.

ambersthebest@yeastiebeastie.com

200 Series Questions

Starting with the query that we are given.

index="botsv2" amber tor

1 — What version of TOR Browser did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one or more delimiter.

Because there are more than 300 results, I’ve decided to take a look at interesting fields one by one.

Et voilà! Answer is:

7.0.4

2 — What is the public IPv4 address of the server running www.brewertalk.com?

To find the IP, we can start simple.

index="botsv2" brewertalk.com

Because most of the destination port is 80 I’m including that in the search.

index="botsv2" brewertalk.com dest_port=80

By doing so, we now have only 2 IPs

The IP we are looking for would be the 2nd

52.42.208.228

3 — Provide the IP address of the system used to run a web vulnerability scan against www.brewertalk.com.

If we think about it simply, scan would send lots of packages, and we should look for the IP that has sent the most packages.

Searching

index="botsv2" www.brewertalk.com

Again, utilizing interesting fields, the answer is:

45.77.65.211

4 — The IP address from Q#2 is also being used by a likely different piece of software to attack a URI path. What is the URI path? Answer guidance: Include the leading forward slash in your answer. Do not include the query string or other parts of the URI. Answer example: /phpinfo.php

Base query is

index="botsv2" src_ip="45.77.65.211"

It returned lots of results. Once again, interesting fields come to our aid.

URI path field is most likely to reveal attacked path

You would expect one of the top results would be the answer. And because we know the answer format, anything but the first result seems unlikely because the second one is a search page.

5 — What SQL function is being abused on the URI path from the previous question?

As per our recent findings now our query looks like this:

index="botsv2" src_ip="45.77.65.211" uri_path="/member.php"

Looking at the first item’s ‘form data’ field, we can see the utilized function:

updatexml
Form data field

Questions 6 & 7

Awesome, thus far, you have identified Amber downloaded Tor Browser (you even know the exact version). You identified what URI path and the SQL function attacked on brewertalk.com.

Your task now is to identify the cookie value that was transmitted as part of an XSS attack. The user has been identified as Kevin.

Before diving right in, get some details on Kevin. This is the first time you hear of him.

Command:

index="botsv2" kevin

Ok, now you have Kevin’s first and last name. Time to figure out the cookie value from the XSS attack.

As before, you can start with a simple keyword search.

You know that you’re looking for events related to Kevin’s HTTP traffic with an XSS payload, and you’re focused on the cookie value.

Honestly, you should be able to tackle this one on your own as well. Use the previous search queries as your guide.

After you executed the search query that yields the events with the answer, you can identify the username used for the spear phishing attack.

Based on the question hint, you can perform a keyword search query here as well.

6 — What was the value of the cookie that Kevin’s browser transmitted to the malicious URL as part of an XSS attack? Answer guidance: All digits. Not the cookie name or symbols like an equal sign.

Suggested by question info we start with:

index="botsv2" kevin

And we learn his last name, which is lagerfield

Searching with the last name didn’t give me much to work with, so I continue with just the name.

We know from the “story” that stream should be HTTP.

index="botsv2" kevin sourcetype="stream:http"

And using our knowledge from the previous queries, we know brewertalk.com uses PHP, so it would be a good assumption to say the attacked endpoint would include PHP in its URI path.

And to top it off, we can include script or document keywords.

So, final query would be:

index="botsv2" kevin sourcetype="stream:http" (script OR document) uri_path="*\.php"

We must not forget we are looking for a cookie value :)

Peeking through the cookie field (all digits, first one)

1502408189

7 — What brewertalk.com username was maliciously created by a spear phishing attack?

Our results from the previous query is manageable enough, so I’m just going to search in page for username :)

You can see clearly barring ‘kevin’ only username is:

kIagerfield

300 Series Questions

Upward and onwards! Time to tackle some of the 300 series questions.

As with the 100 series questions, there are extra questions in this task that are not from the BOTS2 dataset.

Questions 1 & 2

The questions start with an individual named Mallory, her MacBook, and some encrypted files.

As per the previous tasks, you can start with a keyword search to see what events are returned that are associated with Mallory.

1 — Mallory’s critical PowerPoint presentation on her MacBook gets encrypted by ransomware on August 18. What is the name of this file after it was encrypted?

Starting with a simple keyword:

index="botsv2" mallory

We found the hostname and or query should include file extension for PowerPoint.

Microsoft documentation for PowerPoint extensions

Now our query looks like this:

index="botsv2" host="MACLORY-AIR13" (*.pptx OR *.pptm OR *.ppt)

So the answer is:

Frothly_marketing_campaign_Q317.pptx.crypt

2 — There is a ‘Games of Thrones’ movie file that was encrypted as well. What season and episode is it?

We know encrypted file extension which is .crypt

Now assuming the file would contain the series’ name, our query would be:

index="botsv2" host="MACLORY-AIR13" (got OR game OR thrones) crypt

And the answer is:

S07E02

3 — Kevin Lagerfield used a USB drive to move malware onto kutekitten, Mallory’s personal MacBook. She ran the malware, which obfuscates itself during execution. Provide the vendor name of the USB drive Kevin likely used. Answer Guidance: Use time correlation to identify the USB drive.

Start query is:

index="botsv2" kutekitten

But it gives over 6k results. To reduce the number, I add USB keyword.

index="botsv2" kutekitten usb

While looking at the columns, I see tag column that has USB value too. So I select that. And I add vendor keyword too.

index="botsv2" kutekitten usb tag=usb vendor

Now that we have both vendor and device ID, we can look it up.

Alcor Micro Corp.

4 — What programming language is at least part of the malware from the question above written in?

First, we have got to get back to our first query, which is:

index="botsv2" kutekitten

Looking at the osquery results, I notice something suspicious under /Users which is mkraeusen user. And after adding the username as a keyword looking at interesting field names, something looks peculiar.

So now our query is:

index="botsv2" kutekitten mkraeusen name=file_events

Et voilà! We have a file hash.

And searching for the hash on virustotal.com, we got our result:

perl

5 — When was this malware first seen in the wild? Answer Guidance: YYYY-MM-DD

Still on virustotal, under details tab:

2017-01-17

6 — The malware infecting kutekitten uses dynamic DNS destinations to communicate with two C&C servers shortly after installation. What is the fully-qualified domain name (FQDN) of the first (alphabetically) of these destinations?

Relations tab:

eidk.duckdns.org

7 — From the question above, what is the fully-qualified domain name (FQDN) of the second (alphabetically) contacted C&C server?

eidk.hopto.org

400 Series Questions

1 — A Federal law enforcement agency reports that Taedonggang often spear phishes its victims with zip files that have to be opened with a password. What is the name of the attachment sent to Frothly by a malicious Taedonggang actor?

Now, because we are dealing with emails here, it makes sense to filter results to SMTP packets. After source filter, we still have lots to deal with. So adding ‘attachment’ keyword and zip extension also makes sense.

The final query would look like this:

index="botsv2" sourcetype="stream:smtp" attachment *.zip

And the answer is:

invoice.zip

2 — What is the password to open the zip file?

Same email, content body includes the password.

912345678

3 — The Taedonggang APT group encrypts most of their traffic with SSL. What is the “SSL Issuer” that they use for the majority of their traffic? Answer guidance: Copy the field exactly, including spaces.

For this question, you will need the attacker’s IP. Remember, there was an IP address scanning brewertalk.com.

Starting with the query including IP address and SSL keyword

index="botsv2" SSL 45.77.65.211

Interesting field > ssl_issuer gives the answer:

C = US

4 — What unusual file (for an American company) does winsys32.dll cause to be downloaded into the Frothly environment?

Initial query:

index="botsv2" winsys32.dll

From there we can see ftp client running. We change our source to ftp stream.

index="botsv2" sourcetype="stream:ftp"

Now we can select loadway key from interesting fields. We are looking for downloads.

index="botsv2" sourcetype="stream:ftp" loadway=Download
나는_데이비드를_사랑한다.hwp
We found the filename

5 — What is the first and last name of the poor innocent sap who was implicated in the metadata of the file that executed PowerShell Empire on the first victim’s workstation? Answer example: John Smith

Use the following links to examine the execution of the malware contained within the aforementioned zip file.

Hybrid Analysis
VirusTotal
Any.run

Ryan Kovar

6 — Within the document, what kind of points is mentioned if you found the text?

CyberEastEgg

7 — To maintain persistence in the Frothly network, Taedonggang APT configured several Scheduled Tasks to beacon back to their C2 server. What single webpage is most contacted by these Scheduled Tasks? Answer example: index.php or images.html

Starting with:

index="botsv2" schtasks.exe

We know the account domain should be Frothly.

index="botsv2" schtasks.exe Account_Domain=FROTHLY

Looking at the results we can see couple of powershell executions that are conspicuous (we know that they utilize powershell but for the sake of the hunt we will discard that information and look for oddness manually.)

Now we know registry key.

Searching for

index="botsv2" \\Software\\Microsoft\\Network

WinRegistry looks worth while.

There are 4 items with base64 encoded text. Decoding them one by one we can deduct the answer which is:

process.php

We have completed Splunk Boss of the Soc 2 (BOTS2) competition dataset to increase our capabilities using Splunk.

That was it! Thank you for reading. :)

--

--