Mohitrajai
15 min read · Nov 19, 2022

CyberDefenders: Boss Of The SOC v1

1) This is a simple question to get you familiar with submitting answers. What is the name of the company that makes the software that you are using for this competition? Just a six-letter word with no punctuation.

  • Splunk

2) What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?

  • The question already hints that the group is scanning the website, so we can search the HTTP stream data in Splunk.
  • Since we already know the domain name, search: index="botsv1" sourcetype="stream:http" imreallynotbatman.com | stats count by src_ip
  • One source IP stands out with more than 20,000 requests (20932). The answer is 40.80.148.42.

3) What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, "Microsoft" or "Oracle")

  • Looking more closely at the events from question 2, several request URIs and request headers carry the scanner vendor's name, Acunetix. See the image below.
  • The company name is clearly visible in the request details.

4) What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as . , ! ? in your answer. We are looking for alpha characters only.)

  • To identify the content management system, look at successful requests (HTTP status 200), since those are the ones that returned page content. Filter the HTTP logs for status 200 as shown below:
  • Scrolling through the results and looking at the src_content field (and the request URIs, which sit under /joomla/), we find Joomla. The answer is joomla.

5) What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with the extension (For example, “notepad.exe” or “favicon.ico”).

  • For this answer we need to look at what the compromised web server communicated with, so first list the events involving the server.
  • index="botsv1" imreallynotbatman.com src_ip=40.80.148.42 shows which destination the scanner hit most.
  • The IP 40.80.148.42 sent the bulk of its traffic to 192.168.250.70, the web server.
  • Now look at what 192.168.250.70 itself requested, acting as a client, using the URI field:
  • index="botsv1" sourcetype="stream:http" c_ip=192.168.250.70 | stats count by uri
  • Only one file shows up in this result: poisonivy-is-coming-for-you-batman.jpeg. The web server fetched the defacement image from the attacker's infrastructure.
  • The answer is poisonivy-is-coming-for-you-batman.jpeg.

6) This attack used dynamic DNS to resolve to the malicious IP. What is the fully qualified domain name (FQDN) associated with this attack?

  • We already know the attacker compromised the server and pushed the defacement image onto it. Searching for the target site with index="botsv1" imreallynotbatman.com gives the results below.

The IP 192.168.250.70 is the one making the most requests. Now we want the hostname behind the request that fetched the image, which is the dynamic-DNS name the question asks for. In Splunk c_ip is the client IP of an HTTP stream, so we use it to match on the web server acting as a client.

  • Run index="botsv1" c_ip="192.168.250.70" | stats count by url in Splunk; the result is shown below. The only external URL is served from the dynamic-DNS host prankglassinebracket.jumpingcrab.com, which is the FQDN.

7) What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?

We already found the dynamic-DNS name in question 6, so now we want the IP it resolved to. Click on that event and view its details.

The IP is 23.22.63.114. VirusTotal also shows this IP is associated with po1s0n1vy.com.

8) Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?

-> Searching threatcrowd.org with the malicious IP from question 7 turns up the registrant email lillian.rose@po1s0n1vy.com.

-> The answer is lillian.rose@po1s0n1vy.com.

9) What IP address is likely attempting a brute force password attack against imreallynotbatman.com?

-> A brute-force attack produces a large number of login requests from one source, so we count requests by client IP and form data. Login forms are submitted with POST, so restrict the search to that method:

  • index="botsv1" sourcetype=stream:http imreallynotbatman http_method=POST | stats count by c_ip, form_data
  • One IP clearly dominates: 23.22.63.114.

10) What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, “notepad.exe” or “favicon.ico”)

-> The question says the attacker uploaded a file. Browser file uploads are sent as a POST request with a multipart/form-data body, so search for that content type:

  • index="botsv1" sourcetype=stream:http "multipart/form-data"
  • The uploaded file name is 3791.exe.

11) What is the MD5 hash of the executable uploaded?

-> The HTTP stream only carries the upload; to get a reliable hash of 3791.exe we need a sourcetype that records file hashes, such as Sysmon process-creation events. First search by the file name, since we already have it:

Query: index="botsv1" 3791.exe

-> This shows which sourcetypes contain the name. Narrow the search to the Sysmon sourcetype:

-> index="botsv1" 3791.exe sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" CommandLine=3791.exe | table MD5

  • This selects the Sysmon events whose process command line is 3791.exe and shows the MD5 field as a table.
  • MD5 = AAE3F5A29935E6ABCC2C2754D12A9AF0

12) GCPD reported that common TTP (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear-phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy’s initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.

-> This question is research-based: to get the malware's SHA256 we use open threat-intelligence sources.

-> We already have the attacker's malicious IP, so we can search VirusTotal, ThreatMiner and similar platforms for malware samples linked to it.

  • Searching ThreatMiner for the IP shows the results below.
  • Three malware samples are related to this IP.
  • Trying each SHA256 in turn, the third sample matched the expected answer.
  • MD5 = c99131e0169171935c5ac32615ed6261 and SHA256 = 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8
  • The answer is 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8

13) What is the special hex code associated with the customized malware discussed in question 12? (Hint: It’s not in Splunk)?

-> As the question says, this is not in Splunk.

-> Searching VirusTotal for the SHA256 found above, a user comment in the Community tab quotes the hex code embedded in the malware:

  • 53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21
  • Decoded as ASCII the bytes read "Steve Brant's Beard is a powerful thing. Find this message and ask him to buy you a beer!!!", which is a quick check that the right string was copied.

14) One of Po1s0n1vy’s staged domains has some disjointed “unique” whois information. Concatenate the two codes together and submit them as a single answer.

  • The question says we need whois information, so first we need the staged domain. We have the malicious IP, so look it up in VirusTotal.
  • Among the domains resolving to this IP is waynecorinc.com (a typosquat of waynecorpinc).
  • Search this domain in the Whois History API at whoxy.com. The JSON response below contains two odd values, the registrant company name and the mailing address; concatenating those two gives the answer.

15) What was the first brute force password used?

-> For this answer we need the form data in the HTTP logs. The passwd field of form_data holds each password the attacker tried.

  • index="botsv1" sourcetype="stream:http" imreallynotbatman http_method=POST "passwd=*" | stats count by _time, form_data
  • Sorting by _time, the earliest attempt shows the first password tried: 12345678.

16) One of the passwords in the brute force attack is James Brodsky’s favorite Coldplay song. Hint: we are looking for a six-character word on this one. Which is it?

-> This question is tricky. A Google search for Coldplay songs turns up pages listing all of them.

-> The hint says the song name is a six-character word.

-> Five titles have six characters: "clocks", "oceans", "sparks", "shiver", "yellow".

-> Extract the passwd value from form_data with rex, keep six-character values and test them against those five words:

index="botsv1" sourcetype="stream:http" "imreallynotbatman.com" http_method="POST" form_data="*username=*passwd=*"

| rex field=form_data "&passwd=(?<pass>\w+)"

| eval wordl = len(pass)

| search wordl = 6

| where pass in ("clocks", "oceans", "sparks", "shiver", "yellow")

| table src, pass

  • The result is shown below.

-> The answer is yellow.

17) What was the correct password for admin access to the content management system running “imreallynotbatman.com”?

-> To find which attempt succeeded, look at the form data where we see both username and password, and group by source IP and password.

-> Using stream:http and the form_data field:

-> index=botsv1 sourcetype=stream:http form_data=*username*passwd*

| rex field=form_data "passwd=(?<userpassword>\w+)"

| stats count by src_ip, userpassword

-> We already know the brute-force IP was 23.22.63.114, which tried hundreds of passwords without logging in. The other IP submits a single password, and that one is the successful login.

  • The password used was:

-> batman

18) What was the average password length used in the password brute-forcing attempt? (Round to a closest whole integer. For example “5” not “5.23213”)

-> This question needs a bit more Splunk: we want the average length of the passwords used in the brute force.

-> Extract the password with rex, compute its length with eval into a new field, then average that field with stats.

-> Query: index="botsv1" sourcetype="stream:http" "imreallynotbatman.com" http_method="POST" form_data="*username=*passwd=*"

| rex field=form_data "&passwd=(?<pass>\w+)"

| eval length=len(pass)

| stats avg(length)

  • The average rounds to 6.

19) How many seconds elapsed between the brute force password scan identified the correct password and the compromised login? Round to 2 decimal places.

-> We want the elapsed time between the brute-force attempt that hit the correct password and the later login with it. The transaction command helps here.

-> transaction groups events that share a field value and reports the time between the first and last event of the group as the duration field:

-> index="botsv1" sourcetype=stream:http imreallynotbatman http_method=POST "passwd="

| rex "passwd=(?<passwd>[^&\"]+)[\"&]"

| search passwd=batman

| transaction passwd

| table duration

-> The two batman events are 92.17 seconds apart.

20) How many unique passwords were attempted in the brute force attempt?

-> We want the number of unique passwords the attacker used. Splunk's dc() (distinct count) function counts the unique values of a field, so extract the password with rex and apply dc:

-> index="botsv1" sourcetype=stream:http imreallynotbatman http_method=POST "passwd="

| rex "passwd=(?<passwd>[^&\" ]+)[\"&]"

| stats dc(passwd)

-> The answer is 412.
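Questions 15, 17, 18, 19 and 20 all come down to the same three steps: pull the passwd value out of form_data, group by source IP or by password, and compute a statistic. The Python below is an added example, not part of the original write-up, that does the same over a handful of constructed stream:http-style events (the IPs, timestamps and passwords are made up for the example and are not the BOTS v1 data). It reproduces what the rex / stats dc / stats avg / transaction pipelines above compute, so the logic can be checked offline, and it also adds the cross-IP check used in question 17: a password tried by the brute-forcer that is later reused from another source.

```python
import re
from statistics import mean

# Constructed sample of stream:http POST events (not real BOTS v1 data).
# Field names mimic what Splunk shows for a Joomla login form submission.
EVENTS = [
    {"_time": 1470000000.00, "src_ip": "203.0.113.5",  "form_data": "username=admin&passwd=12345678&option=com_login&task=login"},
    {"_time": 1470000001.50, "src_ip": "203.0.113.5",  "form_data": "username=admin&passwd=qwerty&option=com_login&task=login"},
    {"_time": 1470000002.25, "src_ip": "203.0.113.5",  "form_data": "username=admin&passwd=yellow&option=com_login&task=login"},
    {"_time": 1470000003.10, "src_ip": "203.0.113.5",  "form_data": "username=admin&passwd=batman&option=com_login&task=login"},
    {"_time": 1470000004.00, "src_ip": "203.0.113.5",  "form_data": "username=admin&passwd=qwerty&option=com_login&task=login"},
    {"_time": 1470000095.27, "src_ip": "198.51.100.7", "form_data": "username=admin&passwd=batman&option=com_login&task=login"},
    {"_time": 1470000096.00, "src_ip": "198.51.100.7", "form_data": "task=upload&name=notes.txt"},
]

# Same idea as the SPL rex: passwd= at the start of form_data or after '&',
# value runs until the next '&', a quote or whitespace.
PASSWD_RE = re.compile(r'(?:^|&)passwd=([^&"\s]*)')


def extract_passwd(form_data):
    """Return the passwd value from a form body, or None if there is no passwd field."""
    m = PASSWD_RE.search(form_data)
    return m.group(1) if m else None


def brute_force_attempts(events, attacker_ip):
    """(time, password) tuples for POSTs from attacker_ip that carry a non-empty passwd, in time order."""
    rows = [(e["_time"], extract_passwd(e["form_data"])) for e in events if e["src_ip"] == attacker_ip]
    return sorted((t, p) for t, p in rows if p)


def first_password(events, attacker_ip):
    """Q15: earliest password tried (stats count by _time, form_data, sorted by time)."""
    attempts = brute_force_attempts(events, attacker_ip)
    return attempts[0][1] if attempts else None


def distinct_password_count(events, attacker_ip):
    """Q20: equivalent of stats dc(passwd)."""
    return len({p for _, p in brute_force_attempts(events, attacker_ip)})


def average_password_length(events, attacker_ip):
    """Q18: equivalent of eval length=len(pass) | stats avg(length), rounded to a whole number.
    Repeated attempts count every time, as they do in the SPL."""
    attempts = brute_force_attempts(events, attacker_ip)
    return round(mean(len(p) for _, p in attempts)) if attempts else 0


def seconds_to_reuse(events, password):
    """Q19: seconds between the first and last POST carrying `password`,
    which is what `transaction passwd | table duration` reports."""
    times = sorted(e["_time"] for e in events if extract_passwd(e["form_data"]) == password)
    return round(times[-1] - times[0], 2) if len(times) >= 2 else 0.0


def likely_correct_password(events, attacker_ip):
    """Q17: passwords tried by the brute-forcer that are later submitted from a different source IP."""
    tried = {p for _, p in brute_force_attempts(events, attacker_ip)}
    reused = {extract_passwd(e["form_data"]) for e in events if e["src_ip"] != attacker_ip}
    return sorted(tried & (reused - {None}))


if __name__ == "__main__":
    attacker = "203.0.113.5"  # constructed brute-force source for this sample
    print("first password   :", first_password(EVENTS, attacker))
    print("distinct passwords:", distinct_password_count(EVENTS, attacker))
    print("avg length        :", average_password_length(EVENTS, attacker))
    print("reused from other :", likely_correct_password(EVENTS, attacker))
    print("seconds to reuse  :", seconds_to_reuse(EVENTS, "batman"))
```

The regex deliberately stops at a quote as well as at `&`, the same reason the SPL version uses `[^&\"]+`: stream:http wraps form_data in quotes in the raw event, and a greedy `\w+` would otherwise be fine for the password but a `[^&]+` would swallow the closing quote. Filtering empty values mirrors what happens in Splunk when a POST carries `passwd=` with nothing after it; such an event would otherwise skew the average and the distinct count.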

21) What was the most likely IP address of we8105desk in 24AUG2016?

-> For this question, search the events that mention the host we8105desk with the time picker set to 24 Aug 2016 and count by source IP:

  • index="botsv1" we8105desk | stats count by src_ip
  • The IP with the highest count is 192.168.250.100.

22) Amongst the Suricata signatures that detected the Cerber malware, which one alerted the fewest number of times? Submit ONLY the signature ID value as the answer. (No punctuation, just 7 integers.)

-> The question concerns Suricata, so restrict the sourcetype to suricata and the event_type to alert, matching only Cerber signatures:

-> index="botsv1" sourcetype="suricata" event_type=alert alert.signature=*cerber*

| stats count by alert.signature_id

-> The question wants the signature that fired the fewest times; signature ID 2816763 produced only one alert.

-> The answer is 2816763.

23) What fully qualified domain name (FQDN) makes the Cerber ransomware attempt to direct the user to at the end of its encryption phase?

-> Search the DNS logs from the infected host for the domain the ransomware sends the user to.

-> The results contain many reverse-lookup (.arpa) queries, which we don't need, so exclude them with NOT query=*.arpa; the .local, .com and .net names are also noise here, so exclude those too.

-> The final query looks like this: index="botsv1" src_ip=192.168.250.100 sourcetype="stream:dns" NOT query=*.local AND NOT query=*.arpa AND NOT query=*.com AND NOT query=*.net

| stats count by query

| sort count

-> One of the remaining records is cerberhhyed5frqa.xmfir0.win, the page Cerber directs the victim to. That is the answer.

24) What was the first suspicious domain visited by we8105desk in 24AUG2016?

-> Reuse the DNS query from question 23, but list the queries by time instead of counting them, sorted ascending so the earliest comes first:

-> index="botsv1" src_ip=192.168.250.100 sourcetype="stream:dns" NOT query=*.local AND NOT query=*.arpa AND NOT query=*.com

| table _time, query

| sort _time

-> Only three domains remain, and the earliest one is solidaritedeproximite.org.

25) During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of the value of this field?

-> For this question, first search for every event that mentions a .vbs file:

  • index="botsv1" "*.vbs"

-> The results show wscript.exe running the script in the process command line, launched from a document the user opened: the user was targeted with a malicious document file.

-> The field that holds the launching executable followed by the whole script is ParentCommandLine, so compute its length:

-> index="botsv1" "*.vbs" app="C:\\Windows\\SysWOW64\\wscript.exe"

| eval length=len(ParentCommandLine)

| table length

-> The length is 4490.

26) What is the name of the USB key inserted by Bob Smith?

-> This is a Windows forensics question. When a USB storage device is plugged into a laptop or desktop, Windows records it in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR, including a FriendlyName value for the device.

-> Search the registry sourcetype in Splunk for that value:

  • index="botsv1" sourcetype="winregistry" friendlyname

-> The data field contains the name MIRANDA_PRI.

27) Bob Smith’s workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?

-> For this question we look at the network logs to see which system the infected machine was connected to. SMB is the protocol used for file sharing on the network, so search the SMB stream for Bob's account.

-> Query for that protocol:

-> index="botsv1" sourcetype="stream:smb" login="bob.smith"

| table dest_ip

-> The file server is 192.168.250.20.

28) How many distinct PDFs did the ransomware encrypt on the remote file server?

-> In this question we first need to identify the file server whose files were encrypted.

-> The file-share accesses are recorded in the Windows event logs, so count events touching .pdf files by destination host:

  • index="botsv1" *.pdf sourcetype="wineventlog" | stats count by dest

-> The file server appears as we9041srv.waynecorpinc.local (192.168.250.20 from question 27).

  • Opening those events, the Relative_Target_Name field holds the path of each .pdf that was written to.
  • Now we have the field name, the file server host, and the Source_Address of the workstation that was infected first (192.168.250.100), so count the distinct files:
  • index="botsv1" *.pdf sourcetype="wineventlog" dest="we9041srv.waynecorpinc.local" Source_Address=192.168.250.100 | stats dc(Relative_Target_Name)
  • The answer is 257.

29) The VBScript found in question 25 launches 121214.tmp. What is the ParentProcessId of this initial launch?

-> In question 25 we already searched for the ParentCommandLine; the same event, where 121214.tmp is the child process, carries the ParentProcessId we need.

  • Run the same search again and open the event.
  • The ParentProcessId is 3968.

30) The Cerber ransomware encrypts files located in Bob Smith’s Windows profile. How many .txt files does it encrypt?

-> For this question the Sysmon logs provide the details.

-> Sysmon events are stored in the Microsoft-Windows-Sysmon/Operational channel, so set the sourcetype accordingly.

-> We want the number of .txt files encrypted in Bob Smith's profile, so match TargetFilename against that user's profile path:

index="botsv1" sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" TargetFilename="C:\\Users\\bob.smith.WAYNECORPINC\\*.txt"

| stats dc(TargetFilename)

-> The answer is 406.

31) The malware downloads a file that contains the Cerber ransomware crypto code. What is the name of that file?

-> In question 24 we found the first suspicious domain the workstation visited.

-> Now look for what the workstation fetched from that domain:

  • index="botsv1" src_ip="192.168.250.100" "solidaritedeproximite.org" http_method="GET"
  • One file is returned for this domain: mhtr.jpg.
  • This "image" carries the malicious code. The answer is mhtr.jpg.

32) Now that you know the name of the ransomware’s encryptor file, what obfuscation technique does it likely use?

-> The file that carries the crypto code is served as a .jpg, so the attacker hid the code inside an image file. Hiding data inside an innocuous carrier such as an image or text file is steganography, so that is the obfuscation technique it likely uses.
