Incident handling with Splunk [Writeup]

Ramazan Salman
Feb 28, 2023


This room covers an incident handling scenario using Splunk. From a security perspective, an incident is "any event or action that has a negative consequence on the security of a user, computer or organization." Below are a few events that would negatively affect the environment when they occur:

  • Crashing the system
  • Execution of an unwanted program
  • Access to sensitive information from an unauthorized user
  • A Website being defaced by the attacker
  • Use of USB devices where company policy restricts them

This exercise will investigate a cyber attack in which the attacker defaced an organization's website. The organization has Splunk set up as its SIEM solution. Our task as a Security Analyst is to investigate this cyber attack and map the attacker's activities onto all 7 phases of the Cyber Kill Chain. It is important to note that we don't need to follow the sequence of the cyber kill chain during the investigation: a finding in one phase will lead to a conclusion that may map onto some other phase.

Cyber Kill Chain

We will follow the Cyber Kill Chain model and map the attacker's activity to each phase during this investigation. When required, we will also use Open Source Intelligence (OSINT) and other findings to fill the gaps in the kill chain. It is not necessary to follow this sequence of phases while investigating.

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command & Control
  • Actions on Objectives

Scenario

A large corporate organization, Wayne Enterprises, has recently faced a cyber attack in which the attackers broke into their network, found their way to their web server, and successfully defaced their website http://www.imreallynotbatman.com. Their website now shows the trademark of the attackers with the message YOUR SITE HAS BEEN DEFACED, as shown below.

They have asked us to join them as a Security Analyst, help them investigate this cyber attack, and find the root cause and all of the attackers' activities within their network.

The good thing is that they already have Splunk in place, so all the event logs related to the attacker's activities have been captured. We need to explore the records and find how the attacker got into their network and what actions they performed.

This Investigation comes under the Detection and Analysis phase.

During our investigation, we will be using Splunk as our SIEM solution. Logs are being ingested from the webserver/firewall/Suricata/Sysmon etc. In the data summary tab, we can explore the log sources showing visibility into network and host-centric activities. To get the complete picture of the hosts and log sources being monitored in Wayne Enterprise, please click on the Data Summary and navigate the available tabs to get the information.

Interesting log sources

Some of the interesting log sources that will help us in our Investigation are:

Note: All the event logs that we are going to investigate are present in index=botsv1

Now that we know which hosts we have to investigate, and what the sources and source types are, let's connect to the lab and start investigating.

Task 4 Reconnaissance Phase

One suricata alert highlighted the CVE value associated with the attack attempt. What is the CVE value?

Step: Go all the way down till you see 17 more fields.

Add signature field

Answer: CVE-2014-6271

What is the CMS our web server is using?

I had to look up what Joomla is. I was a bit stuck on this one.

What is the web scanner, the attacker used to perform the scanning attempts?

Most scanning tools identify themselves in the User-Agent header, so the http_user_agent field is the place to look.

Answer: acunetix

What is the IP address of the server imreallynotbatman.com?

Answer: 192.168.250.70
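As an added example (not code from the original writeup or the room), the following Python does outside Splunk what the reconnaissance searches above do inside it: it reads Suricata EVE alert lines, pulls CVE identifiers out of alert signatures with a regular expression, and flags source IPs whose User-Agent strings carry known scanner markers. The EVE lines, the signature text and the list of scanner tokens are constructed for the example; the field layout (event_type, src_ip, alert.signature, http.http_user_agent) follows Suricata's EVE JSON format.

```python
import json
import re
from collections import Counter

# Constructed Suricata eve.json alert lines (not taken from botsv1). Signature text
# is made up; only the IP addresses and the CVE are values already on this page.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "alert", "src_ip": "40.80.148.42", "dest_ip": "192.168.250.70",
                "alert": {"signature": "CONSTRUCTED WEB_SERVER CVE-2014-6271 attempt in HTTP header"},
                "http": {"http_user_agent": "Mozilla/5.0 (Windows NT 6.1) Acunetix-Product",
                         "url": "/cgi-bin/test.cgi"}}),
    json.dumps({"event_type": "alert", "src_ip": "40.80.148.42", "dest_ip": "192.168.250.70",
                "alert": {"signature": "CONSTRUCTED WEB_SERVER cve-2014-6271 attempt in URI"},
                "http": {"http_user_agent": "Mozilla/5.0 (Windows NT 6.1) acunetix",
                         "url": "/index.php"}}),
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "192.168.250.70",
                "alert": {"signature": "CONSTRUCTED POLICY curl user-agent observed"},
                "http": {"http_user_agent": "curl/7.47.0", "url": "/"}}),
    json.dumps({"event_type": "http", "src_ip": "10.0.0.9", "dest_ip": "192.168.250.70",
                "http": {"http_user_agent": "Mozilla/5.0 Firefox/48.0", "url": "/"}}),
]

# CVE ids are CVE-YYYY-NNNN with four or more digits in the sequence part.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}", re.IGNORECASE)

# Assumed list of substrings that common web scanners put in their User-Agent.
SCANNER_TOKENS = ("acunetix", "nikto", "sqlmap", "nessus", "burp")


def parse_eve(lines):
    """Parse newline-delimited EVE JSON, skipping lines that are not valid JSON."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def cves_in_alerts(records):
    """Count CVE identifiers mentioned in alert signatures, keyed by (src_ip, CVE)."""
    hits = Counter()
    for r in records:
        if r.get("event_type") != "alert":
            continue
        signature = r.get("alert", {}).get("signature", "")
        for cve in CVE_RE.findall(signature):
            hits[(r.get("src_ip"), cve.upper())] += 1
    return hits


def scanner_sources(records):
    """Map each source IP to the scanner tokens seen in its User-Agent strings."""
    seen = {}
    for r in records:
        ua = r.get("http", {}).get("http_user_agent", "").lower()
        for token in SCANNER_TOKENS:
            if token in ua:
                seen.setdefault(r.get("src_ip"), set()).add(token)
    return seen


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE_LINES)
    print(cves_in_alerts(recs))    # {('40.80.148.42', 'CVE-2014-6271'): 2}
    print(scanner_sources(recs))   # {'40.80.148.42': {'acunetix'}}
```

Matching on the User-Agent is a cheap first pass only: a scanner can set any string it likes, so the CVE-bearing alerts and the request volume from the same source are what make the finding solid.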

Task 5 Exploitation Phase

The attacker needs to exploit the vulnerability to gain access to the system/server.

In this task, we will look at the potential exploitation attempt by the attacker against our web server and see whether the attacker succeeded in exploiting it.

To begin our investigation, let’s note the information we have so far:

  • We found two IP addresses from the reconnaissance phase sending requests to our server.
  • One of the IPs 40.80.148.42 was seen attempting to scan the server with IP 192.168.250.70.
  • The attacker was using the web scanner Acunetix for the scanning attempt.

What IP address is likely attempting a brute-force password attack against imreallynotbatman.com?

Search Query: index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70" http_method=POST form_data=*username*passwd* | rex field=form_data "passwd=(?<creds>\w+)" | table _time src_ip uri http_user_agent creds

23.22.63.114

What was the URI which got multiple brute force attempts?

/joomla/administrator/index.php

Against which username was the brute force attempt made?

admin

What was the correct password for admin access to the content management system running imreallynotbatman.com?

batman

How many unique passwords were attempted in the brute force attempt?

412 attempts

After finding the correct password, which IP did the attacker use to log in to the admin panel?

40.80.148.42
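The brute-force questions above can be answered with the same logic outside Splunk. The Python below is an added example, not the room's or the author's code: it filters POSTs to the web server that carry username and passwd, applies the page's rex pattern in Python spelling, counts unique guesses per source IP, and then looks for a password that was first guessed from one IP and later replayed from another, which is how the correct password and the login IP are told apart from the noise. The events, timestamps and password values are constructed; the only real values reused are the IP addresses and URI already on this page.

```python
import re
from collections import Counter, defaultdict

# Constructed stream:http-style events (not botsv1 data). Field names mirror the ones
# the SPL query on this page tables. Passwords and timestamps are made-up sample values.
ADMIN_URI = "/joomla/administrator/index.php"
EVENTS = [
    {"_time": "2016-08-10T21:40:01", "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70",
     "http_method": "POST", "uri": ADMIN_URI, "http_user_agent": "Python-urllib/2.7",
     "form_data": "username=admin&passwd=letmein&option=com_login&task=login"},
    {"_time": "2016-08-10T21:40:02", "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70",
     "http_method": "POST", "uri": ADMIN_URI, "http_user_agent": "Python-urllib/2.7",
     "form_data": "username=admin&passwd=password1&option=com_login&task=login"},
    {"_time": "2016-08-10T21:40:03", "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70",
     "http_method": "POST", "uri": ADMIN_URI, "http_user_agent": "Python-urllib/2.7",
     "form_data": "username=admin&passwd=batman&option=com_login&task=login"},
    {"_time": "2016-08-10T21:40:04", "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70",
     "http_method": "POST", "uri": ADMIN_URI, "http_user_agent": "Python-urllib/2.7",
     "form_data": "username=admin&passwd=letmein&option=com_login&task=login"},  # repeated guess
    {"_time": "2016-08-10T21:40:05", "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70",
     "http_method": "POST", "uri": ADMIN_URI, "http_user_agent": "Python-urllib/2.7",
     "form_data": "username=admin&passwd=gotham&option=com_login&task=login"},
    # Later, a browser from a different IP replays one of the guesses.
    {"_time": "2016-08-10T21:45:10", "src_ip": "40.80.148.42", "dest_ip": "192.168.250.70",
     "http_method": "POST", "uri": ADMIN_URI, "http_user_agent": "Mozilla/5.0 (Windows NT 6.1)",
     "form_data": "username=admin&passwd=batman&option=com_login&task=login"},
    # Noise: a GET and a POST without login fields.
    {"_time": "2016-08-10T21:41:00", "src_ip": "10.0.0.9", "dest_ip": "192.168.250.70",
     "http_method": "GET", "uri": "/joomla/", "http_user_agent": "Mozilla/5.0", "form_data": ""},
    {"_time": "2016-08-10T21:41:30", "src_ip": "10.0.0.9", "dest_ip": "192.168.250.70",
     "http_method": "POST", "uri": "/joomla/index.php", "http_user_agent": "Mozilla/5.0",
     "form_data": "option=com_search&searchword=batman"},
]

# Python spelling of the page's rex: passwd=(?<creds>\w+)
PASSWD_RE = re.compile(r"passwd=(?P<creds>\w+)")


def login_posts(events, dest_ip="192.168.250.70"):
    """Same filter as: dest_ip=... http_method=POST form_data=*username*passwd*"""
    return [e for e in events
            if e["dest_ip"] == dest_ip and e["http_method"] == "POST"
            and "username" in e["form_data"] and "passwd" in e["form_data"]]


def extract_creds(form_data):
    m = PASSWD_RE.search(form_data)
    return m.group("creds") if m else None


def brute_force_summary(events):
    """Source IP with the most distinct guesses, how many it tried, and the URI it hit."""
    per_ip = defaultdict(list)
    uris = Counter()
    for e in login_posts(events):
        creds = extract_creds(e["form_data"])
        if creds is None:
            continue
        per_ip[e["src_ip"]].append(creds)
        uris[e["uri"]] += 1
    if not per_ip:
        return None
    top_ip = max(per_ip, key=lambda ip: len(set(per_ip[ip])))
    return {"likely_brute_force_ip": top_ip,
            "unique_passwords": len(set(per_ip[top_ip])),
            "total_attempts": len(per_ip[top_ip]),
            "target_uri": uris.most_common(1)[0][0]}


def reused_passwords(events):
    """Passwords POSTed from more than one source IP, in order of first use.
    A guess that later reappears from a different IP is the likely correct one,
    and that second IP is the one used to log in."""
    sources = defaultdict(dict)  # password -> {src_ip: first time seen}
    for e in sorted(login_posts(events), key=lambda e: e["_time"]):
        creds = extract_creds(e["form_data"])
        if creds and e["src_ip"] not in sources[creds]:
            sources[creds][e["src_ip"]] = e["_time"]
    return {pw: list(ips) for pw, ips in sources.items() if len(ips) > 1}


if __name__ == "__main__":
    print(brute_force_summary(EVENTS))
    print(reused_passwords(EVENTS))
```

Counting distinct passwords rather than raw requests matters because automated tools often retry; the per-IP set is what the "unique passwords" question asks for, while the replay check is the cheapest way to spot which guess actually worked without needing the server's response codes.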

Task 6 Installation Phase

Once the attacker has successfully exploited the security of a system, he will try to install a backdoor or an application for persistence or to gain more control of the system. This activity comes under the installation phase.

In the previous Exploitation phase, we found evidence of the web server imreallynotbatman.com being compromised via a brute-force attack, with the attacker using a Python script to automate finding the correct password. The attacker used the IP for the attack and the IP to log in to the server. This phase will investigate any payload or malicious program uploaded to the server from any of the attacker's IPs and installed on the compromised server.

To begin the investigation, we first narrow down any HTTP traffic coming into our server 192.168.250.70 containing the term ".exe". This query may not lead directly to the findings, but it's good to start from one extension and move on from there.

Sysmon also collects the Hash value of the processes being created. What is the MD5 HASH of the program 3791.exe?

index=botsv1 "3791.exe" CommandLine="3791.exe"

Hash: AAE3F5A29935E6ABCC2C2754D12A9AF0

Looking at the logs, which user executed the program 3791.exe on the server?

What other name is associated with this file 3791.exe?

Search the hash on VirusTotal.

ab.exe
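As an added example, not the writeup's code, here is how the Sysmon fields behind the hash and user questions can be pulled out of the XmlWinEventLog form of an Event ID 1 (process creation) record with Python's standard library. The records are constructed: the MD5 is the one quoted above, while the user name, paths, timestamp and the SHA1/SHA256 strings are placeholders.

```python
import xml.etree.ElementTree as ET

# Default namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon records in the XmlWinEventLog shape (not taken from botsv1).
# Only the MD5 of 3791.exe is the value from this page; everything else is made up.
SAMPLE_EVENTS = [
    """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID><Computer>WEBSERVER</Computer></System>
  <EventData>
    <Data Name='UtcTime'>2016-08-10 21:50:00.000</Data>
    <Data Name='Image'>C:\\inetpub\\wwwroot\\joomla\\3791.exe</Data>
    <Data Name='CommandLine'>3791.exe</Data>
    <Data Name='User'>WEBSERVER\\constructed-svc</Data>
    <Data Name='ParentImage'>C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name='Hashes'>SHA1=1111111111111111111111111111111111111111,MD5=AAE3F5A29935E6ABCC2C2754D12A9AF0,SHA256=2222222222222222222222222222222222222222222222222222222222222222</Data>
  </EventData>
</Event>""",
    """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID><Computer>WEBSERVER</Computer></System>
  <EventData>
    <Data Name='UtcTime'>2016-08-10 21:30:00.000</Data>
    <Data Name='Image'>C:\\Windows\\System32\\inetsrv\\w3wp.exe</Data>
    <Data Name='CommandLine'>w3wp.exe -ap "constructed"</Data>
    <Data Name='User'>IIS APPPOOL\\constructed-pool</Data>
    <Data Name='ParentImage'>C:\\Windows\\System32\\svchost.exe</Data>
    <Data Name='Hashes'>MD5=33333333333333333333333333333333</Data>
  </EventData>
</Event>""",
    # Event ID 3 (network connection) has an Image field too but is not a process creation.
    """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>3</EventID><Computer>WEBSERVER</Computer></System>
  <EventData>
    <Data Name='Image'>C:\\inetpub\\wwwroot\\joomla\\3791.exe</Data>
    <Data Name='User'>WEBSERVER\\constructed-svc</Data>
    <Data Name='DestinationIp'>23.22.63.114</Data>
  </EventData>
</Event>""",
]


def parse_hashes(field):
    """Turn 'SHA1=..,MD5=..,SHA256=..' into {'sha1': .., 'md5': .., 'sha256': ..}."""
    hashes = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            hashes[algo.strip().lower()] = value.strip()
    return hashes


def parse_sysmon_event(xml_text):
    """Flatten one event into a dict: EventID, Computer, every EventData/Data by Name, parsed hashes."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
            "computer": root.findtext("e:System/e:Computer", namespaces=NS),
            **data,
            "hashes": parse_hashes(data.get("Hashes", ""))}


def process_creations(xml_events):
    return [ev for ev in map(parse_sysmon_event, xml_events) if ev["event_id"] == 1]


def image_basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def find_process(xml_events, image_name):
    """Rough equivalent of: index=botsv1 "3791.exe" CommandLine="3791.exe" (match on the image name)."""
    name = image_name.lower()
    return [ev for ev in process_creations(xml_events)
            if image_basename(ev.get("Image", "")).lower() == name]


if __name__ == "__main__":
    for ev in find_process(SAMPLE_EVENTS, "3791.exe"):
        print(ev["User"], ev["hashes"]["md5"], ev["ParentImage"])
```

The parent image and the user account are worth reading alongside the hash: an executable launched out of the web root by the web server's service account is the tell that the upload came in through the application, not through an administrator session.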

Task 7 Action on Objectives

As the website was defaced due to a successful attack by the adversary, it would be helpful to understand better what ended up on the website that caused the defacement.

As an analyst, our first step is to work out the traffic flow that could lead us to the answer to this question. There are different approaches to finding it. We will start our investigation by examining the Suricata log source and the IP addresses communicating with the web server 192.168.250.70.

What is the name of the file that defaced the imreallynotbatman.com website?

index=botsv1 src=192.168.250.70 sourcetype=suricata dest_ip=23.22.63.114

poisonivy-is-coming-for-you-batman.jpeg

The Fortigate firewall log source 'fortigate_utm' detected an SQL injection attempt from the attacker's IP 40.80.148.42. What is the name of the rule that was triggered during the SQL injection attempt?

index=botsv1 src_ip="40.80.148.42" sourcetype=fortigate_utm

Task 8 Command and Control Phase

The attacker uploaded the file to the server before defacing it. While doing so, the attacker used dynamic DNS to resolve a malicious IP. Our objective is to find the IP address that the attacker's dynamic DNS name resolved to.

To investigate the communication to and from the adversary’s IP addresses, we will be examining the network-centric log sources mentioned above. We will first pick fortigate_utm to review the firewall logs and then move on to the other log sources.

This attack used dynamic DNS to resolve to the malicious IP. What fully qualified domain name (FQDN) is associated with this attack?

index=botsv1 sourcetype=stream:http dest_ip=23.22.63.114 “poisonivy-is-coming-for-you-batman.jpeg” src_ip=192.168.250.70

prankglassinebracket.jumpingcrab.com:1337
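To show the pivot used in Task 7 and Task 8 outside Splunk, the added Python example below (not the original writeup's code) starts from the observation that a web server should be answering requests, not originating them: it lists outbound HTTP from 192.168.250.70, narrows to the attacker's IP, extracts image file names from the URIs, and reports which Host header those requests carried. The records are constructed; the "site" field is assumed to hold the HTTP Host header, and the remaining IPs, file name and FQDN are the ones on this page.

```python
import re
from collections import Counter

WEBSERVER = "192.168.250.70"
ATTACKER_IP = "23.22.63.114"

# Constructed stream:http-style events (not botsv1 data). "site" is assumed to carry
# the HTTP Host header; the beacon URI and the internal hosts are made up.
EVENTS = [
    {"_time": "2016-08-10T21:48:10", "src_ip": WEBSERVER, "dest_ip": ATTACKER_IP,
     "http_method": "GET", "site": "prankglassinebracket.jumpingcrab.com:1337",
     "uri": "/poisonivy-is-coming-for-you-batman.jpeg"},
    {"_time": "2016-08-10T21:48:11", "src_ip": WEBSERVER, "dest_ip": ATTACKER_IP,
     "http_method": "GET", "site": "prankglassinebracket.jumpingcrab.com:1337",
     "uri": "/beacon?id=constructed"},
    {"_time": "2016-08-10T21:49:00", "src_ip": "10.0.0.9", "dest_ip": WEBSERVER,
     "http_method": "GET", "site": "www.imreallynotbatman.com",
     "uri": "/joomla/images/logo.png"},
    {"_time": "2016-08-10T22:00:00", "src_ip": WEBSERVER, "dest_ip": "10.0.0.50",
     "http_method": "GET", "site": "updates.constructed.local",
     "uri": "/patch.msu"},
]

# File name of an image at the end of a URI path, before any query string.
IMAGE_RE = re.compile(r"/([^/?]+\.(?:jpe?g|png|gif))(?:\?|$)", re.IGNORECASE)


def outbound_from_webserver(events, webserver=WEBSERVER):
    """Any request where the web server is the client is unusual and worth listing."""
    return [e for e in events if e["src_ip"] == webserver]


def outbound_destinations(events, webserver=WEBSERVER):
    """(dest_ip, Host header) pairs the web server reached out to, with counts."""
    return Counter((e["dest_ip"], e["site"]) for e in outbound_from_webserver(events, webserver))


def to_attacker(events, attacker_ip=ATTACKER_IP, webserver=WEBSERVER):
    """Mirror of: src=192.168.250.70 dest_ip=23.22.63.114"""
    return [e for e in outbound_from_webserver(events, webserver) if e["dest_ip"] == attacker_ip]


def fetched_images(events):
    """Image file names the web server pulled from the attacker's IP (defacement candidates)."""
    names = Counter()
    for e in to_attacker(events):
        m = IMAGE_RE.search(e["uri"])
        if m:
            names[m.group(1)] += 1
    return names


def hosts_for_uri(events, needle):
    """Host headers (FQDN, possibly with port) on requests to the attacker whose URI contains `needle`."""
    return sorted({e["site"] for e in to_attacker(events) if needle in e["uri"]})


def split_host_port(site):
    """'host:1337' -> ('host', 1337); a bare host gets port None."""
    host, sep, port = site.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return site, None


if __name__ == "__main__":
    print(outbound_destinations(EVENTS))
    print(fetched_images(EVENTS))
    for site in hosts_for_uri(EVENTS, "poisonivy-is-coming-for-you-batman.jpeg"):
        print(split_host_port(site))
```

Listing every outbound destination first, before filtering on the attacker's IP, is deliberate: the dynamic DNS name is only visible in the Host header of the web server's own outbound requests, and a second, unrelated destination in that list would be the next thing to check.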

Task 9 Weaponization Phase

In the weaponization phase, the adversaries would:

  • Create Malware / Malicious documents to gain initial access / evade detection etc.
  • Establish domains similar to the target domain to trick users.
  • Create a Command and Control Server for the post-exploitation communication/activity etc.

We have found some domains / IP addresses associated with the attacker during the investigations. This task will mainly look into OSINT sites to see what more information we can get about the adversary.

So far, we have found a domain prankglassinebracket.jumpingcrab.com associated with this attack. Our first task is to find the IP address tied to the domains that may have been pre-staged to attack Wayne Enterprises.

In the following exercise, we will search online threat intel sites for any information such as IP addresses, domains or email addresses associated with this domain that could help us learn more about this adversary.

What IP address has P01s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?

Reference: https://threatcrowd.org/ip.php?ip=23.22.63.114

23.22.63.114

Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address that is most likely associated with the P01s0n1vy APT group?

https://www.virustotal.com/gui/domain/po1s0n1vy.com/details

lillian.rose@po1s0n1vy.com

Task 10 Delivery Phase

Attackers create malware to gain initial access or evade defenses, and find ways to deliver it through different means. We have identified various IP addresses, domains and email addresses associated with this adversary. Our task for this lesson is to use the information we have about the adversary and various threat hunting platforms and OSINT sites to find any malware linked with the adversary.

The threat intel report suggested that this adversary group, Poison Ivy, appears to have a secondary attack vector in case the initial compromise fails. Our objective is to understand more about the attacker and their methodology and correlate the information found in the logs with various threat intel sources.

OSINT sites

  • Virustotal
  • ThreatMiner
  • Hybrid-Analysis

What is the HASH of the Malware associated with the APT group?

https://www.threatminer.org/host.php?q=23.22.63.114

c99131e0169171935c5ac32615ed6261

What is the name of the Malware associated with the Poison Ivy Infrastructure?

Search the hash c99131e0169171935c5ac32615ed6261 on VirusTotal.

MirandaTateScreensaver.scr.exe

Conclusion:

In this fun exercise, as a SOC Analyst, we investigated a cyber attack in which the attacker defaced the website 'imreallynotbatman.com' of Wayne Enterprises. We mapped the attacker's activities onto the 7 phases of the Cyber Kill Chain. Let us recap everything we have found so far:

Reconnaissance Phase:

We first looked at any reconnaissance activity from the attacker to identify the IP address and other details about the adversary.

Findings:

  • IP Address 40.80.148.42 was found to be scanning our webserver.
  • The attacker was using Acunetix as a web scanner.

Exploitation Phase:

We then looked into the traces of exploitation attempts and found brute-force attacks against our server, which were successful.

Findings:

  • Brute force attack originated from IP 23.22.63.114.
  • The IP address used to gain access: 40.80.148.42
  • 142 unique brute force attempts were made against the server, out of which one attempt was successful

Installation Phase:

Next, we looked at the installation phase to see any executable from the attacker’s IP Address uploaded to our server.

Findings:

  • A malicious executable file 3791.exe was observed to be uploaded by the attacker.
  • We looked at the sysmon logs and found the MD5 hash of the file.

Action on Objective:

After compromising the web server, the attacker defaced the website.

Findings:

  • We examined the logs and found the file name used to deface the webserver.

Weaponization Phase:

We used various threat Intel platforms to find the attacker’s infrastructure based on the following information we saw in the above activities.

Information we had:

Domain: prankglassinebracket.jumpingcrab.com

IP Address: 23.22.63.114

Findings:

  • Multiple masquerading domains were found associated with the attacker’s IPs.
  • An email of the user Lillian.rose@po1s0n1vy.com was also found associated with the attacker's IP address.

Delivery Phase:

In this phase, we again leveraged online Threat Intel sites to find malware associated with the adversary’s IP address, which appeared to be a secondary attack vector if the initial compromise failed.

Findings:

  • A malware named MirandaTateScreensaver.scr.exe was found associated with the adversary.
  • MD5 of the malware was c99131e0169171935c5ac32615ed6261

Room link: https://tryhackme.com/room/splunk201

Hope you enjoyed it, happy learning :)

