
Boss of the SOC v1: Threat Hunting with Splunk

  • Writer: Abhilasha
  • May 24, 2024
  • 4 min read

Connecting to Splunk:

Visit either of these websites: Splunk Site 1 or Splunk Site 2.

Use the login credentials: username "student1" and password "student1".


Once you are logged in to the Splunk home page, click on the Search & Reporting app.



Introduction to Splunk & the BOTS Data:


What is Splunk?

Splunk is a versatile software platform designed to handle large volumes of machine-generated data. It allows users to search, monitor, and analyze data from various sources in real-time. Splunk's ability to turn machine data into valuable insights makes it indispensable for IT operations, security, and business analytics.


Understanding BOTS Data

BOTS, or Boss of the SOC, is a hands-on, interactive data set used for training and testing cybersecurity skills. Developed by Splunk, BOTS simulates real-world cybersecurity incidents, providing a rich dataset for learning and practice.


Reconnaissance:


In the Search box, enter index="botsv1".

Next, on the right side, click the "Last 24 hours" dropdown menu and select "All time," as highlighted in the image below.



On the left side, beneath the Search box, find "No Event Sampling" and choose "1: 100".

Finally, click the green magnifying glass icon on the right side to execute the search.


The search will take a few seconds. You will get an output containing 9,273 events (before 04/10/2018 07:44:06.000).


On the left side you will find a field named "sourcetype". Click on it to view the different source types.




As per the hint given in the question, we have to look at the "stream:http" source type.

Click on stream:http in the sourcetype column.


You will get 247 events as the output of this query.



1. Name of the scanner used to scan

On the left side, you will find a field named src_header. Click on it.


You will notice a POST command.


POST /joomla/index.php/component/search/ HTTP/1.1
Content-Length: 104
Content-Type: application/x-www-form-urlencoded
Cookie: ae72c62a4936b238523950a4f26f67d0=v7ikb3m59romokqmbiet3vphv3
Host: imreallynotbatman.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Acunetix-Product: WVS/10.0 (Acunetix Web Vulnerability Scanner - Free Edition)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: /


In the headers of this POST request, the scanner identifies itself:


Acunetix-Product: WVS/10.0 (Acunetix Web Vulnerability Scanner - Free Edition)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: /




Answer: Acunetix Scanner


2. Attacker's IP

Click on the src_ip field on the left side.

You will find 4 different source IPs.

Among the 4 IPs, one has by far the highest count and percentage.

Values             Count   %
40.80.148.42       227     90.079%
(not captured)     16      6.349%
(not captured)     7       2.778%
192.168.250.100    2       0.794%


Answer: 40.80.148.42
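The scanner identification from question 1 and the per-source-IP counts from question 2 can be done in one search instead of clicking through the field sidebar. This is an added SPL example, not part of the original walkthrough; it assumes the header field is named src_header as above (in some stream:http data the field is src_headers) and that event sampling is set to "No Event Sampling" so the counts match the full data set.

```spl
index=botsv1 sourcetype=stream:http
| rex field=src_header "Acunetix-Product:\s*(?<scanner_product>[^\r\n]+)"
| fillnull value=none scanner_product
| stats count by src_ip, scanner_product
| eventstats sum(count) as total
| eval pct=round(100*count/total, 3)
| sort -count
| table src_ip, scanner_product, count, pct
```

Each row shows a source IP, the scanner product it announced in its headers (or "none"), and its share of all stream:http events, which reproduces the Values / Count / % sidebar above while also naming the scanner.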


3. Web Server IP

The web server's IP is the destination IP of the traffic coming from the attacker's source IP.


Add src_ip="40.80.148.42" in the query to get the desired result.



Click on the dest_ip field on the left side.


Answer: 192.168.250.70


4. Find the name of the file used to deface the web server serving "imreallynotbatman.com".


Type this domain name in the query:

index="botsv1" imreallynotbatman.com


Check the src_ip field on the left. You will find that the destination IP (the web server) also appears as a source IP for this name: to deface the site, the defacement file would be fetched by the web server itself, so its IP shows up as the source. Click on that IP address or write the query:

index="botsv1" src_ip="192.168.250.70" sourcetype="stream:http"


Check the src_header field on your left.

You will notice a GET method:


GET /poisonivy-is-coming-for-you-batman.jpeg HTTP/1.0
Host: prankglassinebracket.jumpingcrab.com:1337


Answer: poisonivy-is-coming-for-you-batman.jpeg


5. Find the fully qualified domain name (FQDN) used by the staging server hosting the defacement file.


Using the same request we found above, the Host header gives the staging server's FQDN.


Answer: prankglassinebracket.jumpingcrab.com


6. In the previous queries the staging server domain name was identified (used to host the defacement file). Find that server's IP address.


Write the query:

index="botsv1" src_ip="192.168.250.70" sourcetype=suricata


Click on the dest_ip field on the left side.


You will find 4 IP addresses. One of them is the attacker's IP. Therefore, the IP with the second highest count and percentage, 23.22.63.114, is the staging server.



Answer: 23.22.63.114


7. Find the IP address performing a brute force attack against "imreallynotbatman.com"


Write the query:

index="botsv1" imreallynotbatman.com http_method=POST form_data=*username*passwd*


The reason for this query is that a brute-force attempt POSTs credentials to the server, so we filter on http_method=POST. The data the attacker posts is the login form, which is why form_data=*username*passwd* is used: it matches form submissions that carry a username and password field.



Check the src_ip field on the left side. Only one IP is displayed.


Answer: 23.22.63.114
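To turn the question 7 search into a reusable brute-force check, the same filter can be extended to count attempts, distinct passwords tried and the time window per source IP. This is an added SPL example, not part of the original post; the rex patterns assume the Joomla login form posts username= and passwd= parameters (as the form_data filter above implies), and the attempts > 20 threshold is an arbitrary assumption to tune for your environment.

```spl
index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST form_data=*username*passwd*
| rex field=form_data "username=(?<username>[^&]+)"
| rex field=form_data "passwd=(?<passwd>[^&]+)"
| stats count as attempts, dc(passwd) as distinct_passwords, values(username) as usernames, min(_time) as first_seen, max(_time) as last_seen by src_ip
| eval duration_s=last_seen-first_seen, rate_per_min=round(attempts/((duration_s/60)+1), 2)
| convert ctime(first_seen) ctime(last_seen)
| where attempts > 20
| sort -attempts
```

A single source IP with hundreds of attempts, many distinct passwords and one or two usernames inside a short window is the brute-force signature; a legitimate user produces a handful of attempts with few distinct passwords.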


8. Find the name of the executable file the attacker uploaded to the server.

Write the query:

index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70" *.exe


The *.exe term matches any event mentioning an executable file name. With this query in place, we looked for fields that might hold the file name. Since no file name field appeared among the selected fields, we examined the "more fields" list and found one named part_filename{}.


Add part_filename{} to the selected fields and click on it. Two values are displayed: an executable file named 3791.exe and a PHP file named agent.php.


Answer: 3791.exe


We have solved 8 questions of this lab. In the next blog, we will try to solve more questions.


TAKE CARE!


©2021 by just dump 1. Proudly created with Wix.com
