Learn to use Splunk for incident handling through interactive scenarios.
Room: https://tryhackme.com/r/room/splunk201
Learning Objectives and Pre-requisites
Before going through this room, participants are expected to have a basic understanding of Splunk. If you do not, consider completing the Splunk 101 room first (https://tryhackme.com/jr/splunk101).
- Learn how to leverage OSINT sites during an investigation
- How to map an attacker's activities to Cyber Kill Chain phases
- How to utilize effective Splunk searches to investigate logs
- Understand the importance of host-centric and network-centric log sources
Task 1 Introduction: Incident Handling
Q: Read the above and continue to the next task.
Answer: No answer needed
Task 2 Incident Handling - Life Cycle
Q: Continue to the next task.
Answer: No answer needed
Task 3 Incident Handling: Scenario
Q: Continue with the lab
Answer: No answer needed
Task 4 Reconnaissance Phase
Q1: One suricata alert highlighted the CVE value associated with the attack attempt. What is the CVE value?
Answer: CVE-2014-6271
Q2: What is the CMS our web server is using?
Answer: joomla
Q3: What is the web scanner the attacker used to perform the scanning attempts?
Answer: acunetix
Q4: What is the IP address of the server imreallynotbatman.com?
Answer: 192.168.250.70
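Two searches that reproduce the reconnaissance findings above, added here as an illustration and not part of the room's own material. They assume the room's Splunk instance holds the dataset in index=botsv1, with Suricata alerts in sourcetype=suricata (signature in the alert.signature field) and Splunk Stream HTTP events in sourcetype=stream:http (client address in src_ip, User-Agent in http_user_agent); check the field sidebar if your environment names them differently.

```spl
index=botsv1 sourcetype=suricata dest_ip=192.168.250.70 alert.signature=*CVE*
| stats count BY alert.signature, src_ip
| sort - count

index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70
| stats count AS requests, dc(uri) AS distinct_uris, values(http_user_agent) AS user_agents BY src_ip
| sort - requests
```

The first search lists every Suricata signature whose name carries a CVE identifier, together with the source address that triggered it, which is how the Shellshock attempt surfaces. The second ranks HTTP clients by request volume and shows how many distinct URIs each one touched and which User-Agent strings it sent: a vulnerability scanner stands out from normal browsing by hitting hundreds of paths from one address, and its product name usually appears in the User-Agent or in the probe URIs. Narrow the second search to the top source and pipe to `| stats count BY uri` to see exactly what it probed, including the CMS paths that reveal Joomla.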
Task 5 Exploitation Phase
Q1: What was the URI which got multiple brute force attempts?
Answer: /joomla/administrator/index.php
Q2: Against which username was the brute force attempt made?
Answer: admin
Q3: What was the correct password for admin access to the content management system running imreallynotbatman.com?
Answer: batman
Q4: What IP address is likely attempting a brute force password attack against imreallynotbatman.com?
Answer: 23.22.63.114
Q5: After finding the correct password, which IP did the attacker use to log in to the admin panel?
Answer: 40.80.148.42
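An added example (not part of the room) of the searches behind the exploitation-phase answers above. It assumes the same index=botsv1 and sourcetype=stream:http layout as the dataset used in the room, and that the Joomla login POST body is captured in the form_data field as "username=...&passwd=..." pairs; the rex field names user and pass are my own.

```spl
index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST uri="/joomla/administrator/index.php" form_data=*username*passwd*
| rex field=form_data "username=(?<user>\w+)"
| rex field=form_data "passwd=(?<pass>\w+)"
| stats count AS attempts, dc(pass) AS distinct_passwords, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, user
| convert ctime(first_seen), ctime(last_seen)
| sort - attempts

index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST uri="/joomla/administrator/index.php" form_data=*username*passwd*
| rex field=form_data "passwd=(?<pass>\w+)"
| stats count AS attempts, dc(src_ip) AS distinct_sources, values(src_ip) AS sources BY pass
| where attempts > 1 OR distinct_sources > 1
```

The first search answers the "who" and "against which account" questions: one source address submitting hundreds of distinct passwords for a single username within a short window is the brute-force client. The second search isolates the password that succeeded without needing the server's response: every guess in a spray is submitted once, so a password that recurs, and in particular one that is reused later from a different source address, is the one that worked, and the second address is the attacker logging in with it. Do not rely on HTTP status alone for Joomla, since both failed and successful logins return a redirect.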
Task 6 Installation Phase
Q1: Sysmon also collects the Hash value of the processes being created. What is the MD5 HASH of the program 3791.exe?
Answer: AAE3F5A29935E6ABCC2C2754D12A9AF0
Q2: Looking at the logs, which user executed the program 3791.exe on the server?
Answer: NT AUTHORITY\IUSR
Q3: Search the hash on VirusTotal. What other name is associated with the file 3791.exe?
Answer: ab.exe
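An added example (not part of the room) showing how to pull the process-creation record for 3791.exe out of Sysmon. It assumes the Sysmon events are indexed in index=botsv1 under sourcetype=XmlWinEventLog with the standard Sysmon field names (EventCode=1 for process creation, Image, User, ParentImage, CommandLine, and a Hashes field of the form "MD5=...,SHA256=..."); the extracted field names md5 and sha256 are my own.

```spl
index=botsv1 sourcetype=XmlWinEventLog EventCode=1 "3791.exe"
| rex field=Hashes "MD5=(?<md5>[0-9A-Fa-f]{32})"
| rex field=Hashes "SHA256=(?<sha256>[0-9A-Fa-f]{64})"
| table _time, Computer, User, ParentImage, Image, CommandLine, md5, sha256
| sort _time
```

Restricting to EventCode=1 avoids matching the many other Sysmon event types (file creation, network connections) that also mention the binary. The User column shows the account that spawned the process; a web-application identity such as the IIS user running a freshly dropped executable is a strong sign that the web server itself was the entry point. The md5 value is what you paste into VirusTotal for the next question; when the hash is present only in the SHA256 form on a given host, searching VirusTotal by SHA256 returns the same file report.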
Task 7 Action on Objectives
Q1: What is the name of the file that defaced the imreallynotbatman.com website?
Answer: poisonivy-is-coming-for-you-batman.jpeg
Q2: The FortiGate firewall log source 'fortigate_utm' detected a SQL injection attempt from the attacker's IP 40.80.148.42. What is the name of the rule that was triggered during the SQL injection attempt?
Answer: HTTP.URI.SQL.Injection
Task 8 Command and Control Phase
Q1: This attack used dynamic DNS to resolve to the malicious IP. What fully qualified domain name (FQDN) is associated with this attack?
Answer: prankglassinebracket.jumpingcrab.com
Task 9 Weaponization Phase
Q1: What IP address has P01s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?
Answer: 23.22.63.114
Q2: Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address that is most likely associated with the P01s0n1vy APT group?
Answer: lillian.rose@po1s0n1vy.com
Task 10 Delivery Phase
Q1: What is the HASH of the Malware associated with the APT group?
Answer: c99131e0169171935c5ac32615ed6261
Q2: What is the name of the Malware associated with the Poison Ivy Infrastructure?
Answer: MirandaTateScreensaver.scr.exe
Task 11 Conclusion
Q: Read the above.
Answer: No answer needed