Learn to use Splunk for incident handling through interactive scenarios.

Room: https://tryhackme.com/r/room/splunk201

Learning Objectives and Pre-requisites

Before going through this room, it is expected that the participants will have a basic understanding of Splunk. If not, consider going through this room, Splunk 101 (https://tryhackme.com/jr/splunk101).

  • Learn how to leverage OSINT sites during an investigation
  • How to map Attacker's activities to Cyber Kill Chain Phases
  • How to utilize effective Splunk searches to investigate logs
  • Understand the importance of host-centric and network-centric log sources
Task 1 Introduction: Incident Handling

Q: Read the above and continue to the next task.
Answer: No answer needed

Task 2 Incident Handling - Life Cycle

Q: Ccontinue to the Next task.
Answer: No answer needed

Task 3 Incident Handling: Scenario

Q: Continue with the lab
Answer: No answer needed

Task 4 Reconnaissance Phase

Q1: One suricata alert highlighted the CVE value associated with the attack attempt. What is the CVE value?
Answer: CVE-2014-6271

Q2: What is the CMS our web server is using?
Answer: joomla

Q3: What is the web scanner, the attacker used to perform the scanning attempts?
Answer: acunetix

Q4: What is the IP address of the server imreallynotbatman.com?
Answer: 192.168.250.70

Task 5 Exploitation Phase

Q1: What was the URI which got multiple brute force attempts?
Answer: /joomla/administrator/index.php

Q2: Against which username was the brute force attempt made?
Answer: admin

Q3: What was the correct password for admin access to the content management system running imreallynotbatman.com?

</strong>
Answer: batman

Q4: What IP address is likely attempting a brute force password attack against imreallynotbatman.com
Answer: 23.22.63.114

Q5: After finding the correct password, which IP did the attacker use to log in to the admin panel?
Answer: 40.80.148.42

Task 6 Installation Phase

Q1: Sysmon also collects the Hash value of the processes being created. What is the MD5 HASH of the program 3791.exe?
Answer: AAE3F5A29935E6ABCC2C2754D12A9AF0

Q2: Looking at the logs, which user executed the program 3791.exe on the server?
Answer: NT AUTHORITY\IUSR

Q3: Search hash on the virustotal. What other name is associated with this file 3791.exe?
Answer: ab.exe

Task 7 Action on Objectives

Q1: What is the name of the file that defaced the imreallynotbatman.com website ?
Answer: poisonivy-is-coming-for-you-batman.jpeg

Q2: Fortigate Firewall ‘fortigate_utm’ detected SQL attempt from the attacker’s IP 40.80.148.42. What is the name of the rule that was triggered during the SQL Injection attempt?
Answer: HTTP.URI.SQL.Injection

Task 8 Command and Control Phase

Q1: This attack used dynamic DNS to resolve to the malicious IP. What fully qualified domain name (FQDN) is associated with this attack?
Answer: prankglassinebracket.jumpingcrab.com

Task 9 Weaponization Phase

Q1: What IP address has P01s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?
Answer: 23.22.63.114

Q2: Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address that is most likely associated with the P01s0n1vy APT group?
Answer: lillian.rose@po1s0n1vy.com

Task 10 Delivery Phase

Q1: What is the HASH of the Malware associated with the APT group?
Answer: c99131e0169171935c5ac32615ed6261

Q2: What is the name of the Malware associated with the Poison Ivy Infrastructure?
Answer: MirandaTateScreensaver.scr.exe

Task 11 Conclusion

Q4: Read the above.
Answer: No answer needed