Splunk BOTSv3 Web & OneDrive
The past week I've been spending most of my time working through a Splunk learning path to gain an understanding of different detection and incident-handling approaches for various attack vectors. Today I will be completing two quick CTFs that I need to finish the learning path. Both turned out to be extremely easy, which I didn't know when I began documenting them to post later.
Webserver Challenge
I'm working for a brewing company that has had some trouble with malicious activity on its server. My first task is to gather information about the system's hardware, specifically the CPU.
Search string: sourcetype="hardware" cpu
Next they would like me to find the number of packages and dependencies installed by the EC2 instance's cloud-init script when it runs.
Search string: sourcetype="cloud-init-output" packages
The organization has been having trouble with brute-force attacks against its webserver. They want me to find the source IP and its country of origin using the iplocation command. (This command was not working for me, so I had to use outside OSINT sources.)
Search string: sourcetype=linux_secure "Failed password" OR "Invalid user"
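Since OR binds tighter than the implicit AND in Splunk, the search above is equivalent to sourcetype=linux_secure ("Failed password" OR "Invalid user"), and the next step is a stats count by source IP. The following is an added example, not part of the original write-up or the BOTSv3 data set: it runs that same aggregation in Python over a handful of constructed linux_secure lines, so you can see what the brute-force pattern looks like (many failures, several usernames, one source) before asking iplocation or an OSINT source for the country.

```python
import re
from collections import defaultdict

# Constructed sample events in linux_secure (sshd) format; not the BOTSv3 data.
# One source hammers sshd with several usernames; one is a legitimate admin.
SAMPLE_LINUX_SECURE = """\
Aug 20 09:14:01 web01 sshd[2214]: Invalid user admin from 203.0.113.45
Aug 20 09:14:03 web01 sshd[2214]: Failed password for invalid user admin from 203.0.113.45 port 51532 ssh2
Aug 20 09:14:05 web01 sshd[2219]: Invalid user oracle from 203.0.113.45
Aug 20 09:14:07 web01 sshd[2219]: Failed password for invalid user oracle from 203.0.113.45 port 51540 ssh2
Aug 20 09:14:09 web01 sshd[2223]: Failed password for root from 203.0.113.45 port 51551 ssh2
Aug 20 09:14:11 web01 sshd[2227]: Failed password for root from 203.0.113.45 port 51562 ssh2
Aug 20 09:15:30 web01 sshd[2301]: Failed password for ubuntu from 198.51.100.7 port 40122 ssh2
Aug 20 09:16:02 web01 sshd[2310]: Accepted publickey for ubuntu from 198.51.100.7 port 40130 ssh2
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# The two message shapes the Splunk search matches on. "invalid user" is optional
# in the first because sshd logs failures for known and unknown users differently.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from " + IPV4)
INVALID_RE = re.compile(r"Invalid user (?P<user>\S+) from " + IPV4)


def parse_auth_failures(raw):
    """Yield (src_ip, username) for every failed/invalid login line.

    Each line is tested against FAILED_RE first, then INVALID_RE, so a line is
    counted at most once (the regexes are case-sensitive, so the lowercase
    'invalid user' inside a Failed password line does not match INVALID_RE).
    """
    for line in raw.splitlines():
        match = FAILED_RE.search(line) or INVALID_RE.search(line)
        if match:
            yield match.group("ip"), match.group("user")


def summarize_by_source(raw):
    """Equivalent of '| stats count, dc(user) by src_ip' on the search results."""
    summary = defaultdict(lambda: {"count": 0, "users": set()})
    for ip, user in parse_auth_failures(raw):
        summary[ip]["count"] += 1
        summary[ip]["users"].add(user)
    return dict(summary)


def brute_force_sources(raw, threshold=5):
    """Return [(src_ip, count), ...] for sources at or above threshold, busiest first.

    A couple of failures from one address is normal; many failures, especially
    across several usernames, is the brute-force pattern. The country lookup is
    left to Splunk's iplocation (or an external OSINT source) once the IP is known.
    """
    summary = summarize_by_source(raw)
    flagged = [(ip, data["count"]) for ip, data in summary.items() if data["count"] >= threshold]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    summary = summarize_by_source(SAMPLE_LINUX_SECURE)
    for ip, count in brute_force_sources(SAMPLE_LINUX_SECURE):
        print(f"{ip}: {count} failures across users {sorted(summary[ip]['users'])}")
```

The threshold of five is an arbitrary starting point for this sample; on a real host you would tune it against the normal failure rate and a time window rather than a flat count.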
Compromised OneDrive Challenge
In this challenge, a group of North Korean hackers has compromised the brewing company's Microsoft OneDrive, and it is my duty to thwart their nefarious activities. My first task is to locate a malicious file that was uploaded to the organization's OneDrive account.
Search string: sourcetype="*o365*" .lnk
We've located the .lnk file, but now we need to know how many unique client IP addresses accessed it.
Search string: sourcetype="*o365*" *.lnk Operation=AnonymousLinkUsed ClientIP="*"
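The search above narrows to anonymous-link usage and then needs a distinct count of ClientIP. As an added example that is not part of the original post or the BOTSv3 data, the following does the same filtering in Python over a few constructed O365 audit events. It assumes the Office 365 audit field names as Splunk indexes them (Operation, ObjectId holding the file URL, ClientIP, UserId); the tenant, file names and addresses are made up. Unlike the bare *.lnk term, which matches anywhere in the raw event, this matches the extension of ObjectId case-insensitively and also groups by file, so a second .lnk file would not be silently folded into the count.

```python
import json
from collections import defaultdict

# Constructed O365 audit events; not the BOTSv3 data. Field names follow the
# Office 365 Management Activity schema (Operation, ObjectId, ClientIP, UserId).
SAMPLE_O365_EVENTS = [
    '{"Operation":"FileUploaded","ObjectId":"https://contoso-my.sharepoint.com/personal/bob_contoso_com/Documents/invoice.lnk","ClientIP":"198.51.100.7","UserId":"bob@contoso.com"}',
    '{"Operation":"AnonymousLinkCreated","ObjectId":"https://contoso-my.sharepoint.com/personal/bob_contoso_com/Documents/invoice.lnk","ClientIP":"198.51.100.7","UserId":"bob@contoso.com"}',
    '{"Operation":"AnonymousLinkUsed","ObjectId":"https://contoso-my.sharepoint.com/personal/bob_contoso_com/Documents/invoice.lnk","ClientIP":"203.0.113.45","UserId":"anonymous"}',
    '{"Operation":"AnonymousLinkUsed","ObjectId":"https://contoso-my.sharepoint.com/personal/bob_contoso_com/Documents/invoice.lnk","ClientIP":"203.0.113.45","UserId":"anonymous"}',
    '{"Operation":"AnonymousLinkUsed","ObjectId":"https://contoso-my.sharepoint.com/personal/bob_contoso_com/Documents/invoice.lnk","ClientIP":"192.0.2.19","UserId":"anonymous"}',
    '{"Operation":"AnonymousLinkUsed","ObjectId":"https://contoso-my.sharepoint.com/personal/bob_contoso_com/Documents/Readme.LNK","ClientIP":"192.0.2.19","UserId":"anonymous"}',
    '{"Operation":"AnonymousLinkUsed","ObjectId":"https://contoso-my.sharepoint.com/personal/bob_contoso_com/Documents/quarterly.docx","ClientIP":"203.0.113.45","UserId":"anonymous"}',
    '{"Operation":"FileAccessed","ObjectId":"https://contoso-my.sharepoint.com/personal/bob_contoso_com/Documents/invoice.lnk","ClientIP":"192.0.2.19","UserId":"alice@contoso.com"}',
]


def anonymous_link_clients(raw_events, suffix=".lnk"):
    """Map each matching file's ObjectId to the set of ClientIPs that used an anonymous link to it.

    Only Operation=AnonymousLinkUsed counts, mirroring the Splunk search; the
    extension check on ObjectId is case-insensitive because OneDrive keeps the
    name as uploaded. Events without a ClientIP are skipped (the ClientIP="*"
    term in the search does the same).
    """
    clients = defaultdict(set)
    for raw in raw_events:
        event = json.loads(raw)
        if event.get("Operation") != "AnonymousLinkUsed":
            continue
        object_id = event.get("ObjectId", "")
        if not object_id.lower().endswith(suffix.lower()):
            continue
        ip = event.get("ClientIP")
        if ip:
            clients[object_id].add(ip)
    return dict(clients)


def unique_client_ip_count(raw_events, suffix=".lnk"):
    """Equivalent of '| stats dc(ClientIP)' over the filtered events."""
    all_ips = set()
    for ips in anonymous_link_clients(raw_events, suffix).values():
        all_ips |= ips
    return len(all_ips)


if __name__ == "__main__":
    for object_id, ips in anonymous_link_clients(SAMPLE_O365_EVENTS).items():
        print(f"{object_id.rsplit('/', 1)[-1]}: {sorted(ips)}")
    print("distinct client IPs:", unique_client_ip_count(SAMPLE_O365_EVENTS))
```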
The file was quarantined by the AV, but not before multiple hosts were compromised. Find the hosts that were affected.
Search string: sourcetype="WinEventLog:Application" *.lnk
That's a wrap for now. These were very easy, but practice makes perfect, and I was able to breeze through them in a few minutes. I have three more Splunk CTFs to finish that will wrap up the Splunk learning path I've been working on. Until next time!