Skip to main content

Boss Of The SOC v1

indexsourcetypecount
botsv1fgt_event57
botsv1fgt_traffic55279
botsv1fgt_utm25586
botsv1iis22615
botsv1nessus:scan65
botsv1stream:dhcp16
botsv1stream:dns7434
botsv1stream:http23936
botsv1stream:icmp12858
botsv1stream:ip62083
botsv1stream:ldap344
botsv1stream:mapi7025
botsv1stream:sip12
botsv1stream:smb151568
botsv1stream:snmp12
botsv1stream:tcp28291
botsv1suricata125584
botsv1wineventlog:application113
botsv1wineventlog:security87430
botsv1wineventlog:system182

Artifact

hostIPexe
we1149srv192.168.250.70
23.22.63.114 Host: prankglassinebracket.jumpingcrab.com:13373791

40.80.148.42

Q1: This is a simple question to get you familiar with submitting answers. What is the name of the company that makes the software that you are using for this competition? Just a six-letter word with no punctuation.

Q2: Web Defacement: What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as . , ! ? in your answer. We are looking for alpha characters only.)

sourcetype=* "http.hostname"="imreallynotbatman.com" và tìm http.url

joomla

Q3: Web Defacement: What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?

sourcetype=suricata AND http.hostname="imreallynotbatman.com" event_type=alert alert.signature=scan

192.168.250.70 -splunk-02

Vì trước đó ta phát hiện hacker sử dụng cmd.exe để thực hiện hành vi. Như vậy phải có tiến trình gọi cmd đó. Ta dùng câu query sau

index="botsv1" source="wineventlog:microsoft-windows-sysmon/operational" EventCode=1 Image="*cmd.exe" ParentImage!="C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" | table _time host ParentImage CommandLine | sort _time

2016-08-10 21:58:23we1149srvC:\inetpub\wwwroot\joomla\3791.exeC:\Windows\system32\cmd.exe

C:\Program Files (x86)\PHP\v5.5\php-cgi.exe liên tục gọi cmd.exe.

  • Bản chất: php-cgi.exe là tiến trình xử lý mã PHP của máy chủ web. Trong điều kiện bình thường, tiến trình này chỉ xử lý code PHP trả về HTML. Nó không bao giờ tự động mở Command Prompt (cmd.exe) để gõ lệnh hệ thống.
  • Kết luận: Hacker đã khai thác thành công một lỗ hổng RCE (Remote Code Execution - Thực thi mã từ xa) hoặc tải lên thành công một Web Shell (một tệp PHP độc hại đóng vai trò như một cửa hậu).

Q4: Web Defacement: What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, "Microsoft" or "Oracle")

Acunetix

Q5: Web Defacement: What IP address is likely attempting a brute force password attack against imreallynotbatman.com?

23.22.63.114

Trong log chỉ có 2 ip thì khong phải 40.80.148.42 phải là thằng này mà thôi

Q6: Web Defacement: What was the first brute force password used?

Đi tìm ở suricata thì không thấy log đâu hết vì chỉ lưu metadata

sourcetype=stream:http dest_ip=192.168.250.70 src_ip=23.22.63.114 http_method=POST 
| sort _time 
|  table _time src_ip http_user_agent form_data

Q7: Web Defacement: What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, "notepad.exe" or "favicon.ico")

..%E0%80%AF../..%E0%80%AF../winnt/system32/cmd.exe?/c dir directory traversal Trong 14 gói tin này, hacker không hề upload (đăng tải) một file nào lên máy chủ cả. Những chữ .exe mà Splunk vớt được (như shtml.exe, cmd.exe, le_check_v3.exe) t

40.80.148.42

sourcetype="stream:http" http_method=GET dest_ip=23.22.63.114 | table timestamp http_method uri dest_ip site

Tìm trên sourcetype nên phải dùng sysmon

Q8: Web Defacement: What is the MD5 hash of the executable uploaded?

Dùng eventiD 1 ta tìm được

index="botsv1" source="wineventlog:microsoft-windows-sysmon/operational" EventCode=1 Image="*3791.exe" host="we1149srv" Image="C:\inetpub\wwwroot\joomla\3791.exe”

MD5=AAE3F5A29935E6ABCC2C2754D12A9AF0

ta phát hiện đây là meterpreter của Cobalt Strike - Rozena

Kiểm tra xem 3791.exe đã làm những gì

index="botsv1" source="wineventlog:microsoft-windows-sysmon/operational" Image=*3791.exe host="we1149srv" | table _time EventCode Image CommandLine | sort _time | dedup EventCode

8/10/16

9:56:19.000 PM

kết nối tới 23.22.63.114 port 3791

index="botsv1" source="wineventlog:microsoft-windows-sysmon/operational" Image=*3791.exe host="we1149srv" EventCode=7 | table _time host ImageLoaded

Q9: Web Defacement: What was the correct password for admin access to the content management system running "imreallynotbatman.com"?

hacker đã chạy những lệnh sau

index="botsv1" source=stream:http src_ip=192.168.250.70 | table _time uri site

8/10/16

10:13:46.915 PM

Q10: Web Defacement: What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with the extension (For example, "notepad.exe" or "favicon.ico").

từ câu 9 ở trên Ta tìm thấy kết quả cho câu 10 poisonivy-is-coming-for-you-batman.jpeg

Q11: Web Defacement: This attack used dynamic DNS to resolve to the malicious IP. What is the fully qualified domain name (FQDN) associated with this attack?

Q12: Web Defacement: What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?

Q13: Web Defacement: Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?

Q14: Web Defacement: GCPD reported that common TTP (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear-phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy's initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.

Q15: Web Defacement: What is the special hex code associated with the customized malware discussed in the previous question? (Hint: It's not in Splunk)

Q16: Web Defacement: One of Po1s0n1vy's staged domains has some disjointed "unique" whois information. Concatenate the two codes together and submit them as a single answer.

Q17: Web Defacement: One of the passwords in the brute force attack is James Brodsky's favorite Coldplay song. Hint: we are looking for a six-character word on this one. Which is it?

Q18: Web Defacement: What was the average password length used in the password brute-forcing attempt? (Round to a closest whole integer. For example "5" not "5.23213")

Q19: Web Defacement: How many seconds elapsed between the brute force password scan identified the correct password and the compromised login? Round to 2 decimal places.

Q20: Web Defacement: How many unique passwords were attempted in the brute force attempt?

Q21: Ransomware: What fully qualified domain name (FQDN) makes the Cerber ransomware attempt to direct the user to at the end of its encryption phase?

Q22: Ransomware: What was the most likely IP address of we8105desk in 24AUG2016?

Q23: Ransomware: Amongst the Suricata signatures that detected the Cerber malware, which one alerted the fewest number of times? Submit ONLY the signature ID value as the answer. (No punctuation, just 7 integers.)

Q24: Ransomware: The VBScript found in question 25 launches 121214.tmp. What is the ParentProcessId of this initial launch?

Q25: Ransomware: During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of the value of this field?

Q26: Ransomware: The malware downloads a file that contains the Cerber ransomware crypto code. What is the name of that file?

Q27: Ransomware: Now that you know the name of the ransomware's encryptor file, what obfuscation technique does it likely use?

Q28: Ransomware: What is the name of the USB key inserted by Bob Smith?

Q29: Ransomware: Bob Smith's workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?

Q30: Ransomware: How many distinct PDFs did the ransomware encrypt on the remote file server?

Q31: Ransomware: The Cerber ransomware encrypts files located in Bob Smith's Windows profile. How many .txt files does it encrypt?

Q32: Ransomware: What was the first suspicious domain visited by we8105desk in 24AUG2016?