TL;DR Walkthrough of the Tryhackme rooms Splunk: Basics and Splunk 2, part of the Cyber Defense Pathway.
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
Now that TryHackMe’s promotion for the Security Engineer Pathway is over I am back finishing up the Cyber Defense Pathway I was on. I am planning to use this one for CompTIA CEUs, but I also should learn something and get some hands on the keyboard time in. I don’t and can’t memorize everything, so I take notes as I go. I realized a long time ago that I take better notes when I post them on here, so here we go again.
I don’t have much experience with Splunk, so these two rooms were good practice. The first room gave us a JSON file to upload to Splunk and then query. I have a lot more practice with PowerShell, so I initially blew through the Splunk Basics room using that.
However I do need to learn Splunk, so I went back and ran through the questions again using it. I’ll show how to query with both PowerShell and Splunk for the first room.
I managed to get through the second room, but I am not good at Splunk and even worse at explaining it. Hence I’ll just show the queries and answers for the Splunk 2 room. If you need explanations of how to get the answers then see Onur Alp Akin’s excellent walkthrough here.
— — Splunk Basics — -
Upload the data attached to this task and create an index “VPN_Logs”. How many events are present in the log file?
PowerShell:
(Get-Content .\VPNlogs.json | Select-String “UserName”).CountSplunk:
Just upload the JSON to Splunk and it immediately see:
2862
How many log events by the user Maleena are captured?
PowerShell:
(Get-Content .\VPNlogs.json | Select-String “Maleena”).CountSplunk:
Click on the first event, click on username, sort by user
60
What is the name associated with IP 107.14.182.38?
PowerShell:
$Test = Get-Content .\VPNlogs.json | Select-String "107.14.182.38" | Select-Object -Last 1
((($Test -split ":")[1]).Split(",")[0]).Replace('"',$null)Splunk way:
source=”VPNlogs.json” host=”ip-10–10–40–195" sourcetype=”_json” Source_ip=”*”| spath Source_ip | search Source_ip=”107.14.182.38" | rare limit=20 Source_ipSmith
What is the number of events that originated from all countries except France?
PowerShell:
$Countries = Get-Content .\VPNlogs.json | Select-String "Source_Country"
$Count = 0
ForEach($Entry in $Countries)
{
$Country = (((($Entry -split ":")[3]).Split(",")[0]).Replace('"',$null)).Replace(' ','')
If($Country -ne "France")
{$Count = $Count + 1}
}
$CountAlt; Splunk way:
source=”VPNlogs.json” host=”ip-10–10–40–195" Source_Country!=”France”2814
How many VPN Events were observed by the IP 107.3.206.58?
PowerShell:
(Get-Content .\VPNlogs.json | Select-String “107.3.206.58”).CountSplunk:
source=”VPNlogs.json” host=”ip-10–10–40–195" sourcetype=”_json” Source_ip=”*”| spath Source_ip | search Source_ip=”107.3.206.58" | rare limit=20 Source_ip14
— — Splunk 2 Room — —
— — Series 100 Questions — -
Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team. What is the website domain that she visited?
index=”botsv2" IPADDR sourcetype=”stream:HTTP” *beer* | dedup site | table sitewww.berkbeer.com
Amber found the executive contact information and sent him an email. What image file displayed the executive’s contact information? Answer example: /path/image.ext
index=”botsv2" sourcetype=”stream:HTTP” “10.0.2.101” *beer* *ceo* site=”www.berkbeer.com"/images/ceoberk.png
This also got use Amber’s email:
aturing@froth.ly
What is the CEO’s name? Provide the first and last name.
(We found the CEO’s email first, then searched this one.)
index=”botsv2" sourcetype=”stream:SMTP” *aturing@froth.ly* *mberk@berkbeer.com*show as raw text -> Ctrl + F “ berk”:
Martin Berk
What is the CEO’s email address?
index=”botsv2" sourcetype=”stream:SMTP” *aturing@froth.ly* *beer*mberk@berkbeer.com
After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee’s email address?
index=”botsv2" sourcetype=”stream:SMTP” *aturing@froth.ly* *@berkbeer.com*hbernhard@berkbeer.com
What is the name of the file attachment that Amber sent to a contact at the competitor?
index=”botsv2" sourcetype=”stream:SMTP” *aturing@froth.ly* *hbernhard@berkbeer.com*Saccharomyces_cerevisiae_patent.docx
What is Amber’s personal email address?
The query above only returned two emails. Show the first one in raw text -> Ctrl + A -> copy/paste to Notepad -> cut and paste the Base64 at the top to a new *.txt and copy/paste that to Base64decode.org and we get:
Thanks for taking the time today, As discussed here is the document I was referring to. Probably better to take this offline. Email me from now on at ambersthebest@yeastiebeastie.com<ambersthebest@yeastiebeastie.com>
From: hbernhard@berkbeer.com<hbernhard@berkbeer.com> [hbernhard@berkbeer.com]
Sent: Friday, August 11, 2017 9:08 AM
To: Amber Turing <aturing@froth.ly<aturing@froth.ly>>
Subject: Heinz Bernhard Contact Information
Hello Amber,
Great talking with you today, here is my contact information. Do you have a personal email I can reach you at as well?
Thank You
Heinz Bernhard
hernhard@berkbeer.com<hernhard@berkbeer.com>
865.888.7563ambersthebest@yeastiebeastie.com
— — Series 200 Questions — -
Quick recap; here’s a few things we know about Amber Turing from the 100 Series Questions:
- aturing@froth.ly
- ambersthebest@yeastiebeastie.com
- 10.0.2.101
- wrk-aturing
What version of TOR Browser did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one or more delimiter.
index=”botsv2" *wrk-aturing* *download* *exe*and right there in the first event found we have “C:\Users\amber.turing\Downloads\torbrowser-install-7.0.4_en-US.exe”
7.0.4
What is the public IPv4 address of the server running www.brewertalk.com?
index=”botsv2" *brewertalk* *dns* *response*52.42.208.228
Provide the IP address of the system used to run a web vulnerability scan against www.brewertalk.com.
index=”botsv2" *www.brewertalk.com* src_ip=”*” | spath src_ip | rare limit=20 src_ipsort the results by count and we see the most hits on:
45.77.65.211
— — Little tip here — -
I’m probably preaching to the choir, but it was around this point where I realized I could simply click on a field in the search results and then pick ‘Show Top 20’
— — break — -
The IP address from Q#2 is also being used by a likely different piece of software to attack a URI path. What is the URI path? Answer guidance: Include the leading forward slash in your answer. Do not include the query string or other parts of the URI. Answer example: /phpinfo.php
index=”botsv2" src_ip=”45.77.65.211" sourcetype=”stream:HTTP”| top limit=20 uri_path/member.php
/search.php
I just tried both, TryHackme wanted the first one. The answer is:
/member.php
What SQL function is being abused on the URI path from the previous question?
index=”botsv2" src_ip=”45.77.65.211" sourcetype=”stream:HTTP” uri_path=”/member.php”The hint says to look at the form_data field, so lets see.
form_data:
regcheck1=®check2=true&username=makman&password=mukarram&password2=mukarram&email=mak@live.com&email2=mak@live.com&referrername=&imagestring=F7yR4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1416039333&step=registration&action=do_register®submit=Submit Registration!&question_id=makman' and updatexml(NULL,concat (0x3a,(SUBSTRING((SELECT password FROM mybb_users ORDER BY UID LIMIT 5,1), 32, 31))),NULL) and '1and the answer that TryHackMe is looking for is:
updatexml
What was the value of the cookie that Kevin’s browser transmitted to the malicious URL as part of an XSS attack? Answer guidance: All digits. Not the cookie name or symbols like an equal sign.
index=”botsv2" kevin sourcetype=”stream:HTTP”What we quickly learn about this user:
- frothly\kevin.lagerfield
- WRK-KLAGERF
- 10.0.2.109
index=”botsv2" kevin sourcetype=”stream:HTTP”| top limit=20 cookieThere’s only 4 values:
mybb[lastvisit]=1502408189; mybb[lastactive]=1502408191; sid=4a06e3f4a6eb6ba1501c4eb7f9b25228; adminsid=9267f9cec584473a8d151c25ddb691f1; acploginattempts=0
mybb[lastvisit]=1502408189; mybb[lastactive]=1502408191; sid=4a06e3f4a6eb6ba1501c4eb7f9b25228
mybb[lastvisit]=1502405547; mybb[lastactive]=1502405588; sid=b3fef1ea2c5e4eb4e0748b24f25d7fb9; mybb[threadread]=a%3A1%3A%7Bi%3A1%3Bi%3A1502405574%3B%7D; mybb[forumread]=a%3A1%3A%7Bi%3A5%3Bi%3A1502405574%3B%7D; loginattempts=1; mybbuser=1_kkolaQyAejS4ec81jmoML5PfijBeMzom3Ze3vdkc3vUHejukmg
mybb[lastvisit]=1502409359; mybb[lastactive]=1502409435; sid=79777f86e4e8e4cd0fbe8682866d70f8; loginattempts=1; mybbuser=24_pwJrN8qHFqgRmyxjF7ezfGLKuCmpk8cnSICIHvttCDRcCJ1ZvGSo we can kinda klutz our way through this one. Just copy/paste any values that are all digits until TryHackMe takes it as the answer.
1502408189
What brewertalk.com username was maliciously created by a spear phishing attack?
TryHackMe didn’t give us much to go on, but we’ll assume that kevin is the violator, so query:
index=”botsv2" kevin username sourcetype=”stream:HTTP”Ctrl + F “username”
<div id="welcome"><span class="logged_in_as">Logged in as <a href="index.php?module=user-users&action=edit&uid=24" class="username">kIagerfield</a></span> | <a href="http://www.brewertalk.com" target="_blank" class="forum">View Forum</a> | <a href="index.php?action=logout&my_post_key=c0dfd2032bfa073e9a68a89212b5e201" class="logout">Log Out</a></div>kIagerfield
Turns out we didn’t need Kevin’s IP or ComputerName.
— — Series 300 Questions — -
We’ll start by listing what we learned about Mallory by randomly poking around:
- MACLORY-AIR13
- 10.0.4.4
Mallory’s critical PowerPoint presentation on her MacBook gets encrypted by ransomware on August 18. What is the name of this file after it was encrypted?
index=”botsv2" *maclory-air13* *.pptx| top limit=20 “columns.target_path”/Users/mallorykraeusen/Documents/Frothly_marketing_campaign_Q317.pptx.crypt
There is a Games of Thrones movie file that was encrypted as well. What season and episode is it?
index=”botsv2" *maclory-air13* *.crypt| top limit=20 “columns.target_path”/Users/mallorykraeusen/Downloads/GoT.S07E02.BOTS.BOTS.BOTS.mkv.crypt
Kevin Lagerfield used a USB drive to move malware onto kutekitten, Mallory’s personal MacBook. She ran the malware, which obfuscates itself during execution. Provide the vendor name of the USB drive Kevin likely used. Answer Guidance: Use time correlation to identify the USB drive.
index=”botsv2" *kutekitten* *usb* | top limit=20 “columns.serial”849083BA Alcor Micro Corp.
0701348CAE3C4831 No results on Google
Hence TryHackMe is looking for:
Alcor Micro Corp.
What programming language is at least part of the malware from the question above written in?
index=”botsv2" kutekitten name=file_events | top limit=20 “columns.sha256”befa9bfe488244c64db096522b4fad73fc01ea8c4cd0323f1cbdee81ba008271
VirusTotal reports this hash as
Perl/Agent
Backdoor.OSX.Fruitfly
Hence the programming language that TryHackMe is looking for is:
Perl
When was this malware first seen in the wild? Answer Guidance: YYYY-MM-DD
Details tab on VirusTotal for the checksum above:
2017–01–17
The malware infecting kutekitten uses dynamic DNS destinations to communicate with two C&C servers shortly after installation. What is the fully-qualified domain name (FQDN) of the first (alphabetically) of these destinations?
Both are in VirusTotal for that hash under the Relations tab:
eidk.duckdns.org
From the question above, what is the fully-qualified domain name (FQDN) of the second (alphabetically) contacted C&C server?
eidk.hopto.org
— — Series 400 Questions — -
A Federal law enforcement agency reports that Taedonggang often spear phishes its victims with zip files that have to be opened with a password. What is the name of the attachment sent to Frothly by a malicious Taedonggang actor?
index=”botsv2" *zip* sourcetype=”stream:smtp”| top limit=20 “attach_filename{}”invoice.zip
Not the answer to the question, but some of the other interesting files that were emailed:
- image.png
- Saccharomyces_cerevisiae_patent.docx
- Office2016_Patcher_For_OSX.torrent
- Malware Alert Text.txt
- GoT.S7E2.BOTS.BOTS.BOTS.mkv.torrent
What is the password to open the zip file?
index=”botsv2" *invoice.zip* sourcetype=”stream:smtp”| top limit=20 “content_body{}”For some reason Splunk refused to show the values in the Statistics tab, so one has to manually scroll down and expand the content_body field to see the email text.
912345678
The Taedonggang APT group encrypts most of their traffic with SSL. What is the “SSL Issuer” that they use for the majority of their traffic? Answer guidance: Copy the field exactly, including spaces.
index=”botsv2" sourcetype=”stream:TCP” 45.77.65.211| top limit=20 ssl_issuerC = US
What unusual file (for an American company) does winsys32.dll cause to be downloaded into the Frothly environment?
index=”botsv2" winsys32.dll | top limit=20 Process_Command_LineWe see ftp.exe in the results, so let’s check for FTP usage:
index=”botsv2" sourcetype=”stream:ftp”| top limit=20 filenameand we get lucky, the very first filename is:
나는_데이비드를_사랑한다.hwp
What is the first and last name of the poor innocent sap who was implicated in the metadata of the file that executed PowerShell Empire on the first victim’s workstation? Answer example: John Smith
This one is deceivingly simple. I overthought it and wasted some time before I realized that TryHackMe provides the link:
Check the details tab and see:
Ryan Kovar
Within the document, what kind of points is mentioned if you found the text?
TryHackMe provides this link as well for the previous question:
https://app.any.run/tasks/15d17cd6-0eb6-4f52-968d-0f897fd6c3b3/
Congrats! It looks like you have a virustotal account and choose to live on the edge. If you find this… turn it in for some CyberEastEgg points!!!
And the answer is:
CyberEastEgg
To maintain persistence in the Frothly network, Taedonggang APT configured several Scheduled Tasks to beacon back to their C2 server. What single webpage is most contacted by these Scheduled Tasks? Answer example: index.php or images.html
We are going to go out on a limb since TryHackMe mentioned PowerShell Empire earlier:
index=”botsv2" schtasks.exe powershellWe get an event that queries a registry value, Base64 decodes, and runs whatever was in that value. So what’s the value?
index=”botsv2" \\Software\\Microsoft\\Network SetValue| top limit=20 dataWe get 4 hits total, 3 unique Base64 encoded obfuscated … things. Base64decode.org will easily translate them. They are really ugly, but we can follow the obfuscation enough to see that one calls out to https://45.77.65.211:443/news.php, one goes to /admin/get.php, and the third goes to /login/process.php.
news.php & /admin/get.php only show up once each, whereas process.php is in the logs 2x. TryHackMe wants the one that’s used most, so
process.php
Summary
All TryHackMe wanted was the end of the URL, but I was curious about that last event and kept looking. All three unique Base64 values we found pull down … something, and then pass it to Invoke-Expression.
We saw this before in the Windows Event Logs room. I’m sure that somewhere out there is a system administrator who is legitimately using Invoke-Expression, or the alias iex. However the first time I heard of this cmdlet was in cyber courses and to this day the only time I have seen it used was in malware or CTFs. Hence, JMHO, but I’d set your SIEM to notify INC response folks if any use of it is seen in the wild.
In the end this Splunk exercise ended up back where it began, with PowerShell. I’m a ‘Windows Guy’ so I’m not going to lie, this made me happy inside.
I got some good practice with Splunk in these two rooms, and I learned how useful the ‘ | top limit=20 <field> ‘ is.
References
Base64 (yeah I know, I’m citing myself. However this explains Base64 encoded commands in PowerShell): https://medium.com/@happycamper84/merry-christmas-from-test-local-b07750a1e011
Cmdlets overview: https://learn.microsoft.com/en-us/powershell/scripting/developer/cmdlet/cmdlet-overview?view=powershell-7.3
Invoke-Expression, iex, & obfuscation: https://www.securonix.com/blog/hiding-the-powershell-execution-flow/#:~:text=%E2%80%9CInvoke%20expressions%E2%80%9D%20(IEX),both%20local%20and%20remote%20payloads.
Invoke-Expression described by Microsoft: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.3
