Avatar Avatar

Home

Menu: Blog
  • Blog
  • Tags
  • Search

    • Boss Of The SOC (BOTS) v1 - Threat Hunting with Splunk (II)

     Tags:  | siem | traffic_analysis | soc | blue |
    Read this in "about 4 minutes".

    Description

    • The lab is provided by INE - Effectively Using Splunk (S1).
    • Another very good & free lab: here.

    Continuing of Boss Of The SOC (BOTS) v1 - Threat Hunting with Splunk (I)


    Step 4 - Exploitation Activities

    In this phase, we’ll employ Splunk to uncover any exploitation activity on the network. Let’s us focus on stream:http sourcetype. The query is:

    • index=botsv1 sourcetype="stream:http"

    Considering the following image:

    botsv1/19.png

    Looking at http_method section in the INTERESTING FIELDS column, it’s obvious that POST requests account for a large portion of HTTP requests.

    We are also interested in the requests being sent to 192.168.250.70, which is our organization website. The search we use is as the following.

    • index="botsv1" sourcetype="stream:http" http_method="POST" dest="192.168.250.70" NOT "Acunetix"

    Note: NOT "Acunetix" is specified to exclude Acunetix scanner requests.

    Applying the search, the result is much cleaner. Let’s look at the http_user_agent field.

    botsv1/20.png

    We discovered that the agent Python-urllib/2.7 is used, let’s also include it in our search.

    • index="botsv1" sourcetype="stream:http" http_method="POST" dest="192.168.250.70" NOT "Acunetix" http_user_agent="Python*"
    botsv1/21.png

    Scroll down a little bit, we can see that the form_data contains values of username and password!

    Considering the below query:

    • index="botsv1" sourcetype="stream:http" http_method="POST" dest="192.168.250.70" NOT "Acunetix" http_user_agent="Python*" | table _time,form_data,c_ip | sort + _time
    botsv1/22.png

    It’s undoubtable that the APT performed password bruteforcing. If we are interested in checking whether the attack is successful, the User Agent can tell us.

    • index="botsv1" sourcetype="stream:http" http_method="POST" dest="192.168.250.70" NOT "Acunetix" | search form_data="*user*pass*" http_user_agent="Mozilla*" | table _time,form_data,http_user_agent,c_ip | sort + _time
    botsv1/23.png

    It’s very likely that batman is the correct password. The search revealed that attackers used Python to bruteforce password then logged in with their actual web browser.

    Finally, if we want to see the timeframe of the two successful logins, we can do so as belows:

    • index="botsv1" sourcetype="stream:http" http_method="POST" dest="192.168.250.70" NOT "Acunetix" | search form_data="*passwd=batman*" | table _time,form_data,http_user_agent,c_ip | sort + _time
    botsv1/24.png

    The meaningful timeframe can also explain a successful bruteforce attack.


    Step 5 - Installation Activities

    As far as the exploitation is successful, we are mostly interested in the malware being transferred to the victim.

    To upload the malware, we want to look at POST request with the extension of a Windows executable.

    • index=botsv1 NOT "Acunetix" sourcetype=stream:http http_method=POST dest=192.168.250.70 ".exe"

    part_filename{} is the field we want to look at, but it’s not enabled by default. We will simply click on All Fields, then choose part_filename to activate it.

    By doing so, we can efficiently extract files are uploaded to the server as the following image:

    botsv1/25.png

    The file 3791.exe is malicious due to the source address.

    Splunk provides the ability to extract hashes of the uploaded files. To do that, we focus on Sysmon log events:

    • index=botsv1 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

    We can narrow down the search by looking at the executable 3791.exe and Event ID is 1.

    • index=botsv1 3791.exe sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    botsv1/26.png

    We can make an additional step by adding CommandLine to only filter the commands initiated from 3791.exe.

    • index=botsv1 "3791.exe" sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine=3791.exe
    botsv1/27.png

    In order to extract the relevant hash, we can do as follows:

    • index=botsv1 "3791.exe" sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine=3791.exe | stats values(md5)
    botsv1/28.png

    We then submit the hash onto www.hybrid-analysis.com, it’s marked as malicious.


    Step 6 - Command and Control Server

    In this phase, the APT will mostly interact with the victim over C2. It’s very likely that C2 will use domain to interact with the victim.

    Splunk allows us to extract domains with stream:dns sourcetype. Let’s us filter DNS traffic of the 22.23.63.114 ip address.

    • index=botsv1 sourcetype=stream:dns "23.22.63.114" | stats values(name{})
    botsv1/29.png

    If we look a bit closer, this domain defaces our webserver.

    • index=botsv1 sourcetype="stream:http" "prankglassinebracket.jumpingcrab.com"
    botsv1/30.png
    Infomation Security © 2021-2024 • All right reserved.
    Simplicity is fashionable.
    Made with Jekyll using Typing Theme.