Boss Of The SOC (BOTS) v1 — Threat Hunting with Splunk (II)

Flick3r (Vighnesh Deep Sharan)
4 min read · Oct 30, 2023


Description

  • The lab is provided by INE — Effectively Using Splunk (S1).
  • Another very good & free lab: here.

Continuing from Boss Of The SOC (BOTS) v1 — Threat Hunting with Splunk (Part I)…

So, now let’s proceed further with the analysis to discover the exploitation activity carried out within the target organization.

Step 4 — Exploitation Activities

In this phase, we’ll employ Splunk to uncover any exploitation activity on the network. Let us focus on the stream:http sourcetype. The query is:

index=botsv1 sourcetype="stream:http"

Consider the following image:

Looking at the http_method section in the INTERESTING FIELDS column, it’s obvious that POST requests account for a large portion of the HTTP requests.

We are also interested in the requests being sent to 192.168.250.70, which is our organization’s website. The search we use is the following:

index="botsv1" sourcetype="stream:http" http_method="POST" dest="192.168.250.70" NOT "Acunetix"

Note: NOT "Acunetix" is specified to exclude Acunetix scanner requests.

Applying the search, the result is much cleaner. Let’s look at the http_user_agent field.

We discovered that the user agent Python-urllib/2.7 is used; let’s also include it in our search.

index="botsv1" sourcetype="stream:http" http_method="POST" dest="192.168.250.70" NOT "Acunetix" http_user_agent="Python*"

Scrolling down a little, we can see that form_data contains username and password values!

Consider the query below:

index="botsv1" sourcetype="stream:http" http_method="POST" dest="192.168.250.70" NOT "Acunetix" http_user_agent="Python*" | table _time,form_data,c_ip | sort + _time

It’s beyond doubt that the APT performed password brute-forcing. If we want to check whether the attack was successful, the user agent field can tell us.

index="botsv1" sourcetype="stream:http" http_method="POST" dest="192.168.250.70" NOT "Acunetix" | search form_data="*user*pass*" http_user_agent="Mozilla*" | table _time,form_data,http_user_agent,c_ip | sort + _time

It’s very likely that batman is the correct password. The search revealed that the attackers used Python to brute-force the password and then logged in with their actual web browser.

Finally, if we want to see the timeframe of the two successful logins, we can do so as below:

index="botsv1" sourcetype="stream:http" http_method="POST" dest="192.168.250.70" NOT "Acunetix" | search form_data="*passwd=batman*" | table _time,form_data,http_user_agent,c_ip | sort + _time

The timeframe between the scripted attempt and the browser login also supports the conclusion that the brute-force attack succeeded.
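The reasoning behind the Step 4 searches (POSTs to the web server, scanner noise excluded, scripted attempts separated from browser logins by user agent, the same password seen in both) can be run as code over the event fields the searches use. The block below is an added example and not part of the original write-up: the target address 192.168.250.70 and the password batman come from the text, while the client IPs (taken from documentation ranges), timestamps and the other passwords are constructed.

```python
"""Brute-force-then-browser-login detection over constructed stream:http-style records.

Added example, not from the original write-up. The target address and the
password batman come from the text; client IPs, timestamps and the other
passwords are made up.
"""
from datetime import datetime
from urllib.parse import parse_qs

TARGET = "192.168.250.70"

# Constructed sample events shaped like the fields the Splunk searches use.
EVENTS = [
    {"_time": "2016-08-10T21:40:00", "http_method": "POST", "dest": TARGET, "c_ip": "198.51.100.7",
     "http_user_agent": "Mozilla/5.0 (compatible; Acunetix)", "form_data": "username=admin&passwd=test"},
    {"_time": "2016-08-10T21:41:00", "http_method": "POST", "dest": TARGET, "c_ip": "198.51.100.7",
     "http_user_agent": "Python-urllib/2.7", "form_data": "username=admin&passwd=123456"},
    {"_time": "2016-08-10T21:41:01", "http_method": "POST", "dest": TARGET, "c_ip": "198.51.100.7",
     "http_user_agent": "Python-urllib/2.7", "form_data": "username=admin&passwd=letmein"},
    {"_time": "2016-08-10T21:41:02", "http_method": "POST", "dest": TARGET, "c_ip": "198.51.100.7",
     "http_user_agent": "Python-urllib/2.7", "form_data": "username=admin&passwd=batman"},
    {"_time": "2016-08-10T21:45:30", "http_method": "POST", "dest": TARGET, "c_ip": "203.0.113.9",
     "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0",
     "form_data": "username=admin&passwd=batman"},
    {"_time": "2016-08-10T21:46:00", "http_method": "GET", "dest": TARGET, "c_ip": "203.0.113.9",
     "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0",
     "form_data": ""},
]


def candidate_logins(events, target=TARGET):
    """Equivalent of: http_method="POST" dest=<target> NOT "Acunetix"
    | search form_data="*user*pass*" | sort + _time
    Keep POSTs to the web server, drop scanner noise, and keep only bodies
    that carry both a username and a passwd value."""
    rows = []
    for ev in events:
        if ev["http_method"] != "POST" or ev["dest"] != target:
            continue
        # NOT "Acunetix" in SPL matches the raw event; here we check every field we carry.
        if any("Acunetix" in str(v) for v in ev.values()):
            continue
        form = parse_qs(ev["form_data"])
        if "username" not in form or "passwd" not in form:
            continue
        rows.append({
            "time": datetime.fromisoformat(ev["_time"]),
            "user": form["username"][0],
            "password": form["passwd"][0],
            "agent": ev["http_user_agent"],
            "c_ip": ev["c_ip"],
        })
    return sorted(rows, key=lambda r: r["time"])


def find_successful_bruteforce(events, target=TARGET):
    """Flag a password that a scripted client (Python user agent) tried and
    that a browser (Mozilla user agent) later submitted for the same user:
    the pattern the write-up reads as brute force followed by a real login."""
    scripted_first, scripted_count, browser = {}, {}, {}
    for r in candidate_logins(events, target):
        key = (r["user"], r["password"])
        if r["agent"].startswith("Python"):
            scripted_first.setdefault(key, r)  # earliest scripted attempt per credential
            scripted_count[r["user"]] = scripted_count.get(r["user"], 0) + 1
        elif r["agent"].startswith("Mozilla"):
            browser.setdefault(key, []).append(r)
    hits = []
    for key, first in scripted_first.items():
        for login in browser.get(key, []):
            if login["time"] > first["time"]:
                hits.append({
                    "user": key[0],
                    "password": key[1],
                    "scripted_attempts": scripted_count[key[0]],
                    "scripted_at": first["time"],
                    "browser_at": login["time"],
                    "gap_seconds": (login["time"] - first["time"]).total_seconds(),
                    "browser_ip": login["c_ip"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_successful_bruteforce(EVENTS):
        print(f"{hit['user']}:{hit['password']} tried by script at {hit['scripted_at']}, "
              f"browser login from {hit['browser_ip']} {hit['gap_seconds']:.0f}s later "
              f"({hit['scripted_attempts']} scripted attempts for this user)")
```

The function returns the gap between the scripted attempt and the browser login along with the number of scripted attempts, which is the same evidence the write-up reads off the sorted table: a burst of guesses from one client followed by a browser submitting the last guessed password.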

Step 5 — Installation Activities

Once the exploitation is successful, we are mostly interested in the malware being transferred to the victim.

To find the malware upload, we want to look at POST requests carrying a file with a Windows executable extension.

index=botsv1 NOT "Acunetix" sourcetype=stream:http http_method=POST dest=192.168.250.70 ".exe"

part_filename{} is the field we want to look at, but it’s not enabled by default. We simply click on All Fields, then choose part_filename to activate it.

By doing so, we can efficiently list the files uploaded to the server, as in the following image:

The file 3791.exe is flagged as malicious because of the source address it was uploaded from.

Splunk provides the ability to extract hashes of the uploaded files. To do that, we focus on Sysmon log events:

index=botsv1 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

We can narrow down the search to the executable 3791.exe and Event ID 1 (process creation).

index=botsv1 3791.exe sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1

We can go a step further by adding CommandLine, so that only the processes launched as 3791.exe are kept.

index=botsv1 "3791.exe" sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine=3791.exe

In order to extract the relevant hash, we can do as follows:

index=botsv1 "3791.exe" sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine=3791.exe | stats values(md5)

We then submit the hash to hybrid-analysis, where it is marked as malicious.
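Step 5 is a chain of two pivots: from the HTTP upload (POST, part_filename ending in .exe) to the file name, and from the file name to the Sysmon process-creation event that records its hash. The block below is an added example and not the write-up’s own code: 3791.exe, the web server 192.168.250.70 and Sysmon Event ID 1 come from the text; the client IPs, the on-disk path and the hash values are constructed placeholders and are not the real hashes from the dataset. It also shows why the CommandLine filter matters: a process that merely mentions 3791.exe on its command line would match a bare "3791.exe" search but is not the process that launched it.

```python
"""Link an uploaded .exe to the MD5 Sysmon records when it runs.

Added example, not from the original write-up. File name, web server and
Event ID come from the text; IPs, paths and hash values are constructed.
"""
import ntpath
import re

TARGET = "192.168.250.70"

# Constructed stream:http records; part_filename mirrors the multi-valued
# part_filename{} field enabled in the write-up.
HTTP_EVENTS = [
    {"http_method": "POST", "dest": TARGET, "c_ip": "198.51.100.7", "part_filename": ["3791.exe"]},
    {"http_method": "POST", "dest": TARGET, "c_ip": "203.0.113.9", "part_filename": ["photo.jpg", "notes.txt"]},
    {"http_method": "POST", "dest": TARGET, "c_ip": "198.51.100.7", "part_filename": []},
    {"http_method": "GET", "dest": TARGET, "c_ip": "198.51.100.7", "part_filename": ["tool.exe"]},
]

# Constructed Sysmon events; Hashes follows Sysmon's "ALG=hex,ALG=hex" layout,
# with placeholder hex values instead of real hashes.
SYSMON_EVENTS = [
    {"EventCode": 1, "Image": "C:\\inetpub\\wwwroot\\uploads\\3791.exe", "CommandLine": "3791.exe",
     "Hashes": "SHA1=" + "a" * 40 + ",MD5=" + "b" * 32 + ",SHA256=" + "c" * 64},
    {"EventCode": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\inetpub\\wwwroot\\uploads\\3791.exe",
     "Hashes": "SHA1=" + "d" * 40 + ",MD5=" + "e" * 32 + ",SHA256=" + "f" * 64},
    {"EventCode": 3, "Image": "C:\\inetpub\\wwwroot\\uploads\\3791.exe", "CommandLine": "", "Hashes": ""},
]


def uploaded_executables(http_events, target=TARGET):
    """POST uploads to the web server carrying a Windows executable
    (the ".exe" filter of the search); returns {filename: sorted source IPs}."""
    found = {}
    for ev in http_events:
        if ev["http_method"] != "POST" or ev["dest"] != target:
            continue
        for name in ev.get("part_filename", []):
            if name.lower().endswith(".exe"):
                found.setdefault(name, set()).add(ev["c_ip"])
    return {name: sorted(ips) for name, ips in found.items()}


def launched_image(command_line):
    """Basename of the program a command line launches, honouring quoted paths."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command_line)
    return ntpath.basename(m.group(1) or m.group(2)) if m else ""


def parse_hashes(hashes_field):
    """Sysmon's Hashes string ('SHA1=..,MD5=..') -> {'sha1': .., 'md5': ..}."""
    out = {}
    for part in hashes_field.split(","):
        alg, sep, value = part.partition("=")
        if sep:
            out[alg.strip().lower()] = value.strip().lower()
    return out


def md5s_for_executable(sysmon_events, exe_name):
    """Analogue of: EventCode=1 CommandLine=<exe> | stats values(md5)
    Only process-creation events that launch exe_name count, so a cmd.exe
    line that merely mentions the file is skipped."""
    md5s = set()
    for ev in sysmon_events:
        if ev.get("EventCode") != 1:
            continue
        if launched_image(ev.get("CommandLine", "")).lower() != exe_name.lower():
            continue
        md5 = parse_hashes(ev.get("Hashes", "")).get("md5")
        if md5:
            md5s.add(md5)
    return sorted(md5s)


def triage_uploads(http_events, sysmon_events, target=TARGET):
    """For every uploaded executable: who uploaded it and which MD5s it ran with."""
    return {
        name: {"uploaded_from": ips, "md5": md5s_for_executable(sysmon_events, name)}
        for name, ips in uploaded_executables(http_events, target).items()
    }


if __name__ == "__main__":
    for name, info in triage_uploads(HTTP_EVENTS, SYSMON_EVENTS).items():
        print(name, "uploaded from", info["uploaded_from"], "md5", info["md5"])
```

The MD5 values returned here are the ones to submit to a sandbox or reputation service, as the write-up does with hybrid-analysis; the placeholder values in the sample are not real hashes and should not be looked up.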

Step 6 — Command and Control Server

In this phase, the APT mostly interacts with the victim over C2. It’s very likely that the C2 will use a domain name to interact with the victim.

Splunk allows us to extract domains with the stream:dns sourcetype. Let us filter the DNS traffic involving the 23.22.63.114 IP address.

index=botsv1 sourcetype=stream:dns "23.22.63.114" | stats values(name{})

If we look a bit closer, this domain is the one that defaces our web server.

index=botsv1 sourcetype="stream:http" "prankglassinebracket.jumpingcrab.com"
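The Step 6 pivot goes from the C2 address to the domain names that resolve to it, and from those names to the HTTP requests that fetched content from them. The block below is an added example, not code from the write-up: the IP 23.22.63.114 and the domain prankglassinebracket.jumpingcrab.com come from the text; the internal hosts, timestamps, second domain and URI paths are constructed, and the answer field is named host_addr here as an assumption about the stream:dns record shape, while site and uri_path mirror stream:http field names.

```python
"""Pivot from a C2 IP to its domains and on to the HTTP requests to them.

Added example, not from the original write-up. The IP and the first domain
come from the text; hosts, timestamps, the other domain and paths are
constructed. host_addr is an assumed name for the DNS answer field.
"""

C2_IP = "23.22.63.114"

# Constructed stream:dns response records; name mirrors name{}, host_addr the answers.
DNS_EVENTS = [
    {"_time": "2016-08-10T21:50:00", "src": "192.168.250.100",
     "name": ["prankglassinebracket.jumpingcrab.com"], "host_addr": [C2_IP]},
    {"_time": "2016-08-10T21:50:05", "src": "192.168.250.100",
     "name": ["update.example-cdn.test"], "host_addr": ["198.51.100.22"]},
    {"_time": "2016-08-10T21:52:00", "src": "192.168.250.70",
     "name": ["img.constructed-alias.test"], "host_addr": [C2_IP, "203.0.113.5"]},
]

# Constructed stream:http records.
HTTP_EVENTS = [
    {"_time": "2016-08-10T21:50:01", "src": "192.168.250.100", "dest": C2_IP,
     "site": "prankglassinebracket.jumpingcrab.com", "uri_path": "/deface.jpg"},
    {"_time": "2016-08-10T21:51:00", "src": "192.168.250.100", "dest": "198.51.100.22",
     "site": "update.example-cdn.test", "uri_path": "/manifest.json"},
    {"_time": "2016-08-10T21:52:01", "src": "192.168.250.70", "dest": C2_IP,
     "site": "img.constructed-alias.test", "uri_path": "/banner.png"},
]


def domains_resolving_to(dns_events, ip):
    """Analogue of: sourcetype=stream:dns "<ip>" | stats values(name{})
    Every name from any response whose answers include the IP."""
    names = set()
    for ev in dns_events:
        if ip in ev.get("host_addr", []):
            names.update(ev.get("name", []))
    return sorted(names)


def http_to_domains(http_events, domains):
    """Analogue of: sourcetype=stream:http "<domain>" for each pivoted domain,
    returned as (time, internal host, site, path) sorted by time."""
    wanted = {d.lower() for d in domains}
    return sorted(
        (ev["_time"], ev["src"], ev["site"], ev["uri_path"])
        for ev in http_events if ev.get("site", "").lower() in wanted
    )


def pivot_c2(dns_events, http_events, ip):
    """IP -> domains -> HTTP requests, plus the internal hosts that made them."""
    domains = domains_resolving_to(dns_events, ip)
    hits = http_to_domains(http_events, domains)
    return {"domains": domains, "http": hits, "hosts": sorted({h[1] for h in hits})}


if __name__ == "__main__":
    result = pivot_c2(DNS_EVENTS, HTTP_EVENTS, C2_IP)
    print("domains:", result["domains"])
    for when, host, site, path in result["http"]:
        print(when, host, "->", site + path)
    print("internal hosts involved:", result["hosts"])
```

Collecting every name that resolved to the address, rather than only the one already known, is what surfaces aliases the attacker may rotate; the hosts list is the set of internal machines to look at next.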

So, this is the end of the full end-to-end analysis of the BOTS v1 dataset via Splunk.

I hope this will contribute something to readers who are passionate about blue-teaming.

Thanks for Reading,

Stay Tuned!!

Ok till then — Happy Hacking!!

Flick3r (Vighnesh Deep Sharan)

Cybersecurity Enthusiast, CyberGeek, Pentester, VAPT, SOC-Analyst, Data Analyst @Cognizant.