Boss Of The SOC (BOTS) v1 — Threat Hunting with Splunk (Part-I)

Flick3r (Vighnesh Deep Sharan)
3 min read · Oct 25, 2023

Description

  • The lab is provided by INE — Effectively Using Splunk (S1).
  • Another very good & free lab: here.

Continuation of Boss Of The SOC (BOTS) v1 — Threat Hunting with Splunk (Part I)

So, in my previous writeup we came to the conclusion that the APT group members used the Acunetix vulnerability scanner to perform reconnaissance against the Joomla websites hosted on the organization’s IP, 192.168.250.70.

Now let’s work through the Weaponization and Delivery Activities steps to dig deeper into the attacker’s infrastructure and everything else relevant to this APT.

Step 2 — Weaponization

In this phase, we start investigating the attacker’s infrastructure and all relevant information related to this APT.

Using Splunk, we’re able to derive a fair amount of information about 40.80.148.42. Yet applying the same searches to the 23.22.63.114 address doesn’t yield much of interest.

Now, if we go to the open-source platforms such as robtex, or threatcrowd and submit this IP address …

we can see that this IP address is linked to several phishing domains that resemble Wayne Enterprises.
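When an OSINT pivot like this returns a list of domains, the analyst’s first question is which of them actually impersonate the organization’s brand. The following is an added example (not part of the original post or the BOTS lab) that scores candidate domains against assumed brand labels using homoglyph normalization and edit distance; the brand labels and the sample domains are constructed for illustration.

```python
import re
from typing import List, Tuple

# Brand labels the analyst expects to see impersonated (assumed for this example).
BRAND_LABELS = ["wayneenterprises", "wayneenterprise", "waynecorp"]

# Digits commonly substituted for visually similar letters in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample input standing in for the domains an OSINT lookup returned.
SAMPLE_DOMAINS = [
    "wayneenterpr1ses.com",
    "waynecorp-inc.net",
    "wayneenterprises-login.info",
    "gothamgazette.org",
    "wayneentreprises.com",
]


def normalize(label: str) -> str:
    """Collapse visual tricks: 'rn' renders like 'm', digits map to letters, hyphens are dropped."""
    label = label.lower().replace("rn", "m").translate(HOMOGLYPHS)
    return re.sub(r"[^a-z]", "", label)


def sld_of(domain: str) -> str:
    """Second-level label of a domain; assumes a single-label TLD such as .com or .net."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute) via a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_lookalikes(domains: List[str], max_distance: int = 2) -> List[Tuple[str, int, str]]:
    """Return (domain, distance, closest brand label) for domains within max_distance
    edits of a brand label, or that embed a brand label outright (e.g. brand-login)."""
    hits = []
    for domain in domains:
        norm = normalize(sld_of(domain))
        dist, brand = min((levenshtein(norm, b), b) for b in BRAND_LABELS)
        if dist <= max_distance or any(b in norm for b in BRAND_LABELS):
            hits.append((domain, dist, brand))
    return hits
```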

Likewise, an open-source tool such as ThreatCrowd reveals a good deal of additional information.

Furthermore, if we perform a DNS lookup against one of the above phishing domains, we come across more valuable information, such as the registrant email address or the NS records.

With that email address, we can potentially uncover other infrastructure associated with the APT group.

Step 3 — Delivery Activities

In this phase, we want to gather more information, potential malware used by the attackers …

Websites such as ThreatMiner give us valuable information about the TTPs used by the APT.

Submitting the 23.22.63.114 address to www.threatminer.org returns a few malware samples used by the adversaries …

Again, if we submit the MD5 hashes to open sources such as VirusTotal or Hybrid Analysis, we can retrieve metadata about those samples, which will be useful later in the investigation.

Next post: We’ll examine Exploitation, Installation, and C2 phases used by the APT.

Stay Tuned!!

Ok till then — Happy Hacking!!

Flick3r (Vighnesh Deep Sharan)

Cybersecurity Enthusiast, CyberGeek, Pentester, VAPT, SOC-Analyst, Data Analyst @Cognizant.