Splunk 2 Boss of the SOC (BOTS) - 300 Series | TryHackMe | Splunk Analysis

Captions
Hey everybody, my name is Ron and welcome to the walkthrough video of the Splunk 2 300 series questions. In this video we'll be continuing the Boss of the SOC competition by Splunk, and we'll be investigating events that gave a certain user encrypted files and malware. Again, I'm making this video to reinforce my own learning and hopefully help you guys out with understanding Splunk. If you have any comments or any ideas, make sure to put them in the comments below, and if you found this content helpful or useful, give me a thumbs up and subscribe for more cyber security content. Without further ado, let's get into it.

OK, let's go ahead and get started with the Splunk 2 Task 5 300 series questions.

First question: Mallory's critical PowerPoint presentation on her MacBook gets encrypted by ransomware on August 18th. What is the name of this file after it was encrypted? What they wanted us to do initially was use the index botsv2, Mallory, and the file extension of PowerPoint, which is .pptx. So let's go ahead and plug that in, .pptx, and let's change the preset to search all time. On the first result we can easily see frothly marketing campaign q317.pptx.crypt. Since they wanted us to be more specific about the host, let's check out host under Selected Fields, and notice that it is MACLORY-AIR13. So let's go ahead and just add this to our search moving forward. So what is the name of the file after it was encrypted? It was frothly marketing campaign q317.pptx.crypt.

Next question: There is a Game of Thrones movie file that was encrypted as well. What season and episode is it? So let's go ahead and clear some of this up: let's get rid of Mallory and .pptx and let's type in "Game of Thrones". As you let the search terms populate you'll see that it is season 7 episode 2, and just looking at this you can see that a torrent was involved and a movie file was involved, and it eventually did get encrypted. So let's go ahead and just start off with "got". Scrolling down and looking at the third result, we'll see that Game of Thrones season 7 episode 2 was encrypted, and if we look under Interesting Fields at columns.target_path, we'll see other related Game of Thrones files. So what season and episode was it? It was season seven, episode two.

Let me go on a little side quest here and see how she got this file. Let's get rid of a lot of this information and let's just see what this pulls up: 18 events. Let's look under sourcetype. Oh, it looks like she got this possibly from an email. OK, check that out. Let's look at the body, and it doesn't seem to say anything about Game of Thrones. Let's look at file attachments, actually. So one has the attachment, so she might have gotten this from an email. Let's see. OK, this person, or this user, sent this torrent file to her, and it might have been Mac's neckbeard at gmail.com. So let's look at the body real quick: "Also, I still cannot believe you didn't get my reference when I called you Mallory of Dragons." All right, maybe some guy's flirting with Mallory here. There's also an Office 2016 patcher torrent file here, so there's definitely some piracy going on. All right, back to the main quest.

Next question: Kevin Lagerfield used a USB drive to move malware onto kutekitten, Mallory's personal MacBook. She ran the malware, which obfuscates itself during execution. Provide the vendor name of the USB drive Kevin likely used. Answer guidance: use the time correlation to identify the USB drive. OK, so we'll be looking for a USB vendor, and this could be a username that she used in her MacBook. So let's go ahead and clear this up. Let's type in "USB vendor". Let's look at the first result. OK, it seems that we have some information here under the ID 058f. Let's see if we can find something with that. Let's go to Google. Let's check out that first link, and it is: USB vendor ID is 058F and the vendor details is Alcor Micro Corp. And that is the answer: Alcor Micro Corp.

Next question: What programming language is at least part of the malware from the question above written in? So we're looking for a programming language now. How are we going to find that? Let's start filling up the search bar. Let's go to decorations.username and use mkraeusen. Let's get rid of "USB vendor", and let's look for, possibly, file events. From my understanding, file events could mean events related to file activities such as file creation, deletion, modification or access. So let's go look up file events, and let's look at columns.target_path under Interesting Fields, and we'll see that we have Users, mkraeusen, Downloads, important HR info for mkraeusen. Let's go ahead and search for some identifiers, like this MD5. Since we know it's malware, let's go to VirusTotal and let's type in the hash, the MD5 hash. The popular threat label here is Trojan Perl Remission, and the language that I'm seeing here is Perl. So the programming language they used is Perl.

Next question: When was this malware first seen in the wild? So let's go back to our VirusTotal here and look at the Details. So the first time it was seen in the wild was January 17, 2017.

Next question: The malware infecting kutekitten uses dynamic DNS destinations to communicate with two C&C servers shortly after installation. What is the fully qualified domain name of the first of these destinations? Going back to VirusTotal, let's look at Relations. The first domain that has been detected, 2 out of 89 here, is this duckdns.org, and another one with this hopto.org.

And that is it for the Task 5 300 series questions. Hopefully it was easy enough to follow and you guys found it useful. So if you like this content, please give me a thumbs up and subscribe for more cyber security content. Thank you guys for watching.
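The USB question above is answered in the video by reading the Splunk results by eye. The block below is an added example, not the video's or the BOTS v2 data set's code: it performs the "time correlation" the answer guidance asks for in plain Python over a handful of constructed osquery-style JSON events. Field names follow osquery's usb_devices and file_events tables; the host, user, paths, hashes, timestamps, the 30-minute window and the vendor entries other than 058f (Alcor Micro Corp.) are assumptions made for the demo. The same code also pulls out the MD5 to pivot on in VirusTotal and lists files the ransomware renamed with the .crypt suffix.

```python
"""Correlate a USB insertion with a later file creation on a Mac endpoint.

Added example for the USB question above; it is not the video's or the
BOTS v2 data set's code. The events below are constructed osquery-style
result lines: field names follow osquery's usb_devices and file_events
tables, but the host, user, paths, hashes and timestamps are invented.
"""
import json
from datetime import timedelta

# Tiny slice of the public USB vendor ID list. 058f is the ID the video
# looked up (Alcor Micro Corp.); the other two are included for contrast.
USB_VENDORS = {
    "058f": "Alcor Micro Corp.",
    "0781": "SanDisk Corp.",
    "0951": "Kingston Technology",
}

# Constructed sample log: one JSON object per line, as osquery emits them.
CONSTRUCTED_LOG = r"""
{"name":"pack_usb_devices","action":"added","hostIdentifier":"demo-mac","unixTime":1503069000,"columns":{"vendor_id":"0951","model_id":"1666","serial":"A1"},"decorations":{"username":"demo"}}
{"name":"pack_usb_devices","action":"added","hostIdentifier":"demo-mac","unixTime":1503070200,"columns":{"vendor_id":"058f","model_id":"6387","serial":"B2"},"decorations":{"username":"demo"}}
{"name":"pack_file_events","action":"added","hostIdentifier":"demo-mac","unixTime":1503070350,"columns":{"target_path":"/Users/demo/Downloads/important_hr_info.app","action":"CREATED","md5":"0123456789abcdef0123456789abcdef"},"decorations":{"username":"demo"}}
{"name":"pack_usb_devices","action":"removed","hostIdentifier":"demo-mac","unixTime":1503070900,"columns":{"vendor_id":"058f","model_id":"6387","serial":"B2"},"decorations":{"username":"demo"}}
{"name":"pack_file_events","action":"added","hostIdentifier":"demo-mac","unixTime":1503080000,"columns":{"target_path":"/Users/demo/Desktop/report.pptx.crypt","action":"CREATED","md5":"fedcba9876543210fedcba9876543210"},"decorations":{"username":"demo"}}
"""


def parse_osquery(log):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in log.strip().splitlines() if line.strip()]


def file_events(events, path_contains):
    """file_events rows whose target_path contains the given substring."""
    return [
        e for e in events
        if e["name"].endswith("file_events")
        and path_contains in e["columns"]["target_path"]
    ]


def usb_inserted_before(events, when, window=timedelta(minutes=30)):
    """Most recent USB 'added' event in the window ending at `when` (epoch seconds).

    Returns None when no device was inserted inside the window: a file that
    appeared long after any insertion is not evidence for a particular drive.
    """
    limit = window.total_seconds()
    candidates = [
        e for e in events
        if e["name"].endswith("usb_devices")
        and e["action"] == "added"
        and 0 <= when - e["unixTime"] <= limit
    ]
    return max(candidates, key=lambda e: e["unixTime"]) if candidates else None


def vendor_name(vendor_id):
    """Resolve a 4-hex-digit USB vendor ID; unknown IDs are reported, not guessed."""
    return USB_VENDORS.get(vendor_id.lower(), "unknown vendor (" + vendor_id + ")")


def correlate(log, path_contains):
    """For each matching file creation, name the drive inserted just before it."""
    events = parse_osquery(log)
    results = []
    for fe in file_events(events, path_contains):
        usb = usb_inserted_before(events, fe["unixTime"])
        results.append({
            "target_path": fe["columns"]["target_path"],
            "md5": fe["columns"]["md5"],  # pivot value for a VirusTotal lookup
            "vendor_id": usb["columns"]["vendor_id"] if usb else None,
            "vendor": vendor_name(usb["columns"]["vendor_id"]) if usb else None,
            "seconds_after_insert": fe["unixTime"] - usb["unixTime"] if usb else None,
        })
    return results


def encrypted_files(events):
    """(encrypted name, original name) pairs for files the ransomware renamed."""
    paths = (e["columns"]["target_path"] for e in events if e["name"].endswith("file_events"))
    return [(p, p[:-len(".crypt")]) for p in paths if p.endswith(".crypt")]


if __name__ == "__main__":
    for hit in correlate(CONSTRUCTED_LOG, "important_hr_info"):
        print(hit)
    print(encrypted_files(parse_osquery(CONSTRUCTED_LOG)))
```

Two insertions fall inside the window in the sample, and the one closest to the file creation (058f, 150 seconds earlier) is chosen, which is the same judgement the video makes by scrolling the Splunk timeline. In Splunk the equivalent is to search both sourcetypes for the host, sort by `_time`, and read the usb_devices row immediately above the file_events row; the 30-minute cutoff here is an assumed tuning knob, not a value from the data set.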
Info
Channel: RonR1337
Views: 329
Id: hk_IM5GYlS0
Length: 7min 52sec (472 seconds)
Published: Wed Sep 27 2023