Splunk SIEM Tutorial | Most Popular Cybersecurity Tool

Captions
Splunk is one of the most popular cyber security tools, and today we're going to be doing a hands-on tutorial to help you sharpen your skills. I'm JB, this is Cyber Insight, and today we're going to be hopping into another TryHackMe lab walkthrough. So I'm going to get my browser set up over here, but do me a solid: go ahead and smash that like button first, and if this is your first time on the channel I appreciate it and invite you to go ahead and subscribe. If you do that, make sure you turn on the notifications so you don't miss whenever I drop any new content.

Let's jump over into this and talk a little bit about what we're going to be doing today. This room is part of the Blue Team primer series on TryHackMe. It might look familiar to you, because we actually did the first half of this room, I want to say maybe a year or so ago. It's a really big room; there were like four different sections, we did the first two, and I promised we would get back to it, and today we are going to be doing that. Right off the bat there are two things we've got to do before we hop into it: hit "Start Machine" here, and then there's an AttackBox, so you want to go and hit that button up there and get that turned on too.

To give you a little bit of background on the data that we're going to be viewing within Splunk: we're going to be using Splunk to do some analysis on some different problems that have happened within this environment. The cool thing is that it comes from a data set called Boss of the SOC. It was created back in 2017 and there's a whole bunch of cool different types of data in here, which is very applicable to what we would see in an actual real-world organization. We have some Windows endpoint monitoring including Sysmon, which, if you have been doing any blue team type of stuff, you know is one of the better tools we have for detecting different types of events on Windows boxes. It also has Palo Alto firewalls, I believe there are some web proxies, and it's also using Suricata as a network-based IDS. So a whole bunch of different types of log sources coming into Splunk.

If you've never messed with Splunk before, this is a great room to get your hands dirty and figure things out. We're just going to fumble through this; we are going to be successful, but this is totally about learning how to use Splunk, so if you have any questions or comments as we move through this, throw those in the chat and we'll hit those up as we go. One thing they do recommend: if you want to feel a little more comfortable using Splunk instead of jumping into this right away, there is a more basic room, Splunk 101. If you check out my TryHackMe rooms walkthrough playlist you'll see that I do have that there. If you feel the need to do that, go ahead; if not, you can just hop into this. Like I said, we already did the first two series of questions, 100 and 200; if you want to check that out there should be a link in the video description.

So we are just going to jump into the Series 300 questions. I already have Splunk up and running, I have the AttackBox up, and we see there's a URL for us to go to right here that will launch Splunk. You don't need a username and password to get into it. One thing to notice when we do get into Splunk is that we want to point towards the index of the data that we're using, and in this case we're going to be using the Boss of the SOC version 2 data set, so it's just index equals and then in quotes botsv2. As you notice here it says 135,000 events (partial); I stopped it just because there are so many events within this data set, but at least you can see when we jumped in that we do have a bunch of data in here.

So let's go see what these first few questions are and start digging into this. They do give us a walkthrough here of how to go about finding all the different information that we need. We can either start with this or just start with the questions and refer back up to this as needed; I think we should do that and see if we can figure things out, and if not we can go up and take a look.

The first question: Mallory's critical PowerPoint presentation on her MacBook gets encrypted by ransomware on a specific date, and they want to know what the name of this file is after it was encrypted. There are a few bits of information here that are kind of interesting. We obviously could search based off of date if we wanted to, we know her name, and we know that there's a PowerPoint presentation, so there are a few different things we could do with that. We can also just search for Mallory; we're just going to hit this little magnifying glass over here and see if that comes up with anything helpful. Nothing is coming in yet; sometimes this does take a second, and I've noticed in these labs that for whatever reason sometimes you have to refresh stuff, which is actually what they recommend doing here. I'm just going to refresh this real quick. There we go: we see 181 events that have Mallory in these types of logs.

A few different things we can look at right away: we can look at some of the different source types that are coming in and some of the hosts that we see. Once you get really familiar with Splunk, a lot of this you might just be doing with different commands or syntax in the search field, but from a learning perspective it's really good to just go through the GUI here and see what pops up when we look at selected fields and interesting fields, and then click into these to see even more.

We see this MACLORY-AIR13; that could be her Mac computer that they were talking about, it has Mac in it and Air, so that seems like a potential play on that. We have all these different types of sources that stuff is coming from, so we have Windows event logs, maybe some PowerShell, some streams. Streams are kind of interesting because we're able to see the full data coming through, whether it's HTTP or SMTP, and depending upon what toolsets you have to monitor those you're able to pull those back in. We see Suricata, we see osquery, so a whole bunch of different source types there. Then underneath you have other interesting fields; we're definitely going to be digging into these, especially when we're looking for specific things.

Right off the bat we are just looking at her name. We could go and search for her Mac based off of that host; it's probably going to pull up a lot of stuff if we just do that by itself. I think we could probably do this: I'm going to click on that and it's going to put the host there, and we can get rid of this. Then they did mention the type of file it was, right, a PowerPoint, so there are a few different extensions for PowerPoint and we can add syntax like this. We have the index, the host name, and then for PowerPoints .ppt or .pptx, and this little asterisk here means anything, so anything that ends in .ppt or .pptx. That should bring up any logs that have any PowerPoints associated with her MacBook. So let's do that, "or *.pptx", it'll be like this. Okay, so we got seven events that are matching this, and let's see what we got here.

Different source types that we have here: osquery results, or ps. If we click down into this, this looks like ps; I'd assume that's probably PowerShell. It looks like some type of command here that ended up taking a PowerPoint, and it looks like a .crypt, so it looks like it encrypted it somehow. We can click this little arrow here and it will give us a lot more information. I would assume that's a PowerShell command that's probably outputting something, but I would say that looks like what we're looking for as far as the PowerPoint document that ended up getting encrypted. So let's copy that over and see if that will answer the first question. Now, moving back and forth between here and whatever else you're using within the AttackBox, you've got to use this little clipboard thing here, which can get kind of annoying sometimes. What is the name of the file after it was encrypted? Boom, there we go.

So it says there is a Game of Thrones movie file that was encrypted as well; what season and episode is it? We know that whatever is doing the encryption by the ransomware is encrypting things with a .crypt extension, so we should be able to go like this. Let's see if there's any other particular syntax we want there. We're going to identify the source type too, so sourcetype equals ps, because that's where we found that, and then that particular extension, so we're just going to do asterisk .crypt. Let's give that a try. Okay, so we got a whole bunch of different events here that are coming from the ps source type that match the .crypt extension, and that looks like a thousand events coming in, which, if she had ransomware and it was encrypting every single file that was on her laptop, would make a lot of sense.

Again, if we wanted to we could click into these and get a little more into the different source types and stuff like that, but I would say anything that's GoT dot whatever, chances are it could be Game of Thrones. So that looks like it is season seven episode two; I think that's probably a fair statement. We can type that in and see if that works: S07E02. Let me move this down so you can see this a little better. S07E02 right there. Let's see if that works. Okay.

So it says Kevin Lagerfield used a USB drive to move malware onto cutekitten, Mallory's personal MacBook, so a different computer here. She ran the malware, which obfuscates itself during execution. Provide the vendor name of the USB drive Kevin likely used, and we can use time correlation to help identify when all this stuff was happening. So what we will do here, I would say, is first off look for this particular host, cutekitten. We can go back up here, get out of this, and I don't think we're going to need anything here. The nice thing is that it should auto-fill, or allow you to auto-fill, based off of data that you already have within these particular indexes, so it already knows that there's a host cutekitten. So we can go ahead and do that; there are probably going to be a whole bunch of events that come in for this. We could search on USB possibly as well, and we could try to correlate things down to specific times. Now, you see here I'm using All time over here because I wanted to look at the complete data set. Yeah, so we are going to have a lot of different events that matched here, so let's see if they give us any additional hints on a good way to go about doing this. They're talking about doing what we did, searching for the particular host. It is a MacBook, so we could look for different places where we would expect files to download on a MacBook, if you're familiar at all with the folder directory structure of a MacBook.

For kicks and giggles let's just do this: I just want to see if we see anything that matches on USB, and we can look at source types. I got osquery; let's see what this PowerShell command is here, grep. No, that's not going to... let's get rid of that. Let's see what other interesting fields we can look at. There's a lot of osquery stuff, and we can talk about that in a second. I'm going to see if anything else pops up here. They talk about what osquery is: osquery exposes the operating system as a high-performance relational database, so this allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, plugins, stuff like that. So let's take a look and see if we can find the path in which something might have been downloaded. I think, if I remember correctly, with Mac it's going to end up being Users and then the name and then the folder, but we have to escape the slashes this way. Let's copy this over and see if we can go like this. Let's get rid of that; it should be, I believe, Users. Let's see, home maybe, Desktop, Downloads. Nothing. Okay, it might be User. No. Trying to look on my own: yeah, it's Users. Okay, Downloads maybe? No. Okay, now let's take a look around at what else that might be, see what they say are potential things here. Oh, I think the reason is... yeah, we don't actually know what her username is. Duh, that's obvious. So let's do this: we're just going with Mallory without actually knowing what it is that we're looking at here. Let's try this. Okay, there we go, now we can see what we might have here.

Let's see under names, no. We can go under more fields, see if there is event type, see name. Oh no, that wasn't it. Let's just try users. Okay, see if we can find something else here; I'm going to try to not scroll through that so quickly. Action, host, username, okay, there we go. So it's mkraeu, and let's click on that. At that point maybe we could try USB, see if that comes up with anything. No. Okay, so we should go and look for the particular folder structure for her with that username, so we should be able to double-escape that like before: backslash backslash forward slash backslash backslash m-k-r-a-u, I think that will do it. Let's give that a try. Okay, that looks good. Oh, did I do that backwards? There we go, yep, that's why that syntax matters a lot. Okay.

Oh, let's see: "first time seeing someone do a live TryHackMe." Oh man, I have a lot of videos doing live ones; sometimes it works out well, sometimes it doesn't, but normally the issues that I run into, other people run into the same stuff, so watching me fumble through stuff just helps other people out.

All right, so now we have all the stuff that would go under this particular directory. Let's look at Downloads, so let's go Downloads. Okay, so what do we got? Downloads path, nothing really jumping out there. I wonder what else might... and if anybody has any other ideas I'm happy to do that. USB, let's see, and I think I did this before; anybody end up coming up with some USB hits here? I think I did sourcetype, that was grep, and we saw that it was USB. Yeah, I am just not seeing that. Let's get rid of that source type. Trying to see what type of... let's see if there were any other hints back here: look at the available interesting fields.

Let's see what they say for the search query: execute double-escaped; we did that. All right, so maybe we're hopping around a little bit too much, so let's just go here: Downloads. Search that. Five. Let's see, file type, index, hostname, added. These are all file events, added, so let's just see, downloaded. Okay, so this is file here, target path. Okay, so there's a SHA value for this file; we can copy that, maybe, and go see if there's anything malicious with that. Do you want to copy link? Can I get that? Let's get rid of that. Target path, yeah, okay, so there's only one column, target path, there, file events added, but I want to get the SHA value from that, and then we will go to VirusTotal and take a look. Text, just... yeah, so I just clicked on the "show raw text". So maybe this particular event isn't the one that I need; let's take a look at this one, because it's all the same file. No. "Is this really applicable in a real-life scenario?" I think so. I mean, if you're searching for some type of ransomware and you're trying to find what file was actually the original one that did that... Yeah, not this one again, so that's not it. Let's see, added, see this one, there we go. All right, so that's the one that I want; let's look at the show raw text, that's what I want. There we go, now I should be able to take the SHA value and copy that.

We can go to VirusTotal, accept all that. VirusTotal is a good place to go and check and see if stuff is potentially bad. Just because it doesn't show up here doesn't mean that it's not bad; sometimes stuff hasn't been uploaded and hasn't been searched yet. All right, so this did get flagged as something bad, so that's good. There are some details here that we can pick out: it's a Perl script, has some potential names, relations, some IP addresses, behavior goes into what it potentially does, some domain names that it points to.

So we found the file they want us to. If we look at events one minute prior, what keywords are we talking about here? Once you find the file you confirm, take the hash, pivot, and then look one minute prior. Let's see if there's anything. We go one minute prior; that didn't necessarily pull up anything else there, I think. And then within that time period we can maybe go and search for USB. Maybe, I don't know if that's going to work or not. Okay, so within that time period of when we saw that file get downloaded, I extended the search period to a minute before and then searched on USB, and now we do see some stuff matching on this: removed, added. Let's see if it gives us any interesting information: mass storage, added. Okay, so we do have a vendor ID of 058f. I don't know what that is, but we can definitely go and Google that: USB vendor 058f, and that looks like it's Alcor Micro Corp. All right, let's copy that and see if that is the answer. That was a lot of going back and forth, but the thinking there makes sense, right? If we see a file being downloaded at a certain time period and we know it was because somebody plugged in a USB, once we end up finding that file, if we just go back and open up the time frame there, then that might make sense. Let's see if this works. Cool, that worked.

It says: what programming language is at least part of the malware in question from above? We actually already saw that when we went to VirusTotal; under details I think it said it was Perl. Let's see, Perl, yep, so we got a little bit ahead of ourselves there, but that's cool. And then when was the malware first seen in the wild? We'll actually see that here on VirusTotal as well: first seen in the wild 2017 January 17th. So we just copy this, move this over, and hopefully this is in the format that they want it here. Yeah, that looks good, cool.

Okay: the malware infecting cutekitten uses dynamic DNS destinations to communicate with two command-and-control servers shortly after installation. What is the fully qualified domain name of the first (alphabetically) of these destinations? We should also see from this that they identified what these were going to from a DNS standpoint, and it looked like these two. Now we could do a search within Splunk just to verify this; we could just search on eidk maybe. We also could search for a specific traffic type. eidk, and we see it's actually already popping up here, because it already knows that we see it in the logs; like I said, if it knows that it's there then it will show that somehow. And you've got to make sure that you change the time range back to what we wanted, which was All time. All right, so we do that and we see that we have 12 events for that DNS name. We can see the source type is going to be stream:dns; remember I mentioned that there are different types of streams depending on the protocols you're using, so here it's just capturing the back and forth of DNS resolution. There are two different ones that we already identified, so let's grab this one and copy it over. Let's see if this is the first one; I don't remember which one was first in alphabetical order. I think that's the first one, and then we can see the other one, hopto.org, and let's see if that works.

All right, so that was all the 300 questions. We did a few different things here. We knew that we had a MacBook that had some type of ransomware on there that started encrypting stuff, so we went through and looked for the specific encrypted file based off of that, then we also looked, based off the extension, for other encrypted files. Then we knew that malware was loaded onto another laptop, so we ended up having to identify that laptop. We had to go about finding the malicious file that was doing that; in order to do that we had to go through the directory structure and find out the username of the person who was using it, and then we found out some information about the USB drive, identified the malware, went to VirusTotal, looked it up, found out about the language it's written in and how long it's been out in the wild, and then some of the DNS information that's used for its command and control. Excuse me.

All right, so now let's move on to the next set of questions. Again, if you have any comments or other questions you can throw those in the chat, but we can definitely keep moving on here. So let's see what we got here: a federal law enforcement agency reports that Taedonggang (I'm not even going to try to pronounce that) often spearphishes its victims with a zip file that has to be opened with a password. What is the name of the attachment sent to Frothly (which is the name of the company) by a malicious actor? The first thing we would want to do here is maybe search for zip files, so we could go back here and search for .zip. Now again, if we knew what time period we're looking for we could definitely try to narrow that down; especially in an environment where we have so much data it wouldn't necessarily make sense to just go searching for .zip files, but in this case maybe it does. All right, so we got a bunch of different hosts, we still got stuff coming in. Let's see what else might we be looking at: a source type, just wondering what source types we have here. Okay, so they said it was spear phishing, so it'd be over email, so it might make sense to look for .zips through the SMTP stream. All right, so we have six events and it's all going to one host. Just make sure that this is done, it's not spinning anymore. All right, so we got six different emails there. Okay, so we got attachment type, attachment size, attachment file name; okay, so that kind of gives us what that might be: invoice.zip, since that is the only one that appears to have come in over email. So let's throw that in and see if this is correct: invoice.zip. All right.

Now let's take a look at this. We should be able to get in here and see the actual raw data, content body, and we can see it in HTML here: "As we have not received a service assessment letter, I'm assuming that you might have accidentally overlooked the invoice. Should you wish to end the agreement please let us know, otherwise early withdrawal penalties apply. Please refer to the attached document for payment details. Due to the personal nature of the account we have added a password to the document; please enter this password." So this number right here is probably the password, so we can go ahead and take that and see if this works. Okay.

So this APT group encrypts most of their traffic with SSL. What is the SSL issuer that they use for the majority of their traffic? Answer guidance: copy the field exactly, including spaces. Let's see if they give us any hints here. For this question we need the attacker's IP; remember there was an IP address scanning brewertalk.com. Use that IP address and search for the TCP stream instead of the HTTP stream. Okay, so we wouldn't necessarily know this information just doing this from today, but if we had done the first two sets of questions we would know that there was an attacking IP address that had already been doing stuff against the environment. So we can definitely go and find that and use it as part of our search. I think it's going to be: what is the IP address of the system used to run a vulnerability web scan against brewertalk? We can just take this, so we will be using that.

What we're going to be looking for here is source stream:tcp, right, because it's not HTTP; they talked about using SSL for their communication and encryption. So we should be able to go like this, move this over here. Now we've got an IP address, so we're going to drop this IP in here and get rid of that zip file; we don't care about that, but the stream we do care about, so we're going to change this to tcp, because that is what the SSL would fall under. Let's give this a try. Okay, so we have a lot of different events from this IP address to or from this host, so this is the host that would be connecting to that. Source type is that stream, because we already identified that, so we should be able to look through all this different stuff: destination IP, MAC, server, SSL cert, self-signed. Okay, so we might have something in here. We're looking for the SSL issuer, so who is actually signing the certs, and we can see that this came up here: C=US, which looks a little dicey. So let's do that; I'm going to copy this. Okay.

What unusual file for an American company does winsys32.dll cause to be downloaded in the Frothly environment? So definitely we'll search on this. I wonder if they want us to use that IP address as well; no, I think we're just going to start with the DLL, so we can go like this, get rid of all of this, paste. Okay, seven events and we got a bunch of different hosts, new process has been created, from Windows event logs and Sysmon. Let's see if they got a file name, maybe; no. Keywords, image, index, message, parent ID, record, subject. Let's see, three more fields, let's see if there's anything else of interest here: user, no. Okay, so it's probably something in here that we just missed. Object, okay, process ID, hmm. So it has an FTP command, interesting, so it's using FTP there. "Through the results you should see a tool associated with transferring files to the system, the sources associated with the binary."

So if we see FTP being used in here, and we keep seeing it over there, we could probably look for the FTP stream. Yeah, we just go FTP stream: sourcetype equals stream:ftp. Okay, a whole bunch of events. Now we should be able to see, if there was a question we were trying to get to here: what unusual file does that cause us to download? I assume it's using FTP to download something kind of funky. Okay, he said the audio is low; can everybody else hear okay? Just want to make sure; my mic is showing that it's good. File name, a lot of that. All right, so let's see how we can go about seeing that. Yeah, a lot of events are returned, might be a good idea to shrink this down, but how? "You're looking for an unusual file that was downloaded by winsys32.dll. Research commands that can be utilized with a tool that is specific to downloads." Okay, so let's look and see within here: methods, load way, transport. Trying to see, method, okay, so these are probably different types of commands, so we could do a bit of research into these different types of FTP commands. I'm pretty sure that RETR here is what you use to actually pull down a file, so we're just going to click on that; that's going to pop that up here, method RETR, and here we should be able to look at file names. Okay, so then it was asking what file name sticks out. Actually a whole bunch of interesting stuff here: some type of DNS Python script, netcat, PsExec, Python, wget, all sorts of stuff that you could do some pretty malicious stuff with, and then this here, which definitely sticks out on a US-based system, I would say. So how can we go about getting that copied over in a way that will work? I don't even know; let's see if this will let me do that. Yeah, good luck, that's Korean. Okay, awesome. Let's see if we can find a way to copy Korean over from here; see if they give us a hint.

"When copying the Unicode characters of the answer, the AttackBox clipboard automatically converts it to escaped Unicode characters. Convert it back to unescaped Unicode with CyberChef." Okay, so we should be able to do that. We could either go to CyberChef online or we should be able to go like this; let's see if this will work. CyberChef is great for converting different things. Yeah, I am just not sure. It converts it to escaped; convert it back to unescaped Unicode. Let's get rid of auto-bake. And if anybody has any ideas with this I will gladly take them. Now it won't even let me... let's try this again, copy all this, copy. I don't know why that won't let me get that like it did the first time. I'm going to close out CyberChef, open it back up, copy this. Hmm. Well, let's see if there is another way that we can do that, and worst case, if we just can't get it, we know what we have to do to get it. The other thing that they mention is using Chrome, and I am using Safari, so that might be a problem on my end, which is perfectly fine because they put that in the hints: convert it back to unescaped Unicode. So let's see if I do that here; I'll just try it in the browser here, CyberChef. Okay, paste, and then they were saying go unescaped Unicode, something escaped. I'm going to drag this over here. I don't think that that is necessarily what I want there, and let's see what's coming out. Yeah, I would definitely play around with this a bit more. "I believe you paste the Korean in the right and then the left select right." But this is talking about when you go to move it, unless you mean doing it in the browser here, and I don't know if that's really... yeah, they're talking about doing it from the perspective of once I go to copy it from the AttackBox it's going to end up putting it in this escaped Unicode format, and then they're saying once you get out, go and use the Unescape Unicode Characters recipe. It seems Safari doesn't like this character set, so that could just be a me problem. Let me bring up my other... do it on Chrome real quick off the screen. Let's see if that will work. Maybe, maybe not. No, I wasn't using Chrome, I was using Safari as the browser that I'm using to do all this in once I copy it out of the AttackBox. Yeah, still nothing with that. We're going to just move on from this. We have the data, we identified what the crazy file name is that sticks out from everything else, which I think was their main question, and if anybody ends up finding out what that is they can throw it in the comments section, and when we come back I'll figure out what it is at a later time.

All right, last few questions. What is the first and last name of the poor innocent sap who was implicated in the metadata of the file that executed PowerShell Empire on the first victim's workstation? Okay, so let's see what they say for that question: "I have links for the execution malware contained in the aforementioned zip file." So we got a few different places we can go check this out. Let's open that in a new tab. Hybrid Analysis: it's got a description of this invoice.doc file. Now there are other ways that we could have gotten this information; for instance, if this didn't come up on any of these analysis websites, since we have the passcode that was needed to unzip the file, we actually could go and reconstruct that and use the passcode to get into the file. Obviously, if you do that, since it is malware, you'd want to do that in a sandbox, but it would give us this information. We see here that the person whose name is associated with this file in the description is Ryan Kovar, so we can
put that in here okay and within the document what a kind of points is mentioned if you found the text so then they have screenshots of kind of what happens when you explode this and open it up we see congrats it looks like you have a virus total account and chose to live on the edge I think they're mocking people if you find this uh turn it in for some cyber East egg points Okay so cyber East eggs I I don't even know what that is but great and then last question to maintain persistence in the frothly network um this particular apt configured several scheduled tasks to Beacon back to their C2 server what single web page is most contacted by these scheduled tasks all right so to end up seeing that we're gonna go uh and search for schedule tasks EXE it's a good place to start that with let's see okay and we can just go tasks EXE search that up and then we get a whole bunch of events here different hosts they were running on Source type is going to be sysmon and windows event logs actions allowed success command line different things that it's doing it's deleting Microsoft Office enabling updates this one though looks a little interesting here so it's creating something daily to run at this time running a Powershell running Powershell some type of encoding converting it to a base64 string and it looks like putting it somewhere in this registry file Maybe um and we see that it's kind of doing that a little bit so that uh that is a little interesting I would say um so we could probably um we could probably go look for things related to that registry um kind of see where that might make sense um so we can look for like I said that particular registry which I think go back and look at that was this software Microsoft network so uh uh source let's see how I want to do this source equals when registry and then [Music] um whatever that was I don't need to go all the way back down there yeah and it was this uh H uh hklm software Microsoft network and so let's see software 
Microsoft network see if I can do this win registry software [Music] and let's see if that's a double or not yeah it's gonna be double all the way through okay software Microsoft forward slash network all right let's see how that looks okay so three events okay so we could take a look at these uh let's see if there is uh anything data type data all right so we got some base64 stuff there um let's see if we actually click into one of these what this looks like so probably just go about uh see if there's a way I can just get the Raw the raw data from that and then go back to um cyber chef and drop that in so let's see there's a way that's a little bit easier to copy that um we're just rename PID destination data okay copy that move over to cyber Chef drop that in this could be base64 encoded so we can from base64 okay and that's cool and all that but we probably are going to need to clean that up a little bit as well let's see if there is a other entropy generate now uh let's see data format um code text decode text public key networking language that is I don't know that is what I want nope let's get rid of that decode I know that there's something else um do I want to get that text cleaned up let's see I know there's a way to do it um white space no no bytes let's give that a try there we go all right and let me move this so you can see this a little bit better okay this is much more readable now um and we're looking for it's going to a website um it looks like it's going to log in and then a process dot PHP so this is all base64 encoded but this is where it's going this might be what the answer is so there's like what four files or not four files four logs total that kind of matched that so we could go through each of those but let's just let's go with this one off the bat copy it over and see if uh if this is what the answer is maybe we'll get lucky and not have to go through the other um the other logs let's get rid of that boom that's it okay so uh that was all 
of that for the 400 questions what do we do we ended up going uh looking through email streams looking for zip files did some lookups uh on that ended up finding a passcode looked for uh the SSL issuer for the encrypted command and Control stream we end up finding uh uh what was used to download this dll which is FTP we did some some looking through FTP streams we ended up finding that Korean file that kind of stuck out quite a bit um did a little bit of research into the particular file that executed Powershell Empire got a little bit of information on that using a few other sites since it's already something that was known in the wild um and then uh looked at the ways that the APT was doing and maintaining persistence specifically with a scheduled task I was beaconing back to their C2 servers and were able to identify what that was kind of pointing back to there so uh that was it um we do need to go back at some point and get the proper translation for uh this particular file that was downloaded but uh I'll go find that after the fact but if anybody else hasn't wants to throw it in the comments section in the future that's cool uh any other questions or comments before we wrap this one up this one was kind of a little bit long because there was a lot to it you can definitely see why I ended up breaking up this Roman knot trying to do all uh four series of questions but uh yeah it was a lot of fun always good to learn Splunk like I said go check out some of the other Splunk rooms that I have uh in my try hack me playlist pretty good so uh if nobody has any other questions or comments I appreciate everybody dropping in uh make sure you smash like button subscribe to the Channel all that other good stuff and I'll talk to you soon alright bye foreign
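Two of the manual CyberChef steps in the walkthrough are worth scripting once you are pulling dozens of results out of Splunk: the scheduled-task PowerShell blob that only became readable after "From Base64" plus a null-byte clean-up (that clean-up is needed because `-EncodedCommand` payloads are UTF-16LE), and the AttackBox clipboard turning the Korean file name into `\uXXXX` escapes. The Python below is an added example written for this page, not code from the video, from TryHackMe or from the BOTSv2 dataset; every sample value in it is constructed, and `c2.example.invalid` is a placeholder rather than the dataset's real C2 host. The non-ASCII filename triage at the end generalizes the "what sticks out in the RETR list" question to any batch of names.

```python
"""
Added example (not from the original video or dataset): scripting the two
decoding chores the walkthrough does by hand in CyberChef.

1. decode_encoded_command: a scheduled task running
   `powershell -EncodedCommand <base64>` carries UTF-16LE text inside the
   base64, which is why the raw decode looked "dirty" until null bytes were
   stripped. Decoding as UTF-16LE is the clean version of that fix.
2. unescape_unicode: the AttackBox clipboard turns non-ASCII characters into
   \\uXXXX escapes; this reverses it and joins surrogate pairs.
3. find_unusual_filenames: flag names containing non-ASCII characters, the
   property that made the Korean file stand out in the FTP RETR list.

All sample data below is constructed; the domain is a placeholder.
"""
import base64
import re

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
UNICODE_ESC_RE = re.compile(r"\\u([0-9a-fA-F]{4})")


def decode_encoded_command(b64):
    """Decode a PowerShell -EncodedCommand payload (base64 of UTF-16LE text)."""
    raw = base64.b64decode(b64)
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        # Odd-length or corrupted blob: fall back to the CyberChef-style
        # "strip the null bytes" approach so the operator still sees something.
        return raw.replace(b"\x00", b"").decode("latin-1")


def extract_urls(script):
    """Return every http(s) URL in a decoded script, in order of appearance."""
    return URL_RE.findall(script)


def unescape_unicode(text):
    """Turn \\uXXXX escapes back into characters and combine surrogate pairs."""
    joined = UNICODE_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    # Lone surrogates from a pair (e.g. \ud83d\ude00) are re-joined by a
    # UTF-16 round trip; anything unpaired becomes U+FFFD instead of crashing.
    return joined.encode("utf-16", "surrogatepass").decode("utf-16", "replace")


def find_unusual_filenames(names):
    """Return file names that contain any non-ASCII character."""
    return [n for n in names if any(ord(ch) > 127 for ch in n)]


# --- constructed sample data (not from the real dataset) -------------------
SAMPLE_SCRIPT = (
    "Invoke-WebRequest -UseBasicParsing "
    "-Uri 'http://c2.example.invalid/login/process.php'"
)
# What the registry Data field / schtasks command line would carry:
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# What the AttackBox clipboard hands you for a two-syllable Korean name:
SAMPLE_ESCAPED_NAME = "\\ud55c\\uae00.exe"

SAMPLE_FILENAMES = [
    "dns_tunnel.py",
    "nc.exe",
    "PsExec.exe",
    "wget.py",
    unescape_unicode(SAMPLE_ESCAPED_NAME),
]


def main():
    script = decode_encoded_command(SAMPLE_ENCODED)
    print("decoded task command:", script)
    print("beacon URL(s):", extract_urls(script))
    print("unescaped file name:", unescape_unicode(SAMPLE_ESCAPED_NAME))
    print("non-ASCII file names:", find_unusual_filenames(SAMPLE_FILENAMES))


if __name__ == "__main__":
    main()
```

Feed `decode_encoded_command` the `Data` field from each of the WinRegistry events (or the `-EncodedCommand` argument from the Sysmon command line) and tally `extract_urls` across them; the most frequent host and path is the "single web page most contacted" the question asks for, without copying each blob into CyberChef by hand.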
Info
Channel: CyberInsight
Views: 1,408
Keywords: tryhackme splunk, tryhackme splunk tutorial, comptia cysa+ lab, cysa+ splunk, tryhackme cysa+ splunk, cysa+ lab, cysa+ splunk lab, tryhackme blue team, splunk lab, cyberinsight, tryhackme splunk 2 walkthrough, cyber defense tryhackme, siem tutorial, splunk for devops, intro to splunk, free splunk training, splunk cyber defense, splunk cyber analyst, splunk blue team, sysmon splunk, suricata splunk, palo alto splunk, BOTSv2 walkthrough, BOTSv2 series 300, BOTSv2 series 400
Id: pTvGrj3QOmU
Length: 77min 0sec (4620 seconds)
Published: Thu Mar 23 2023