
Cyberdefenders Boss of The Soc V1 Walkthrough Part 1


Challenge/Competition: Boss Of The SOC v1

By: Splunk Team


This is Part 1 of a two-part series; this post covers the first 14 questions.

Challenge Details

Scenario 1 (APT):

The focus of this hands-on lab will be an APT scenario and a ransomware scenario. You assume the persona of Alice Bluebird, the analyst who has recently been hired to protect and defend Wayne Enterprises against various forms of cyberattack.

In this scenario, reports of the below graphic come in from your user community when they visit the Wayne Enterprises website, and some of the reports reference “P01s0n1vy.” In case you are unaware, P01s0n1vy is an APT group that has targeted Wayne Enterprises. Your goal, as Alice, is to investigate the defacement, with an eye towards reconstructing the attack via the Lockheed Martin Kill Chain.

source: cyberdefenders.org

Scenario 2 (Ransomware):

In the second scenario, one of your users is greeted by this image on a Windows desktop that is claiming that files on the system have been encrypted and payment must be made to get the files back. It appears that a machine has been infected with Cerber ransomware at Wayne Enterprises and your goal is to investigate the ransomware with an eye towards reconstructing the attack.

source: cyberdefenders.org

Walkthrough

After setting up the VM we access Splunk at 127.0.0.1:8000.
Let's start answering.

Q1: This is a simple question to get you familiar with submitting answers. What is the name of the company that makes the software that you are using for this competition? Just a six-letter word with no punctuation.

Ans: splunk

Detail: We are using Splunk Enterprise, which is made by the company named Splunk.


Q2: What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?

Ans:  40.80.148.42 

Detail: First, let's filter the results by the domain name imreallynotbatman.com.

Then we will see the source IP addresses that accessed this domain.

Here the IP address 40.80.148.42 looks suspicious, as it tried to connect to our domain many times in a short period.
Looking at the user agent field of a request made by this IP address confirms our suspicion.


Q3. What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, “Microsoft” or “Oracle”)

Ans: acunetix 

Detail: As can be seen in the image above.


Q4. What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as . , ! ? in your answer. We are looking for alpha characters only.)

Ans: joomla 

Detail: By looking at a web request made to imreallynotbatman.com we can see this in the headers.


Q5. What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with the extension (For example, “notepad.exe” or “favicon.ico”).

Ans: poisonivy-is-coming-for-you-batman.jpeg

Detail: First we need to know the IP address of our web server.
For that we set 40.80.148.42 as the source IP and check the destination IPs related to it.

Here we can see that 192.168.250.70 receives most of the traffic, which is what a vulnerability scan looks like, so this must be the IP address of our web server.

Let's use this as the source IP and check which IP addresses it connects to.

Here we can see our initial IP address 40.80.148.42 with the most requests, and we also see the IP address 23.22.63.114.

Let's set this as the destination address and apply a stats filter to the search.
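The pivots used for Q2 through Q5 (count requests per source for the site, confirm the scanner from the user agent, find the host the scanner hammered, then list what that host fetched from outside) can be reproduced outside Splunk. The script below is an added example and not part of the original walkthrough or the Splunk Team's challenge material; every log record in it is constructed, the field names (src_ip, dest_ip, site, user_agent, uri) are an assumed shape for an HTTP stream record, and the user agent strings are made up.

```python
"""Added example: the Q2-Q5 pivots done in plain Python over constructed HTTP log records."""
from collections import Counter
import re


def _mk(n, src, dst, site, ua, uri, method="GET"):
    """Build n identical records; only used to keep the constructed sample short."""
    return [{"src_ip": src, "dest_ip": dst, "site": site, "method": method,
             "user_agent": ua, "uri": uri} for _ in range(n)]


SCAN_UA = "Mozilla/5.0 (compatible; Acunetix-WVS-example)"  # constructed scanner UA
USER_UA = "Mozilla/5.0 (Windows NT 10.0) Firefox/60.0"       # constructed browser UA
SERVER, ATTACKER, STAGING = "192.168.250.70", "40.80.148.42", "23.22.63.114"

# Constructed sample: a scanner hitting the site, two normal visitors, and the web
# server fetching the defacement image from the staging host.
LOG = (
    _mk(6, ATTACKER, SERVER, "imreallynotbatman.com", SCAN_UA, "/index.php?id=1")
    + _mk(2, "10.10.10.5", SERVER, "imreallynotbatman.com", USER_UA, "/")
    + _mk(1, STAGING, SERVER, "imreallynotbatman.com", USER_UA, "/")
    + _mk(3, SERVER, ATTACKER, "", USER_UA, "/")
    + _mk(2, SERVER, STAGING, "prankglassinebracket.jumpingcrab.com", USER_UA,
          "/poisonivy-is-coming-for-you-batman.jpeg")
)

# Signature for the scanner named in Q3; extend the alternation for other scanners you track.
SCANNER_UA = re.compile(r"acunetix", re.I)


def count_by(records, field, **where):
    """Equivalent of `... | stats count by <field>` after equality filters in `where`."""
    hits = Counter()
    for r in records:
        if all(r.get(k) == v for k, v in where.items()):
            hits[r[field]] += 1
    return hits


def scanner_sources(records):
    """Q2/Q3: source IPs whose user agent matches a scanner signature, with the matched name."""
    return {r["src_ip"]: m.group(0).lower()
            for r in records if (m := SCANNER_UA.search(r["user_agent"]))}


def pivot_chain(records, site, attacker_ip):
    """Q2->Q5 pivots: noisiest source for the site, the host the attacker hammered
    (our web server), and the peers that host talks to (where the defacement came from)."""
    top_src = count_by(records, "src_ip", site=site).most_common(1)[0][0]
    web_server = count_by(records, "dest_ip", src_ip=attacker_ip).most_common(1)[0][0]
    outbound = count_by(records, "dest_ip", src_ip=web_server)
    return {"top_source": top_src, "web_server": web_server, "outbound": outbound}


def fetched_files(records, src_ip, dest_ip):
    """Q5/Q6: distinct (site, uri) pairs a host requested from a given peer."""
    return sorted({(r["site"], r["uri"]) for r in records
                   if r["src_ip"] == src_ip and r["dest_ip"] == dest_ip})


if __name__ == "__main__":
    chain = pivot_chain(LOG, "imreallynotbatman.com", ATTACKER)
    print("scanners:", scanner_sources(LOG))
    print("web server:", chain["web_server"], "outbound:", chain["outbound"].most_common())
    print("fetched:", fetched_files(LOG, chain["web_server"], STAGING))
```

The same three calls map one-to-one onto the Splunk searches in the walkthrough: a stats count by source, a stats count by destination with the source pinned, and a final pivot on the server as source to see what it pulled from the outside.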


Q6. This attack used dynamic DNS to resolve to the malicious IP. What is the fully qualified domain name (FQDN) associated with this attack?

Ans: prankglassinebracket.jumpingcrab.com 

Detail: As we can see in the picture above, the file is associated with this FQDN.


Q7. What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?

Ans:  23.22.63.114

Detail: Mentioned above.


Q8. Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?

Ans: lillian.rose@po1s0n1vy.com

Detail: All we need to do is a historical WHOIS lookup for po1s0n1vy.com or waynecorinc.com, and we will find this email address in the record.


Q9. What IP address is likely attempting a brute force password attack against imreallynotbatman.com?

Ans: 23.22.63.114

Detail: We know that brute-force attempts use the POST method, and we are checking 192.168.250.70; by adding username and password to the search query we get these source IPs.

Here most of the requests were made by 23.22.63.114.
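Filtering POSTs that carry a username and a password and counting them per source is the whole of the Q9 search; the script below is an added example (not from the walkthrough or the challenge) that does the same over constructed login POSTs and adds what a detection would want on top: a sliding-window burst count and the number of distinct passwords tried. The form field names (username, passwd), the admin URI and all timestamps and bodies are assumptions constructed for this example.

```python
"""Added example: spotting the brute-force source from login POSTs (Q9) in plain Python."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

SERVER = "192.168.250.70"
PASSWORD_KEYS = ("passwd", "password")   # form fields treated as a password


def _post(ts, src, form):
    """Constructed login POST to the web server identified in Q5."""
    return {"time": datetime.fromisoformat(ts), "src_ip": src, "dest_ip": SERVER,
            "method": "POST", "uri": "/administrator/index.php", "form_data": form}


POSTS = (
    # 40 guesses in 40 seconds from the staging IP (constructed timestamps and bodies)
    [_post(f"2016-08-10T21:44:{i:02d}", "23.22.63.114", f"username=admin&passwd=guess{i}")
     for i in range(40)]
    + [_post("2016-08-10T21:50:00", "10.10.10.5", "username=alice&passwd=correct-horse")]
    + [_post("2016-08-10T21:51:00", "40.80.148.42", "username=admin&passwd=admin")]
)


def login_attempts(records, dest_ip=SERVER):
    """Only POSTs to the server whose body carries both a username and a password field."""
    out = []
    for r in records:
        if r["method"] != "POST" or r["dest_ip"] != dest_ip:
            continue
        form = parse_qs(r["form_data"])
        if "username" in form and any(k in form for k in PASSWORD_KEYS):
            out.append(r)
    return out


def attempts_by_source(records):
    """Equivalent of the walkthrough's stats count by src_ip over the filtered POSTs,
    most active source first."""
    counts = defaultdict(int)
    for r in login_attempts(records):
        counts[r["src_ip"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def brute_force_sources(records, threshold=10, window=timedelta(seconds=60)):
    """Sources with at least `threshold` login POSTs inside any sliding `window`.
    Reports total attempts, the peak burst, and how many distinct passwords were tried."""
    by_src = defaultdict(list)
    for r in login_attempts(records):
        by_src[r["src_ip"]].append(r)
    flagged = {}
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r["time"])
        j, peak = 0, 0
        for i in range(len(rs)):
            while rs[i]["time"] - rs[j]["time"] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            passwords = set()
            for r in rs:
                form = parse_qs(r["form_data"])
                for k in PASSWORD_KEYS:
                    passwords.update(form.get(k, []))
            flagged[src] = {"attempts": len(rs), "peak_in_window": peak,
                            "distinct_passwords": len(passwords)}
    return flagged


if __name__ == "__main__":
    print("attempts by source:", attempts_by_source(POSTS))
    print("flagged:", brute_force_sources(POSTS))
```

The raw count already answers the question, but the burst rate and the password diversity are what separate a brute force from a user who mistyped a password a few times, which is why a production alert should key on them rather than on the total alone.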


Q10. What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, “notepad.exe” or “favicon.ico”)

Ans: 3791.exe

Detail: Setting the source IP as 40.80.148.42 and the destination IP as 192.168.250.70 and applying a stats filter, we get this result.


Q11. What is the MD5 hash of the executable uploaded?

Ans: AAE3F5A29935E6ABCC2C2754D12A9AF0 

Q12. GCPD reported that common TTP (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear-phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy’s initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.

Ans: 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8

Detail: If we check 23.22.63.114 on VirusTotal, in the Relations section we can see a file MirandaTateScreensaver.scr.exe, an executable pretending to be a wallpaper,
with SHA256 = 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8


Q13. What is the special hex code associated with the customized malware discussed in question 12? (Hint: It’s not in Splunk)

Ans: 53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21

Detail: Still on VirusTotal from Question 12, check the Community section and you will find this hex code there.


Q14. One of Po1s0n1vy’s staged domains has some disjointed “unique” whois information. Concatenate the two codes together and submit them as a single answer.

Ans: 31 73 74 32 66 69 6e 64 67 65 74 73 66 72 65 65 62 65 65 72 66 72 6f 6d 72 79 61 6e 66 69 6e 64 68 69 6d 74 6f 67 65 74

Detail: If we look at the historic WHOIS record for waynecorinc.com we can see these two hex strings.

All we need to do is concatenate both of them.
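The answers to Q13 and Q14 are hex-encoded ASCII, and decoding them is a quick way to check that the strings were copied and concatenated correctly before submitting. The helper below is an added example, not part of the walkthrough; the separators it tolerates (spaces, colons, commas, 0x prefixes) are an assumption about how such blobs get pasted, and the two-fragment split used in the test is arbitrary, since the post gives only the concatenated Q14 answer.

```python
"""Added example: decode and sanity-check the hex answers from Q13 and Q14."""
import re

# Hex strings exactly as given in the walkthrough answers above.
Q13_HEX = ("53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 "
           "70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 "
           "6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 "
           "79 6f 75 20 61 20 62 65 65 72 21 21 21")
Q14_HEX = ("31 73 74 32 66 69 6e 64 67 65 74 73 66 72 65 65 62 65 65 72 "
           "66 72 6f 6d 72 79 61 6e 66 69 6e 64 68 69 6d 74 6f 67 65 74")

_SEPARATORS = re.compile(r"0x|[\s:,;-]")   # assumed separators seen in pasted hex dumps


def normalize_hex(blob):
    """Strip 0x prefixes and separators, then require whole bytes of hex."""
    cleaned = _SEPARATORS.sub("", blob)
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})*", cleaned):
        raise ValueError("not a byte-aligned hex string")
    return cleaned.lower()


def is_valid_hex(blob):
    """True if normalize_hex() accepts the blob; handy for validating a copied answer."""
    try:
        normalize_hex(blob)
        return True
    except ValueError:
        return False


def decode_hex_message(blob):
    """Decode a hex dump as ASCII, refusing anything non-printable (a sign it is not text)."""
    text = bytes.fromhex(normalize_hex(blob)).decode("ascii")
    if not text.isprintable():
        raise ValueError("decoded bytes are not printable text")
    return text


def concat_hex(*fragments):
    """Q14: join fragments byte-wise and re-space as two-digit groups, so the
    decoded result is the fragments' texts joined in order."""
    joined = "".join(normalize_hex(f) for f in fragments)
    return " ".join(re.findall(r"..", joined))


if __name__ == "__main__":
    print("Q13:", decode_hex_message(Q13_HEX))
    print("Q14:", decode_hex_message(Q14_HEX))
```

Because concatenation happens on the byte string, the order of the fragments matters: swapping them produces a different decoded message, which is exactly the check you want before submitting a concatenated answer.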