splunk

Chris Long

9 minute read

Question 31 What is the name of the user that was created after the endpoint was compromised? I have no idea what “the endpoint” is referring to here, so basically I’m stuck looking for anything user-creation related. I wish I could tell you I had some surefire way of finding the answer, but here’s how I solved this one. I started with this query because it captured any event that had both “user” and “add”:

Chris Long

10 minute read

Question 21 AWS access keys consist of two parts: an access key ID (e.g., AKIAIOSFODNN7EXAMPLE) and a secret access key (e.g., wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). What is the secret access key of the key that was leaked to the external code repository? No SPL needed here. Answer this question by following the link to the GitHub commit mentioned in the email from Question 20. Question 21 answer: Question 22 Using the leaked key, the adversary makes an unauthorized attempt to create a key for a specific resource.

Chris Long

13 minute read

I hope you enjoyed part 1 of this series and learned a few things along the way. I’m going to jump right into questions for part 2. Question 11 What is the short hostname of the only Frothly endpoint to actually mine Monero cryptocurrency? (Example: ahamilton instead of ahamilton.mycompany.com) NOTE: This answer writeup contains spoilers for question 9! Wow, that’s a broad question. To me, the question implies that the attempt to mine cryptocurrency was actually successful and proof of work may have been submitted over the network.