Threathunting on clo.ng

Working Through Splunk's Boss of the SOC - Part 6

Mon, 13 Jul 2020 00:00:00 +0000

Question 51 (325)

Microsoft cloud services often have a delay or lag between “index time” and “event creation time”. For the entire day, what is the max lag, in minutes, for the sourcetype: ms:aad:signin? Answer guidance: Round to the nearest minute without the unit of measure.

This is an excellent question! Let’s start putting together a query to show the time and indextime.

You can’t just table the “_indextime” field, so we’ll use eval to create a field:

Working Through Splunk's Boss of the SOC - Part 5

Sun, 12 Jul 2020 00:00:00 +0000

Question 41 (315)

During the attack, two files are remotely streamed to the /tmp directory of the on-premises Linux server by the adversary. What are the names of these files? Answer guidance: Comma separated without spaces, in alphabetical order, include the file extension where applicable.

We know it’s likely that we’ll be able to find these files in the /tmp directory based on the question, so I’m going to start pretty broad here:

Working Through Splunk's Boss of the SOC - Part 4

Tue, 07 Jul 2020 00:00:00 +0000

Question 31 (304)

What is the name of the user that was created after the endpoint was compromised?

I have no idea what “the endpoint” is referring to here, so basically I’m stuck looking for anything user-creation related.

I wish I could tell you I had some surefire way of finding the answer, but here’s how I solved this one. I started with this query becuase it captured any event that had both “user” and “add”:

Working Through Splunk's Boss of the SOC - Part 3

Sun, 28 Jun 2020 00:00:00 +0000

Question 21 (220)

AWS access keys consist of two parts: an access key ID (e.g., AKIAIOSFODNN7EXAMPLE) and a secret access key (e.g., wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). What is the secret access key of the key that was leaked to the external code repository?

No SPL needed here. Answer this question by following the link to the Github commit mentioned in the email from Question 20.

Question 21 answer:

Bx8/gTsYC98T0oWiFhpmdROqhELPtXJSR9vFPNGk

Question 22 (221)

Using the leaked key, the adversary makes an unauthorized attempt to create a key for a specific resource. What is the name of that resource? Answer guidance: One word.

Working Through Splunk's Boss of the SOC - Part 2

Sat, 27 Jun 2020 00:00:00 +0000

I hope you enjoyed part 1 of this series and learned a few things along the way. I’m going to jump right into questions for part 2.

Question 11 (214)

What is the short hostname of the only Frothly endpoint to actually mine Monero cryptocurrency? (Example: ahamilton instead of ahamilton.mycompany.com)

NOTE: This answer writeup contains spoilers for question 9!

Wow, that’s a broad question. To me, the question implies that the attempt to mine cryptocurrency was actually successful and proof of work may have been submitted over the network. However, it’s not totally clear how the word “actually” is being used here.

Working Through Splunk's Boss of the SOC - Part 1

Fri, 26 Jun 2020 00:00:00 +0000

It occurred to me yesterday as I was updating documentation for DetectionLab that although it includes a script to install Boss of the SOC, I’ve never actually partipated in it or tried it out. I thought this could be a great place to document how I walk through the series of questions to help other people understand my methodology.

If you’d like to follow along, you can quickly spin up BOTS in DetectionLab as well: https://github.com/clong/DetectionLab/wiki/Install-the-Splunk-Boss-of-the-SOC-(BOTS)-Dataset(s)