Splunk
Evil emails!
Instructions from the badge:
Access https://splunk.elfu.org/ as elf with password elfsocks. What was the message for Kent that the adversary embedded in this attack? The SOC folks at that link will help you along! For hints on achieving this objective, please visit the Laboratory in Hermey Hall and talk with Prof. Banas.
For additional advice you are told to visit Hermey Hall and talk to Prof Banas:

Hi, I’m Dr. Banas, professor of Cheerology at Elf University. This term, I’m teaching “HOL 404: The Search for Holiday Cheer in Popular Culture,” and I’ve had quite a shock! I was at home enjoying a nice cup of Gløgg when I had a call from Kent, one of my students who interns at the Elf U SOC. Kent said that my computer has been hacking other computers on campus and that I needed to fix it ASAP! If I don’t, he will have to report the incident to the boss of the SOC. Apparently, I can find out more information from this website https://splunk.elfu.org/ with the username: elf / Password: elfsocks. I don’t know anything about computer security. Can you please help me?
This time there was no terminal that needed to be fixed through some command line magic; instead, you just had to browse to the URL given by Prof. Banas and follow the hints through the ElfU SOC chat interface. When you first visit, you will be greeted with the below message.

The main question to answer:
What was the message for Kent that the adversary embedded in this attack?
To get to the answer, you should rely on the training questions and the hints from the SOC characters in the chat. Alice in the chat will tell you that you don’t necessarily need to solve all the training questions if you already know Splunk; you can safely skip them and look for the answer to the main question. To do this you will need these two resources:
- ElfU Splunk Search: https://splunk.elfu.org/en-GB/app/SA-elfusoc/search
- ElfU File Archive: http://elfu-soc.s3-website-us-east-1.amazonaws.com/
Since I never used Splunk before, I went through the training questions anyway to learn the logic of Splunk:
Q1 - What is the short host name of Professor Banas’ computer?
This can be answered by simply paying attention to the discussion in the chat window. If you missed it, go back to the group chat called Chat with #ELFU SOC and read it again. Then you will see that the answer is sweetums.
Q2 - What is the full path and name of the sensitive file that was likely accessed and copied by the attacker?
For this question, Alice mentioned that Prof. Banas is really close with Santa, and that they worry that the attacker who compromised the Prof’s machine may have accessed some sensitive information related to Santa. Her tip is to do a simple text search for something you are interested in, which she says can lead straight to the answer quite often. So when you search the data for any mention of santa you will get a few hits, and the answer can be found within the below text:
ParameterBinding(Format-List):
name="InputObject";
value="C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt:1:Carl, you know there's no one I trust more than you to help. Can you have a look at this draft Naughty and Nice list for 2019 and let me know your thoughts? -Santa"
Q3 - What is the fully-qualified domain name (FQDN) of the command and control (C2) server?
Since these questions are meant to be for training, Alice will almost give you the correct search term straight away. In one of her messages she posted a link to a Splunk search that she did with the below parameters:
index=main sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational powershell EventCode=3
This Splunk search gave away the answer in the first search result. The C&C server’s FQDN is: 144.202.46.214.vultr.com.
Q4 - What document is involved with launching the malicious PowerShell code (provide just file name)?
For this question Alice showed a neat technique which can help filter the pool of event logs by setting a time-window of +/- 5 seconds of some interesting event at a particular point in time. Eventually she points out that you are looking for a document, so why not search for the string doc and see what comes up:
19th Century Holiday Cheer Assignment.doc
This seemed promising; however, it was not accepted as the answer. Then I remembered that Word documents have different extensions such as .docx, .docm and so on, so I did a Google search for PowerShell execution from Word and realized that this requires Word macros to be enabled, which means the file should have the .docm extension. Next I tried the same search but for docm, and this time the same filename popped up, but with the .docm extension, which was the correct answer: 19th Century Holiday Cheer Assignment.docm.
Q5 - How many unique email addresses were used to send Holiday Cheer essays to Professor Banas?
To answer this one, Alice gave some useful info on StoQ and a starting query as well. If you modify the query a bit to show less info, you can easily count the emails manually:
index=main sourcetype=stoq | table _time results{}.workers.smtp.to results{}.workers.smtp.subject | sort - _time
Just sort the table based on the subject line and count how many there are for the subject Holiday Cheer Assignment Submission. In total you should get 21, which is the correct answer.
Q6 - What was the password for the zip archive that contained the suspicious file?
This one you can solve very easily without many hints, if you cared to read some of the emails that the Prof received from his students as part of their course submissions. The ZIP which contained the malicious Word document was locked with the password 123456789, which was mentioned in the email as well. Not very strong, nor secure…
Q7 - What email address did the suspicious file come from?
This question was answered easily if you inspected any of the emails from the previous question. The sender was bradly.buttercups@eifu.org.
Main Question
Finally, to answer the main question of Objective 6, return to Alice for some additional hints. For obvious reasons the malicious document is not available for you to inspect, but the File Archive she mentioned earlier is a good place to look if you know what to look for. She also pointed out that it contains metadata from StoQ, and also provided a search term:
index=main sourcetype=stoq "results{}.workers.smtp.from"="bradly buttercups <bradly.buttercups@eifu.org>"
| eval results = spath(_raw, "results{}")
| mvexpand results
| eval path=spath(results, "archivers.filedir.path"), filename=spath(results, "payload_meta.extra_data.filename"), fullpath=path."/".filename
| search fullpath!=""
| table filename,fullpath
The final hint from Alice will definitely lead you to the file that you need to answer the question. Can you get it?
Last thing for you today: Did you know that modern Word documents are (at their core) nothing more than a bunch of .xml files?
Of course it is the core.xml. The Splunk search she gave you shows that its path is: /home/ubuntu/archive/f/f/1/e/a/ff1ea6f13be3faabd0da728f514deb7fe3577cc4/core.xml. So now you just need to navigate to this file in the File Archive, download it and peek inside:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
xmlns:dcmitype="http://purl.org/dc/dcmitype/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Holiday Cheer Assignment</dc:title>
<dc:subject>19th Century Cheer</dc:subject>
<dc:creator>Bradly Buttercups</dc:creator>
<cp:keywords></cp:keywords>
<dc:description>Kent you are so unfair. And we were going to make you the king of the Winter Carnival.</dc:description>
<cp:lastModifiedBy>Tim Edwards</cp:lastModifiedBy><cp:revision>4</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2019-11-19T14:54:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2019-11-19T17:50:00Z</dcterms:modified>
<cp:category></cp:category></cp:coreProperties>
You will find the secret message to Kent within the <dc:description> tag:
Kent you are so unfair. And we were going to make you the king of the Winter Carnival.
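The same lookup can be automated once you have the document package itself rather than the extracted XML: a .docx/.docm is a ZIP, the metadata lives in docProps/core.xml, and a macro-enabled document normally carries word/vbaProject.bin. The script below is an added example (not part of the original writeup or the challenge), and the sample package it builds is constructed in memory from a core.xml modelled on the one shown above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml (OOXML core properties).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
FIELDS = (("title", "dc:title"), ("subject", "dc:subject"), ("creator", "dc:creator"),
          ("description", "dc:description"), ("last_modified_by", "cp:lastModifiedBy"),
          ("created", "dcterms:created"), ("modified", "dcterms:modified"))

def core_properties(doc_bytes):
    """Return the core.xml metadata of a .docx/.docm given as bytes, plus a
    has_macros flag based on the usual location of the VBA project."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        names = set(z.namelist())
        props = {"has_macros": "word/vbaProject.bin" in names}
        if "docProps/core.xml" not in names:
            return props  # no core metadata part in this package
        root = ET.fromstring(z.read("docProps/core.xml"))
    for key, xpath in FIELDS:
        node = root.find(xpath, NS)
        props[key] = (node.text or "") if node is not None else ""
    return props

# Constructed sample core.xml, modelled on the one recovered from the archive.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Holiday Cheer Assignment</dc:title><dc:creator>Bradly Buttercups</dc:creator>
<dc:description>Kent you are so unfair. And we were going to make you the king of the Winter Carnival.</dc:description>
<cp:lastModifiedBy>Tim Edwards</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2019-11-19T14:54:00Z</dcterms:created>
</cp:coreProperties>"""

def build_sample(with_macros=True):
    """Build a minimal constructed package; an empty vbaProject.bin stands in for macros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", CORE_XML)
        if with_macros:
            z.writestr("word/vbaProject.bin", b"")
    return buf.getvalue()

if __name__ == "__main__":
    for key, value in core_properties(build_sample()).items():
        print(f"{key}: {value}")
```

Point core_properties at the bytes of a real document (for example, one pulled from a file archive) to list its author, revision history and any text hidden in the description field alongside whether it ships a macro project.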