Splunk Challenge

Objective 6

After solving the HID Lock challenge, I continue with the objectives as Santa, which comes with some special privileges. I can now access systems that were previously reserved for Santa, like the Splunk terminal in the Great Room, which used to be locked with the following error message: The Splunk terminal is for Santa and select SOC elves only

Great Room

Unfortunately there are no more hints from the elves, only warnings and panic:

Hey Santa, there’s some crazy stuff going on that we can see through our Splunk infrastructure. You better login and see what’s up.

Next I click the terminal on the table, which opens Splunk in a new tab. The goal is to figure out the answer to the next objective:

Splunk SOC

Thankfully it has a very nice chat interface where Alice Bluebird helps out with hints for the first few training questions:

Question 1

How many distinct MITRE ATT&CK techniques did Alice emulate?

Alice provides the first part of a handy Splunk query; completing it shows that the answer is 13:

| tstats count where index=* by index 
| search index=T*-win OR T*-main
| rex field=index "(?<technique>t\d+)[\.\-].0*" 
| stats dc(technique)
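To see what that pipeline actually does, here is an added Python equivalent (my own illustration, not code from the original post or from Splunk). The index names are a constructed sample standing in for the output of the tstats line, and the regex is rewritten with Python's (?P<name>...) group syntax because Python's re does not accept Splunk's PCRE-style (?<name>...). It also shows why the rex matters: it strips the sub-technique suffix, so t1059.001 and t1059.003 count as one technique.

```python
import re

# Constructed sample of index names, standing in for the output of
# "| tstats count where index=* by index" in the Attack Range Splunk.
# The real instance has more indexes; these are illustrative only.
SAMPLE_INDEXES = [
    "t1059.001-main", "t1059.001-win",
    "t1059.003-main", "t1059.003-win",
    "t1053.005-main", "t1053.005-win",
    "t1082-main", "t1082-win",
    "t1123-main", "t1123-win",
    "t1547.001-main", "t1547.001-win",
    "main", "_internal", "attack", "history",
]

# Python's re uses (?P<name>...) where Splunk's PCRE rex uses (?<name>...).
# The hint's rex keeps only the technique id before the first '.' or '-'.
TECHNIQUE_RE = re.compile(r"(?P<technique>t\d+)[.\-]")
# Variant that keeps the optional sub-technique part as well.
SUBTECHNIQUE_RE = re.compile(r"(?P<subtechnique>t\d+(?:\.\d+)?)-(?:win|main)$")


def emulation_indexes(names):
    """Equivalent of '| search index=T*-win OR T*-main'.

    Splunk matches field values case-insensitively, hence the .lower().
    """
    return [
        n for n in names
        if n.lower().startswith("t") and n.lower().endswith(("-win", "-main"))
    ]


def distinct_techniques(names):
    """Equivalent of the '| rex ... | stats dc(technique)' tail of the query."""
    techniques = set()
    for n in emulation_indexes(names):
        m = TECHNIQUE_RE.match(n)
        if m:
            techniques.add(m.group("technique"))
    return len(techniques)


def distinct_subtechniques(names):
    """Same count without collapsing sub-techniques, for comparison."""
    subs = set()
    for n in emulation_indexes(names):
        m = SUBTECHNIQUE_RE.match(n)
        if m:
            subs.add(m.group("subtechnique"))
    return len(subs)


if __name__ == "__main__":
    print(len(emulation_indexes(SAMPLE_INDEXES)), "emulation indexes")
    print(distinct_techniques(SAMPLE_INDEXES), "distinct techniques")
    print(distinct_subtechniques(SAMPLE_INDEXES), "distinct sub-techniques")
```

On the sample above the 12 emulation indexes collapse to 5 distinct techniques but 6 distinct sub-techniques, which is exactly the distinction the question's wording ("distinct MITRE ATT&CK techniques") turns on.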

Question 2

What are the names of the two indexes that contain the results of emulating Enterprise ATT&CK technique 1059.003? (Put them in alphabetical order and separate them with a space)

This one was also easy to answer, since the index names carry the sub-technique id: t1059.003-main t1059.003-win

Question 3

One technique that Santa had us simulate deals with ‘system information discovery’. What is the full name of the registry key that is queried to determine the MachineGuid?

A simple search in Splunk for index=* MachineGuid reveals command lines such as REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid; the key is everything before the /v switch, which gives the answer: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography

Question 4

According to events recorded by the Splunk Attack Range, when was the first OSTAP related atomic test executed? (Please provide the alphanumeric UTC timestamp)

Following the same approach, I searched for index=* OSTAP in Splunk, which returned 8 results. Splunk lists events newest first, so I scrolled down to the bottom to find the oldest one and submitted its timestamp as the answer: 2020-11-30T17:44:15Z

Question 5

One Atomic Red Team test executed by the Attack Range makes use of an open source package authored by frgnca on GitHub. According to Sysmon (Event Code 1) events in Splunk, what was the ProcessId associated with the first use of this component?

For this one I had to try a bit harder. After some time spent looking at frgnca's GitHub repositories, I figured out that the component had to do with audio, so I crafted this query in Splunk: index=* EventCode=1 AND CommandLine="*Audio*", which retrieved the correct answer: 3648

Question 6

Alice ran a simulation of an attacker abusing Windows registry run keys. This technique leveraged a multi-line batch file that was also used by a few other techniques. What is the final command of this multi-line batch file used as part of this simulation?

This question probably took me the longest to figure out. I spent about two hours looking for information in Splunk, and what eventually unblocked me was reading the question over and over until I realized that the answer would come only partially from Splunk. I solved it by searching for any occurrence of *.bat files in Splunk, which led me to Discovery.bat from Red Canary's Atomic Red Team repo, the file used to build the simulation. The answer was the final line of that batch script: quser

Question 7

According to x509 certificate events captured by Zeek (formerly Bro), what is the serial number of the TLS certificate assigned to the Windows domain controller in the attack range?

This was a rather easy one. I searched for index=* SERIAL in Splunk, which revealed several records; the first one at the top had the answer: 55FCEEBB21270D9249E86F4B9DC7AA60

Final Question

What is the name of the adversary group that Santa feared would attack KringleCon?

For this final question Alice provided a base64-encoded ciphertext that, according to her, was encrypted with Santa's favourite phrase.

7FXjP1lyfKbyDK/MChyf36h7

What's more, she also hinted that the encryption key was mentioned in Dave Herrald's KringleCon talk on Adversary Emulation and Automation. I fast-forwarded to the end and found this slide:

Stay Frosty

The choice of RC4 was almost obvious after reading Alice's hint in the Splunk SOC chat (RFC 7465 is the RFC that prohibits RC4 cipher suites in TLS):

It’s encrypted with an old algorithm that uses a key. We don’t care about RFC 7465 up here! I leave it to the elves to determine which one!

Armed with this knowledge, I used CyberChef (From Base64, then RC4 with the uncovered passphrase) to recover the name of the adversary group.
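To reproduce the CyberChef step offline, here is an added Python RC4 decryptor. This is my own code, not part of the original write-up or of the challenge materials; it assumes the passphrase is used directly as the UTF-8 key bytes, which is what CyberChef's RC4 recipe does with a UTF8 passphrase, and it takes the base64 string from the chat above as ciphertext. A quick sanity check before decrypting: 24 base64 characters with no padding decode to exactly 18 bytes, and RC4 is a stream cipher with no padding, so the plaintext must be 18 characters long.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA), then the keystream generator (PRGA)
    XORed over the data. Encryption and decryption are the same operation."""
    # KSA: permute S under the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # PRGA: one keystream byte per data byte
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Ciphertext as given in the SOC chat, and the passphrase from the talk slide.
CHALLENGE_CIPHERTEXT_B64 = "7FXjP1lyfKbyDK/MChyf36h7"
CHALLENGE_KEY = "Stay Frosty"


def decrypt_b64(ciphertext_b64: str, passphrase: str) -> bytes:
    """CyberChef equivalent: From Base64 -> RC4 with a UTF-8 passphrase.
    (Assumption: the passphrase bytes are the raw RC4 key, no derivation.)"""
    return rc4(passphrase.encode("utf-8"), base64.b64decode(ciphertext_b64))


def solve_final_question() -> str:
    return decrypt_b64(CHALLENGE_CIPHERTEXT_B64, CHALLENGE_KEY).decode("utf-8")


if __name__ == "__main__":
    raw = base64.b64decode(CHALLENGE_CIPHERTEXT_B64)
    print(len(raw), "ciphertext bytes, so the plaintext has", len(raw), "characters")
    print(solve_final_question())
```

The rc4() routine can be checked against the published test vectors (key "Key" over "Plaintext" gives BBF316E8D940AF0AD3) before trusting it on the challenge data; a wrong key simply yields 18 bytes of noise rather than an error, which is the usual failure mode with an unauthenticated stream cipher.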

Adversary Group - CyberChef

Splunk Done

On to the next one! 😎
