Module 8 Lab (docx)
School: Bellevue College
Course: 430
Subject: Information Systems
Date: Dec 6, 2023
Pages: 13
Uploaded by CountDugongPerson1794
CYBR 440 - Incident Detection and Response
Module 8 Lab – Analyzing Log Files
In this eighth lab, we will dig into a very popular SIEM and data access/analysis platform called Splunk. This lab will take some of what you’ve learned about endpoint and network host files and put them together in the context of a network-wide malware investigation. You will use many sources of data in this investigation and become familiar with the Splunk user interfaces and Splunk Search Language. You will be required to submit the following graded items as part of this lab:
Answer all questions listed in BOLD
Provide screenshots when asked
Accessing the Lab
This lab is hosted in the university’s IS Lab and requires special instructions to access it. If you are not familiar with accessing the IS Lab, please see the document in this course that walks you through accessing the Cybersecurity Desktop. You can access the Cybersecurity Desktop through the web or using VMware’s Horizon client. You should use the native Horizon client when possible as it provides better performance. The web client can be accessed at https://workspace.bellevue.edu. Make sure you log into this interface with your Bellevue student ID and password.
After accessing workspace.bellevue.edu and selecting the IS Lab desktop, open a browser and navigate to https://10.98.100.11. The first time you access this site you will see a warning in the browser. Make sure to click Advanced and then Proceed to 10.98.100.11 (Unsafe). You should see the following remote access page.
After accessing Bellevue Bank and Trust’s Remote Management Portal, log in using the following information:
Username: analyst# - Where # is the number provided to you by your instructor
Password: An@lyst#!! - Where # is the number provided to you by your instructor
After logging in you should see the following page:
You should have three available connections, RDP Kali #, RDP Workstation#, and SSH Kali #. These are your three analyst tools you will use throughout this course.
You will be using the Windows 10 RDP Workstation# connection for this lab. You should open each new RDP or SSH connection in a new tab.
Part 1 - Investigation of an APT with Splunk
A couple of notes on this lab before we begin. This lab walks you through the process of investigating a real incident using Splunk. The data set is called the Boss of the SOC and it contains real attack data. As such, you may encounter profanity or offensive terms. As this is based on real attack data, it mirrors what you will see in a real investigation. This lab is also different because the Splunk application will guide you through the investigation. Make sure you read each step carefully and answer the questions. When using this app, pay attention to the search language queries, as this is primarily what you will rely upon when using Splunk. These queries will look like this:
The queries allow you to open a search in another tab and will show you what you will see when working with a SIEM like Splunk. The data set includes IDS/IPS, Windows, DNS, HTTP, IIS, and Sysmon logs as well as a few others, so you will get experience looking at the types of logs we have discussed throughout the course. All the answers to every question will either be displayed within the app via a Splunk query/visualization or with a query you will run in a new search tab.
1.
Once you have your Windows 10 Analyst Desktop open, start by opening Chrome and navigating to https://splunk.bbtrust.com:8000. You may also open the shortcut to Splunk on the desktop. Log in with your username analyst# and password An@lyst#!! where # is your student/analyst number.
2.
After logging in, open the Investigating with Splunk Workshop application on the left side of the screen.
3.
Read through the initial screen and then select Scenario #1 - APT at the top of the screen and then APT Prologue.
4.
This screen will guide you through the rest of the lab. Make sure as you go through these screens that you take time to check the options at the bottom of screen to show additional information. Also make sure you take note of the navigation links at the bottom of the page. These allow you to navigate through each step of the investigation and will show you how to answer each investigative question.
5.
Finding the IP Scanning Your Web Server (Part 1 of 2) Answer the following questions:
What is the likely IP address of someone from the PO1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?
40.80.148.42
Looking through the events I was able to see that this IP was attempting to use a vulnerability scanner. Paste a screen shot of the screen or query you used to answer this question.
6.
Finding the IP Scanning Your Web Server (Part 2 of 2) Answer the following questions:
What additional information can we get from the Suricata IDS logs?
It has an “alert.action” and “alert.category”; this can help prioritize which to focus on first.
What phase of the Lockheed Martin Cyber Kill Chain does this data represent?
Reconnaissance
7.
Identifying the web vulnerability scanner.
What company created the web vulnerability scanner used by P01S0n1vy?
Acunetix
Paste a screenshot of the query or screen that shows you the vulnerability scanner name in Splunk below. Since this can be used similar to a Google search, I had it search for the word scanner.
8.
Determining which web server is the target.
What is the IP address of our web server?
192.168.250.70
What content management system is imreallynotbatman.com likely using?
joomla
9.
Identifying where a brute force attack originated
What IP address is likely attempting a brute force attack against imreallynotbatman.com?
23.22.63.114
10.
Identifying the first password attempted in a brute force attack.
What was the first brute force password used?
12345678
11.
Extracting passwords from events (Part 1 of 2).
Which command is used to get the length of the passwords?
Lenpword=len(userpassword)
12.
Extracting passwords from events (Part 2 of 2).
One of the passwords in the brute force attack is James Brodsky’s favorite Coldplay song. Which six-character song is it?
Yellow
What is the name of the lookup table used for finding the answer?
Coldplay.csv
13.
Identifying the password used to gain access.
What was the correct password for admin access to the content management system running imreallynotbatman.com?
batman
What phase of the Lockheed Martin Kill Chain did this attack take place?
Exploitation
14.
Finding the average length of the passwords during the brute force attack.
What was the average password length used in the password brute forcing attempt, rounded to the closest whole integer?
6
15.
Determining the elapsed time between events.
How many seconds elapsed between the time the brute force password scan identified the correct password and the compromised login, rounded to two decimal places?
92.169084 seconds
Paste a screen shot of the query used to find this answer.
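As an added example (not part of the lab or the Splunk workshop app), the password-extraction, length, average and elapsed-time steps of items 11 through 15 carried out in Python over constructed events shaped like Splunk stream:http records: the regex mirrors the rex extraction of the userpassword field, the stats mirror eval len() / stats avg() / dc(), and the timing mirrors the duration a transaction on userpassword reports. The timestamps, source IPs and form_data strings are made up; only the field names follow Splunk's stream:http records.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events shaped like Splunk stream:http records for the Joomla
# login POSTs in this lab: (_time, src_ip, form_data). Values are made up, not BOTS data.
EVENTS = [
    ("2016-08-10T21:45:01.000", "23.22.63.114", "username=admin&passwd=12345678&option=com_login"),
    ("2016-08-10T21:45:02.000", "23.22.63.114", "username=admin&passwd=yellow&option=com_login"),
    ("2016-08-10T21:45:03.000", "23.22.63.114", "username=admin&passwd=qwerty&option=com_login"),
    ("2016-08-10T21:45:04.500", "23.22.63.114", "username=admin&passwd=batman&option=com_login"),
    ("2016-08-10T21:46:36.669", "40.80.148.42", "username=admin&passwd=batman&option=com_login"),
]

# Same pattern as the Splunk step: rex field=form_data "passwd=(?<userpassword>[^&]+)"
PASSWD_RE = re.compile(r"passwd=(?P<userpassword>[^&]+)")


def extract_passwords(events):
    """Return (time, src_ip, userpassword) for every event that carries a passwd= field."""
    rows = []
    for ts, src_ip, form_data in events:
        match = PASSWD_RE.search(form_data)
        if match:
            rows.append((datetime.fromisoformat(ts), src_ip, match.group("userpassword")))
    return rows


def password_stats(events):
    """Mirror of: eval lenpword=len(userpassword) | stats count, dc(userpassword), round(avg(lenpword))."""
    rows = extract_passwords(events)
    lengths = [len(pw) for _, _, pw in rows]
    return {
        "attempts": len(rows),                                        # total attempts (count)
        "distinct": len({pw for _, _, pw in rows}),                   # distinct passwords (dc)
        "avg_len": round(sum(lengths) / len(lengths)) if lengths else 0,  # nearest whole integer
    }


def repeated_passwords(events):
    """Passwords seen more than once: this is the gap between count and dc(userpassword)."""
    counts = Counter(pw for _, _, pw in extract_passwords(events))
    return {pw: n for pw, n in counts.items() if n > 1}


def seconds_to_login(events, correct):
    """Mirror of transaction userpassword: seconds from the first to the last use of `correct`."""
    times = sorted(t for t, _, pw in extract_passwords(events) if pw == correct)
    return round((times[-1] - times[0]).total_seconds(), 2)
```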
16.
Identifying the number of unique passwords attempted during the brute force attack.
How many unique passwords were attempted in the brute force attempt?
412
Why is there one extra password counted between the total attempts and distinct attempts?
Since batman was used twice, it counted it as an attempt.
17.
Identifying the executable uploaded
What is the name of the executable uploaded by P01s0n1vy?
3791.exe
18.
Determining the MD5 hash of the executable uploaded.
What is the MD5 hash of the executable uploaded?
AAE3F5A29935E6ABCC2C2754D12A9AF0
What type of log captured the hash?
XmlWinEventLog
19.
Identifying the file that defaced our web server (Part 1 and 2)
What is the name of the file that defaced the imreallynotbatman.com website?
poisonivy-is-coming-for-you-batman.jpeg
20.
Identifying the fully qualified domain name of the system that defaced the web server.
This attack used dynamic DNS to resolve to the malicious IP. What fully qualified domain name (FQDN) is associated with this attack?
prankglassinebracket.jumpingcrab.com
21.
Using OSINT to identify attacker infrastructure.
What IP address has P01s0n1vy tied to domains that pre-staged to attack Wayne Enterprises?
23.22.63.114
22.
Using OSINT to create linkages between email and infrastructure
Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address that is most likely associated with P01s0n1vy APT group?
lillian.rose@po1s0n1vy.com
23.
Using OSINT to identify associated malware.
GCPD reported that a common TTP (Tactics, Techniques, and Procedures) for the P01s0n1vy APT group, if initial compromise fails, is to send a spear phishing email with custom malware attached to their intended target. This malware is usually connected to P01s0n1vy’s initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.
9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8
24.
Using OSINT to find clues pertaining to the adversary.
What special hex code is associated with the customized malware discussed in the previous question?
53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21
In your own words, write a one paragraph executive summary of what happened with this attack. Your paragraph should be 5-7 sentences and should be understandable to a non-cybersecurity person.
The attacker scanned our web server, leading them to identify a web vulnerability in one of our sites that uses Joomla. They were able to exploit this vulnerability by using a brute force attack. Once in, they used a program to compromise the web server. After compromising the web server, they attempted to move to different servers but were unable to do it to Windows. Therefore, they defaced the website by posting an image.
Part 2 - Investigation of Ransomware using Splunk
This second scenario is like the first except the type and vector of the attack is different. Follow the same procedure to research this attack.
1.
After entering or remaining in the Investigating with Splunk Workshop, select Scenario #2 - Ransomware at the top of the page, then select Ransomware Prologue. Read through this page and then continue with the navigation buttons below. Do not forget to select the checkmarks at the bottom of each page.
2.
Identifying the IP Address of a Victim System.
What was the most likely IP address of we8105desk on 24 Aug 2016?
192.168.250.100
3.
Identifying removable media.
What is the name of the USB key inserted by Bob Smith?
MIRANDA_PRI
What query was used to find this answer?
4.
Identifying the malicious file.
After the USB insertion, a file execution occurs that is the initial Cerber infection. This file execution creates two additional processes. What is the name of the file?
Miranda_Tate_unveiled.dotm
What type of log was used to identify this file?
XmlWinEventLog
5.
Identifying suspicious processes executing.
During the initial Cerber infection a VB script is run. The entire script from this execution, prepended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of this field?
4490
6.
Identifying the file server connections from infected host.
Bob Smith’s workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?
192.168.250.20
7.
Identifying the first suspect domain visited by the victim.
What was the first suspicious domain visited by we8105desk on 24 Aug 2015?
Solidaritedeproximite.org
8.
Identifying cryptor code filename and origin.
The malware downloads a file that contains the Cerber ransomware cryptor code. What is the name of that file?
Mhtr.jpg
9.
Event chaining - identifying the parent/child processes.
What is the parent process id of 121215.tmp?
3968
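As an added example (again not part of the lab or the Splunk app), the event chaining of items 4 and 9 done outside Splunk: parse constructed Sysmon EventID 1 (ProcessCreate) records in the XmlWinEventLog shape and follow ParentProcessId links to list a process's children and its ancestry. The PIDs and image paths are made up for illustration; only the field names (ProcessId, ParentProcessId, Image) are Sysmon's.

```python
import xml.etree.ElementTree as ET

# Minimal Sysmon EventID 1 record in the XmlWinEventLog shape (only the fields used here).
_TEMPLATE = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><EventID>1</EventID></System><EventData>"
    "<Data Name='ProcessId'>{pid}</Data><Data Name='Image'>{image}</Data>"
    "<Data Name='ParentProcessId'>{ppid}</Data></EventData></Event>"
)

# Constructed process-creation events: (ProcessId, Image, ParentProcessId). PIDs and
# paths are made up; the Word -> script / .tmp-file shape follows the lab narrative.
SYSMON_EVENTS = [_TEMPLATE.format(pid=p, image=i, ppid=pp) for p, i, pp in [
    (2288, r"C:\Windows\explorer.exe", 1100),
    (4332, r"C:\Program Files\Microsoft Office\WINWORD.EXE", 2288),
    (5172, r"C:\Windows\System32\wscript.exe", 4332),
    (6012, r"C:\Users\bob.smith\AppData\Local\Temp\121215.tmp", 4332),
]]


def parse_process_create(xml_text):
    """Return the EventData <Data Name=...> fields of one record as a dict, ignoring the namespace."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "Data" and "Name" in el.attrib:
            fields[el.attrib["Name"]] = (el.text or "").strip()
    return fields


def build_tree(xml_events):
    """Index ProcessCreate records by ProcessId so parent links can be followed."""
    return {int(f["ProcessId"]): f for f in map(parse_process_create, xml_events)}


def children(tree, pid):
    """ProcessIds whose ParentProcessId is pid (e.g. the two processes a macro document spawns)."""
    return sorted(p for p, f in tree.items() if int(f["ParentProcessId"]) == pid)


def ancestry(tree, pid):
    """Walk ParentProcessId links upward from pid; stops at an unlogged parent or a PID-reuse loop."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append((pid, tree[pid]["Image"]))
        pid = int(tree[pid]["ParentProcessId"])
    return chain
```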
10.
Determine which signatures specific to the ransomware alerted.
Amongst the Suricata signatures that detected the Cerber malware, which signature ID alerted the fewest number of times?
2816763
11.
Damage assessment - identifying the encrypted text files.
The Cerber ransomware encrypts files located in Bob Smith’s Windows profile. How many .txt files does it encrypt?
406
Which query was used to find this number?
12.
Damage assessment - identifying distinct PDFs encrypted.
How many distinct PDFs did the ransomware encrypt on the remote file server?
257
13.
Identifying redirection post encryption to a domain.
What fully qualified domain name (FQDN) does the Cerber ransomware attempt to direct the user to at the end of its encryption phase?
Cerberhhyed5frqa.xmfir0.win
In your own words, write a one-paragraph executive summary describing what happened in this attack.
A user got hold of a USB that contained malicious code and inserted it into their work computer. Once it was inserted, it was able to run the code and install malicious files on the computer. The files contained a program that encrypted the user’s local disk and shared files. Once the encryption was done it would redirect them to a page notifying them of the ransomware.
Paste a screen shot of the timeline for this attack below. This can be found on the last page of the ransomware scenario.