Bots of SOC: past questions

0x00 Background

A record of questions I once worked through solo; these are all fairly old question banks.

0x01 First set: WEB

4.
Hints
First find the IP address of the web server hosting imreallynotbatman.com. You may have found this IP during the course of answering the previous few questions.

The key here is searching for events where the IP address of the web server is the source. Because it's a web server, we most often see it as a destination but in this case the intruder took control of the server and pulled the defacement file from an internet site.

SPL : index=* src=192.168.250.70  sourcetype="stream:http"
9 events

5.
dest_ip=23.22.63.114
prankglassinebracket.jumpingcrab.com

#108
index=*     sourcetype="stream:http" dest_ip="192.168.250.70" uri="/joomla/administrator/index.php" src_ip="23.22.63.114"

#109
index=*  dest_ip="192.168.250.70" exe app=http status=200 http_method=POST

#110
index=*  3791.exe MD5=* process="3791.exe" signature="Process Create"

#111
You need to pivot outside of Splunk to answer this question. Use the IP address discovered earlier to search for malware that has been associated with it in the past.

Experienced analysts know to use sites like https://www.threatminer.org/ to search for malware associated with the malicious IP address, but if all else fails, Google it!

https://x.threatbook.com/v5/ip/23.22.63.114

#112

https://www.virustotal.com/

#114
index=*     sourcetype="stream:http" dest_ip="192.168.250.70" uri="/joomla/administrator/index.php" src_ip="23.22.63.114" form_data=* |sort + _time

#115
It's not hard to get a list of songs by the artist. Once you have that, use the "len()" function of the "eval" SPL command. For Splunk style points, use a lookup table to match the password attempts with songs.

Asked GPT to list the artist's songs with 6-letter titles:
“Yellow”
“Clocks”

index=*     sourcetype="stream:http" dest_ip="192.168.250.70" uri="/joomla/administrator/index.php" src_ip="23.22.63.114" form_data=* |rex field=form_data "passwd=(?P<name>.*?)&"|dedup name|table name |where len(name)=6|search name=yellow

#116 got stuck
Saw status=303 and went down the wrong path, assuming a successful login would be a 302, instead of starting from the number of logins.

index=* sourcetype="stream:http" dest_ip="192.168.250.70"   form_data=* |rex field=form_data "passwd=(?P<name>.*?)&"|table name url|stats values(url) as url count by name

batman logged in successfully 2 times, from two src IPs: 23.22.63.114 and 40.80.148.42

#117
Compute the average
index=*     sourcetype="stream:http" dest_ip="192.168.250.70" uri="/joomla/administrator/index.php" src_ip="23.22.63.114" form_data=* |rex field=form_data "passwd=(?P<name>.*?)&" |eval q= len(name)|table name q|stats avg(q) as qq

#118  ?
Approach: compute the difference between the two timestamps
 timestamp: 2016-08-10T21:45:10.253339Z 12345678
 timestamp: 2016-08-10T21:46:25.861614Z  batman
75.608

delta(_time)
-92.169084

index=* sourcetype="stream:http"  dest_ip="192.168.250.70"  form_data=* | rex field=form_data "passwd=(?<userpassword>\w+)"
| search userpassword=batman
| transaction userpassword
| table duration

After the transaction command groups events with the same userpassword value into one transaction, the table command pulls out the fields of interest, for example each transaction's duration.
92.169084

#119
 |rex field=form_data "passwd=(?P<name>.*?)&"
344  wrong count

 |rex field=form_data "passwd=(?P<name>\w+)"
412
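As an added example (not part of the original notes), the following Python shows why the two rex patterns from #119 count different numbers of attempts, and then does the 6-letter song match from #115 on the extracted passwords. The form_data bodies and the song list are constructed here; the passwords in them are made up.

```python
import re
from urllib.parse import parse_qs

# Constructed form_data bodies (not from the BOTS dataset). The second and
# fourth end with the passwd field, so nothing follows it and there is no '&'.
SAMPLE_FORM_DATA = [
    "username=admin&passwd=yellow&option=com_login&task=login",
    "option=com_login&task=login&username=admin&passwd=batman",
    "username=admin&passwd=p@ss!&task=login",
    "username=admin&passwd=clocks",
]

# Constructed song list; only "yellow" and "clocks" are 6 characters long.
SONGS = ["yellow", "clocks", "fix you", "paradise", "trouble"]

RE_UNTIL_AMP = re.compile(r"passwd=(?P<name>.*?)&")   # first rex in the notes (#119)
RE_WORD = re.compile(r"passwd=(?P<name>\w+)")          # second rex in the notes (#119)


def extract(pattern, form_data):
    """Return the passwd value a rex-style regex would capture, or None if it does not match."""
    m = pattern.search(form_data)
    return m.group("name") if m else None


def extract_parsed(form_data):
    """Parse the body as application/x-www-form-urlencoded instead of regexing it."""
    return parse_qs(form_data).get("passwd", [None])[0]


def count_attempts(pattern, rows):
    """Rows in which the pattern captures a password: what `| stats count` would see."""
    return sum(1 for r in rows if extract(pattern, r) is not None)


def six_letter_song_matches(rows, songs):
    """Distinct 6-character passwords that are also song titles (the #115 lookup idea)."""
    wanted = {s for s in songs if len(s) == 6}
    seen = {extract_parsed(r) for r in rows}
    return sorted(p for p in seen if p and len(p) == 6 and p in wanted)
```

The `.*?&` form silently drops every request where passwd is the last field, which is why its count is lower; `\w+` catches those but truncates any password containing a non-word character (the third row yields just "p"). Parsing the body with parse_qs avoids both problems.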

#200
index=*     we8105desk  User="WAYNECORPINC\\*"

#202
src_ip: 192.168.250.100
Wasn't thinking broadly enough: stayed stuck on index=* Cerber, which has no sourcetype="stream:dns"

index=* sourcetype="stream:dns" "query_type{}"=A src_ip="192.168.250.100" |stats count by query

Check threat intelligence
cerberhhyed5frqa.xmfir0.win       the domain name contains the key flag
2016-06-23    2016-08-18    spam

index=* sourcetype="stream:dns" "query_type{}"=A src_ip="192.168.250.100" query!="*.microsoft.com" query!="*.local"

#203
index=* sourcetype="stream:dns" src_ip="192.168.250.100" query!="*.microsoft.com" query!="*.local" query!="*.arpa" dest_port=53

#204
Question:
During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length of the value of this field?


index=* "*.vbs"  ".exe" sourcetype="WinEventLog:Security"
Misread the question; thought it was asking for the length of the field name, so answered 20 for Process_Command_Line

index=* "*.vbs"  ".exe" sourcetype="WinEventLog:Security"|eval len1=len(Process_Command_Line)  |table len1 ,Process_Command_Line
4426  wrong again

Answer:
index=* "*.vbs"  ".exe"  host=we8105desk  |eval len1=len(cmdline)  |table len1 ,cmdline
4490
(Ambiguous: one field is HTML-escaped and the other is not, e.g. &  -->  &amp;)

#205 no idea
USB key?
index=*   host=we8105desk User="WAYNECORPINC\\bob.smith" usb

First do a rough search to see which sourcetypes match
index=* "usb"    (going from unquoted to quoted is something most people wouldn't think of)

WinRegistry    313    86.704%     // Windows registry
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational    44    12.188%    
WinEventLog:System    2    0.554%    
WinEventLog:Security    1    0.277%    
nessus:scan     1    0.277%

Audited each one in turn and finally narrowed it down to WinRegistry
index=* "*usb*" sourcetype=WinRegistry |stats values(registry_value_data) as registry_value_data count by registry_value_name

Answer:
index=*  sourcetype="winregistry" data!="" "*usb*" friendlyname |stats count by registry_value_data
MIRANDA_PRI

#206 
Bob Smith's workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IPv4 address of the file server?


Wrong approach: went off toward sourcetype="stream:http" and then threat intel lookups

index=* sourcetype="stream:http" src="192.168.250.100" http_method=GET status=200 http_user_agent!="Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.32"

The "stats" SPL command can be used to count the most common destination IP for the SMB protocol.

index=* src="192.168.250.100" sourcetype="stream:smb" dest="192.168.250.20"

It turned out to be the most-connected-to destination
192.168.250.20

#207
How many distinct PDFs did the ransomware encrypt on the remote file server?

Influenced by the previous question, I searched with dest="192.168.250.20"
index=* "*.pdf" 
Quick approach:
index="botsv1" *.pdf 
| stats count by sourcetype

index=* "*.pdf" Relative_Target_Name="*.pdf" |dedup Relative_Target_Name|table Relative_Target_Name sourcetype

#208
index="botsv1"  121214.tmp CommandLine="\"C:\\Windows\\System32\\cmd.exe\" /C START \"\" \"C:\\Users\\bob.smith.WAYNECORPINC\\AppData\\Roaming\\121214.tmp\""

#209
The Cerber ransomware encrypts files located in Bob Smith's Windows profile. How many .txt files does it encrypt?
Hints:
In Sysmon events, EventCode=2 indicates file creation time has changed. Watch out for duplicates!


index="botsv1"  "*.txt"  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" file_path="C:\\Users\\bob.smith*" file_create_time="1602-05-15 14:07:01.334"

#210 (didn't solve it)
The malware downloads a file that contains the Cerber ransomware cryptor code. What is the name of that file?

Question 24 showed a malicious domain; searching on that domain revealed a .jpg file being fetched from the URL

index="botsv1"    "http.hostname"="solidaritedeproximite.org"

#210
steganography

0x02 ICS

#101 ?
Hints
Looking up the technical documentation or specs for different PLCs can provide a lot of operational information

What are the different states a PLC can be in? Try doing a search for those

Ambiguous
192.168.97.6

Search
1756-L61/B

#102 real GPT
Hints
Who makes the logix5561 device?

newgpt
Who makes the logix5561 device?
The logix5561 device is manufactured by Rockwell Automation.

real GPT
Who makes the logix5561 device?
The Logix5561 is a product of Allen-Bradley, which is a brand of Rockwell Automation. Rockwell Automation is a multinational company specializing in industrial automation and information technology. Allen-Bradley is one of its key product lines, known for its programmable logic controllers (PLCs), human-machine interface (HMI) devices, industrial control components, and related software. The Logix5561 is a model of PLC within the Allen-Bradley ControlLogix family, designed for various industrial automation applications.
Allen-Bradley

#103  
2
Based on the answer in question 102, answering in MB, how large is the user memory on the previously identified controller?

Hints
Look at the technical spec sheet for the logix5561 device

newgpt
answering in MB, how large is the user memory on the Logix5561

The user memory on the Logix5561 controller is approximately 750 MB.

answering in MB, how large is the user memory on the 1756-L61/B LOGIX5561
The user memory on the 1756-L61/B LOGIX5561 controller is approximately 2 MB.

Real gpt

answering in MB, how large is the user memory on the Logix5561
The user memory size of the Logix5561 PLC, measured in megabytes (MB), can vary depending on the specific configuration and model variant. However, typically, the Logix5561 PLCs come with user memory sizes ranging from 8 MB to 32 MB. It’s essential to check the specific model and configuration details to determine the exact user memory size for a particular Logix5561 PLC unit.

answering in MB, how large is the user memory on the 1756-L61/B LOGIX5561
The 1756-L61/B Logix5561 PLC typically comes with a user memory size of 32 MB

#104

newgpt
What is Logix5561 the built-in COM (communication) port?

The Logix5561 controller does not have a built-in COM (communication) port. It primarily uses Ethernet/IP for communication with other devices on the network. However, it does have a built-in USB port that can be used for programming and configuration purposes.

Real gpt
The Logix5561 PLC features a built-in COM (communication) port, which is typically an RS-232 serial port. This port allows for communication with external devices such as computers, operator interfaces, or other PLCs. It enables data exchange and programming functionalities, facilitating connectivity in industrial automation systems. However, it’s worth noting that specific models or configurations of the Logix5561 PLC might offer different communication port options, so it’s essential to verify the exact specifications of the particular unit in question.

#105
10.0.0.131

#106 totally lost   ?

What was the hostname that was connected to with a SMB command shell?

It asks for the hostname

index=*    "smb" body="SMB Command Shell*"

Rslogix5000

#107 real GPT 
# Set connection parameters including slot number
plc.IPAddress = target_ip
plc.ProcessorSlot = slot_number

ProcessorSlot

#108  real GPT 
# Read the tag through the intermediate device
response = plc.Read(tag_name, route=gateway_ip, plc_ip=target_ip)

route

#109
GetTagList

#110 didn't quite understand
On which hostname was the Metasploit alert for detected windows/speak_pwned run against?

First answered with the source, which was wrong; then answered with the destination, which was right
src_host srv-hq-bkup01
dest_host srv-hq-nas01
srv-hq-nas01

#111
Empire 

#112
F8:DB:88:3E:83:A0

#113
index=*    "*modify*" "*memory*"
192.168.1.100

#114  I keep mixing up source and destination
Host 192.168.1.200 received a CIP error indicating an unauthorized command from host 192.168.1.6. What type of request created the alert?

index=*     "*CIP error*" src_ip="192.168.1.6" category="CIP Error (Service Not Supported) Indicating Unauthorized Command Message"

Get Attribute List

#115
index=* "scan"
1331

#116
factory-talk-vi

#117
None Logon

#118
10.0.0.131

#119
192.168.212.229

#120
newgpt
What protocol does Pycomm3 use to read and write tag values?
Pycomm3 uses the CIP (Common Industrial Protocol) protocol to read and write tag values. 

What protocol does Pycomm3 use to read and write tag values? (mode: creative)
 Pycomm3 primarily uses the EtherNet/IP protocol to read and write tag values from Allen-Bradley and Rockwell Automation PLCs. 
EtherNet/IP

#121 error
What type of data can be used with the ‘request_data’ command
Bit (-10)
Answer: binary

#122 error
In alphabetical order, and separated by commas, i.e. a,b,c - What three drivers come installed with pycomm3?

CIPDriver
EIPDriver
Micro800Driver

Answer:
CIPDriver,logixdriver,slcdriver

#123
What type of PLCs can be used with Pycomm3

Pycomm3 supports various PLC models from these manufacturers, including but not limited to:
• CompactLogix series
• ControlLogix series
• MicroLogix series
• PLC-5 series
• SLC 500 series

Error

What type of PLCs can be used with Pycomm3,Answer guidance: Provide the manufacturers with a comma separating each one. For example: alpha,gamma

The Pycomm3 library is primarily designed for communication with Allen-Bradley and Rockwell Automation programmable logic controllers (PLCs). Therefore, the supported PLC manufacturers for Pycomm3 are:
Allen-Bradley, Rockwell Automation

#124 ambiguous; why isn't it 192.168.41.2
index=* "Honeywell"

10.1.0.101

#125
xp_cmdshell

#126 error
RECONFIGURE  (-10)
答案:
sp_configure

#127 error
index=* 21151 "*compromise*" "related to *asset"
Workstation Compromise notification alerted which indicates asset 21151 may be compromised. Asset 21146 response function or process control may be impacted. The following list of notifications were related to this asset: PLC Date/Time Change and potentially concerning asset characteristic(s)  (-10)
答案:
PLC Date/Time Change

#128
index=*  "*Siemens*" "download"

.jar file download request    6    66.667%    
Host 192.168.97.6 attempted to download a new program to PLC 192.168.96.7    2    22.222%    
Host 192.168.1.200 attempted to download a new program to PLC 192.168.1.6    1    11.111%

Guessed: the one with 6 hits
192.168.192.74

#129
Jar

#130
192.168.208.1

#131
3389

#132
index=*  "7834" src_dragos_id=7834 "rdp" body="Forwarded RDP Negotiation Request - nonstandard dst port"

Rshistorian

#133
index=*   dest_host=rshistorian
33

#134
index=*   nmap src="192.168.208.1"
192.168.192.74

0x03 OKTA

#001 ? tried them one by one
10

#002
Looked first at
index=* eventtype=okta_log_authentication action=failure reason=LOCKED_OUT
Look at displayName
Bridget Sive    66    36.872%

Bridget Sive

Hints
The username is stored in the field actor.alternateId but full name is in another field.

Without spotting the reason field it's easy to answer wrongly and pick luciana; searching for "*lock*" avoids the mistake
index=* "lock" eventtype=okta_log_authentication action=failure

LOCKED_OUT    179    79.556%    
INVALID_CREDENTIALS    42    18.667%    
login denied    4    1.778%

luciana@coffeecase.biz    36    78.261%    
alexei@coffeecase.biz    6    13.043%    
max@coffeecase.biz    4    8.696%

#003 consider looking at the dashboard charts
index=* src_ip=* "client.geographicalContext.country"=India

client.geographicalContext.geolocation.lat
18.6161
client.geographicalContext.geolocation.lon
73.7286

I thought the latitude/longitude conversion was supposed to be done with Google
18°36’58”N,73°43’43”E

What is the latitude and longitude of the potential adversary located in India?
Answer guidance: Use this format but substitute the actual numbers: 18°32’45”N,71°39’40”E. You may have to Google how to make a degree symbol on your keyboard!

Hints
Use the MFA dashboard found in the Okta Identity Cloud Add On for Splunk.

[Figure 1]  (a world map)

18°36’57”N,73°43’42”E

#004
index=* app_label!="ok*"
6

#005
index=* Luciana src_user="luciana@coffeecase.biz" eventType="user.authentication.sso" |table app _time
Google Workspace

#006  dumbfounded
What is the most popular form of MFA authentication used either as primary or secondary
factor?
Answer guidance: Use the full string found in the data.

index=* MFA eventType="user.authentication.auth_via_mfa" |stats count by authenticationContext.credentialType 
null    1095
OTP    38
SMS    34
EMAIL    1

Hints
The factor used is in one of the "debug" fields.

index=* MFA eventType="user.authentication.auth_via_mfa" |stats count by debugContext.debugData.factor 
EMAIL_FACTOR    1

PASSWORD_AS_FACTOR    690
OKTA_VERIFY_PUSH    303
SIGNED_NONCE    102
SMS_FACTOR    34
SOFT_TOKEN    23
OKTA_SOFT_TOKEN    15
EMAIL_FACTOR    1

PASSWORD_AS_FACTOR

#007
index=* "*Google*" eventtype=okta_log_authentication "authenticationContext.credentialProvider"=GOOGLE

Max Quim

#008  speechless
index=*  eventtype=okta_log_authentication |table actor.alternateId  a
|eval a=3914/17

230

Hints
Use the MFA dashboard found in the Okta Identity Cloud Add On for Splunk.

Average authenticators per user
[Figure 2] (a dashboard panel showing AVERAGE AUTHENTICATORS PER USER : 4)

4

#009 Max Quim works mostly out of Salt Lake City, Utah but his mobile phone number is attributed to what US state?
Answer guidance: Provide the full name of the state.

index=* "Max" client.geographicalContext.city="*salt*"
309 events

Stuck for quite a while
Hints
The Mobile number can be found in the target{}.alternateId field.

Searching for num returned nothing
Searching for "*phone*" returned 33 events
Or write a regex for US phone numbers

\d{3}[-.]?\d{3}[-.]?\d{4}

index=* "Max" client.geographicalContext.city="*salt*" | rex field=_raw ".?(?P<ddd>\d{3}[-.]?\d{3}[-.]?\d{4}\b)." |stats count by ddd
9 events
Clicking into one of the events shows MobilePhone and alternateId fields

+1 is the country code
Refined regex
index=* "Max" client.geographicalContext.city="*salt*" | rex field=_raw ".?(?P<ddd>1\d{3}[-.]?\d{3}[-.]?\d{4}\b)."|stats count by ddd

11260035284    3
13035551135    6
13039561135    3
Area code (3 digits)
Asked GPT about each in turn:
1260035284: cannot directly determine its region
+13035551135 is a phone number in the US state of Colorado
Colorado

#010  stuck

index=* "Josef" "*provision*"    targetAppAlternateId="Google Workspace"

suspiciousActivityTimestamp

#011 ?
Hints
Okta's identity lifecycle management Event Types all start with "application.provision."

index=* "*provision*"     eventType="application.provision.user.deprovision" |stats count by src_user
maria@coffeecase.biz    2
rashmi@coffeecase.biz

index=* "*provision*"     eventType="application.provision.user.deprovision"  |table src_user actor.displayName target{}.displayName

rashmi@coffeecase.biz    Rashmi Amarjeet    
unknown
Josef Walters
maria@coffeecase.biz    Maria Otavia    
unknown
James Brodsky

index=* "*provision*"     eventType="application.provision.user.deprovision"  |table src_user actor.displayName target{}.displayName|stats count by target{}.detailEntry.appUsername

Answer: Luciana Regla

#012 
A potential adversary tries to
log in as kelechi@coffeecase.biz and is denied access to Coffeecase's Okta tenant due to a country block policy. What operating system was this adversary using when they were blocked?

Hints
Okta evaluates sign on policies in the Event Type "policy.evaluate_sign_on"

index=* "*kelechi*" "target{}.displayName"="Kelechi Adwoa" "os"|stats count by client.userAgent.os
Windows 10    87
Mac OS X    28
Unknown mobile    17
Unknown    12

index=* "*kelechi*" "target{}.displayName"="Kelechi Adwoa" "os" |table displayMessage client.userAgent.os |dedup client.userAgent.os
 User report suspicious activity    Mac OS X
Authentication of user via MFA    Unknown mobile

User single sign on to app    Windows 10
Received SMS status update    Unknown

Answered Mac OS X: wrong
Answered Windows 10: correct

#013
index=* "*report*" eventType="user.account.report_suspicious_activity_by_enduser"  |stats count by src_ip
66.215.49.9    3
68.194.182.26    1

Both IPs were wrong  -20

There is a specific event that is logged when a user reports suspicious activity.

#014 error

index=* debugContext.debugData.risk="*Anomalous Location*"   displayMessage IN ("User login to Okta","Verify user identity") action=success|stats  values(client.geographicalContext.country) as con values(debugContext.debugData.risk) as debug count by src_user

alexei@coffeecase.biz    India    {reasons=Anomalous Location, Anomalous Device, level=HIGH}    3
haruki@coffeecase.biz    
Japan
United States
{reasons=Anomalous Device, Anomalous Location, level=HIGH}
{reasons=Anomalous Location, Anomalous Device, Anonymizing Proxy, level=HIGH}
9
josef@coffeecase.biz    India    {reasons=Anomalous Device, Anomalous Location, level=HIGH}    3
max@coffeecase.biz    
Ireland
Malta
Morocco
Switzerland
United States
{reasons=Anomalous Device, Anomalous Location, level=HIGH}
{reasons=Anomalous Location, Anomalous Device, level=HIGH}
{reasons=Anomalous Location, level=LOW}
{reasons=Anomalous Location, level=MEDIUM}
22

Four users; didn't know which to pick

Kele..,max

Hints
Session cookie hijacking can be detected by looking for multiple useragents, autonomous system numbers, autonomous system orgs, ip addresses, that are all part of the same
externalSessionId.

index=* debugContext.debugData.risk="*Anomalous Location*"   displayMessage IN ("User login to Okta","Verify user identity") action=success |stats  values(client.geographicalContext.country) as con values(debugContext.debugData.risk) as debug values(client.userAgent.rawUserAgent) as ua values(src_ip) as ip count by src_user

Still didn't know

index=* debugContext.debugData.risk="*Anomalous Location*" authenticationContext.externalSessionId=* displayMessage IN ("User login to Okta","Verify user identity") action=success

index=* debugContext.debugData.risk="*Anomalous Location*" authenticationContext.externalSessionId=*  action=success|stats values(client.ipAddress) as ip_list count ```dc(client.ipAddress) as ip_count``` values(src_user) as src_user by authenticationContext.externalSessionId 
| where mvcount(ip_list)>1

kelechi,max
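As an added example (not part of the original notes), here is the hint's detection logic in Python rather than SPL: group successful events by authenticationContext.externalSessionId and flag any session whose events disagree on client IP, autonomous system number, or user agent. The events below are constructed in the shape of Okta System Log records with documentation IP ranges and private-use ASNs; the session ids are made up.

```python
from collections import defaultdict


def _dig(event, path):
    """Fetch a dotted path such as client.ipAddress from a nested Okta event."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _mk(user, sid, ip, ua, asn, result="SUCCESS"):
    """Build a minimal event in the layout of an Okta System Log record (constructed)."""
    return {
        "actor": {"alternateId": user},
        "authenticationContext": {"externalSessionId": sid},
        "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
        "securityContext": {"asNumber": asn},
        "outcome": {"result": result},
    }


# Constructed events, not the BOTS Okta data: two sessions that change IP/ASN
# mid-session, one stable session, and one session made of failures only.
EVENTS = [
    _mk("max@coffeecase.biz", "102max", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)", 64496),
    _mk("max@coffeecase.biz", "102max", "198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64)", 64500),
    _mk("kelechi@coffeecase.biz", "102kel", "203.0.113.22", "Mozilla/5.0 (Macintosh)", 64496),
    _mk("kelechi@coffeecase.biz", "102kel", "192.0.2.9", "Mozilla/5.0 (Macintosh)", 64501),
    _mk("haruki@coffeecase.biz", "102har", "203.0.113.30", "Mozilla/5.0 (iPhone)", 64496),
    _mk("haruki@coffeecase.biz", "102har", "203.0.113.30", "Mozilla/5.0 (iPhone)", 64496),
    _mk("alexei@coffeecase.biz", "102ale", "198.51.100.50", "Mozilla/5.0 (Windows NT 10.0)", 64500, "FAILURE"),
    _mk("alexei@coffeecase.biz", "102ale", "203.0.113.77", "Mozilla/5.0 (Windows NT 10.0)", 64496, "FAILURE"),
]

# Attributes that should stay constant for the lifetime of one session cookie.
TRACKED = {
    "ips": "client.ipAddress",
    "asns": "securityContext.asNumber",
    "uas": "client.userAgent.rawUserAgent",
}


def find_hijacked_sessions(events):
    """Return {externalSessionId: {"users": [...], "reasons": [...]}} for sessions whose
    successful events disagree on any tracked attribute (the hint's hijack heuristic)."""
    per_session = defaultdict(lambda: {"users": set(), **{k: set() for k in TRACKED}})
    for ev in events:
        sid = _dig(ev, "authenticationContext.externalSessionId")
        if not sid or _dig(ev, "outcome.result") != "SUCCESS":
            continue  # failed attempts never got a session, so they cannot be hijacked
        s = per_session[sid]
        s["users"].add(_dig(ev, "actor.alternateId"))
        for name, path in TRACKED.items():
            val = _dig(ev, path)
            if val is not None:
                s[name].add(val)
    flagged = {}
    for sid, s in per_session.items():
        reasons = [k for k in TRACKED if len(s[k]) > 1]
        if reasons:
            flagged[sid] = {"users": sorted(s["users"]), "reasons": reasons}
    return flagged


def suspicious_users(events):
    """Short user names of accounts with at least one flagged session, sorted."""
    users = {u for s in find_hijacked_sessions(events).values() for u in s["users"]}
    return sorted(u.split("@")[0] for u in users)
```

This is the `stats values(...) by externalSessionId | where mvcount(ip_list)>1` search expressed in code; the ASN check is what separates a genuine roaming user on one carrier from a cookie replayed from a different network.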

#015 
From what likely city and country is a brute-force attack attempted on one of Coffeecase’s employees, from a known anonymizing proxy IP address?
Answer guidance: Provide the city and country, comma separated. I
gnore any special characters.

index=* "*Anonymizing Proxy*" "outcome.reason"!=INVALID_CREDENTIALS  |stats values(client.geographicalContext.city) as city values(client.geographicalContext.country) as con values(src_ip) as ip values(debugContext.debugData.risk) as risk count by src_user

bridget@coffeecase.biz São Paulo Brazil 188.241.177.181 {reasons=Anomalous Device, Anomalous Location, Anonymizing Proxy, level=HIGH} 21
    haruki@coffeecase.biz Tokyo Japan 156.146.34.63 {reasons=Anomalous Location, Anomalous Device, Anonymizing Proxy, level=HIGH} 15
    kelechi@coffeecase.biz São Paulo Brazil 
    188.241.177.181
    188.241.177.55
    {reasons=Anomalous Location, Anonymizing Proxy, level=HIGH} 21
    max@coffeecase.biz São Paulo Brazil 
    188.241.177.254
    188.241.177.55
    {reasons=Anomalous Location, Anonymizing Proxy, level=HIGH} 69

Tried both locations; both were wrong

Hints
Use an event that displays "Max sign in attempts exceeded."

index=* "Max sign in attempts exceeded" "*Anonymizing Proxy*" |table outcome.reason client.geographicalContext.city client.geographicalContext.country src_ip

Surprisingly, the reason is LOCKED_OUT in every case

LOCKED_OUT    São Paulo    Brazil    188.241.177.181

First answered São Paulo, which was wrong; then changed it to Sao Paulo

#016 difficult
Hints
The "policy.evaluate_sign_on" event is fired with a reason that includes "DENIED" when a device does not pass an unmanaged check.

index=* "*policy*" eventType="policy.evaluate_sign_on" "outcome.reason"="Sign-on policy evaluation resulted in DENIED"

34 events
target{}.displayName

Block Brazil 11 52.381% 
Okta Dashboard 11 52.381% 
 Salesforce.com 10 47.619% 
 Catch-all Rule 6 28.571% 
 W97JTQJXHM 6 28.571% 
  Denied Due To Device Check - Screen Lock 4 19.048% 
  SURFACE6 4 19.048%

Denied Due To Device Check - Screen Lock

Would never have thought that the target{}.displayName field is the key holding the policy value

#017 error

Hints
Operating system details in ASA logs are found in fields that begin with "details.server."

index=* "*access*" "*mana*" "client.userAgent.os"=Linux |table _time
index=* "*access*"  sourcetype=OktaASA login linux  
index=* "*access*"  sourcetype=OktaASA login linux index=*

19:41:12

#018 error

index=* "*asa*" "target{}.displayName"="Okta Advanced Server Access" "client.userAgent.os"="Windows 10" |stats count by client.ipAddress

66.215.49.9

index=* "*access*"  sourcetype=OktaASA  windows
13.57.38.234

#019
The field target{}.displayName will contain the answer. Also, look at events that evaluate sign on policy.

index=* "*Atlassian*" "target{}.displayName"="Atlassian Cloud" eventType="policy.evaluate_sign_on" |table target{}.displayName

Atlassian Sales/Marketing Tool Policy


0x04 Corelight  

(113 and 122: taken from the answer key; 119: a blind guess)


#101
index=corelight "tag::eventtype"=attack
47

Or search index="corelight" "*signature*"

#102
10.0.0.31

#103
Win32/Trickbot  error
Trickbot  

#104
CAoNRI62m9CRqS0R2

#105
103.16.104.83

#106
Http

#107
index="corelight"  uid=CAoNRI62m9CRqS0R2 sourcetype=corelight_notice

https://attack.mitre.org/software/S0266/

S0266

#108
index="corelight" sourcetype=corelight_http http_method=POST 

Hints (-10)
The UID will allow you to go from Suricata alerts to HTTP logs, where User-Agent strings are logged.

index="corelight" alert.signature=*  "alert.signature"="ET MALWARE Win32/Trickbot Data Exfiltration" |table uid

CAoNRI62m9CRqS0R2   
CAxYSR26jP6LeD4z1e

index="corelight" alert.signature=* |dedup alert.signature |table alert.signature

CAoNRI62m9CRqS0R2   Ghost
CAxYSR26jP6LeD4z1e    Ghost

#109
What is a process name that is repeated within the POST body of these HTTP requests?

index="corelight"  "alert.signature"="ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration"

CAoNRI62m9CRqS0R2   
CAxYSR26jP6LeD4z1e

index="corelight"  uid=CAoNRI62m9CRqS0R2 OR uid=CAxYSR26jP6LeD4z1e post_body=*

[System Process] System Registry smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe svchost.exe svchost.exe fontdrvhost.exe fontdrvhost.exe svchost.exe svchost…

填csrss.exe error
svchost.exe

#110
nessus

#111

CAoNRI62m9CRqS0R2   Ghost
CAxYSR26jP6LeD4z1e    Ghost

Hints (-10)
ASUS WRT is the victim identifier in the alerts.

ChGTlJ1zd2PRktosx5

0

#112   (via the dashboard?)
09/24/2021
index="corelight" sourcetype=corelight_ssh

Find the ja3 hash on the SSH dashboard
Exclude the external IPs; what remains are internal IPs
index="corelight" sourcetype=corelight_ssh  hassh=ae8bd7dd09970555aa4c6ed22adbbf56

10.0.0.72

#113
1/12 error
Hints (-30)
PCR is calculated as part of the conn log

PCR - A Flow Metric for the Producer/Consumer Relationship

PCR = (SrcApplicationBytes - DstApplicationBytes) / (SrcApplicationBytes + DstApplicationBytes)

index="corelight" sourcetype=corelight_conn dest_ip IN( 
10.0.0.72)|table bytes_in bytes_out | appendpipe [stats sum(bytes_in) as a]| appendpipe [stats sum(bytes_out) as b]

128098172
306097

127,792,075

128,404,269

0.99523   error

10.0.0.45
10.0.0.41
10.0.0.50
10.0.0.90
10.0.0.13
10.0.0.1
10.0.0.91
10.0.0.72
10.0.0.70
10.0.0.31
171.103.187.218

index="corelight" sourcetype=corelight_conn dest_ip IN( 10.0.0.71,
10.0.0.45,
10.0.0.41,
10.0.0.50,
10.0.0.90,
10.0.0.13,
10.0.0.1,
10.0.0.91,
10.0.0.72,
10.0.0.70,
10.0.0.31,
171.103.187.218) |table bytes_in bytes_out c d| appendpipe [stats sum(bytes_in) as a]| appendpipe [stats sum(bytes_out) as b]

129202516    128829377
|stats count| eval a=129202516,    b=128829377|eval c=a-b,d=a+b,e=c/d
0.00145  error

index="corelight" sourcetype=corelight_ssh  hassh=ae8bd7dd09970555aa4c6ed22adbbf56 dest="10.0.0.72"|table uid
index="corelight" sourcetype=corelight_conn uid=CLn5mqsd7SVfTn10g

Answer: -0.99593
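As an added example (not part of the original notes), the Python below computes PCR the way the #113 answer key expects: from the orig_bytes/resp_bytes of one conn entry, rather than from bytes_in/bytes_out summed over every connection to the destination as the attempts above did. The conn records are constructed: the byte counts of "CONN-DOWNLOAD" were chosen so the ratio rounds to the -0.99593 recorded above, and "CONN-UPLOAD" reuses the orig_bytes/resp_bytes listed under #121 for the second SSH connection; the uids are placeholders.

```python
# Constructed Zeek/Corelight conn.log-style records (not the BOTS data).
CONN_RECORDS = [
    {"uid": "CONN-DOWNLOAD", "id.orig_h": "10.0.0.31", "id.resp_h": "10.0.0.72",
     "orig_bytes": 2000, "resp_bytes": 980000},        # chosen to round to -0.99593
    {"uid": "CONN-UPLOAD", "id.orig_h": "10.0.0.31", "id.resp_h": "171.103.187.218",
     "orig_bytes": 128105745, "resp_bytes": 307753},   # byte counts from the #121 notes
    {"uid": "CONN-EMPTY", "id.orig_h": "10.0.0.31", "id.resp_h": "10.0.0.1",
     "orig_bytes": 0, "resp_bytes": 0},                # handshake only, no payload
]


def pcr(orig_bytes, resp_bytes):
    """Producer/Consumer Ratio over application-layer bytes (IP/TCP headers excluded,
    which is what Zeek's orig_bytes/resp_bytes hold). +1 = pure producer (pushing data
    out), -1 = pure consumer (pulling data in). None when nothing was exchanged, since the
    formula would divide by zero."""
    total = orig_bytes + resp_bytes
    if total == 0:
        return None
    return (orig_bytes - resp_bytes) / total


def pcr_for_uid(records, uid):
    """PCR of a single session identified by its conn uid."""
    for r in records:
        if r["uid"] == uid:
            return pcr(r["orig_bytes"], r["resp_bytes"])
    raise KeyError(uid)


def classify(value):
    """Coarse label from the sign and magnitude of the ratio."""
    if value is None:
        return "no payload"
    if value <= -0.9:
        return "consumer (download-like)"
    if value >= 0.9:
        return "producer (upload-like)"
    return "balanced"
```

The sign carries the story: the session to 10.0.0.72 is almost pure consumption (the host pulled something down, matching the inference code noted in #114), while the later connection in #121 is almost pure production, i.e. the host pushed roughly 128 MB out.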

#114 blind guess
Examining the inferences section of the SSH log associated with that session, one code indicates a behavior that explains the PCR we just observed. Which code is it?

index="corelight" sourcetype=corelight_ssh
inferences{}

Lfd   (file download)

#115
index="corelight" 10.0.0.72 sourcetype=corelight_http

Sqli error
sql injection

#116
Username

#117
200

#118
no

#119 blind guess
Returning to SSH connections made by our infected host, we see a second one being made to a country the organization has no business relationship with. What country is that connection going to?


Via the SSH dashboard
Thailand

#120
index="corelight" 171.103.187.218 sourcetype=corelight_ssh

1c:6e:58:a2:57:98:33:f4:53:e8:63:46:df:a2:31:ef

#121 trial and error
How many payload bytes were sent over that connection?

Use the uid from the previous step
index="corelight" uid=CPxHxI3uiHLgH2I196
bytes_in/resp_bytes   307753  error
bytes_out/orig_bytes
 128105745

Hints (-10)
The answer excludes IP header bytes.

#122 stuck
index="corelight" uid=Cf4a6b27DUfJ9M67g4 sourcetype=corelight_ssl

md5WithRSAEncryption error
IETF error
TF error

Hints(-30)
Present in either the subject or issuer field of the SSL logs.
Makers of Widgits!

ET POLICY Signed TLS Certificate with md5WithRSAEncryption
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)

0x05 Scenario 2

#201
whoami.php

#202
What is the IP address that only appears once as the server for the three connections in the previous question?

10.9.18.101(-10)
66.228.32.31

#203
142.4.4.112

#204
What is the domain associated with an X.509 certificate subject that purports to be from London?
Answer guidance: Provide the domain name of the system. Example: splunk.com

CN=example.com,OU=IT Department,O=Global Security,L=London,ST=London,C=GB(-10)

index=ctf x509 sourcetype=corelight_x509 "certificate.subject"="CN=example.com,OU=IT Department,O=Global Security,L=London,ST=London,C=GB"  

example.com

#205
What cipher suite was used with the certificate from the prior question?

index=ctf x509 sourcetype=corelight_x509 "certificate.subject"="CN=example.com,OU=IT Department,O=Global Security,L=London,ST=London,C=GB"

Rsa (-10)
Sha256 (-10)
sha256WithRSAEncryption (-10)

Hints (-10)
A cipher suite includes the protocol, key exchange, authentication, encryption, and hashing algorithm. A cipher suite looks like: `TLS_RSA_WITH_AES_256_GCM_SHA384`

TLS_sha_with_rsa_256_gcm_sha384 (-10)

Hints
Since the cipher suite is negotiated with each SSL connection, you'll find it in the SSL log: `path=ssl`  (-20)

index=ctf path=ssl
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

#206
index=ctf example.com ja3=*
35492f143de0f906215ea3aaf6ee0a74

#207 guessed; didn't try the other one, which might also be right
index=ctf example.com ja3=* ja3=35492f143de0f906215ea3aaf6ee0a74 

Hints
With the domain from question 4, search for `path=ssl example.com` and look at the `ja3s` field

623de93db17d313345d7ea481e7443cf    5    71.428%    
f2e1706526fe0692ee36be58110ffc83    2    28.571%

#208
What department does that certificate from question 204 allegedly correspond to?

Hints(-10)
Corelight and Zeek use two logs for SSL connections: x509 and ssl. The x509 log has certificate details, including the Subject details

IT (-10)
IT Department

#209
What is the SHA1 of the most recent X.509 certificate from question 204?

Hints -10
Corelight treats x509 certificates as files, so you'll need to pivot from the x509 log to the files log  (-10)

In the `x509` log, look to the `id` field for file ID, then find the matching entry to the `files` log  (-20)

index=ctf sourcetype=corelight_files attachment_type="application/x-x509-ca-cert"

index=ctf sourcetype="corelight_x509"

Id=FNZ7Z22WzAofFQvsZf  (the most recent one)

F5ad0bcc1ad56cd150725b1c866c30ad92ef21b0  (-10)

index=ctf sourcetype="corelight_files" fuid=FNZ7Z22WzAofFQvsZf

19594b811f9f867db68efabcc7135852e63fd7da

#210
index=ctf uid=CQ7g3p24Fnx2TldSa1 sourcetype=corelight_files
i5pv72yr.exe

#211
index=ctf 104.168.98.206 sourcetype=corelight_files
fdd0480a69d17d33292733668c6fd1dedf453a3c

#212
Archivo 18-09-2019_23119.doc

#213

index=ctf sourcetype="corelight_smtp" |table mailfrom|dedup mailfrom

jobs@hitmail.cc
crogstrike@gchteam.com
bodega@iospa.com
ndelgado@softonic.com.do
sales@securanetworks.net

Hints (-30)

The question is focusing on the sender's email address, so find the "mailfrom" address with a name to group unique senders, then check the domains to see if they resolve (using the tool of your choice, like nslookup or dns.google.com).

gchteam.com

35

#214
index=ctf sourcetype="corelight_dns" 10.9.18.1| appendpipe [ stats sum(duration) as a ]|eval b=a/1605|table a b
0.15239 (-10)

Hints (-30)
The 'rtt' field tells you the "round trip time" of a given DNS request

Search for all DNS log entries, then use Splunk's statistics function to find the average: 'path=dns | stats avg(rtt)'   (-30)

index=ctf sourcetype="corelight_dns" 10.9.18.1  | stats avg(duration)
0.16123

#215
This traffic sample has been reduced to a four minute window, during which we observed unusually high delays on DNS responses. During what minute were DNS responses slowest?
Answer guidance: Provide the integer value. Example: 42

Hints
Use the 'bucket' and 'stats' functions in Splunk to group the 'rtt' fields of the events in one-minute intervals. (-20)

Search for "path=dns | bucket _time span=1m | stats avg(rtt) by _time" and identify the one minute with the highest average value (-30)

index=ctf sourcetype="corelight_dns" 10.9.18.1   rtt=* | bucket _time span=1m  | stats avg(rtt) by _time

_time    avg(rtt)
2021/09/28 18:00:00    0.008589423982437047
2021/09/28 18:01:00    0.18139616357746408

1

index=ctf sourcetype="corelight_dns" 10.9.18.1   rtt=*|stats by _time

2021/09/28 18:00:44.754  - 2021/09/28 18:01:50.848
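As an added example (not part of the original notes), the Python below does what the #214 and #215 searches do over Corelight dns.log-style records: an overall average of rtt, and a per-minute average (`bucket _time span=1m | stats avg(rtt) by _time`) from which the slowest minute is read off. The records are constructed; rtt values are made up and one query is left unanswered to show why `rtt=*` matters.

```python
from collections import defaultdict
from datetime import datetime, timezone


def _ts(s):
    """UTC wall-clock string to the Unix epoch float Zeek writes in the ts field."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


# Constructed dns.log-style records (not the BOTS data); rtt is in seconds.
DNS_RECORDS = [
    {"ts": _ts("2021-09-28 18:00:44"), "query": "a.example", "rtt": 0.005},
    {"ts": _ts("2021-09-28 18:00:51"), "query": "b.example", "rtt": 0.010},
    {"ts": _ts("2021-09-28 18:00:58"), "query": "c.example"},             # never answered: no rtt
    {"ts": _ts("2021-09-28 18:01:05"), "query": "d.example", "rtt": 0.200},
    {"ts": _ts("2021-09-28 18:01:40"), "query": "e.example", "rtt": 0.150},
    {"ts": _ts("2021-09-28 18:02:10"), "query": "f.example", "rtt": 0.020},
    {"ts": _ts("2021-09-28 18:03:30"), "query": "g.example", "rtt": 0.030},
]


def avg_rtt(records):
    """Overall mean rtt over answered queries only (the #214 `stats avg(rtt)`)."""
    rtts = [r["rtt"] for r in records if "rtt" in r]
    return sum(rtts) / len(rtts) if rtts else None


def avg_rtt_by_minute(records, span=60):
    """Mean rtt per time bucket, keyed by the bucket's start epoch (the #215 search).
    Unanswered queries carry no rtt and are skipped, as `rtt=*` does in SPL."""
    buckets = defaultdict(list)
    for r in records:
        if "rtt" not in r:
            continue
        start = int(r["ts"] // span) * span
        buckets[start].append(r["rtt"])
    return {start: sum(v) / len(v) for start, v in sorted(buckets.items())}


def slowest_minute(records):
    """Minute-of-hour (the integer the question asks for) with the highest average rtt."""
    averages = avg_rtt_by_minute(records)
    if not averages:
        return None
    start = max(averages, key=averages.get)
    return datetime.fromtimestamp(start, tz=timezone.utc).minute
```

Bucketing on the epoch rather than on a formatted string keeps the grouping independent of the display time zone, which is the usual source of off-by-one-minute answers when the same data is summarised in two tools.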

#216
index=ctf "WinHTTP sender"
Saw it but didn't look closely
post_body: SKINNER-WIN-PC\willy.skinner|P@ssw0rd$ \x00os passwords

Hints
(-30)
The Corelight HTTP log captures the address the requestor sends, along with the beginning of the POST body.

SKINNER (-10)

SKINNER-WIN-PC

#217
In their copious free time, an analyst reads a blog post about a technique that attackers use to download files from their C2 server. A potential indicator is that the user agent will contain "WinHTTP loader". What is the file size of the payload downloaded using this technique?

index=ctf "WinHTTP loader"

uid=CCu68f1tACrteRwZ6h
uid=CouJIA24iGS1q3KJfh

samerton.png    
tablone.png

index=ctf uid=CCu68f1tACrteRwZ6h  OR uid=CouJIA24iGS1q3KJfh sourcetype=corelight_conn

resp_bytes: 557299  (-10)

Hints (-30)
While the "http" log contains the user agent, you might need to pivot to the files log to determine the file size of what was downloaded.


index=ctf uid=CCu68f1tACrteRwZ6h  OR uid=CouJIA24iGS1q3KJfh sourcetype=corelight_files
(returns 2 results)
557056

(Not sure why the 2 files share one total_bytes value)

#218
e35df3e00ca4ef31d42b34bebaa2f86e

#219
INF 17844.doc

#220

Hints  (-10)
File hashes are stored in the "files" log along with the file unique ID, these fields can be used to pivot to other Corelight logs
fuid

index=ctf FgY7in4PHFNMPdcnC2 sourcetype=corelight_pe
2019-09-18T05:47:11
#221 (ThreatBook)
Emotet

0x06 reference

Sysmon EventCodes to keep in mind:
EventCode 1: Process Creation - records process creation, including the command line, parent process, process ID, and so on.
EventCode 2: File Creation Time Changed - records events where a file's creation time was modified.
EventCode 3: Network Connection - records network connections, including source IP, destination IP, ports, and so on.
EventCode 5: Process Terminated - records process termination, including the exit code, termination time, and so on.
EventCode 6: Driver Loaded - when this event fires, Sysmon records information about the driver being loaded into the Windows kernel.
EventCode 7: Image Loaded - records modules (DLLs) loaded into a process's address space.
EventCode 8: CreateRemoteThread - records threads created in a remote process.
EventCode 11: FileCreate - records file creation, including the file path, creating process, and so on.
EventCode 12: RegistryEvent (Object Create and Delete) - records creation and deletion of registry objects.
EventCode 13: RegistryEvent (Value Set) - records registry value set events.
EventCode 14: RegistryEvent (Key and Value Rename) - records registry key and value rename events.

Those that appear in the first question set:
EventCode    count
1    767
2    1434
3    533001
5    684
6    18
7    168374

0x07 Afterword

Search on the official platform has a limit:
The search you ran exceeded the indexed field extraction limit=‘200’ while it was extracting fields. If the search references a field that is not part of the set of indexed fields that the search annotates to the results that it generates, those results might be incomplete or incorrect. To ensure that all fields are extracted for search, set limits.conf: [kv] / indexed_kv_limit to a number that is higher than the number of fields contained in the files that you index.
