Proj 2x: BOSS OF THE SOC: Identifying Threat Actors (50 pts)

What You Need for this Project

Purpose

To practice threat hunting, using the Boss of the SOC (BOTS) Dataset.

Connecting to My Splunk Server

Go here:

https://splunk.samsclass.info

Log in using these credentials, as shown below.

Once you are logged in, at the top left, click "Search & Reporting", as shown below.

The "Search" page opens, as shown below.


Exploring the BOTS Data

Sampling the Data

Do these steps: The search finishes within a few seconds, and finds approximately 9,452 results, as shown below. (The number varies because the sampling is random.)

There are actually 100x as many events, but we are only looking at 1% of them for now.

Viewing Sourcetypes

On the lower left, in the "SELECTED FIELDS" list, click the blue sourcetype link.

A "sourcetype" box pops up, showing the "Top 10 Values" of this field, as shown below.

Viewing Suricata Events

In the "sourcetype" box, in the "Top 10 Values" list, click suricata as shown in the image above.

Splunk adds sourcetype="suricata" to the search and finds approximately 1,250 results, as shown below. (The number varies because the sampling is random.)

Scroll down and look on the left side for the "INTERESTING FIELDS" list. Click event_type to see a list of values, as shown below.

The event types are self-explanatory, but you can read about them here if you want to.


Challenges

Find these items. Use the forms below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

2x_1: Staging Server IP (10 pts)

In the previous project, you found the staging server domain name (used to host the defacement file). Find that server's IP address.

HINT: Search for DNS events in Suricata containing the target FQDN.


2x_2: Leetspeak Domain (10 pts)

Use a search engine (outside Splunk) to find other domains on the staging server. Search for that IP address. Find a domain with a name in Leetspeak (like "1337sp33k.com").

2x_3: Brute Force Attack (15 pts)

Find the IP address performing a brute force attack against "imreallynotbatman.com".

HINT: Find the 15,570 HTTP events using the POST method. Exclude the events from the vulnerability scanner. Examine the form_data of the remaining 441 events.


2x_4: Uploaded Executable File Name (15 pts)

Find the name of the executable file the attacker uploaded to the server.

HINT: Find the 15,570 HTTP events using the POST method. Exclude the events from the vulnerability scanner. Search for common Windows executable filename extensions.

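The same two hunts (2x_1: which IP a DNS answer gave for the staging FQDN; 2x_3: which source IP sent the most POSTs once scanner traffic is excluded) can be run outside Splunk against raw Suricata EVE JSON. This is an added example, not part of the project page or the BOTS dataset; the event lines, IPs, the staging hostname and the scanner user-agent string are constructed placeholders, and the DNS records use the older flat EVE layout (rrname/rrtype/rdata on the answer event).

```python
import json
from collections import Counter

# Constructed Suricata EVE-style JSON lines (NOT from the BOTS dataset). All IPs, the
# staging hostname and the scanner user agent are placeholders; only imreallynotbatman.com
# comes from the project text.
SCANNER_UA = "placeholder-vuln-scanner/1.0"  # assumed signature of the vulnerability scanner
SAMPLE_EVE = """
{"event_type":"dns","src_ip":"192.0.2.10","dest_ip":"192.0.2.53","dns":{"type":"query","rrname":"staging.example.net","rrtype":"A"}}
{"event_type":"dns","src_ip":"192.0.2.53","dest_ip":"192.0.2.10","dns":{"type":"answer","rrname":"staging.example.net","rrtype":"A","rdata":"198.51.100.7"}}
{"event_type":"dns","src_ip":"192.0.2.53","dest_ip":"192.0.2.10","dns":{"type":"answer","rrname":"www.example.org","rrtype":"A","rdata":"203.0.113.9"}}
{"event_type":"http","src_ip":"203.0.113.50","dest_ip":"192.0.2.80","http":{"hostname":"imreallynotbatman.com","url":"/admin/login","http_method":"POST","http_user_agent":"placeholder-vuln-scanner/1.0"}}
{"event_type":"http","src_ip":"203.0.113.50","dest_ip":"192.0.2.80","http":{"hostname":"imreallynotbatman.com","url":"/admin/login","http_method":"POST","http_user_agent":"placeholder-vuln-scanner/1.0"}}
{"event_type":"http","src_ip":"198.51.100.200","dest_ip":"192.0.2.80","http":{"hostname":"imreallynotbatman.com","url":"/admin/login","http_method":"POST","http_user_agent":"Mozilla/5.0"}}
{"event_type":"http","src_ip":"198.51.100.200","dest_ip":"192.0.2.80","http":{"hostname":"imreallynotbatman.com","url":"/admin/login","http_method":"POST","http_user_agent":"Mozilla/5.0"}}
{"event_type":"http","src_ip":"198.51.100.200","dest_ip":"192.0.2.80","http":{"hostname":"imreallynotbatman.com","url":"/admin/login","http_method":"POST","http_user_agent":"Mozilla/5.0"}}
{"event_type":"http","src_ip":"192.0.2.77","dest_ip":"192.0.2.80","http":{"hostname":"imreallynotbatman.com","url":"/","http_method":"GET","http_user_agent":"Mozilla/5.0"}}
"""


def parse_eve(text):
    """Parse one JSON event per line, skipping blank lines (EVE is newline-delimited JSON)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def dns_answers_for(events, fqdn):
    """2x_1 hunt: A-record answers Suricata saw for fqdn, i.e. the IPs the name resolved to."""
    dns = (e["dns"] for e in events if e.get("event_type") == "dns")
    return sorted({d["rdata"] for d in dns
                   if d.get("type") == "answer" and d.get("rrname") == fqdn
                   and d.get("rrtype") == "A"})


def post_sources(events, host, exclude_user_agent):
    """2x_3 hunt: POST count per src_ip against host, with the scanner's traffic removed.
    Returns [(src_ip, count), ...] ordered by count, so the top entry is the brute-force candidate."""
    counts = Counter()
    for e in events:
        if e.get("event_type") != "http":
            continue
        h = e["http"]
        if h.get("http_method") != "POST" or h.get("hostname") != host:
            continue
        if h.get("http_user_agent") == exclude_user_agent:  # filter the vulnerability scanner
            continue
        counts[e["src_ip"]] += 1
    return counts.most_common()


if __name__ == "__main__":
    evts = parse_eve(SAMPLE_EVE)
    print("staging server IPs:", dns_answers_for(evts, "staging.example.net"))
    print("POST sources (scanner excluded):", post_sources(evts, "imreallynotbatman.com", SCANNER_UA))
```

To run it against a real capture, replace SAMPLE_EVE with the contents of Suricata's eve.json (or the dataset's suricata events exported as JSON) and keep the scanner filter in whatever form identifies that tool in your data.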

Posted 2-11-19