Purple Team 4: Analyzing a Ransomware Attack with Splunk

What You Need for this Project

Purpose

To practice threat hunting, using the Boss of the SOC (BOTS) Dataset.

Connecting to My Splunk Server

Go here: https://splunk.samsclass.info or here: https://splunk2.samsclass.info

Log in as student1 with a password of student1

The Splunk main page opens, as shown below.

At the top left, click "Search & Reporting".

The "Search" page opens, as shown below.


Challenges

4.1: IP Address (5 pts)

What was the most likely IP address of we8105desk on 24AUG2016?

Hints:

4.2: Signature (5 pts)

Amongst the Suricata signatures that detected the Cerber malware, which one alerted the fewest number of times? Submit ONLY the signature ID value as the answer. (No punctuation, just 7 integers.)

Hints:

4.3: FQDN (15 pts)

What fully qualified domain name (FQDN) does the Cerber ransomware attempt to direct the user to at the end of its encryption phase?

Hints:

4.4: Suspicious Domain (15 pts)

What was the first suspicious domain visited by we8105desk on 24AUG2016?

Hints:

4.5: VB Script (15 pts)

During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is name of the first function defined in the VB script?

Hints:

4.6: VB Script (15 pts)

During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of the value of this field?

Hint:

4.7: USB key (15 pts)

What is the name of the USB key inserted by Bob Smith?

Hints:

4.8: Server Name (5 pts)

Bob Smith's workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the domain name of the file server?

Hints:

4.9: IP Address (15 pts)

Bob Smith's workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?

Hints:

4.10: PDFs (20 pts)

How many distinct PDFs did the ransomware encrypt on the remote file server?

Hints:

4.11: Process ID (15 pts)

The VBscript found above launches 121214.tmp. What is the ParentProcessId of this initial launch?

Hints:

4.12: Text Files (15 pts)

The Cerber ransomware encrypts files located in Bob Smith's Windows profile. How many .txt files does it encrypt?

Hints:

4.13: File Name (15 pts)

The malware downloads a file that contains the Cerber ransomware cryptor code. What is the name of that file?

Hints:

4.14: Obfuscation (10 pts)

Now that you know the name of the ransomware's encryptor file, what obfuscation technique does it likely use?

Hints:


Posted 4-27-19 3:41 pm
Scoring engine removed for WCIL 5-20-19