So the journey continues ahead of BOTS EMEA tomorrow…
211. How many cryptocurrency mining destinations are visited by Frothly endpoints?
index=botsv3 earliest=0 *coinhive*
Looking at the results, we see there are 6 distinct destinations:
A: 6
212. Using Splunk’s event order functions, what is the first seen signature ID of the coin miner threat according to Frothly’s Symantec Endpoint Protection (SEP) data?
Straightforward:
index=botsv3 earliest=0 (*coin* OR *monero*) sourcetype="symantec:ep:security:file"
| reverse
Look for ‘CIDS_Signature_id’
A: 30358
213. According to Symantec’s website, what is the severity of this specific coin miner threat?
Checking the event severity with the search from 212 returns Major, which is not the right answer. Through a quick gander on Google, it was found as…
A: Medium
214. What is the short hostname of the only Frothly endpoint to show evidence of defeating the cryptocurrency threat? (Example: ahamilton instead of ahamilton.mycompany.com)
Using the same sourcetype as before ‘symantec:ep:security:file’
index=botsv3 earliest=0 (*coin* OR *monero*) sourcetype="symantec:ep:security:file"
Looking at the values of ‘action’, we see one event marked ‘blocked’.
From here, filter on it:
index=botsv3 earliest=0 (*coin* OR *monero*) sourcetype="symantec:ep:security:file" action=blocked
Check the hostname and…
A: BTUN-L
215. What is the FQDN of the endpoint that is running a different Windows operating system edition than the others?
A list of source types that show the OS is here. We can see syslog and winhostmon are both good, so go with a wildcard search:
index=botsv3 sourcetype=winhostmon *windows*
| stats values(host) by OS
And we have: BSTOLL-L.
But they want the FQDN, so…
A: BSTOLL-L.froth.ly
216. According to the Cisco NVM flow logs, for how many seconds does the endpoint generate Monero cryptocurrency? Answer guidance: Round to the nearest second without the unit of measure.
Looking through sources, we find ‘cisconvmflowdata’ as a log type.
Refining the search:
index=botsv3 source=cisconvmflowdata *coinhive*
We have 6 results. The JS miner has hit a subdomain, hence the match comes from the ‘dh’ field. Googling a way of calculating the time between the first and last log was helpful here:
index=botsv3 source=cisconvmflowdata *coinhive* | stats max(_time) as maxtime min(_time) as mintime | eval difference=maxtime-mintime
A: 1652 (Note: not the answer in the Splunk solutions, but I beg to differ)
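The calculation the search above performs, as an added example rather than anything from the original post or the BOTSv3 dataset: a constructed handful of Cisco NVM flow records is filtered the way the free-text `*coinhive*` term does (any field containing the term), and the span between the earliest and latest `_time` is taken, rounded to the nearest second. The record values, the `sa` field and the mix of epoch and ISO timestamps are assumptions made for the sample.

```python
from datetime import datetime

# Constructed sample of Cisco NVM flow records (not real BOTSv3 data).
# Field names follow the post: 'dh' is the destination hostname the JS miner
# contacted; '_time' is Splunk's event time, here as epoch seconds or ISO 8601
# to show that both forms are handled.
SAMPLE_FLOWS = [
    {"_time": 1534876000, "dh": "ws.coinhive.com", "sa": "10.0.2.14"},
    {"_time": 1534876320, "dh": "ws.coinhive.com", "sa": "10.0.2.14"},
    {"_time": "2018-08-21T18:36:40+00:00", "dh": "ws.coinhive.com", "sa": "10.0.2.14"},
    {"_time": 1534877000, "dh": "coinhive.com", "sa": "10.0.2.14"},
    {"_time": 1534877500, "dh": "ws.coinhive.com", "sa": "10.0.2.14"},
    {"_time": 1534877652, "dh": "ws.coinhive.com", "sa": "10.0.2.14"},
    {"_time": 1534877700, "dh": "www.froth.ly", "sa": "10.0.2.14"},  # unrelated flow, must drop out
]


def to_epoch(value):
    """Normalise _time to float epoch seconds (Splunk stores epoch; exports often carry ISO 8601)."""
    if isinstance(value, (int, float)):
        return float(value)
    return datetime.fromisoformat(value).timestamp()


def coinhive_flows(events, needle="coinhive"):
    """Equivalent of `source=cisconvmflowdata *coinhive*`: keep records where any
    field value contains the term, case-insensitively, as the free-text search does."""
    return [e for e in events if any(needle in str(v).lower() for v in e.values())]


def mining_duration_seconds(events):
    """Equivalent of `stats max(_time) as maxtime min(_time) as mintime
    | eval difference=maxtime-mintime`, rounded to the nearest second.
    Returns None when nothing matched, rather than a misleading 0."""
    times = [to_epoch(e["_time"]) for e in events]
    if not times:
        return None
    return round(max(times) - min(times))


if __name__ == "__main__":
    matched = coinhive_flows(SAMPLE_FLOWS)
    print(len(matched), "matching flows;", mining_duration_seconds(matched), "seconds")
```

One caveat worth keeping in mind when comparing against the official answer: `max(_time) - min(_time)` is the wall-clock span between the first and last matching event, not the summed duration of the individual flows, so the two approaches can legitimately disagree.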
217. What kind of Splunk visualization was in the first file attachment that Bud emails to Frothly employees to illustrate the coin miner issue? Answer guidance: Two words. (Example: choropleth map)
Searching for mail logs, also noting bstoll was compromised:
index=botsv3 *bstoll*
| search sourcetype=*mail* OR sourcetype=*o365* OR sourcetype=*POP3* OR sourcetype=*SMTP*
We have one result. This indicates the attachment was a malware alert text associated with a subject ‘Draft financial Plan for Brewery FY2019’.
Conscious that brewertalk had been compromised, and looking at attachments:
index=botsv3 *bstoll* | search sourcetype=*mail* OR sourcetype=*o365* OR sourcetype=*POP3* OR sourcetype=*SMTP* *brewertalk* "attach_filename{}"="*"
Sifting through these, one of the images shows a base64-encoded message indicating Bud messed up and that they found the coin miner. In the previous event, he mentions looking at the ‘Splunk chart below’. Hazarding a guess, I put…
A: Column chart.
218. What IAM user access key generates the most distinct errors when attempting to access IAM resources?
Going back now to the CloudTrail logs. Sifting through the user types we find ‘IAMUser’. The access key ID field is userIdentity.accessKeyId:
index=botsv3 *error* sourcetype="aws:cloudtrail" user_type=IAMUser eventSource="iam.amazonaws.com" | stats dc(errorMessage) by userIdentity.accessKeyId | sort -dc(errorMessage)
This returns the userIdentity.accessKeyId with the most distinct errorMessage values as:
A: AKIAJOGCDXJ5NW5PXUPA
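The same distinct-count-by-key logic outside Splunk, as an added example that is not part of the original post: a few constructed CloudTrail records (JSON as the `aws:cloudtrail` sourcetype ingests it) are filtered to IAM-user calls against the IAM service that failed, then the distinct `errorMessage` values are counted per `userIdentity.accessKeyId` and sorted descending, mirroring `stats dc(...) | sort -dc(...)`. The records, the `AKIACONSTRUCTED...`/`ASIACONSTRUCTED...` key IDs and the error texts are assumptions; `AKIAIOSFODNN7EXAMPLE` is the AWS documentation example quoted in question 220.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records, not real BOTSv3 events. The page's search uses the
# CIM field user_type, which Splunk maps from userIdentity.type in the raw record.
SAMPLE_CLOUDTRAIL = [json.dumps(r) for r in [
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized to perform: iam:ListUsers"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized to perform: iam:CreateUser"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",   # repeated message: dc() counts it once
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized to perform: iam:CreateUser"},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetUser",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "errorCode": "NoSuchEntity", "errorMessage": "The user with name alice cannot be found."},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListRoles",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIACONSTRUCTED00002"},
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized to perform: iam:ListRoles"},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListRoles",    # success: no error fields at all
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIACONSTRUCTED00002"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",  # wrong eventSource
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIACONSTRUCTED00002"},
     "errorCode": "AccessDenied", "errorMessage": "not authorized"},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",    # wrong user type
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIACONSTRUCTED00003"},
     "errorCode": "AccessDenied", "errorMessage": "not authorized"},
]]


def distinct_errors_by_access_key(raw_events):
    """Equivalent of the page's search: keep IAMUser calls to iam.amazonaws.com that
    carry an error, then `stats dc(errorMessage) by userIdentity.accessKeyId
    | sort -dc(errorMessage)`. Returns [(accessKeyId, distinct_error_count), ...]
    in descending order; ties break on the key ID so the output is deterministic."""
    seen = defaultdict(set)
    for raw in raw_events:
        ev = json.loads(raw)
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "IAMUser" or ev.get("eventSource") != "iam.amazonaws.com":
            continue
        msg = ev.get("errorMessage")
        if not msg:  # the *error* term only matches events that actually failed
            continue
        seen[ident.get("accessKeyId", "<none>")].add(msg)
    return sorted(((k, len(v)) for k, v in seen.items()), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for key_id, count in distinct_errors_by_access_key(SAMPLE_CLOUDTRAIL):
        print(f"{key_id}\t{count}")
```

A high distinct-error count on one access key is the signal here: a key probing many different IAM actions and being refused each time looks like enumeration with stolen credentials, which is exactly the picture the next two questions fill in.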
219. Bud accidentally commits AWS access keys to an external code repository. Shortly after, he receives a notification from AWS that the account had been compromised. What is the support case ID that Amazon opens on his behalf?
As Bud is an insufferable moron and all these questions seem to revolve around him, I’m going to guess he tried to log in (and also because of this article’s help about account compromise in API actions for CloudTrail):
index=botsv3 *error* sourcetype="aws:cloudtrail" errorCode=AccessDenied
I seem to be barking up the wrong tree here, so having looked at the hint, I’m advised to use SMTP.
Searching in here for access keys:
index=botsv3 sourcetype=*SMTP* *access key*
One result, looking at the subject we get a case number!
A: 5244329601
220. AWS access keys consist of two parts: an access key ID (e.g., AKIAIOSFODNN7EXAMPLE) and a secret access key (e.g., wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). What is the secret access key of the key that was leaked to the external code repository?
Looking at the body of text, we see the compromised account as AKIAJOGCDXJ5NW5PXUPA, the same as in our previous question with its error-heavy attempts. We see the source of the account compromise being a GitHub link.
A: Bx8/gTsYC98T0oWiFhpmdROqhELPtXJSR9vFPNGk
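The defender-side counterpart to question 220, added here as an example and not taken from the original post: a small pre-commit style scanner that spots an AWS key pair in text before it reaches an external repository. It uses the key shapes the question states (a 20-character `AKIA...` ID and a 40-character secret) and only reports a secret when a `secret_access_key`-style variable name gives it context, since 40 base64-like characters alone would flag every hash. The sample file content is constructed and uses AWS's documented example pair from the question, not real credentials; the `SECRET_KEY_RE` context keyword and the `BUILD_SHA` line are assumptions.

```python
import re

# Access key IDs: a 4-char prefix (AKIA for long-term keys, ASIA for temporary ones)
# plus 16 upper-case alphanumerics, bounded so a longer token does not match.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys have no distinctive prefix, so require a nearby variable name
# such as AWS_SECRET_ACCESS_KEY / aws_secret_access_key / secret_key before the value.
SECRET_KEY_RE = re.compile(
    r"(?i)secret(?:_access)?_?key\s*[=:]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

# Constructed snippet of a committed config file (not from the dataset). The key pair is
# AWS's documentation example quoted in question 220; the SHA line is a decoy that a
# context-free 40/64-char pattern would wrongly flag.
SAMPLE_COMMIT = """\
# deploy.env (constructed)
AWS_REGION=eu-west-1
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
BUILD_SHA=3f9c0b2a6d4e8f1a0b7c5d2e9f4a1b8c3d6e7f0a1b2c3d4e5f6a7b8c9d0e1f2a
"""


def find_aws_credentials(text):
    """Scan text line by line; return findings as (line_number, kind, value).
    Secrets are masked to their first 4 characters so the finding is safe to log
    or to paste into a ticket, unlike the email body in question 220."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            findings.append((lineno, "secret_access_key", secret[:4] + "*" * (len(secret) - 4)))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in find_aws_credentials(SAMPLE_COMMIT):
        print(f"line {lineno}: {kind} {value}")
```

Run as a pre-commit hook, a non-empty result should block the commit; if a key does slip out, the page's own timeline (AWS notifying the owner, a support case, and a burst of AccessDenied errors on that key ID in CloudTrail) is the detection path to expect.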
In the interest of time, I’ll have to work through the rest of these without posting as there’s a lot to get through in time for the EMEA event.
As always, stay safe!