6. Splunk

Difficulty: 🎄🎄🎄


📜 Info & Hints

Splunk

Access https://splunk.elfu.org/ as elf with password elfsocks.

What was the message for Kent that the adversary embedded in this attack?
The SOC folks at that link will help you along!

For hints on achieving this objective, please visit the Laboratory in Hermey Hall and talk with Prof. Banas.

Chat with Alice Bluebird after solving all training questions


The File Archive contents

You'll find some references to the File Archive contents in Splunk.
Access the raw files or the File Archive link in the navigation.

Starting point

Start with this stoQ event

index=main sourcetype=stoq  "results{}.workers.smtp.from"="bradly buttercups <bradly.buttercups@eifu.org>"
| eval results = spath(_raw, "results{}")
| mvexpand results
| eval path=spath(results, "archivers.filedir.path"), filename=spath(results, "payload_meta.extra_data.filename"), fullpath=path."/".filename
| search fullpath!=""
| table filename,fullpath

The message in the properties of the malicious document.

stoQ puts metadata into the log management platform but it stores the raw artifacts in their entirety in the archive.

Did you know that modern Word documents are (at their core) nothing more than a bunch of .xml files?

Find the message for Kent that the adversary embedded in this attack.


⚡️ Solution

  1. Given the hints this should be easy; our search query will be:

    index=main sourcetype=stoq  "results{}.workers.smtp.from"="bradly buttercups <bradly.buttercups@eifu.org>"
    | eval results = spath(_raw, "results{}")
    | mvexpand results
    | eval path=spath(results, "archivers.filedir.path"), filename=spath(results, "payload_meta.extra_data.filename"), fullpath=path."/".filename
    | search fullpath!=""
    | table filename,fullpath

    This searches for emails from bradly.buttercups@eifu.org, expands the `results{}` array into one event per payload with `mvexpand`, and then extracts every filename and full path from the result using the Splunk `spath` command.


  2. In the result we find the core.xml file mentioned in the hint:

    core.xml    /home/ubuntu/archive/f/f/1/e/a/ff1ea6f13be3faabd0da728f514deb7fe3577cc4/core.xml

  3. Get the file from the server:

    https://elfu-soc.s3.amazonaws.com/stoQ%20Artifacts/home/ubuntu/archive/f/f/1/e/a/ff1ea6f13be3faabd0da728f514deb7fe3577cc4

  4. Open the file in any text editor, and you will find the message:

    <cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <dc:title>Holiday Cheer Assignment</dc:title>
      <dc:subject>19th Century Cheer</dc:subject>
      <dc:creator>Bradly Buttercups</dc:creator>
      <cp:keywords />
      <dc:description>Kent you are so unfair. And we were going to make you the king of the Winter Carnival.</dc:description>
      <cp:lastModifiedBy>Tim Edwards</cp:lastModifiedBy>
      <cp:revision>4</cp:revision>
      <dcterms:created xsi:type="dcterms:W3CDTF">2019-11-19T14:54:00Z</dcterms:created>
      <dcterms:modified xsi:type="dcterms:W3CDTF">2019-11-19T17:50:00Z</dcterms:modified>
      <cp:category />
    </cp:coreProperties>

    The answer:

    Kent you are so unfair. And we were going to make you the king of the Winter Carnival.

    👨‍🔬 Dr. Banas

    Oh, thanks so much for your help! Sorry I was freaking out.
    I've got to talk to Kent about using my email again...
    ...and picking up my dry cleaning.

    As you may have noticed, he is the only one coming to the university in shorts 😄!
    He actually freaked out and came quickly to fix the problem.

Congratulations! You have completed the Splunk challenge! 🎉


🎓 What you've learned

  • Modern Word documents are (at their core) nothing more than a bunch of .xml files.
  • Using the Splunk spath and mvexpand commands to pull fields out of nested JSON.
  • stoQ puts metadata into the log management platform but stores the raw artifacts in their entirety in the archive.
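As an added example (not part of the original write-up or of stoQ), here is a small Python triage helper that opens a .docx as the zip of XML parts it really is, reads docProps/core.xml and lists its core properties, so a message hidden in dc:description is visible without launching Word. The sample package is constructed inline from the core.xml recovered above; the helper names are my own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in an OOXML (.docx/.xlsx/.pptx) package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed sample: the core.xml recovered in the write-up, trimmed to the fields used here
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Holiday Cheer Assignment</dc:title>
  <dc:creator>Bradly Buttercups</dc:creator>
  <cp:keywords />
  <dc:description>Kent you are so unfair. And we were going to make you the king of the Winter Carnival.</dc:description>
  <cp:lastModifiedBy>Tim Edwards</cp:lastModifiedBy>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2019-11-19T17:50:00Z</dcterms:modified>
</cp:coreProperties>"""


def core_properties(docx_bytes):
    """Return the core properties of an OOXML package as {'prefix:name': text}."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}  # package carries no core metadata part
        root = ET.fromstring(z.read("docProps/core.xml"))
    uri_to_prefix = {uri: p for p, uri in NS.items()}
    props = {}
    for el in root:  # direct children only; each is one property
        uri, _, name = el.tag[1:].partition("}")  # '{uri}name' -> (uri, name)
        props[f"{uri_to_prefix.get(uri, uri)}:{name}"] = (el.text or "").strip()
    return props


def build_docx(core_xml=None):
    """Build a minimal zip standing in for a .docx (only the parts the demo needs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if core_xml is not None:
            z.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in core_properties(build_docx(CORE_XML)).items():
        print(f"{key:20} {value}")
```

On a real attachment, replace `build_docx(CORE_XML)` with the bytes of the file pulled from the stoQ archive.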