Hello everyone! It's been a while since I last posted but you know it's better later than never. 😏
During this time, I came across the following challenge: Corelight trickbot ctf.
It is available on BOSS of the SOC.
Spoiler alert ➡️You need to create an account first. You'll then discover more "games" and learning rooms. I was grateful when I discovered this site, because it teaches you how to use Splunk SIEM in a more advanced way. It's totally worth it!
Now let's dive into Corelight Partner Experience! 😎
101. How many total Suricata alerts were generated in this index?
index="corelight" sourcetype=* "suricata"
| dedup sourcetype
| table sourcetype
index="corelight"sourcetype="corelight_suricata_corelight"
47
102. Most of the alerts are being generated by a single source host. What is its IP address?
index="corelight" sourcetype="corelight_suricata_corelight"
10.0.0.31
103. What's the name of the malware family identified by these alerts?
index="corelight" sourcetype="corelight_suricata_corelight" alert.signature="ET MALWARE Win32/Trickbot Data Exfiltration"
trickbot
104. Let's take a closer look at the "ET MALWARE Win32/Trickbot Data Exfiltration" alerts. You'll notice that three of the alerts share a single UID, meaning they all occured on a single TCP stream. What is that UID?
index="corelight" sourcetype="corelight_suricata_corelight" "Win32/Trickbot Data Exfiltration"
CAoNRI62m9CRqS0R2
Note: The UID (Unique Identifier) in this context is used to uniquely identify a specific TCP stream or connection. When multiple alerts share the same UID, it means they are part of the same network communication session. This can be useful for correlating related events and understanding the full scope of an attack or suspicious activity.
105. What is the IP address of the malicious server involved in the alerts for this stream?
index="corelight" sourcetype="corelight_suricata_corelight" "alert.signature"="ET MALWARE Win32/Trickbot Data Exfiltration" uid=CAoNRI62m9CRqS0R2 | table src, dest
Exfiltration activity= destination
103.16.104.83
106. What layer 7 protocol is the traffic in the previous question flowing over that generates the alerts?
Layer 7 protocol = Application
Therefore, the field app comes handy.
That's intended to be the application involved in the event. For example, a user attempting to login to an SSH service would be an example of an authentication event, and the "app" would be "SSH" or "SSHD" or something along those lines.
The answer is http.
107. Taking the UID mentioned in the previous question and searching for it across the index, we see that a corelight_notice log was also generated. What is the number of the MITRE ATT&CK TTP referenced in the notice?
index="corelight" CAoNRI62m9CRqS0R2 sourcetype=corelight_notice
S0266
108. What User-Agent string was sent as part of the Trickbot HTTP requests?
index="corelight" uid=CAoNRI62m9CRqS0R2 sourcetype=corelight_http | table http_user_agent
Ghost
109. What is a process name that is repeated within the POST body of these HTTP requests?
svchost.exe
Few things about svchost.exe:
Image Path will always be: %SystemRoot%\system32\svchost.exe
Parent process: services.exe
Number of instances: many (generally at least 10, and often more than 50)Runs with the -k parameter to differentiate/services => the absence of this parameter is a strong indication that something is off.
It's used to run service DLLs.
Pay attention to name misspells.
110. Let's look at what happened after the malware was dropped. Looking at Suricata alerts following the Trickbot alert, a popular scanning tool appears to have been used for reconnaissance. What is the name of that tool?
index="corelight" sourcetype="corelight_suricata_corelight" | stats values(alert.signature)
nessus
111. One of the alerts generated by our infected host could result in command execution on a wireless access point. Looking at the response from the remote system, however, it's pretty clear that the attack failed. How many bytes did the target send back to the attacker on this connection?
index="corelight" sourcetype="corelight_suricata_corelight" | stats values(alert.signature)
index="corelight" sourcetype="corelight_suricata_corelight" "ETPRO Exploit Possible Asus WRT LAN Backdoor Command Execution"
index="corelight" ChGTlJ1zd2PRktosx5 sourcetype=corelight_conn
0
112. Looking at the layer 7 services used by the infected host after the Trickbot alerts above, we see an SSH connection made to an internal host. What is the IP address of that host?
index="corelight" src=10.0.0.31 sourcetype=corelight_ssh auth_success=true | table dest
10.0.0.72
113. What is the PCR (producer/consumer ratio) of that SSH session?
index="corelight" CLn5mqsd7SVfTn10g sourcetype=corelight_conn
`-0.9959339475461754`
The Producer-Consumer Ratio (PCR)
measures the “shape” of a system’s pattern
of network use. Significant shifts in PCR
may indicate unusual data movement
(staging or exfil). (source)
114. Examining the inferences section of the SSH log associated with that session, one code indicates a behavior that explains the PCR we just observed. Which code is it?
index="corelight" CLn5mqsd7SVfTn10g sourcetype=corelight_ssh
LFD
LFD stands for Login Failure Daemon.
Login Failure Daemon is a continuously running process that runs all the time (Every Second) and scans all the login attempts against your server using log file entries and blocks all the entries that fail within a short period of time. These types of attacks are also known as “Brute-Force Attacks“. The Daemon process runs every second and responds very quickly to these patterns and blocks all the offending IPs quickly. (source)
115. The owner of the infected workstation had no credentials to log into 10.0.0.72 over SSH. However, there was another connection between those hosts over HTTP. What attack type was sent over that connection?
index="corelight" src=10.0.0.31 dest=10.0.0.72 sourcetype=corelight_http | table uri
(source)
index="corelight" src=10.0.0.31 dest=10.0.0.72 sourcetype=corelight_http
SQL Injection
116. What parameter of the index.php script did the infected system attempt to use for SQL injection?
username
117. What was the HTTP status code from the targeted server?
200
118. Did this SQL injection attack generate any Suricata alerts? (Yes/No)
No
119. Returning to SSH connections made by our infected host, we see a second one being made to a country the organization has no business relationship with. What country is that connection going to?
index="corelight" src=10.0.0.31 sourcetype=corelight_ssh auth_success=true
Thailand
120. Judging by the PCR (producer/consumer ratio) of this connection, data was definitely exfiltrated to this external system. What is the SSH host key of that system?
1c:6e:58:a2:57:98:33:f4:53:e8:63:46:df:a2:31:ef
121. How many payload bytes were sent over that connection?
index="corelight" CPxHxI3uiHLgH2I196 sourcetype=corelight_conn
128105745
122. The challenge author's favorite SSL certificate organization name - a default out of many certificate generation tools - is present in this index, highlighted by a Suricata alert. What is that organization name?
index="corelight" sourcetype="corelight_suricata_corelight" | stats values(alert.signature)
Internet Widgits Pty Ltd
What are your thoughts? 😇
What do you say, will you give it a shot and be Boss of the SOC? 😎
Top comments (0)