Splunk 201 –
Threat Hunting Workshop
Based on BOTS 1.0 Dataset
Paul Pang
Password : splunkpaul
Use your browser to access the
following site :
– http://192.168.10.121:8000
#whoami
10 Years as Splunk Ninja
50+ BOTS @APAC
Agenda
▶ Splunk Basic
▶ ex1 : Web Defacement
▶ ex2 : Threat Intelligence
▶ ex3 : Hunting Known Threat : Crypto Miner, Botnet and Malware
▶ ex4 : Hunting Unknown Threat : DNS tunneling & exfiltration
▶ Latest APT operations and updates
© 2017 SPLUNK INC.
Source : SANS, Building a world class security operation center roadmap 2015
Pyramid of Pain
Diamond Model
Cyber Kill Chain : APT Detection and Response
Figure: Cyber Kill Chain (Recon, Weaponize, Deliver, Exploit, Install, Command & Control, Action) mapped to evidence sources: threat intelligence from a web portal, proxy log showing C2 web communication to a blacklist, mail events that contain a link to a file (.pdf), network activity/security data, and the endpoint process chain (.pdf, Calc.exe, Svchost.exe) making C2 traffic. Layers: Analytics, Operations, Data Platform (Platform for Machine Data).
Figure: Splunk data pipeline. Data Input (TCP/UDP, Monitor, Scripted Input) feeds the Parsing Queue; the Parsing Pipeline performs source and event typing, character set normalization, line breaking, timestamp identification and regex transforms; events then pass through the Index Queue and the Indexing Pipeline into Raw Data and Index Files (the Splunk Index), with a Real-Time Search Process reading from the real-time buffer.
Schema-on-the-Fly
Raw events
▶ metadata
▶ AND OR NOT
▶ stats – count, values, average, AS
▶ lookup
▶ eval – lower, length, round
▶ fields
▶ table
▶ head
▶ tail
▶ timechart
▶ sort
▶ reverse
▶ transaction
▶ rex
▶ search
▶ iplocation
▶ geostats
▶ Microsoft Sysmon
▶ Windows Events
▶ Windows Registry
▶ IIS
▶ Splunk Stream (wire data)
▶ Suricata
▶ Fortigate (NGFW)
Hands-on Exercise
Selected and Interesting Fields
Question 1
Answer : 40.80.148.42
Search Basics
Selected and Interesting Fields
▶ What is the likely IP address of someone scanning imreallynotbatman.com for
web application vulnerabilities?
More Fields
Histogram
Time Picker
SPL Help
Autocomplete
Smart Mode
Default
Smart Mode
With stats
Fast Mode
Verbose Mode
Verbose Mode
With stats
Search Basics
Other Controls
Field Detail
Parenthesis
NOT
Equivalent Searches
Assuming Four sourcetypes
Hands-on Exercise
Selected and Interesting Fields
Question 2
▶ What are the top URIs being returned during the scan on
imreallynotbatman.com?
Answer : /joomla/index.php/component/search/
Generate a count by URI to see what values are most frequently seen
Our Results?
Hands-on Exercise
Selected and Interesting Fields
Question 3
Answer : 192.168.250.70
Hands-on Exercise
Selected and Interesting Fields
Question 4
Answer : 23.22.63.114
▶ HTTP POST submits data to be processed
Figure: a file (File x) submitted to imreallynotbatman.com by HTTP POST
Wildcards
Wildcard Search
Our Search...
table Command
Hands-on Exercise
Question 5
Answer : Acunetix
▶ What company created the web vulnerability scanner used by Po1s0n1vy? Type
the company name. (For example "Microsoft" or "Oracle")?
▶ Splunk Basics
▶ UI Familiarization
▶ Searching with structured fields and unstructured values
▶ Compound Searches (AND OR NOT)
▶ Introduction of stats, sort, table commands
▶ Wildcards
Break
Hands-on Exercise
Selected and Interesting Fields
Question 6
Answer : 12345678
Password
search Command
▶ Returns the first (or last) N number of specified results in search order
Hands-on Exercise
Selected and Interesting Fields
Question 7
▶ What was the correct password for admin access to the content management
system running "imreallynotbatman.com” ?
Answer : batman
▶ Were any passwords used more than once and if so, where did they login from?
Hands-on Exercise
Selected and Interesting Fields
Question 8
▶ What was the average password length used in the password brute forcing
attempt, rounded to the nearest integer?
Answer : 6
Calculate a length for the userpassword string and store the value in lenpword. Calculate the average of all lenpword and rename it avgPword. Round the avgPword field to 0 decimal places and put it into the avgPword field.
▶ If we wanted to see the frequency of the brute force attacks over time, timechart
can help us visualize this
Timechart Command
Which Span is Better?
▶ It depends....
Hands-on Exercise
Selected and Interesting Fields
Question 9
▶ How many seconds elapsed between the time we first saw the password batman
and the time we saw it again?
Answer : 92.17
transaction command
Group events together based on common value(s). In this case, group events as a transaction based on the same userpassword. Duration is a value created with transaction that calculates the difference between the first and last event in seconds.
Hands-on Exercise
Selected and Interesting Fields
Question 10
▶ What is the name of the file that defaced the imreallynotbatman.com website?
(For example "notepad.exe" or "favicon.ico") ?
Answer : poisonivy-is-coming-for-you-batman.jpeg
▶ Very few results in HTTP when the Web Server is the source
Figure: attack overview diagram: 40.80.148.42 sends GET requests to imreallynotbatman.com (192.168.250.70); also shown are the file poisonivy-is-coming-for-you-batman.jpeg and the IP 23.22.63.114.
IP Location
▶ With geostats and iplocation events can be easily laid out on a map
▶ Maps can be drilled down to a point, additional configuration can be done to drill
down to the street level
How to hunt?
http://security.stackexchange.com/questions/68327/what-do-shellshock-attacks-look-like-in-system-logs
Free for 1st Year Subscription
Threat Intelligence
(IOC) Analysis
Threat Data/Raw IOCs
Threat Data from Mandiant APT1
Hands-on Exercise
Selected and Interesting Fields
Question 11
▶ Based on the data gathered from this attack and common open source
intelligence sources for domain names, what is the email address that is most
likely associated with Po1s0n1vy APT group ?
Answer : lillian.rose@po1s0n1vy.com
Question 107
Beginner
Back to VirusTotal
Continuing with VT
DomainTools
whois.domaintools.com
Reverse Whois
Validation
Lookups
Threat Data ( sample file : threat_list.csv )
Threat Intelligence
In reality, threat intelligence can be periodically pulled into a Splunk lookup using a scheduled script
– e.g. Tor servers, known C&C servers, …
Pre-configured in the Enterprise Security App
(http://docs.splunk.com/Documentation/ES/latest/User/ThreatIntelligence)
In this exercise, a static mock-up lookup is used
– Download threat_list.csv from
• https://splunk.box.com/s/uankij3knyqads1xanfawd5y0wrlkluf
– Import the lookup file into Splunk
• Settings > Lookups > Lookup table files
– Define the lookup definition
• Settings > Lookups > Lookup definitions
ES’ Threat Intelligence – Pre-config Threat Lists
Customer Case: Client running P2P ( BT bit torrent )
Client IP : 172.26.228.230
Time : 18:10 5/3/14
Threats :
Accessing following Bad IP
https://www.sans.org/reading-room/whitepapers/threats/detecting-crypto-currency-mining-corporate-environments-35722
https://github.com/ZeroDot1/CoinBlockerLi
1) Domain:
https://zerodot1.gitlab.io/CoinBlockerLists/list.txt
2) ignoring regex :
(^#|^\s*$)
3) fields :
domain:$1,description:Cryptomining_domain
1) MiningServerIPs:
https://zerodot1.gitlab.io/CoinBlockerLists/MiningServerIPList.txt
2) ignoring regex :
(^#|^\s*$)
3) fields :
ip:$1,description:Cryptomining_IP
1) Domain:
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
2) ignoring regex :
(^#|^\s*$)
3) fields :
domain:$1,description:Ransomware_domain
1) Ransomware ServerIPs:
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
2) ignoring regex :
(^#|^\s*$)
3) fields :
ip:$1,description:Ransomware_IP
Hands-on Exercise
Selected and Interesting Fields
Question 12
Answer : 192.168.250.100
Ransomware Picture
Hostname: we8105desk
IP: 192.168.250.100
Process Execution
sourcetype=x* | stats values(ParentImage) by process
CommandLine
sourcetype=x* CommandLine=* | stats values(CommandLine) by Computer,process
Powershell Process
sourcetype=x* process=*powershell.exe | stats values(CommandLine) by Computer,process
Be careful of this!!
sourcetype=x* process=*powershell.exe CommandLine="*-enc*" | top CommandLine
Hands-on Exercise
Selected and Interesting Fields
Question 13
▶ During the initial Cerber infection a VB script is run. The entire script from this
execution, pre-pended by the name of the launching .exe, can be found in a field
in Splunk. What is the length in characters of this field ?
Answer : 4490
Very long CommandLine?
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" | eval len=len(CommandLine) | table User, len, CommandLine | sort - len
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" | eval len=len(ParentCommandLine) | table User, len, ParentCommandLine | sort - len
What Do We Have?
▶ What data set will show execution of commands and the specific commands
executed?
• Sysmon
▶ Do we know what kind of a file we are looking for?
• .exe
▶ Let’s start there
Initial Search
Refined Search
Something Doesn’t Seem Right
Hands-on Exercise
Selected and Interesting Fields
Question 14
▶ Bob Smith's workstation (we8105desk) was connected to a file server during the
ransomware outbreak. What is the IP address of the file server?
Answer : 192.168.250.20
Registry sourcetype
fileshare
Hands-on Exercise
Selected and Interesting Fields
Question 15
▶ How many distinct PDFs did the ransomware encrypt on the remote file server ?
Answer : 257
Question 207
Intermediate
Ransomware Picture
Figure: Cerber infection overview
• Initial Connection: solidaritedeproximite.org
• Encryption: cerberhhyed5frqa.xmfir0.win
• Workstation: Hostname we8105desk, IP 192.168.250.100, USB Key Name MIRANDA_PRI, VB script executed (excessive length)
• File Server: Hostname we9041srv, IP 192.168.250.20
Hands-on Exercise
Selected and Interesting Fields
Question 16
Answer : 3968
CommandLine
Question 208
Beginner
▶ What is the parent process ID of 121214.tmp?
• 3968
3) Processes which have never been seen before, such as new network communication on unknown ports or to a rare IP address, could be an early indicator of an attack and need to be reviewed
Bad Rabbit
Hunting Unknown Threat
Inside Threat: How to detect and trace Unknown Data
Exfiltration??
Same events can have different security meanings, based on sequence:
Event 1 … 13:01:21, Event 2 … 13:42:17, Action 3
• Known DNS, then Unknown DNS = Misconfiguration
• Unknown DNS, then Unknown DNS = Recon, Lateral Movement
• Unknown DNS, then C&C Site, then Lots of DNS Events = Exfiltration
Note “Windows event”
Analyst / Investigator: What happened? If event 1, then event 2, then… Ah-ha, that’s how they got in. Now what infected the host?
DNS Tunneling
DNS Exfiltration
Hands-on Exercise
Selected and Interesting Fields
Question 17
Answer : 8.8.8.8
Finding unauthorized DNS servers
Figure: host and subnet DNS traffic diagram (DNS Tunneling, DNS Spoofing)
sourcetype=bro_dns dest_port=53 dest_ip!=10.0.0.0/8 dest_ip!=192.168.0.0/16 dest_ip!=172.16.0.0/12
(172.16.0.0/12 covers the whole private range 172.16.0.0 to 172.31.255.255; a /16 would exclude only 172.16.x.x.)
Figure: DNS Spoofing, DNS Exfil and DNS Tunneling diagram
Finding clients connecting to multiple DNS servers
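The two checks above (DNS traffic to servers outside RFC 1918 space, and clients talking to more than one resolver), implemented here in Python as an added example rather than the workshop's own SPL; the key=value log lines are constructed, not BOTS data, and the field names mirror the bro_dns search.

```python
import ipaddress
from collections import defaultdict

# Constructed bro_dns-style lines (not from the BOTS dataset): one host uses only the
# internal resolver, another also sends queries to an outside server.
SAMPLE_DNS_LOG = """\
src_ip=192.168.250.100 dest_ip=192.168.250.20 dest_port=53 query=fileserver.local
src_ip=192.168.250.100 dest_ip=8.8.8.8 dest_port=53 query=solidaritedeproximite.org
src_ip=192.168.250.70 dest_ip=192.168.250.20 dest_port=53 query=update.example.com
src_ip=192.168.250.100 dest_ip=8.8.8.8 dest_port=53 query=cerberhhyed5frqa.xmfir0.win
src_ip=192.168.250.70 dest_ip=192.168.250.20 dest_port=443 query=not-dns.example.com
"""

# RFC 1918 ranges; note 172.16.0.0/12, not /16, so all of 172.16-172.31 is treated as internal.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_private(ip):
    """True when the address falls inside any RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def external_dns_servers(log_text):
    """Map each non-RFC1918 DNS server (port 53) to the sorted list of clients using it."""
    servers = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("dest_port") == "53" and not is_private(ev["dest_ip"]):
            servers[ev["dest_ip"]].add(ev["src_ip"])
    return {srv: sorted(clients) for srv, clients in servers.items()}


def clients_with_multiple_resolvers(log_text):
    """Clients that sent port-53 traffic to more than one distinct server."""
    resolvers = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("dest_port") == "53":
            resolvers[ev["src_ip"]].add(ev["dest_ip"])
    return {c: sorted(s) for c, s in resolvers.items() if len(s) > 1}
```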
Hands-on Exercise
Selected and Interesting Fields
Question 18
▶ There is data exfiltration using DNS tunneling. Find the IP addresses of the source PC.
Figure: DNS Tunneling and DNS Exfil queries diagram
Finding Queries Over 200 characters
Bonus Exercise
• Check which IP pair (source IP & dest IP) has sent out the longest domain name query
Finding Queries Two Standard Deviations Over Normal
▶ Examples
• The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
• The domain google.com has a Shannon Entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon
Entropy score of 3 (rather high)
▶ TIPS
• Leverage our Bro DNS data: index=bro sourcetype=bro_dns
• Calculate Shannon Entropy scores: | `ut_parse(query)` | `ut_shannon(ut_subdomain)`
• Calculate subdomain length: | eval sublen = len(ut_subdomain)
• Display details: | table ut_domain ut_subdomain ut_shannon sublen
▶ TIPS
• Leverage our Bro DNS data
• Calculate Shannon Entropy scores
• Calculate subdomain length
• Display count, scores, lengths, deviations
… | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain | search avg_sha>3 avg_sublen>20 stdev_sublen<2
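The per-domain entropy and length statistics above, implemented in Python as an added example (not URL Toolbox's or the workshop's code): it computes standard Shannon entropy in bits per character, so absolute scores can differ from ut_shannon's, and it assumes the registered domain is the last two labels where ut_parse uses a public-suffix list. The query list is constructed, not BOTS data.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed bro_dns-style query names (not from the BOTS dataset): two benign
# domains plus one domain receiving long, random-looking labels of constant length.
SAMPLE_QUERIES = [
    "www.google.com",
    "mail.google.com",
    "cdn.example.net",
    "a9f3k2m7q1z8x4c6v0b5n2h8j3l7p1r4t6w9y2u5.exfil.example",
    "q7w2e5r9t1y4u8i3o6p0a2s5d8f1g4h7j9k3l6z2.exfil.example",
    "z8x1c4v7b0n3m6q9w2e5r8t1y4u7i0o3p6a9s2d5.exfil.example",
]


def shannon_entropy(text):
    """Shannon entropy in bits per character (0.0 for an empty or single-symbol string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(query):
    """Return (subdomain, domain). Assumption: the registered domain is the last two
    labels; ut_parse uses a public-suffix list and so also handles co.uk-style TLDs."""
    labels = query.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def suspicious_domains(queries, min_avg_sha=3.0, min_avg_sublen=20, max_stdev_sublen=2.0):
    """Per-domain stats as in the slide: count, avg entropy, avg and stdev of subdomain
    length by domain, keeping only avg_sha>3 avg_sublen>20 stdev_sublen<2."""
    per_domain = defaultdict(list)
    for q in queries:
        sub, dom = split_query(q)
        per_domain[dom].append((shannon_entropy(sub), len(sub)))
    flagged = {}
    for dom, rows in per_domain.items():
        avg_sha = mean(s for s, _ in rows)
        lens = [l for _, l in rows]
        avg_sublen, stdev_sublen = mean(lens), pstdev(lens)
        if avg_sha > min_avg_sha and avg_sublen > min_avg_sublen and stdev_sublen < max_stdev_sublen:
            flagged[dom] = {"count": len(rows), "avg_sha": round(avg_sha, 2),
                            "avg_sublen": avg_sublen, "stdev_sublen": stdev_sublen}
    return flagged
```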
Latest APT Operations
IP/Domain/IOC Reputation Checking
– http://www.robtex.com
– https://www.threatminer.org/
– https://www.shodan.io
Case Study:
Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group (also known as APT-C-00, SeaLotus and APT32)
https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/
Scheduled task 1: Downloads a COM scriptlet that redirects to a Cobalt Strike payload
Scheduled task 2: Uses JavaScript to download a Cobalt Strike Beacon
What’s Next?
Figure: ES BOTS Hands-On, from Introductory to Experienced
Next Steps
▶ If you would like to take the data set home with you and explore further, now you
can!
• https://www.splunk.com/files/downloads/botsv1_data_set.tgz
• Contains a README and an app with indexes of the data
▶ Read our blog series called Hunting with Splunk!
• https://www.splunk.com/blog/2017/07/06/hunting-with-splunk-the-basics.html
• Ever increasing, covers many of the topics we talked about today
Helpful Links
Thank You