Objective

image-20210110110604505

Terminal - Sort-O-Matic

Challenge

While it isn’t called out in the objective, Minty Candycane will provide Splunk hints if I help him fix the Sort-O-Matic. I can find both Minty and the Sort-O-Matic in the Workshop. If I visit as myself, Minty greets me with the challenge:

Hey there, KringleCon attendee! I’m Minty Candycane!

I’m working on fixing the Present Sort-O-Matic.

The Sort-O-Matic uses JavaScript regular expressions to sort presents apart from misfit toys, but it’s not working right.

With some tools, regexes need / at the beginning and the ends, but they aren’t used here.

You can find a regular expression cheat sheet here if you need it.

You can use this regex interpreter to test your regex against the required Sort-O-Matic patterns.

Do you think you can help me fix it?

If I come in as Santa, Minty’s got a slightly different message:

Hey there Santa!

I’m working on this regex Present Sorter and making great progress! It’s still not quite right though.

I found a regular expression cheat sheet that helps a lot!

Oh and this regex test interface has been amazing for testing my adjustments.

Santa, I thought we were limiting access to the room next door with the HID reader.

I thought I should let you know.

Solution

Opening the Sort-O-Matic starts with the Help Manual:

image-20210110111344970

On closing that, there are eight regular expressions that I need to complete:

image-20210110111429625

When I get one correct and hit the button, it turns green:

image-20210110111521606

For each, I can click on the description text to get more detail:

image-20210110111720346

The solutions are:

Challenge                                                    Solution
1. Matches at least one digit                                \d
2. Matches 3 alpha a-z characters ignoring case              [a-zA-Z]{3}
3. Matches 2 chars of lowercase a-z or numbers               [a-z0-9]{2}
4. Matches any 2 chars not uppercase A-L or 1-5              [^A-L1-5]{2}
5. Matches three or more digits only                         ^\d{3,}$
6. Matches multiple hour:minute:second time formats only     ^([0-1]?\d|2[0-3]):[0-5]\d:[0-5]\d$
7. Matches MAC address format only while ignoring case       ^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$
8. Matches multiple day, month, and year date formats only   ^([0-2]\d|3[01])[\.\/-](0\d|1[0-2])[\.\/-]\d{4}$

The first four only need to match somewhere in the input. The last four say “only”, so they are anchored with ^ and $ to force the whole input to match; without the anchors, something like 123abc would still satisfy number 5.
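As an added example (not code from the Sort-O-Matic or from the original write-up), the eight patterns from the table compiled with JavaScript’s RegExp, the engine the Sort-O-Matic uses, and run against constructed inputs. As Minty says, the patterns carry no surrounding /…/, so they are compiled with new RegExp(); the sample inputs and expected results are constructed for this example.

```javascript
// Added example, not code from the Sort-O-Matic or the original write-up: compile the
// eight patterns from the table with JavaScript's RegExp (the engine the Sort-O-Matic
// uses) and exercise them against constructed inputs. The patterns carry no surrounding
// /.../, exactly as the challenge expects, so they go through new RegExp().
const patterns = {
  1: String.raw`\d`,
  2: String.raw`[a-zA-Z]{3}`,
  3: String.raw`[a-z0-9]{2}`,
  4: String.raw`[^A-L1-5]{2}`,
  5: String.raw`^\d{3,}$`,
  6: String.raw`^([0-1]?\d|2[0-3]):[0-5]\d:[0-5]\d$`,
  7: String.raw`^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$`,
  8: String.raw`^([0-2]\d|3[01])[\.\/-](0\d|1[0-2])[\.\/-]\d{4}$`,
};

// No flags, as in the Sort-O-Matic: case handling has to come from the character
// classes themselves, which is why [a-zA-Z] and [0-9a-fA-F] are spelled out.
function matches(n, input) {
  return new RegExp(patterns[n]).test(input);
}

// Constructed samples: [pattern number, input, expected result].
const samples = [
  [1, "a1b", true],  [1, "abc", false],
  [2, "xYz", true],  [2, "ab1", false],
  [3, "a1", true],   [3, "A1", false],
  [4, "mz", true],   [4, "A1", false],  [4, "M6", true],
  [5, "123", true],  [5, "12", false],  [5, "123a", false],
  [6, "23:59:59", true], [6, "9:05:00", true], [6, "24:00:00", false], [6, "12:60:00", false],
  [7, "00:1A:2b:3C:4d:5E", true], [7, "00:1A:2b:3C:4d", false], [7, "00:1G:2b:3C:4d:5E", false],
  [8, "31/12/2020", true], [8, "01-01-2020", true], [8, "31.12.2020", true],
  [8, "32/12/2020", false], [8, "31/13/2020", false], [8, "31/12/20", false],
];

// Returns the samples whose result disagrees with the expectation (empty when all pass).
function failures() {
  return samples.filter(([n, input, expected]) => matches(n, input) !== expected);
}

// Patterns 1-4 match anywhere in the string; 5-8 say "only", so they need ^ and $.
// Dropping the anchors from pattern 5 makes it accept trailing junk.
function unanchoredAcceptsJunk() {
  return new RegExp(String.raw`\d{3,}`).test("123a");
}

console.log(failures().length === 0 ? "all samples pass" : failures());
console.log("\\d{3,} without anchors matches '123a':", unanchoredAcceptsJunk());
```

Note that these patterns check shape, not meaning: pattern 8 happily accepts 00/00/2020 or 31/02/2020, which is all the Sort-O-Matic asks for but not enough for real input validation.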

On correctly activating all eight, it shows complete:

image-20210110111641844

Splunk Challenge

Hints

On solving the Sort-O-Matic, Minty provides hints about Splunk:

Great job! You make this look easy!

Hey, have you tried the Splunk challenge?

Are you newer to SOC operations? Maybe check out his intro talk from last year.

Dave Herrald is doing a great talk on tracking adversary emulation through Splunk!

Don’t forget about useful tools including Cyber Chef for decoding and decrypting data!

It’s down in the Great Room, but oh, they probably won’t let an attendee operate it.

Minty tells Santa roughly the same info:

Some of the elves in the Great Room are analyzing some issues using Splunk.

I watched the intro to SOC operations and threat hunting talk from last year to get ready.

What a great idea to invite Dave Herrald to talk about tracking adversary emulation in Splunk!

And thank you for the tip on Cyber Chef for decoding and decrypting data!

Those hints also show up in the badge:

  • Defenders often need to manipulate data to decRypt, deCode, and refourm it into something that is useful. Cyber Chef is extremely useful here!
  • There was a great Splunk talk at KringleCon 2 that’s still available!
  • Dave Herrald talks about emulating advanced adversaries and hunting them with Splunk.

Challenge

As an attendee, Angel Candysalt in the Great Room next to the Splunk terminal didn’t have much to say to me. But as Santa, he issues a call for help:

Hey Santa, there’s some crazy stuff going on that we can see through our Splunk infrastructure.

You better login and see what’s up.

On entering the Splunk terminal, just like last year, it’s a chat interface and a series of questions:

image-20210110125314591

The chat shows Santa starting off a training exercise using the questions on the right about adversary emulation:

image-20210110125229329

There’s a DM with Alice Bluebird where she will guide me through the various questions and offer hints.

Solution

1

How many distinct MITRE ATT&CK techniques did Alice emulate?

The query | tstats count where index=T* by index will show all the indexes that start with T with a count of how many logs fall in that index:

image-20210110125935936

The indexes start with either Txxx- or Txxx.yyy-, where x and y are digits. To group by technique ID, I need to ignore the sub-technique suffix that follows the dot. I’ll replace each . with -, then split on - and keep only the first piece, saving it into a field, aid. Then I can pipe that into stats dc(aid) (dc is distinct count) to get a count of how many different ATT&CK IDs there are. The result is 13:

image-20210110130235767

Answer: 13

2

What are the names of the two indexes that contain the results of emulating Enterprise ATT&CK technique 1059.003? (Put them in alphabetical order and separate them with a space)

| tstats count where index=T1059.003* by index will give a count of records associated with any index that starts “T1059.003”. I can make it print the answer with some extra formatting:

| tstats count where index=T1059.003* by index 
| sort(index)
| stats delim=" " list(index) as res
| nomv res
image-20210110131138111

Answer: t1059.003-main t1059.003-win

3

One technique that Santa had us simulate deals with ‘system information discovery’. What is the full name of the registry key that is queried to determine the MachineGuid?

I searched MachineGUID on the Atomic Red Team GitHub and found T1082.yaml. It’s in there:

image-20210101134834930

Answer: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography

4

According to events recorded by the Splunk Attack Range, when was the first OSTAP related atomic test executed? (Please provide the alphanumeric UTC timestamp.)

Based on hints from Alice, I searched the attack index, specifically for OSTAP, using index=attack OSTAP. It returned five records. To get the first one sorted by time, I used:

index=attack OSTAP 
| sort _time
| head 1
| table "Execution Time _UTC"
image-20210110131847674

Answer: 2020-11-30T17:44:15Z

5

One Atomic Red Team test executed by the Attack Range makes use of an open source package authored by frgnca on GitHub. According to Sysmon (Event Code 1) events in Splunk, what was the ProcessId associated with the first use of this component?

On visiting frgnca’s GitHub, there were eight repositories associated with it. I searched each of their names against Atomic Red Team’s GitHub until I found the WindowsAudioDevice repo referenced:

image-20210110132305702

Atomic Red Team references the script under the user cdhunt, but cdhunt and frgnca are coauthors on the repo:

image-20210110132335170

I’ll search for EventCode=1 and the string “WindowsAudioDevice-Powershell-Cmdlet”, sort by time, and get the process ID:

index=* EventCode=1 WindowsAudioDevice-Powershell-Cmdlet 
| sort SystemTime 
| table SystemTime, process_id

Of the two results, I’ll grab the first:

image-20210110132737721

Answer: 3648

6

Alice ran a simulation of an attacker abusing Windows registry run keys. This technique leveraged a multi-line batch file that was also used by a few other techniques. What is the final command of this multi-line batch file used as part of this simulation?

First, persistence via the run key is MITRE ATT&CK technique T1547.001. So I searched for .bat in that index with index="t1547.001*" ".bat". There were 26 results, and just scanning through and looking at the filenames, I was able to rule out a lot of them because they were specific to a single technique, or weren’t multi-line. When I found a bat name, I would locate it in the Atomic Red Team GitHub and check it out.

Discovery.bat was the bat the question was looking for, and the last line was quser.

Answer: quser

7

According to x509 certificate events captured by Zeek (formerly Bro), what is the serial number of the TLS certificate assigned to the Windows domain controller in the attack range?

I did a search for sourcetype=bro* and serial and then did a stats to get unique serials and subjects:

index=* sourcetype=bro* serial
| stats count by certificate.serial, certificate.subject

This returned 12 certificates:

image-20210110133645210

Row 8 in that list is for win-dc-748, which looks like a DC, and the associated serial does solve the challenge.

Answer: 55FCEEBB21270D9249E86F4B9DC7AA60

Challenge Question

On solving the seventh question, Alice gives the ciphertext for the main question: 7FXjP1lyfKbyDK/MChyf36h7. The key is the phrase from Splunk’s KringleCon talk:

image-20210110133910449

Putting that together in CyberChef as an RC4 decrypt solves the challenge:

image-20210110134004721

Answer: The Lollipop Guild
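As an added example (not from the original write-up and not CyberChef’s own code), a plain RC4 in JavaScript so the CyberChef step can be reproduced offline. The key phrase comes from the screenshot above and is deliberately not repeated here; pass it to rc4Decrypt() as the key. The self-test uses a constructed key and plaintext plus the published RC4 test vector, and Node.js is assumed for Buffer. One check that needs no key at all: RC4 is a stream cipher, so the base64 ciphertext must decode to exactly as many bytes as the answer has characters, which is a quick way to confirm the ciphertext really is base64 before fiddling with CyberChef options.

```javascript
// Added example, not from the original write-up or CyberChef: a plain RC4 so the
// CyberChef step can be reproduced offline. The key phrase from the screenshot is
// deliberately not reproduced here; pass it to rc4Decrypt() as the key.
// Node.js is assumed for Buffer.

// RC4 key scheduling and keystream generation (the same routine encrypts and decrypts).
function rc4(keyBytes, data) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + S[i] + keyBytes[i % keyBytes.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = Buffer.alloc(data.length);
  let i = 0;
  j = 0;
  for (let k = 0; k < data.length; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[k] = data[k] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Mirrors the CyberChef recipe: passphrase as UTF-8 bytes, ciphertext as base64,
// plaintext read back as UTF-8 text.
function rc4Decrypt(keyPhrase, ciphertextB64) {
  return rc4(Buffer.from(keyPhrase, "utf8"), Buffer.from(ciphertextB64, "base64")).toString("utf8");
}

function rc4Encrypt(keyPhrase, plaintext) {
  return rc4(Buffer.from(keyPhrase, "utf8"), Buffer.from(plaintext, "utf8")).toString("base64");
}

// The ciphertext Alice gave and the answer, both from the write-up above.
const CHALLENGE_CIPHERTEXT = "7FXjP1lyfKbyDK/MChyf36h7";
const CHALLENGE_ANSWER = "The Lollipop Guild";

// Check that needs no key: RC4 is a stream cipher, so ciphertext and plaintext have the
// same length. A candidate answer of a different length, or a ciphertext that was really
// hex rather than base64, fails here before any decryption is attempted.
function ciphertextLengthMatches() {
  return Buffer.from(CHALLENGE_CIPHERTEXT, "base64").length === Buffer.byteLength(CHALLENGE_ANSWER, "utf8");
}

// Published RC4 test vector (key "Key", plaintext "Plaintext"), to confirm the
// implementation before trusting it with anything else.
function knownVectorOk() {
  return rc4(Buffer.from("Key"), Buffer.from("Plaintext")).toString("hex") === "bbf316e8d940af0ad3";
}

// Round trip with a constructed key and message.
function selfTest() {
  const key = "constructed-example-key";
  return rc4Decrypt(key, rc4Encrypt(key, "hello, kringlecon")) === "hello, kringlecon";
}

console.log("ciphertext length matches answer:", ciphertextLengthMatches());
console.log("known vector ok:", knownVectorOk());
console.log("round trip ok:", selfTest());
```

With the phrase from the talk as the first argument, rc4Decrypt(phrase, CHALLENGE_CIPHERTEXT) gives the same result as the CyberChef recipe.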