Objective #6 - Splunk Challenge
Objective
Access the Splunk terminal in the Great Room. What is the name of the adversary group that Santa feared would attack KringleCon?
Analysis
Visit the Great Room and click on the Splunk terminal. You’ll use the Splunk search interface to answer a series of questions from Alice Bluebird in the KringleCastle SOC.
Tip
Watch Dave Herrald's talk on Adversary Emulation and Automation for background on this objective.
Solution
Question 1. How many distinct MITRE ATT&CK techniques did Alice emulate?
13
- Search Splunk for “| tstats count where index=* by index”. Count only the distinct tXXXX technique numbers, ignoring the -main and -win suffixes on the index names. Alice provides a smarter way to do this after you submit your answer; pay attention to these hints to make your later searches more efficient.
Question 2. What are the names of the two indexes that contain the results of emulating Enterprise ATT&CK technique 1059.003? (Put them in alphabetical order and separate them with a space)
t1059.003-main t1059.003-win
- Search “| tstats count where index=t1059.003* by index” to list only the indexes whose names start with t1059.003.
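The two searches above both hinge on the same idea: an index name such as t1059.003-win encodes a technique ID plus a -main or -win suffix, and the question is answered by normalizing names to technique IDs before counting. The following is an added example (not part of the original writeup, and not Splunk SPL) that does the same normalization in Python over a constructed list of index names and counts standing in for tstats output; the names and counts are illustrative, not the challenge data.

```python
import re

# Constructed stand-in for "| tstats count where index=* by index" output:
# (index name, event count). Illustrative values only, not from the challenge.
SAMPLE_INDEXES = [
    ("attack", 120),
    ("t1059.003-main", 40),
    ("t1059.003-win", 35),
    ("t1082-main", 12),
    ("t1082-win", 9),
    ("t1123-main", 4),
    ("t1547.001-win", 7),
    ("main", 300),
]

# ATT&CK technique IDs look like t1082 or t1059.003; the Attack Range appends
# -main or -win to name the index.  Group 1 captures the bare technique ID.
TECHNIQUE_RE = re.compile(r"^(t\d{4}(?:\.\d{3})?)(?:-(?:main|win))?$")


def technique_id(index_name):
    """Return the technique ID encoded in an index name, or None if the
    index is not a technique index (e.g. 'attack' or 'main')."""
    m = TECHNIQUE_RE.match(index_name)
    return m.group(1) if m else None


def distinct_techniques(rows):
    """Distinct technique IDs across all index rows, ignoring suffixes.
    Equivalent in spirit to extracting the ID with rex and taking dc()."""
    ids = {technique_id(name) for name, _ in rows}
    ids.discard(None)
    return sorted(ids)


def indexes_for_technique(rows, tech):
    """All index names that belong to one technique, in alphabetical order
    (the form the Question 2 answer is expected in)."""
    return sorted(name for name, _ in rows if technique_id(name) == tech)


if __name__ == "__main__":
    techs = distinct_techniques(SAMPLE_INDEXES)
    print(len(techs), "distinct techniques:", techs)
    print("indexes for t1059.003:", indexes_for_technique(SAMPLE_INDEXES, "t1059.003"))
```

Counting index names directly would double-count every technique that has both a -main and a -win index, which is exactly the trap Question 1 sets; normalizing first makes the count stable no matter how many per-host indexes a technique produces.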
Question 3. One technique that Santa had us simulate deals with ‘system information discovery’. What is the full name of the registry key that is queried to determine the MachineGuid?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
- Visit the atomic-red-team GitHub repository and search for System Information Discovery. The first hit is T1082, where you’ll find the answer under Atomic Test #8 - Windows MachineGUID Discovery.
Question 4. According to events recorded by the Splunk Attack Range, when was the first OSTAP related atomic test executed? (Please provide the alphanumeric UTC timestamp.)
2020-11-30T17:44:15Z
- Search “index=attack ostap” to show every recorded attack containing the keyword ostap, then scroll all the way to the bottom. Splunk lists newest events first, so the bottom of the results is the earliest instance.
Question 5. One Atomic Red Team test executed by the Attack Range makes use of an open source package authored by frgnca on GitHub. According to Sysmon (Event Code 1) events in Splunk, what was the ProcessId associated with the first use of this component?
3648
- frgnca authored a suite of PowerShell cmdlets called AudioDeviceCmdlets. Searching for that name in the atomic-red-team repo returns T1123, an audio capture technique. Search for index=t1123* EventID=1 "powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet" (the inner double quotes are part of the search, so the command line is matched as one phrase) to bring up the related Sysmon process-creation events.
Question 6. Alice ran a simulation of an attacker abusing Windows registry run keys. This technique leveraged a multi-line batch file that was also used by a few other techniques. What is the final command of this multi-line batch file used as part of this simulation?
quser
- Search the Atomic Red Team GitHub repo for “Registry Run Keys” to determine that this is technique T1547.001. The batch file referenced in Atomic Test #3 is Discovery.bat, and its last line is “quser”.
Question 7. According to x509 certificate events captured by Zeek (formerly Bro), what is the serial number of the TLS certificate assigned to the Windows domain controller in the attack range?
55FCEEBB21270D9249E86F4B9DC7AA60
- Search for “index=* sourcetype=bro” in Splunk. Add certificate.subject to the selected fields and look at its top 10 values. Add “CN=win-dc-748.attackrange.local” to the search criteria, then open any of the matching events to read the certificate serial number.
Question 8. What is the name of the adversary group that Santa feared would attack KringleCon? (Challenge Question)
The Lollipop Guild
- Copy the string 7FXjP1lyfKbyDK/MChyf36h7 into CyberChef (https://gchq.github.io/CyberChef/), apply the “From Base64” operation, then apply “RC4” with the passphrase “Stay Frosty”, which was given in the Adversary Emulation and Automation talk.
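The CyberChef recipe above is just Base64 decoding followed by standard RC4 keyed with the passphrase bytes. The following is an added example (not part of the original writeup, and not CyberChef's own code) that reproduces the same two steps in Python with a from-scratch RC4, so the result can be checked without the web tool. It assumes, as CyberChef does for a plain passphrase, that the key is the UTF-8 bytes of “Stay Frosty” and that RC4 is used with no keystream drop.

```python
import base64


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key`
    (key-scheduling algorithm followed by the pseudo-random generation algorithm)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # KSA: permute the 256-byte state using the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # PRGA: walk the state to emit keystream bytes.
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher, so encryption and decryption are the same XOR."""
    keystream = rc4_keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


# Values from the challenge: the Base64 string and the passphrase from the talk.
CIPHERTEXT_B64 = "7FXjP1lyfKbyDK/MChyf36h7"
PASSPHRASE = b"Stay Frosty"  # assumed to be used as raw UTF-8 key bytes, as CyberChef does


def decode_challenge(b64: str = CIPHERTEXT_B64, key: bytes = PASSPHRASE) -> str:
    """Step 1: From Base64.  Step 2: RC4 with the passphrase.  Returns the plaintext."""
    raw = base64.b64decode(b64)
    return rc4(key, raw).decode("utf-8")


if __name__ == "__main__":
    print(decode_challenge())
```

A quick sanity check before trusting any stream-cipher decryption: the 24-character Base64 string decodes to 18 bytes, and RC4 preserves length, so the plaintext must be exactly 18 characters, which “The Lollipop Guild” is. A wrong passphrase would still produce 18 bytes, but they would not decode as readable text.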
Answer: The Lollipop Guild