Restrict the uri_path to the value you found in question 202. Hints: Find all events with sourcetype="stream:http" using the POST method from the attacker's IP address you found in question 201. Hints: Analyze all HTTP traffic from the scanning system to and inspect URI values.īOTS2 203: What SQL function is being abused on the uri path from question 202? (10 pts) What is the URI path? Answer example: phpinfo.php (10 pts) Search for events with the target URL in them and an action of "blocked".īOTS2 202: The IP address from question 201 is also being used by a likely different piece of software to attack a URI path. Hint: App scanners are often 'noisy', sending many invalid requests. Find queries to a known public DNS server.īOTS2 201: Provide the IP address of the system used to run a web vulnerability scan against (10 pts) Hints: Search for events containing that FQDN, recording DNS resolutions. Look for events caused by installing software.īOTS2 200: What is the public IPv4 address of the server running (10 pts) Hint: Find the typical domain used to download Tor. Review the email with base64-encoded text for body (or content) and decode the base64.īOTS2 105: What version of TOR did Amber install to obfuscate her web browsing? Answer guidance: three numbers with dots between them, like 1.2.3 (10 pts) Review the body of emails that Amber has sent. Hints: Look for emails sent from Amber Turing. What is that employee's email address? (5 pts)īOTS2 103: What is the name of the file attachment that Amber sent to a contact at the competitor? (5 pts)īOTS2 104: What is Amber's personal email address? (15 pts) Read them to find the answer.īOTS2 102: After the initial contact with the CEO, Amber contacted another employee at this competitor. Find her email address.įind emails containing Amber's email address and the domain name of the competitor you found in question 100. Look for emails (SMTP traffic) to or from Amber Turing. What is the CEO's name? Provide the first and last name. Look at the site and http_referer values and look for names of rival beer makers.īOTS2 101: Amber found the executive contact information and sent him an email. Switch to 1:100 sampling.Įxamine the src_ip field and restrict it to Amber's IP address. Examine the sourcetype field and restrict it to stream:http. Search all events in the correct index with 1:10,000 sampling. They all have the same client_ip address-that's Amber's IP address. Using the correct index value and 1:100 sampling. What is the website domain that she visited? Splunk finds approximately 71,700 events,īOTS2 100: Amber Turing was hoping for Frothly (her beer company) to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team. On the right side, adjust the time range to Just below the Search box, on the left side, Log in again as student1 with a password of student1 Log in as student1 with a password of student1 Splunk Boss of the SOC v2 Splunk Boss of the SOC v2 (650 pts) Submit Flags
0 Comments
Leave a Reply. |