Boss Of The SOC v2 Lab | CyberDefenders

Hello again, hunters!

Let’s dive into how we’ll approach version 2 of the Splunk Boss of the SOC challenge, which is available on CyberDefenders and provides a hands-on experience for security analysts.

First, let’s understand the scenario. Then, we’ll explore the logs and security events available to conduct our investigation.

APT Scenarios:

In this hands-on exercise, you assume the persona of Alice Bluebird, the SOC analyst who successfully assisted Wayne Enterprises and was recommended to Grace Hoppy at Frothly to assist them with their recent issues.

Hunting Scenarios:

  • PowerShell: Adversaries will use PowerShell Empire to establish a foothold and carry out attacks.
  • Exfiltration Over Alternative Protocol - FTP: Data Exfiltration may occur using common network protocols, principally FTP.
  • Exfiltration Over Alternative Protocol - DNS: Data Exfiltration may occur using common network protocols, specifically DNS.
  • Adversary Infrastructure: The adversary has established multiple components of infrastructure beyond what we have already uncovered.
  • Spearphishing Attachment: Adversaries will attempt to establish a foothold within Froth.ly using Phishing.
  • User Execution: Adversaries will attempt to establish a foothold within Froth.ly by enticing a user to execute an action on a file.
  • Persistence - Create Account: An adversary will look to maintain persistence across an enterprise by creating user accounts.
  • Persistence - Scheduled Task: An adversary will look to maintain persistence across reboots by using a task scheduler.
  • Indicator Removal On Host: Clearing of audit / event logs could indicate an adversary attempting to cover their tracks.
  • Reconnaissance: User Agent Strings may provide insight into an adversary that they may not have intended to show.
  • OSINT: Identifying publicly available company information and who is accessing it may provide insight into the adversary.
  • Lateral Movement: Adversaries will look to move laterally to other systems using Windows Management Instrumentation (WMI).
  • Data Staging: Adversaries will stage data prior to exfiltration to make it easier to extract data at a time of their choosing as well as have a central place to place information as it is identified.

The data included in this app was generated in August of 2017 by members of Splunk’s Security Specialist team - Dave Herrald, Ryan Kovar, Steve Brant, Jim Apger, John Stoner, Ken Westin, David Veuve and James Brodsky. They stood up a few lab environments connected to the Internet. Within the environment they had a few Windows endpoints instrumented with the Splunk Universal Forwarder and Splunk Stream. The forwarders were configured with best practices for Windows endpoint monitoring, including a full Microsoft Sysmon deployment and best practices for Windows Event logging. The environment included a Palo Alto Networks next-generation firewall to capture traffic and provide web proxy services, and Suricata to provide network-based IDS. This resulted in the dataset below.
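As an added example for the "Exfiltration Over Alternative Protocol - DNS" hunting scenario above (this is not code from the original post or from the BOTS dataset), the script below groups DNS queries by parent domain and flags domains that receive many distinct long, high-entropy leading labels, which is how encoded data tends to look when it is smuggled out in query names. The record shape (src_ip and query fields, loosely modelled on Splunk Stream DNS events) and all sample data are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample records shaped like Splunk Stream DNS events; the field
# names (src_ip, query) are assumptions, not copied from the BOTS v2 dataset.
HEX = "0123456789abcdef" * 2
SAMPLE_DNS = (
    [{"src_ip": "10.0.2.101", "query": q} for q in
     ("www.froth.ly", "mail.froth.ly", "update.microsoft.com", "www.froth.ly")]
    # six queries whose leading label is a 32-char hex chunk (rotations of HEX),
    # the pattern left by data encoded into DNS query names
    + [{"src_ip": "10.0.2.101", "query": f"{HEX[i:] + HEX[:i]}.exfil-example.test"}
       for i in range(6)]
)

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character in a single DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(query: str) -> str:
    """Crude registered-domain approximation: the last two labels."""
    return ".".join(query.lower().rstrip(".").split(".")[-2:])

def find_dns_exfil(records, min_len=30, min_entropy=3.5, min_unique=5):
    """Return {parent_domain: {"src_ips": [...], "suspicious": n}} for domains
    that received at least min_unique distinct long, high-entropy labels."""
    per_domain = defaultdict(lambda: {"labels": set(), "src_ips": set()})
    for rec in records:
        labels = rec["query"].lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain label that could carry encoded data
        first = labels[0]
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            d = per_domain[parent_domain(rec["query"])]
            d["labels"].add(first)
            d["src_ips"].add(rec["src_ip"])
    return {
        dom: {"src_ips": sorted(v["src_ips"]), "suspicious": len(v["labels"])}
        for dom, v in per_domain.items() if len(v["labels"]) >= min_unique
    }

if __name__ == "__main__":
    for dom, info in find_dns_exfil(SAMPLE_DNS).items():
        print(f"{dom}: {info['suspicious']} encoded labels from {info['src_ips']}")
```

Tune min_len, min_entropy and min_unique against your own baseline: legitimate CDNs and anti-virus lookups also produce long labels, so the per-domain unique-label count is what separates a burst of encoded chunks from ordinary noise.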

This post is licensed under CC BY 4.0 by the author.