Splunk: SHHC20
Splunk Challenge

In the Great Room is Angel Candysalt standing beside a terminal with the Splunk logo.

The terminal can only be accessed when in the Santa persona.

Splunk Intro

Accessing the terminal shows an overview of how to access Splunk, along with information on the training questions that lead up to the challenge question answer.

Training #1

How many distinct MITRE ATT&CK techniques did Alice emulate?

After reviewing the chat history between Santa and Alice Bluebird, a hint points to the answer for training question #1 via the search | tstats count where index=* by index, which shows 26 indexes and 13 unique MITRE ATT&CK techniques.

Training #2

What are the names of the two indexes that contain the results of emulating Enterprise ATT&CK technique 1059.003? (Put them in alphabetical order and separate them with a space)

Looking back at the search conducted for training question #1, I can see the two indexes: t1059.003-main t1059.003-win.

Training #3

One technique that Santa had us simulate deals with 'system information discovery'. What is the full name of the registry key that is queried to determine the MachineGuid?

A quick Google search showed me the answer: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography.

Training #4

According to events recorded by the Splunk Attack Range, when was the first OSTAP related atomic test executed? (Please provide the alphanumeric UTC timestamp.)

I did a quick search in the attack index for the word OSTAP using the search index=attack OSTAP, which showed the answer to be 2020-11-30T17:44:15Z.

Training #5

One Atomic Red Team test executed by the Attack Range makes use of an open source package authored by frgnca on GitHub. According to Sysmon (Event Code 1) events in Splunk, what was the ProcessId associated with the first use of this component?

frgnca authored PowerShellAudioDeviceCmdlets, and the question asks about Sysmon Event Code 1, so I searched for index=* WindowsAudioDevice EventCode=1, which returned two events. Looking at the oldest, I saw the ProcessId was 3648.

Training #6

Alice ran a simulation of an attacker abusing Windows registry run keys. This technique leveraged a multi-line batch file that was also used by a few other techniques. What is the final command of this multi-line batch file used as part of this simulation?

The t1547 tests are associated with Registry Run Keys / Startup Folder, so I started my search there. I admittedly tried finding this through Splunk every which way, but finally found it outside. I went back to the t1547 atomic on GitHub and read back through the YAML to see all the actions it was taking. There, I saw references to a batch file (Discovery.bat) that I hadn't seen before. The last command in that file turned out to be the answer.

Training #7

According to x509 certificate events captured by Zeek (formerly Bro), what is the serial number of the TLS certificate assigned to the Windows domain controller in the attack range?

For this I searched for index=* sourcetype=bro* serial, which surfaced the certificate.subject field. I then narrowed the query to index=* sourcetype=bro* certificate.subject=*dc*, which showed that over 99% of the certs used serial 55FCEEBB21270D9249E86F4B9DC7AA60.

Challenge Question

This last one is encrypted using your favorite phrase! The base64 encoded ciphertext is:
It's encrypted with an old algorithm that uses a key. We don't care about RFC 7465 up here! I leave it to the elves to determine which one!

Hmmm.... RFC 7465 concerns RC4 encryption. At the end of the talk track there was a slide, described as the most important one, that said "Stay Frosty", so that phrase is the key.

I headed over to https://cryptii.com/pipes/rc4-encryption and started by converting the string "Stay Frosty" into hex, which produced 53 74 61 79 20 46 72 6f 73 74 79.

From there, I built a chain that took the encrypted string, base64 decoded it, and then decrypted it with RC4 using that key.
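The same base64-then-RC4 chain, as an added Python example rather than the cryptii pipe used above. The ciphertext from the challenge is not reproduced on this page, so the block encrypts a constructed sample message with the key "Stay Frosty" and decrypts it again; RC4 is symmetric, so one routine does both directions.

```python
import base64


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key-scheduling (KSA) then PRGA."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S using the key
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # PRGA: emit one byte per call
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def key_hex(key: str) -> str:
    """Key bytes as space-separated hex, as entered into the cryptii pipe."""
    return " ".join(f"{b:02x}" for b in key.encode())


def encrypt_b64(key: str, plaintext: str) -> str:
    """RC4-encrypt, then base64-encode (the form the challenge hands out)."""
    return base64.b64encode(rc4(key.encode(), plaintext.encode())).decode()


def decrypt_b64(key: str, ciphertext_b64: str) -> str:
    """Base64-decode, then RC4-decrypt (the chain described in the writeup)."""
    raw = base64.b64decode(ciphertext_b64)
    return rc4(key.encode(), raw).decode("utf-8", errors="replace")


KEY = "Stay Frosty"
# Constructed sample message; the real challenge ciphertext is not on this page.
SAMPLE_PLAINTEXT = "constructed sample message for the RC4 chain"

if __name__ == "__main__":
    print("key hex:", key_hex(KEY))
    ct = encrypt_b64(KEY, SAMPLE_PLAINTEXT)
    print("base64 ciphertext:", ct)
    print("decrypted:", decrypt_b64(KEY, ct))
```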
