Last active
October 27, 2022 23:45
-
-
Save Supriya-Maz/d8161a26250b8efa530cb47e5043ba81 to your computer and use it in GitHub Desktop.
GN Road Show Workshop
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Stop Chasing Ghosts: California Roadshow | |
| Cheat Sheet | |
| You’re working at a sticker company called “Milk Co.” One of your developers leaves a vulnerable dev environment exposed to the internet. Users at the workshop will play the role of the Security Analyst at “Milk Co.” and have to investigate the alert to understand what happened, decide how they can stop additional attacks quickly, and then do additional investigation into indicators that can be used for hunting. | |
| Question Answer Form | |
| https://stopchasingghosts.typeform.com/to/JWKos6K2 | |
| [Optional] Slack Channel: Join GreyNoise Community Slack and find channel #roadshow-dc | |
| // | |
| The following tools may be helpful in your investigation. | |
| Internet Scanners | |
| Censys: censys.io | |
| Shodan: shodan.io | |
| Internet Listeners | |
| GreyNoise: https://viz.greynoise.io/analysis | |
| Malware Repositories | |
| VirusTotal: virustotal.com | |
| Decoders | |
| CyberChef: https://gchq.github.io/CyberChef/ | |
| Base64: https://www.base64decode.org/ | |
| CharCode: https://charcode98.neocities.org/ | |
| Splunk Hints | |
| This is for questions involving Splunk. | |
| Splunk Login Credentials | |
| URL: http://54.242.3.177:8000 | |
| Username: workshop | |
| Password: dc_workshop | |
| Alternatively, if you are allergic to Splunk, you can download this raw log file: http://milkco.xyz/milkco_logs.csv | |
| Note: Make sure all queries are set to ‘All Time’ | |
| Extract IP’s from solr logs | |
| source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection | rex field=r "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | |
| Count the number of IP’s | |
| source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection | rex field=r "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | stats count by src_ip | |
| Output a list of IP’s | |
| source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection | rex field=r "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | dedup src_ip | table src_ip | |
| Query IP’s against GreyNoise | |
| source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection | rex field=r "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | dedup src_ip | gnquick ip_field=src_ip | |
| Query IP’s against GreyNoise by Geolocation | |
| source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection | rex field=r "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | dedup src_ip | gnenrich ip_field=src_ip | search greynoise_country=Russia | dedup src_ip | table src_ip, greynoise_country | |
NOTE: Updated credentials - they should be correct now
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://docs.google.com/document/d/1T8Ys1gfRR4bJNSRBpHbwYj1CA-xSmWHKy_q6VDVBHds/edit?usp=sharing