
@superducktoes
Forked from Supriya-Maz/workshop.txt
Last active November 8, 2022 22:15
GN Road Show Workshop
Stop Chasing Ghosts: California Roadshow
Cheat Sheet
You’re working at a sticker company called “Milk Co.” One of your developers leaves a vulnerable dev environment exposed to the internet. Users at the workshop will play the role of the Security Analyst at “Milk Co.” and have to investigate the alert to understand what happened, decide how they can stop additional attacks quickly, and then do additional investigation into indicators that can be used for hunting.
Question Answer Form
https://stopchasingghosts.typeform.com/to/JWKos6K2
[Optional] Slack Channel: Join GreyNoise Community Slack and find channel #roadshow-dc
//
The following tools may be helpful in your investigation.
Internet Scanners
Censys: censys.io
Shodan: shodan.io
Internet Listeners
GreyNoise: https://viz.greynoise.io/analysis
Malware Repositories
VirusTotal: virustotal.com
Decoders
CyberChef: https://gchq.github.io/CyberChef/
Base64: https://www.base64decode.org/
CharCode: https://charcode98.neocities.org/
Splunk Hints
This is for questions involving Splunk.
Splunk Login Credentials
URL: http://54.175.0.105:443
Username: workshop
Password: stop_chasing_ghosts
Alternatively, if you are allergic to Splunk, you can download this raw log file: http://milkco.xyz/milkco_logs.csv
Note: Make sure the time range picker is set to ‘All Time’ for every query below, otherwise the default window will return no events.
Extract IPs from solr logs
source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection | rex field=_raw "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
Count the number of IPs
source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection | rex field=_raw "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | stats count by src_ip
Output a list of IPs
source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection | rex field=_raw "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | dedup src_ip | table src_ip
Query IPs against GreyNoise
source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection | rex field=_raw "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | dedup src_ip | gnquick ip_field=src_ip
Query IPs against GreyNoise by Geolocation
source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection | rex field=_raw "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | dedup src_ip | gnenrich ip_field=src_ip | search greynoise_country=Russia | dedup src_ip | table src_ip, greynoise_country
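The same extract / count / dedup / enrich-and-filter pipeline as the Splunk queries above, written in Python so it can be run offline against the raw CSV or a copied log. This is an added example, not part of the workshop gist or the GreyNoise Splunk app. The solr.log lines and the enrichment table are constructed for the demo (RFC 5737 documentation addresses plus one private address); the greynoise_community() helper talks to the public GreyNoise Community API and is the only part that needs the network, so the offline demo never calls it.

```python
import json
import re
import urllib.request
from collections import Counter
from ipaddress import AddressValueError, IPv4Address, ip_network
from typing import Optional

# Constructed sample of solr.log lines: Jetty "o.e.j.s.HttpConnection" warnings
# plus one unrelated request line. Not data from the workshop.
SAMPLE_SOLR_LOG = """\
2022-10-14 12:00:01.123 WARN  (qtp1-20) [   ] o.e.j.s.HttpConnection handleException /198.51.100.23:51234 java.lang.IllegalArgumentException: Invalid request
2022-10-14 12:00:02.456 INFO  (qtp1-21) [   ] o.a.s.c.S.Request [collection1] webapp=/solr path=/select params={q=*:*}
2022-10-14 12:00:03.789 WARN  (qtp1-22) [   ] o.e.j.s.HttpConnection handleException /203.0.113.9:40000 java.lang.IllegalArgumentException: Invalid request
2022-10-14 12:00:04.000 WARN  (qtp1-23) [   ] o.e.j.s.HttpConnection handleException /198.51.100.23:51235 java.lang.IllegalArgumentException: Invalid request
2022-10-14 12:00:05.100 WARN  (qtp1-24) [   ] o.e.j.s.HttpConnection handleException /10.0.0.5:60000 java.lang.IllegalArgumentException: Invalid request
"""

# Constructed stand-in for the per-IP fields gnenrich adds (made-up values).
SAMPLE_ENRICHMENT = {
    "198.51.100.23": {"noise": True, "classification": "malicious", "country": "Russia"},
    "203.0.113.9": {"noise": True, "classification": "benign", "country": "United States"},
    "10.0.0.5": {"noise": False, "classification": "unknown", "country": ""},
}

# Same pattern as the Splunk rex, using Python's (?P<name>...) group syntax.
IPV4_RE = re.compile(r"(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
FILTER_TERM = "o.e.j.s.HttpConnection"
# RFC 1918 and loopback ranges: sources that can never appear in GreyNoise.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def extract_src_ips(log_text: str) -> list:
    """Mirror `search o.e.j.s.HttpConnection | rex ...`: keep lines containing the
    term, take the first dotted quad on each, and drop matches that are not valid
    IPv4 (the \\d{1,3} pattern alone accepts octets above 255)."""
    ips = []
    for line in log_text.splitlines():
        if FILTER_TERM not in line:
            continue
        m = IPV4_RE.search(line)
        if not m:
            continue
        try:
            ips.append(str(IPv4Address(m.group("src_ip"))))
        except AddressValueError:
            continue
    return ips


def count_by_ip(ips: list) -> Counter:
    """`stats count by src_ip`."""
    return Counter(ips)


def unique_ips(ips: list) -> list:
    """`dedup src_ip | table src_ip`, preserving first-seen order."""
    return list(dict.fromkeys(ips))


def is_internal(ip: str) -> bool:
    """Check the SPL does not make: internal scanners and load balancers show up in
    the same log and should be triaged separately rather than sent for enrichment."""
    addr = IPv4Address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def filter_by_country(enrichment: dict, country: str) -> list:
    """`gnenrich ... | search greynoise_country=<country> | table src_ip`."""
    return [ip for ip, fields in enrichment.items() if fields.get("country") == country]


def greynoise_community(ip: str, api_key: Optional[str] = None) -> dict:
    """Live lookup against the GreyNoise Community API (network required; not used
    by the offline demo). It returns noise/riot/classification only, no geolocation,
    so a country filter like the last query needs the full API behind gnenrich."""
    req = urllib.request.Request(f"https://api.greynoise.io/v3/community/{ip}",
                                 headers={"Accept": "application/json"})
    if api_key:
        req.add_header("key", api_key)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    ips = extract_src_ips(SAMPLE_SOLR_LOG)
    print("count by src_ip:", dict(count_by_ip(ips)))
    print("unique src_ip:", unique_ips(ips))
    print("internal (skip enrichment):", [ip for ip in unique_ips(ips) if is_internal(ip)])
    print("greynoise_country=Russia:", filter_by_country(SAMPLE_ENRICHMENT, "Russia"))
```

To run it over the workshop's raw CSV, read the solr.log column into a string and pass it to extract_src_ips(); feed unique_ips() minus the is_internal() hits to greynoise_community() one address at a time.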