RLCTHD

/home

/posts

Home > Posts > Splunk - Boss Of the SOC version 1

Splunk - Boss Of the SOC version 1

I just finished the original Boss of the SOC (BOTS) Version 1, scoring 15,224 points. The challenge emphasizes the importance of using Splunk’s capabilities to analyze and interpret security data. https://bots.splunk.com/

I don’t have a fully structured writeup this time, because I felt a bit pressured by the four-hour timer, but the experience itself was immensely valuable.

The challenge is made of two scenarios:

  • Web Site Defacement – Figuring out whether the personal blog of Wayne Enterprises’ CEO had been compromised.

  • Ransomware – Tracking down the scope and details of a ransomware incident.

This challenge pushed me to experiment with SPL beyond basic searches. Seeing how SPL pipelines manipulate data was key to catching patterns you can’t always see in raw logs.

Some tasks, like the ones of extracting hashes, IP addresses, or suspicious filenames from JSON Sysmon logs, were much faster using Linux command-line tools, because, for me, using jq, grep, sort, uniq, tr, etc. has become a habit, and I still have yet to get fully accustomed to Splunk’s SPL.

For instance, in question 204: During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length of the value of this field?

Downloaded the log of the suspicious, obfuscated log of the vbs executed by “cmd.exe”.

index=botsv1 sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" *.vbs

and in bash:

cat log | tr -d '\n' | wc -c

Though if I needed to answer more questions related to this in Splunk, I could have used some queries like: eval len=len(field)

Another interesting task was question 115: One of the passwords in the brute force attack is James Brodsky’s favorite Coldplay song. We are looking for a six character word on this one. Which is it?

I saved the list of attempted passwords locally, then parsed a wiki article with all Coldplay songs titles, sorted both files, applied uniq and used comm, this returned two answers: Yellow and Voodoo.

What I loved about BOTS v1 was how it’s pure hands-on investigation. Every single task, like digging through logs or hunting for a malicious file, felt like I’m doing real-world SOC operations.

My prior experience with Suricata from challenges like HTB’s Meerkat was a definite advantage, but this challenge allowed me to focus a lot more on Splunk as an investigation component.

Though, Splunk is just a tool, albeit a very powerful one, but it doesn’t magically make you a good analyst. The core skill is how you think through the data. Splunk helps you analyze logs faster and at a big scale. SOC work is still really fascinating.

Get Involved #

I think knowledge should be shared and discussions encouraged. So, don’t hesitate to ask questions, or suggest topics you’d like me to cover in future posts.

Stay Connected   #

You can contact me at ion.miron@tutanota.com

HackTheBox - Strutted [Linux]
Self Hosted VPN with Wireguard
back to top