
New Video from @madhatistaken: Advent of Cyber Day 3 with Splunk Challenge
This video presents the third day of TryHackMe's annual Advent of Cyber event, where beginner-friendly cybersecurity challenges are released daily until Christmas. The goal is to learn how to thwart the malicious plans of the villainous King Mal, a fictional character aiming to sabotage Christmas celebrations to impose his own holiday, East. With over $150,000 in prizes to be won, this edition promises to be both fun and enriching. The day's challenge focuses on the basics of Splunk, a widely used log management and analysis platform in cybersecurity.
The story unfolds in the fictional town of Wareville, where the team at The Best Festival Company (TBFC) is preparing for Christmas celebrations. Everything seems to be going well until a dashboard suddenly displays a ransom message. This message comes from King Mal, the jealous ruler of Hopsec, who is tired of Easter being forgotten. He has sent his accomplices to attack the company's systems and turn Christmas into his own holiday, East. The security team, the TBFC SOC team, must use Splunk to determine how the ransomware infiltrated the system and stop King Mal from carrying out his plan before Christmas.
The challenge begins with an introduction to Splunk's features. The objective is to learn how to ingest and analyze custom log data. Splunk is a data processing platform that turns thousands of raw events into actionable information. In this scenario, the logs have already been pre-loaded into Splunk by the team's security engineers. Participants do not need the AttackBox (TryHackMe's attacker virtual machine), but must start a target virtual machine to reach the Splunk interface. Once the machine is running, they connect to the interface via the provided URL and begin exploring the data.
The available logs come from two main sources: web traffic and firewall logs. Web traffic contains events for connections to and from the web server, while firewall logs record whether traffic was allowed or blocked. The Splunk interface filters these logs using the Search Processing Language (SPL), Splunk's own query language. For example, the query index=main displays all available logs, a total of 18,744 events in this case. The goal is to analyze them to identify suspicious behavior.
To facilitate analysis, Splunk offers several key features. The timeline displays a histogram of events over time, making spikes of suspicious activity easy to spot. The Selected Fields and Interesting Fields panels show metadata and fields extracted from the logs, such as the client's IP address, the user agent (which identifies the software that made the request), and the requested path (URI). These fields are essential for refining searches and identifying indicators of compromise.
The investigation begins by identifying the days with the most intense suspicious activity. Using an SPL query like index=main | timechart span=1d count, one can visualize the number of events per day. A clear spike in activity is visible over several days, suggesting an ongoing attack. By sorting these results in descending order, the most active day is quickly identified. The analysis then focuses on unusual user agents, which can indicate the use of malicious software or automated tools. For example, a user agent like Havij (an SQL injection tool) or strange character strings are red flags.
The next step is to identify the attacker's IP address. By filtering the logs to exclude standard user agents (such as Mozilla, Chrome, or Safari), it is discovered that all suspicious requests come from a single IP. This IP is then used to refine searches and identify malicious actions. For example, by searching for suspicious access paths like etc/passwd (a sensitive file under Linux) or malicious SQL queries, it can be confirmed that the attacker attempted directory traversal attacks or SQL injections.
The log analysis reveals several key stages of the attack. First, a reconnaissance phase, where the attacker uses tools like curl, wget, or zgrab to probe the web server and identify vulnerabilities. Then, an exploitation phase, where tools like SQLmap are used to perform successful SQL injections, as evidenced by 504 status codes (indicating the database took too long to respond, likely due to a sleep command). Next, a payload delivery phase, where the attacker executes a binary file named bunnylock.bin via a webshell (a PHP script allowing remote command execution). Finally, a command and control (C2) phase, where the compromised server establishes an outgoing connection to the attacker's IP, confirmed by the firewall logs.
To confirm data exfiltration, the firewall logs are analyzed. By filtering allowed connections from the compromised server to the attacker's IP, it is discovered that 126,167 bytes of data were transferred. Although this may seem small (about 0.12 MB), these data are likely compressed files containing sensitive information, such as credit card numbers, passwords, or database configurations. This exfiltration confirms that the attacker succeeded in stealing data in addition to deploying the ransomware.
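The same triage steps described above (busiest day, non-browser user agents, the single source IP behind them, traversal and SQL injection counts, and bytes on allowed connections to the attacker), as an added offline example in Python. This is not the room's Splunk data or the video's queries: the log lines, IP addresses, byte counts and field names are constructed for illustration, and the SPL in the comments assumes field names the page does not give.

```python
from collections import Counter

# Constructed web-server access events (tab separated: date, client ip, uri, status, user agent).
# Sample lines written for this example, not the room's data.
WEB_LOGS = """\
2025-12-01\t10.0.0.5\t/index.php\t200\tMozilla/5.0 (Windows NT 10.0) Chrome/120.0
2025-12-02\t10.0.0.7\t/shop.php?id=1\t200\tMozilla/5.0 (Macintosh) Safari/17.0
2025-12-03\t203.0.113.9\t/shop.php?id=1' AND SLEEP(5)--\t504\tsqlmap/1.7
2025-12-03\t203.0.113.9\t/shop.php?id=1 UNION SELECT 1,2\t200\tHavij
2025-12-03\t203.0.113.9\t/../../etc/passwd\t403\tzgrab/0.1
2025-12-03\t203.0.113.9\t/../../../etc/passwd\t403\tcurl/8.4.0
2025-12-03\t203.0.113.9\t/uploads/shell.php?cmd=./bunnylock.bin\t200\tcurl/8.4.0
2025-12-04\t10.0.0.5\t/index.php\t200\tMozilla/5.0 (X11; Linux) Firefox/121.0
"""
# Constructed firewall events (tab separated: date, action, src ip, dst ip, bytes).
FW_LOGS = """\
2025-12-03\tallowed\t10.0.0.20\t203.0.113.9\t90000
2025-12-03\tallowed\t10.0.0.20\t203.0.113.9\t31200
2025-12-03\tblocked\t10.0.0.20\t203.0.113.9\t0
2025-12-03\tallowed\t10.0.0.20\t198.51.100.1\t512
"""
WEB_FIELDS = ("date", "ip", "uri", "status", "ua")
FW_FIELDS = ("date", "action", "src", "dst", "bytes")
BENIGN_UA = ("Mozilla", "Chrome", "Safari")  # the browser strings the video excludes

def parse(text, fields):
    return [dict(zip(fields, line.split("\t"))) for line in text.splitlines() if line]

def busiest_day(web):
    # SPL equivalent: index=main | timechart span=1d count | sort - count
    return Counter(e["date"] for e in web).most_common(1)[0]

def suspicious_agents(web):
    # SPL equivalent (field name assumed): index=main NOT useragent=*Mozilla* NOT useragent=*Chrome* ...
    return [e for e in web if not any(b in e["ua"] for b in BENIGN_UA)]

def attacker_ip(web):
    # The source IP behind the non-browser user agents; in the video this is a single address.
    return Counter(e["ip"] for e in suspicious_agents(web)).most_common(1)[0][0]

def count_uri(web, ip, needle):
    # needle="etc/passwd" counts traversal attempts; needle="SLEEP" counts time-based SQLi probes.
    return sum(1 for e in web if e["ip"] == ip and needle in e["uri"])

def exfil_bytes(fw, server_ip, attacker):
    # Bytes on allowed connections from the compromised server to the attacker (blocked rows ignored).
    return sum(int(e["bytes"]) for e in fw
               if e["action"] == "allowed" and e["src"] == server_ip and e["dst"] == attacker)
```

Each function mirrors one question the room asks; on real Splunk data the same logic is a single SPL search with the field names shown in the Interesting Fields panel.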
At the end of the investigation, several questions are asked to validate the acquired skills. For example, participants must identify the attacker's IP, the day with the most traffic, the number of events related to the Havij tool, the number of directory traversal attempts, and the amount of exfiltrated data. By correctly answering these questions, participants complete the challenge and increase their chances of winning prizes.
This challenge perfectly illustrates the importance of log analysis in detecting and responding to cybersecurity incidents. Splunk allows transforming raw data into actionable information, which is crucial for quickly identifying attacks and limiting their impact. The skills acquired here, such as using SPL, analyzing user agents, or correlating different types of logs, are directly applicable in professional environments. For those wishing to deepen their knowledge, the video recommends following the Incident Handling with Splunk challenge, an intermediate-level room to further master this tool.
In summary, this video offers a practical and immersive introduction to log analysis with Splunk, while highlighting the different stages of a cyber attack. It shows how a security team can use this tool to investigate an incident, identify attack vectors, and take corrective actions. Whether you are a beginner or a professional in cybersecurity, this challenge is an excellent opportunity to learn and have fun while protecting Christmas from King Mal's clutches.