Intrusion Detection With Splunk (Real-world Scenario)

Hey everyone! I have been stuck in this question for hours.

Navigate to http://[Target IP]:8000, open the “Search & Reporting” application, and find through an SPL search against all data any suspicious loads of clr.dll that could indicate a C# injection/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format: _.exe

I am confused because I have applied clr.dll as my filter and could not find any C# code. Please give me a baseline on how to get the exe file involved. Any leads would be greatly appreciated. Thanks!


I am stuck here as well. I believe I have located the process that used C#, but I can’t figure out the answer.

We just have to follow the step to find if some C# code was used; after this we can easily find a program which calls another subprocess to perform its injection.

To find this, focus on the “first” program with a specific name, view all related events, find the TargetImage and you will find it! =)

Still stuck here

Also stuck on this one, this is my search query right now:

clr.dll
| stats count by TargetImage

There was more to it before I tried to broaden it, but none of the results give the correct answer. Any help would be brilliant.

Hi, did anyone solve it? I search for clr.dll as it says, then there are only 3 logs for TargetImage, and none of them are correct, even if I try

clr.dll | stats count by Image

I get 26 logs, some of them looking very promising, but none correct. What am I not understanding? Any help much appreciated.

OK, just for clarity, I got the correct answer… even by HTB standards that is cheeky lol!

I stopped exactly where you left off previously; can you help me with how to find the answer?

Hi, so if you follow the Splunk search I posted:

*clr.dll | stats count by Image

Then you should get approximately 26 results.

The answer is one of these results!

Good luck


Thanks bro

Did you try them all? Not trying to be condescending, but I didn’t try one in particular… and it turned out this one was the correct one. Sorry, I can’t just say the answer.

Also make sure you are viewing all results: make sure that the number of results shown is set to 50 or so.

Hi, can someone help me with the question below?
I figured out all the other questions, but on this one I’m stuck.

Module: Intrusion Detection With Splunk (Real-world Scenario)

Question:
Navigate to http://[Target IP]:8000, open the “Search & Reporting” application, and find through SPL searches against all data the two IP addresses of the C2 callback server. Answer format: 10.0.0.1XX and 10.0.0.XX

Is the answer in this format? 10.0.0.186 and 10.0.0.229
If yes, can someone give a hint? I followed rundll32.exe and connections to the internet with http://* and found the IPs above, but they don’t work.
Thanks in advance.


One of them is right. Look at the answer format 10.0.0.1xx and 10.0.0.xx (a clue is in the X’s)


Thanks so much, this clue helped me.

I’ve been stuck here for a while now. I’ve tried this, but out of the 26 or so entries none of them were the answer. I’ve also tried these:
CallTrace=*clr.dll* | stats count by TargetImage
clr.dll EventCode=10 | stats count by TargetImage
clr.dll | stats count by ProcessName ParentProcessName

Still no joy. Would appreciate any help.
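The two-stage hunt the question describes (clr.dll loads first, then which of those loaders went on to run code in memory), as an added example that is not part of the thread or of the HTB module, run over constructed Sysmon-style events instead of a Splunk index. Stage 1 mirrors `ImageLoaded=*clr.dll | stats count by Image` on EventCode 7; the stage 2 criterion (EventCode 10 ProcessAccess events whose CallTrace passes through clr.dll or unbacked memory, shown by Sysmon as `UNKNOWN(...)`) is this example's assumption, and every process name in it is a placeholder, not the answer.

```python
from collections import Counter

CLR = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"

# Constructed sample events (not real telemetry); process names are placeholders.
EVENTS = [
    {"EventCode": 7, "Image": r"C:\Users\bob\sample_tool.exe", "ImageLoaded": CLR},
    {"EventCode": 7, "Image": r"C:\Windows\System32\examplehost.exe", "ImageLoaded": CLR},
    {"EventCode": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventCode": 10, "SourceImage": r"C:\Windows\System32\examplehost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|UNKNOWN(00000211B4D70F5A)"},
    {"EventCode": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2bd2e"},
]


def clr_loaders(events):
    """Stage 1: count clr.dll loads per process image (Sysmon EventCode 7).

    On its own this is noisy: every .NET program loads clr.dll, which is why a
    plain `stats count by Image` in the thread returns dozens of candidates.
    """
    return Counter(e["Image"] for e in events
                   if e.get("EventCode") == 7
                   and e.get("ImageLoaded", "").lower().endswith("\\clr.dll"))


def memory_executors(events, loaders):
    """Stage 2 (assumed criterion): keep only clr.dll loaders that then accessed
    another process (EventCode 10) from a call stack touching clr.dll or memory
    not backed by any module on disk, the footprint of code staged in memory.
    Returns {SourceImage: [TargetImage, ...]}."""
    hits = {}
    for e in events:
        if e.get("EventCode") != 10 or e.get("SourceImage") not in loaders:
            continue
        trace = e.get("CallTrace", "")
        if "clr.dll" in trace.lower() or "UNKNOWN(" in trace:
            hits.setdefault(e["SourceImage"], []).append(e["TargetImage"])
    return hits


def answer_names(hits):
    """Reduce full paths to the `_.exe` answer format, lowercase as advised below."""
    return sorted({path.rsplit("\\", 1)[-1].lower() for path in hits})


if __name__ == "__main__":
    print(answer_names(memory_executors(EVENTS, clr_loaders(EVENTS))))  # ['examplehost.exe']
```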

Make sure your answer is all lowercase.

What process can be called to load/execute code into memory? It’s “very” common and is used all the time.

I don’t think HTB are trying to trick anyone with the answer, just trying to drum it into your brain that this process is used a lot.

Spent another few hours searching for processes that could load code.

A lot of promising results came from variations of this command, but none of them were the correct answer:
kernel32.dll EventCode=10 | stats count by TargetImage

Digging back through the results from these and looking for parent processes also didn’t help. Tried googling regarding code execution, but not yet found anything to guide me towards a specific .exe.

Are you trying to answer this question?
“Navigate to http://[Target IP]:8000, open the “Search & Reporting” application, and find through an SPL search against all data the other process that dumped lsass. Enter its name as your answer. Answer format: _.exe”
Check the common process that dumped lsass.

Thanks, I’ll give it a shot.