Hunting with SPLUNK Part-1
TryHackMe — Splunk 2
Welcome to my first blog! This blog is for people who are trying to get comfortable with Splunk.
In this blog I will be solving a TryHackMe room that is built purely to test your Splunk skills. The room is called Splunk 2 and it targets a beginner to intermediate level of understanding.

I will cover this room in 4 different blogs.
Enjoy the first one. HAPPY LEARNING !!
I will be using the BOTSv2 dataset to find the answers. Read tasks 1 and 2 thoroughly and deploy the machine.
I will jump straight to the scenarios in task 3.
Question 1 : Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team. What is the website domain that she visited?
I entered the following search in the Splunk search bar ->
index="botsv2" amber
In this search I used botsv2 as the data source (the index) and the free-text term amber (the employee's first name, as given in the question) to narrow down the events.

As I received a lot of events, I clicked on the sourcetype field and selected "pan:traffic" (Palo Alto firewall traffic logs), which filtered the events accordingly. I chose pan:traffic because firewall traffic logs record the source IP of every connection, which is how I get Amber's IP address.

Once the results came in I ran the following search ->
index="botsv2" sourcetype="pan:traffic" amber
This search kept only the pan:traffic events that contain amber. I then looked in the "Interesting Fields" panel, found a field called "src_ip", clicked on it and got Amber's IP address, which was 10.0.2.101.

Now that I had Amber's IP address I changed the search to ->
index="botsv2" 10.0.2.101 sourcetype="stream:http"
Here I used the sourcetype stream:http because I need the HTTP traffic from that host (Splunk Stream captures HTTP sessions off the wire). In the "Interesting Fields" panel I found a field named "site", but it contained a lot of duplicate values that got in the way of finding the answer. I removed the duplicates with SPL commands.
SPL commands after the pipe (|) can be really helpful when working through the logs. To solve this task I used two of them, table and dedup.
table -> shows only the listed fields, as a table in the Statistics tab.
dedup -> keeps the first event for each distinct value of the given field and drops the rest.
Search after adding the commands ->
index="botsv2" sourcetype="stream:http" 10.0.2.101 | dedup site | table site
After executing this command there were still a lot of events in which I had to look for the answer. There was a specific sentence in task 2 which gave the hint to solve this question -> “In this exercise, you assume the persona of Alice Bluebird, the analyst who successfully assisted Wayne Enterprises and was recommended to Grace Hoppy at Frothly (a beer company) to assist them with their recent issues.”
Final search ->
index="botsv2" sourcetype="stream:http" 10.0.2.101 *beer* | dedup site | table site
The answer was right in front of me. (A term with a leading wildcard such as *beer* forces Splunk to scan every indexed term instead of using the index, so it is fine on a small lab dataset but slow on a large production index.)

Question 2 : Amber found the executive contact information and sent him an email. What image file displayed the executive’s contact information? Answer example: /path/image.ext
To answer this question I entered the following search ->
index="botsv2" 10.0.2.101 sourcetype="stream:http" {"Domain of the company found in answer 1"}
As this still returned 12 events, I looked in the "Interesting Fields" panel and used "uri_path" as the filter. I picked the path whose name most resembled the company's domain name by clicking on that particular path.
I entered the following search ->
index="botsv2" 10.0.2.101 sourcetype="stream:http" uri_path="*******************"

Question 3 : What is the CEO’s name? Provide the first and last name.
To answer this question I first figured out Amber's email address. The search I entered was ->
index="botsv2" sourcetype="stream:smtp" {"Domain of the company found in answer 1"} amber
I used stream:smtp instead of stream:http because I had to find an email address, and for that I needed the email protocol, i.e. SMTP.
After executing the search, 4 events were returned. I went through the logs one by one. After a few logs I came across one where I had to click on "show as raw text", and after some investigation I was able to find the CEO's first and last name.
Hint : Look for the log which has a timestamp of 8/20/17 11:03:08.879AM.

Question 4 : What is the CEO’s email address?
To answer this question I used Amber's email address to filter the logs (you can find it easily while investigating the logs from the previous question).
Question 5 : After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee’s email address?
To answer this question I used the following search ->
index="botsv2" sourcetype="stream:smtp" {"Domain of the company found in answer 1"} {"Amber's email address"}
After the results came in I looked at the timestamps.
The conversation took place in the following order :
- Amber -> CEO
- CEO -> Amber
- H****Hard (Employee) -> Amber
- Amber -> H****Hard (Employee)
If you follow the timestamps and read the raw data in the logs you will be able to get the answer.

Question 6 : What is the name of the file attachment that Amber sent to a contact at the competitor?
To answer this question I used the same search as in the question above ->
index="botsv2" sourcetype="stream:smtp" berkbeer.com {"Amber's email address"}
In the "Interesting Fields" panel I found a field called attach_filename{} (the curly braces mean Splunk extracted it from a JSON array, so one event can carry several values). This should be a cake walk for all of you.

Question 7 : What is Amber’s personal email address?
To answer this question I used the same search as for the question above ->
index="botsv2" sourcetype="stream:smtp" berkbeer.com {"Amber's email address"}
From the conversation order described in answer 5, I knew that I had to look at the most recent log. I opened the raw data by clicking on it and noticed that the message body is base64 encoded (a quick tell is a long run of A-Za-z0-9+/ characters, often ending in one or two = signs).

I decoded this data with the help of CyberChef: https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)
On decoding the data I got Amber's personal email address.
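The two manual steps above, putting the SMTP conversation in timestamp order (question 5) and decoding a base64 message body to pull an address out of it (question 7), as an added Python example. This is not part of the TryHackMe room, of Splunk, or of the searches in this write-up. The events, names and domains in it are constructed placeholders (no BOTSv2 data); only the field names mimic what a stream:smtp event carries. It also shows the two things CyberChef hides from you: MIME line wrapping inside the base64 payload, and a payload that does not decode at all.

```python
"""Order SMTP events by time and extract addresses from base64-encoded bodies.

Added example for this write-up; not code from the TryHackMe room or Splunk.
All events, addresses and domains below are constructed for illustration.
"""
import base64
import binascii
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Loose pattern for addresses inside free text; fine for triage, not RFC 5322.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed body for the last message. A real event already carries the
# encoded string, and MIME encoders wrap base64 at 76 columns, so CRLFs inside
# the payload are normal and the decoder has to tolerate them.
_PLAIN_BODY = ("Thanks for the details. Please use my personal address "
               "amber.home@webmail.example for anything further.\r\n")
_B64_BODY = base64.b64encode(_PLAIN_BODY.encode()).decode()
_B64_WRAPPED = "\r\n".join(_B64_BODY[i:i + 76] for i in range(0, len(_B64_BODY), 76))

# Constructed events mimicking stream:smtp field names (no real dataset values).
SAMPLE_EVENTS: List[Dict] = [
    {"_time": "2017-08-20T11:00:00", "sender": "amber@frothly.example",
     "receiver": ["ceo@competitor.example"], "content_transfer_encoding": "7bit",
     "content": "Hello, could you put me in touch with your team?"},
    {"_time": "2017-08-20T11:03:08", "sender": "ceo@competitor.example",
     "receiver": ["amber@frothly.example"], "content_transfer_encoding": "7bit",
     "content": "Sure, my colleague hr@competitor.example will reach out."},
    {"_time": "2017-08-20T11:10:00", "sender": "hr@competitor.example",
     "receiver": ["amber@frothly.example"], "content_transfer_encoding": "base64",
     "content": base64.b64encode(b"Hi Amber, where should I send the paperwork?").decode()},
    {"_time": "2017-08-20T11:15:00", "sender": "amber@frothly.example",
     "receiver": ["hr@competitor.example"], "content_transfer_encoding": "base64",
     "content": _B64_WRAPPED},
    # A payload that was truncated or corrupted in capture: must not crash the run.
    {"_time": "2017-08-20T11:16:00", "sender": "amber@frothly.example",
     "receiver": ["hr@competitor.example"], "content_transfer_encoding": "base64",
     "content": "not*valid*base64"},
]


def decode_body(content: str, transfer_encoding: str) -> Optional[str]:
    """Return the readable body, or None if a base64 payload does not decode."""
    if transfer_encoding.lower() != "base64":
        return content
    compact = re.sub(r"\s+", "", content)  # strip MIME line wrapping first
    try:
        raw = base64.b64decode(compact, validate=True)  # reject non-alphabet bytes
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def conversation(events: Iterable[Dict]) -> List[Tuple[str, str, str]]:
    """(time, sender, receivers) hops in time order: the question 5 timeline."""
    ordered = sorted(events, key=lambda e: e["_time"])
    return [(e["_time"], e["sender"], ",".join(e["receiver"])) for e in ordered]


def addresses_in_bodies(events: Iterable[Dict]) -> Set[str]:
    """Addresses mentioned inside decoded bodies, not in the envelope fields."""
    found: Set[str] = set()
    for e in events:
        body = decode_body(e["content"], e["content_transfer_encoding"])
        if body is not None:
            found.update(EMAIL_RE.findall(body))
    return found


def non_corporate_addresses(events: Iterable[Dict], corporate_domains: Iterable[str]) -> Set[str]:
    """Body addresses outside the domains already known: the question 7 logic."""
    known = {d.lower() for d in corporate_domains}
    return {a for a in addresses_in_bodies(events)
            if a.rsplit("@", 1)[1].lower() not in known}


def undecodable_events(events: Iterable[Dict]) -> List[str]:
    """Timestamps of events whose body could not be decoded; worth a manual look."""
    return [e["_time"] for e in events
            if decode_body(e["content"], e["content_transfer_encoding"]) is None]


if __name__ == "__main__":
    for hop in conversation(SAMPLE_EVENTS):
        print(hop)
    print(non_corporate_addresses(SAMPLE_EVENTS, ["frothly.example", "competitor.example"]))
    print(undecodable_events(SAMPLE_EVENTS))
```

Feeding it real events means exporting the search results as JSON from Splunk and loading that list in place of SAMPLE_EVENTS; the `validate=True` decode is deliberate, because the default lenient mode silently drops bad characters and can hand you a plausible-looking but wrong body.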

Part 1 of this blog ends here. I hope that you are now familiar with the basics of Splunk. I will release the next parts in the coming days.
Thanks for reading. Feel free to ask questions in the comments and share this write-up if you found it useful.