BOTSv1 Level 2: Identifying Threat Actors (50 pts)

BOTSv1 2.1: Staging Server IP (10 pts)

In Level 1, you found the staging server domain name (used to host the defacement file). Find that server's IP address.

Hints:

  • Search for HTTP GET events containing the target FQDN.

BOTSv1 2.2: Leetspeak Domain (10 pts)

Use a search engine (outside Splunk) to find other domains hosted on the staging server: search for its IP address and look for a domain with a name in Leetspeak (like "1337sp33k.com").

BOTSv1 2.3: Brute Force Attack (15 pts)

Find the IP address performing a brute force attack against "imreallynotbatman.com".

Hints:

  • Find the 15,570 HTTP events using the POST method.
  • Exclude the events from the vulnerability scanner.
  • Examine the form_data of the remaining 441 events.

BOTSv1 2.4: Uploaded Executable File Name (15 pts)

Find the name of the executable file the attacker uploaded to the server.

Hints:

  • Find the 15,570 HTTP events using the POST method.
  • Exclude the events from the vulnerability scanner.
  • Search for common Windows executable filename extensions.
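The hints for 2.3 and 2.4 describe the same procedure: keep only POST events, drop the vulnerability scanner, then mine form_data. The block below is an added worked example (not part of this page or of the BOTSv1 dataset) that runs that procedure in Python over a small set of constructed stream:http-style events. Everything in it is an assumption: the IPs (documentation ranges), the executable name "agent.exe", the login field names, and the heuristic that "the vulnerability scanner" is simply the busiest POST source.

```python
"""Added example for BOTSv1 2.3 and 2.4: isolate POST traffic, exclude the
scanner, then find the brute-force source and any uploaded executables.
The events are constructed here; field names (src_ip, http_method, uri,
form_data) follow Splunk's stream:http sourcetype."""
import re
from collections import Counter

SCANNER_IP = "203.0.113.10"   # assumption: the noisy vulnerability scanner
ATTACKER_IP = "198.51.100.7"  # assumption: the brute-force source


def _post(src, uri, form_data=""):
    return {"src_ip": src, "http_method": "POST", "uri": uri, "form_data": form_data}


# Constructed sample events (not BOTSv1 data).
SAMPLE_EVENTS = []
# Scanner: many POSTs probing for command execution. Note the "cmd.exe" noise,
# which is why the scanner must be excluded before hunting for executables.
for i in range(30):
    SAMPLE_EVENTS.append(_post(SCANNER_IP, f"/index.php?id={i}", f"q=cmd.exe+/c+echo+scan{i}"))
# Brute force: repeated logins with different passwords against the admin page.
for pw in ["batman", "robin", "joker", "gotham", "alfred", "bane"]:
    SAMPLE_EVENTS.append(_post(ATTACKER_IP, "/joomla/administrator/index.php",
                               f"username=admin&passwd={pw}&option=com_login&task=login"))
# The eventual upload from the same source (constructed multipart fragment).
SAMPLE_EVENTS.append(_post(ATTACKER_IP, "/joomla/administrator/index.php?option=com_extplorer",
                           'Content-Disposition: form-data; name="userfile"; filename="agent.exe"'))
# A legitimate user, plus a GET that the POST filter must drop.
SAMPLE_EVENTS.append(_post("192.0.2.5", "/joomla/administrator/index.php",
                           "username=bob&passwd=correct-horse&option=com_login&task=login"))
SAMPLE_EVENTS.append({"src_ip": "192.0.2.5", "http_method": "GET", "uri": "/", "form_data": ""})

# Common Windows executable extensions (assumed list) and a password-field pattern.
EXE_RE = re.compile(r"\b([\w.-]+\.(?:exe|dll|bat|cmd|ps1|scr|msi))\b", re.I)
LOGIN_RE = re.compile(r"(?:^|&)(?:passwd|password|pass)=", re.I)


def post_events(events):
    """Step 1: keep only HTTP POST events."""
    return [e for e in events if e["http_method"] == "POST"]


def busiest_source(events):
    """Step 2 (heuristic): treat the src_ip with the most POSTs as the scanner."""
    counts = Counter(e["src_ip"] for e in events)
    ip, _ = counts.most_common(1)[0]
    return ip


def brute_force_source(events):
    """2.3: among non-scanner POSTs carrying a password field, the src_ip with
    the most attempts. Returns (ip, attempt_count)."""
    posts = post_events(events)
    scanner = busiest_source(posts)
    logins = Counter(e["src_ip"] for e in posts
                     if e["src_ip"] != scanner and LOGIN_RE.search(e["form_data"]))
    ip, n = logins.most_common(1)[0]
    return ip, n


def uploaded_executables(events):
    """2.4: executable filenames seen in non-scanner POST form_data."""
    posts = post_events(events)
    scanner = busiest_source(posts)
    names = set()
    for e in posts:
        if e["src_ip"] == scanner:
            continue
        names.update(m.group(1) for m in EXE_RE.finditer(e["form_data"]))
    return sorted(names)


if __name__ == "__main__":
    print("POST events:", len(post_events(SAMPLE_EVENTS)))
    print("scanner:", busiest_source(post_events(SAMPLE_EVENTS)))
    print("brute force:", brute_force_source(SAMPLE_EVENTS))
    print("executables:", uploaded_executables(SAMPLE_EVENTS))
```

In Splunk the same steps are a `http_method=POST` search, a `stats count by src_ip` to spot the scanner's volume, a `src_ip!=` clause to drop it, and then filtering on `form_data` for password fields or for `*.exe*`. Identifying the scanner by volume alone is a shortcut that works for this constructed sample; on real data, confirm it with the user agent or the spread of URIs it requests before excluding it.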

Posted 10-30-20