Splunk [Part 1] - TryHackMe Room

What is Splunk?

Task 2 → Can you dig it?

Task 5 → Advanced Persistent Threat

Log sources with the most events mentioning imreallynotbatman.com (top 10):

index=botsv1 imreallynotbatman.com
| stats count by source
| sort -count
| head 10

Source IPs with the most events in the HTTP stream data:

index=botsv1 imreallynotbatman.com sourcetype=stream:http
| stats count by src_ip
| sort -count

Most common src_headers values (request headers) sent by 40.80.148.42 (top 5):

index=botsv1 imreallynotbatman.com sourcetype=stream:http src_ip="40.80.148.42"
| stats count by src_headers
| sort -count
| head 5

Destination IPs that 40.80.148.42 sent HTTP traffic to:

index=botsv1 imreallynotbatman.com sourcetype=stream:http src_ip="40.80.148.42"
| stats count by dest_ip
| sort -count

URIs requested most often by 40.80.148.42 (top 10):

index=botsv1 imreallynotbatman.com sourcetype=stream:http src_ip="40.80.148.42"
| stats count by uri
| sort -count
| head 10

HTTP methods used by 40.80.148.42:

index=botsv1 imreallynotbatman.com sourcetype=stream:http src_ip="40.80.148.42"
| stats count by http_method
| sort -count

The dest_content field of one POST from 40.80.148.42 that mentions the keyword username:

index=botsv1 imreallynotbatman.com sourcetype=stream:http src_ip="40.80.148.42" http_method="POST" username
| table dest_content
| head 1

Source IPs that sent POST requests whose form data contains both username and passwd:

index=botsv1 imreallynotbatman.com sourcetype=stream:http http_method="POST" form_data=*username*passwd*
| stats count by src_ip

Pull the submitted username and password out of form_data with rex and list the three earliest attempts (sort takes the field name directly; there is no "by" keyword):

index=botsv1 imreallynotbatman.com sourcetype=stream:http http_method="POST" form_data=*username*passwd*
| rex field=form_data "username=(?<u>\w+)"
| rex field=form_data "passwd=(?<p>\w+)"
| table _time, u, p
| sort _time
| head 3
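The last two queries (filter POSTs whose form data carries username and passwd, count them by src_ip, pull the credentials out with the two rex patterns, sort by time, head 3) rewritten in Python as an added example that is not part of the original post. The events are constructed stream:http-style records: apart from the field names and 40.80.148.42, every value in them is made up.

```python
import re
from collections import Counter

# Python equivalents of the page's SPL steps (stats count by / sort -count / rex /
# sort _time / head) run over constructed stream:http-style events. Only the field
# names and 40.80.148.42 come from the queries above; every other value is made up.
EVENTS = [
    {"_time": "2016-08-10T21:46:01", "src_ip": "40.80.148.42", "http_method": "POST",
     "form_data": "username=admin&passwd=12345678&option=com_login"},
    {"_time": "2016-08-10T21:46:02", "src_ip": "40.80.148.42", "http_method": "GET",
     "form_data": ""},
    {"_time": "2016-08-10T21:46:03", "src_ip": "198.51.100.7", "http_method": "POST",
     "form_data": "username=admin&passwd=Welcome1&option=com_login"},
    {"_time": "2016-08-10T21:46:04", "src_ip": "40.80.148.42", "http_method": "POST",
     "form_data": "username=admin&passwd=batman&option=com_login"},
]

# The two rex patterns from the page; Python spells a named group (?P<u>...).
USER_RE = re.compile(r"username=(?P<u>\w+)")
PASS_RE = re.compile(r"passwd=(?P<p>\w+)")


def login_posts(events):
    """http_method="POST" form_data=*username*passwd* (ordered wildcard match)."""
    return [e for e in events if e["http_method"] == "POST"
            and re.search(r"username.*passwd", e["form_data"])]


def count_by(events, field):
    """stats count by <field> | sort -count  ->  [(value, count), ...]"""
    counts = Counter(e[field] for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def extract_credentials(event):
    """The two rex commands: returns (u, p), or None if either pattern is absent."""
    u = USER_RE.search(event["form_data"])
    p = PASS_RE.search(event["form_data"])
    return (u.group("u"), p.group("p")) if u and p else None


def first_attempts(events, n=3):
    """table _time, u, p | sort _time | head n"""
    rows = []
    for e in sorted(login_posts(events), key=lambda e: e["_time"]):
        creds = extract_credentials(e)
        if creds:  # skip posts where the regexes did not both match
            rows.append((e["_time"],) + creds)
    return rows[:n]
```

count_by(login_posts(EVENTS), "src_ip") returns the same ranked list that stats count by src_ip | sort -count produces in Splunk, with the busiest source first.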

Till then, see you...!!! Stay safe, stay curious.

SLIIT cyber security undergraduate