superducktoes · November 8, 2022 22:15 · Supriya-Maz · Nov 2, 2022
diff --git a/workshop.txt b/workshop.txt
 Stop Chasing Ghosts: California Roadshow
 Cheat Sheet

 You’re working at a sticker company called “Milk Co.” One of your developers leaves a vulnerable dev environment exposed to the internet. Users at the workshop will play the role of the Security Analyst at “Milk Co.” and have to investigate the alert to understand what happened, decide how they can stop additional attacks quickly, and then do additional investigation into indicators that can be used for hunting.

 Question Answer Form
 https://stopchasingghosts.typeform.com/to/JWKos6K2

 [Optional] Slack Channel: Join GreyNoise Community Slack and find channel #roadshow-dc


 //

 The following tools may be helpful in your investigation.

 Internet Scanners
 Censys: censys.io
 Shodan: shodan.io 

 Internet Listeners
 GreyNoise: https://viz.greynoise.io/analysis

 Malware Repositories
 VirusTotal: virustotal.com

 Decoders
 CyberChef: https://gchq.github.io/CyberChef/
 Base64: https://www.base64decode.org/
 CharCode: https://charcode98.neocities.org/

 Splunk Hints
 This is for questions involving Splunk. 
 Splunk Login Credentials
 URL: http://54.175.0.105:443
 Username: workshop
 Password: stop_chasing_ghosts

 Alternatively, if you are allergic to Splunk,  you can download this raw log file:  http://milkco.xyz/milkco_logs.csv

 Note: Make sure all queries are set to ‘All Time’
 Extract IP’s from solr logs
 source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection | rex field=r "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 Count the number of IP’s
 source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection | rex field=r "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | stats count by src_ip
 Output a list of IP’s
 source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection | rex field=r "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | dedup src_ip | table src_ip
 Query IP’s against GreyNoise
 source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection | rex field=r "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | dedup src_ip | gnquick ip_field=src_ip
 Query IP’s against GreyNoise by Geolocation 
 source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection | rex field=r "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | dedup src_ip | gnenrich ip_field=src_ip | search greynoise_country=Russia | dedup src_ip | table src_ip, greynoise_country
	Stop Chasing Ghosts: California Roadshow
	Cheat Sheet

	You’re working at a sticker company called “Milk Co.” One of your developers leaves a vulnerable dev environment exposed to the internet. Users at the workshop will play the role of the Security Analyst at “Milk Co.” and have to investigate the alert to understand what happened, decide how they can stop additional attacks quickly, and then do additional investigation into indicators that can be used for hunting.

	Question Answer Form
	https://stopchasingghosts.typeform.com/to/JWKos6K2

	[Optional] Slack Channel: Join GreyNoise Community Slack and find channel #roadshow-dc


	//

	The following tools may be helpful in your investigation.

	Internet Scanners
	Censys: censys.io
	Shodan: shodan.io

	Internet Listeners
	GreyNoise: https://viz.greynoise.io/analysis

	Malware Repositories
	VirusTotal: virustotal.com

	Decoders
	CyberChef: https://gchq.github.io/CyberChef/
	Base64: https://www.base64decode.org/
	CharCode: https://charcode98.neocities.org/

	Splunk Hints
	This is for questions involving Splunk.
	Splunk Login Credentials
	URL: http://54.175.0.105:443
	Username: workshop
	Password: stop_chasing_ghosts

	Alternatively, if you are allergic to Splunk, you can download this raw log file: http://milkco.xyz/milkco_logs.csv

	Note: Make sure all queries are set to ‘All Time’
	Extract IP’s from solr logs
	source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection \| rex field=r "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
	Count the number of IP’s
	source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection \| rex field=r "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \| stats count by src_ip
	Output a list of IP’s
	source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection \| rex field=r "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \| dedup src_ip \| table src_ip
	Query IP’s against GreyNoise
	source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection \| rex field=r "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \| dedup src_ip \| gnquick ip_field=src_ip
	Query IP’s against GreyNoise by Geolocation
	source="solr.log" index="workshop" sourcetype="generic_single_line" o.e.j.s.HttpConnection \| rex field=r "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \| dedup src_ip \| gnenrich ip_field=src_ip \| search greynoise_country=Russia \| dedup src_ip \| table src_ip, greynoise_country