Day 3 SOC Challenge Investigating a Christmas Ransomware Attack with Splunk

 


Introduction

As Christmas approaches in the festive town of Wareville, The Best Festival Company (TBFC) prepares for its biggest celebration of the year. Everything appears normal—until the SOC dashboard suddenly lights up red.

A ransom message appears.

Behind the attack is King Malhare, the jealous ruler of HopSec Island. Angry that Christmas has overshadowed Easter, he deploys his Bandit Bunnies to compromise TBFC’s systems and transform Christmas into EAST-mas.

With McSkidy missing and critical systems under attack, the SOC team turns to Splunk to uncover how the ransomware infiltrated the environment and to stop the attack before Christmas is destroyed.

This post walks through the full Splunk-based investigation, from initial triage to identifying command-and-control activity.


🎯 Learning Objectives

By the end of this investigation, you will understand how to:

  • Ingest and analyze custom log data in Splunk

  • Apply field extractions and SPL filters

  • Identify suspicious behaviour using SPL queries

  • Trace a complete ransomware attack chain

  • Correlate web and firewall logs for incident response


🔌 Setting Up Splunk

Once the Splunk instance is online:

  • Open Search & Reporting

  • Set the time range to All time

  • Start with the base search:

index=main

Available Data Sources

Two primary sourcetypes are present:

  • web_traffic – HTTP/HTTPS access logs

  • firewall_logs – Allowed and blocked network traffic

Target Web Server IP: 10.10.1.15


🧭 Initial Triage

To understand overall activity, begin by reviewing all web traffic:

index=main sourcetype=web_traffic

Observations

  • ~17,000 web events

  • Normal daily traffic pattern

  • One significant traffic spike, indicating a potential attack window

Key extracted fields include:

  • client_ip

  • user_agent

  • path

  • status


📊 Identifying the Traffic Spike

Visualize request volume by day:

index=main sourcetype=web_traffic | timechart span=1d count

Sorting to highlight the peak:

index=main sourcetype=web_traffic | timechart span=1d count | sort -count

The peak attack day is immediately visible.


🕵️ Hunting Suspicious Indicators

Step 1: Abnormal User Agents

Filter out legitimate browsers:

index=main sourcetype=web_traffic user_agent!=*Mozilla* user_agent!=*Chrome* user_agent!=*Safari* user_agent!=*Firefox*

This reveals traffic generated by command-line tools and automated scanners.


Step 2: Identifying the Attacker IP

List top offending IPs:

sourcetype=web_traffic user_agent!=*Mozilla* user_agent!=*Chrome* user_agent!=*Safari* user_agent!=*Firefox* | stats count by client_ip | sort -count | head 5

Attacker IP Identified:
198.51.100.55


⚔️ Tracing the Attack Chain

From this point, all analysis focuses on the attacker IP.


1️⃣ Reconnaissance Attempts

sourcetype=web_traffic client_ip="198.51.100.55" AND path IN ("/.env", "/*phpinfo*", "/.git*") | table _time, path, user_agent, status

Findings:

  • Tools: curl, wget

  • Multiple requests for sensitive files

  • Mostly 401 / 403 / 404 responses


2️⃣ Path Traversal Attempts

sourcetype=web_traffic client_ip="198.51.100.55" AND (path="*../../*" OR path="*redirect*") | stats count by path

Findings:

  • 658 path traversal attempts

  • Attempts to read system-level files


3️⃣ SQL Injection Activity

sourcetype=web_traffic client_ip="198.51.100.55" AND user_agent IN ("*sqlmap*", "*Havij*") | table _time, path, status

Findings:

  • Tools used: sqlmap, Havij

  • 993 Havij events

  • Time-based payloads (SLEEP(5))

  • Server responses: 504 Gateway Timeout

  • Indicates successful blind SQL injection


4️⃣ Data Exfiltration Attempts

sourcetype=web_traffic client_ip="198.51.100.55" AND path IN ("*backup.zip*", "*logs.tar.gz*") | table _time, path, user_agent

Findings:

  • Attempts to download backups and log archives

  • Multiple command-line tools used


5️⃣ Remote Code Execution & Ransomware Deployment

sourcetype=web_traffic client_ip="198.51.100.55" AND path IN ("*bunnylock.bin*", "*shell.php?cmd=*") | table _time, path, user_agent, status

Findings:

  • Web shell (shell.php) uploaded

  • Ransomware binary staged

  • Command executed:

cmd=./bunnylock.bin

✅ Confirms RCE and ransomware execution


📡 Firewall Logs: Command & Control Detection

sourcetype=firewall_logs src_ip="10.10.1.5" AND dest_ip="198.51.100.55" AND action="ALLOWED" | table _time, action, protocol, src_ip, dest_ip, dest_port, reason

Findings:

  • Outbound traffic to attacker IP

  • Traffic marked as allowed

  • Confirms C2 communication


📦 Measuring Data Exfiltration

sourcetype=firewall_logs src_ip="10.10.1.5" AND dest_ip="198.51.100.55" AND action="ALLOWED" | stats sum(bytes_transferred) by src_ip

Total Data Exfiltrated:
📤 126,167 bytes
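The hunting, attack-chain and firewall pivots above, reimplemented in Python over constructed key=value log lines as an added example (not part of the original post or the challenge data): it applies the same non-browser user-agent filter, counts hits per client, classifies one client's requests by stage with the same path and user-agent patterns, and sums the allowed bytes sent to that IP in the firewall records. The log format, field names and sample values are assumptions.

```python
import shlex
from collections import Counter

# Constructed sample logs in key=value form (not the challenge's own data).
WEB_LOG = """\
client_ip=10.10.1.20 user_agent="Mozilla/5.0 Firefox/120.0" path=/index.html status=200
client_ip=198.51.100.55 user_agent="curl/8.4.0" path=/.env status=403
client_ip=198.51.100.55 user_agent="wget/1.21" path=/phpinfo.php status=404
client_ip=198.51.100.55 user_agent="curl/8.4.0" path=/view?f=../../etc/passwd status=403
client_ip=198.51.100.55 user_agent="sqlmap/1.7" path=/login?id=1%20AND%20SLEEP(5) status=504
client_ip=198.51.100.55 user_agent="Havij" path=/login?id=1 status=200
client_ip=198.51.100.55 user_agent="curl/8.4.0" path=/backup.zip status=200
client_ip=198.51.100.55 user_agent="curl/8.4.0" path=/shell.php?cmd=./bunnylock.bin status=200
client_ip=203.0.113.9 user_agent="python-requests/2.31" path=/robots.txt status=200
"""
FW_LOG = """\
src_ip=10.10.1.5 dest_ip=198.51.100.55 dest_port=4444 action=ALLOWED bytes_transferred=80000
src_ip=10.10.1.5 dest_ip=198.51.100.55 dest_port=4444 action=BLOCKED bytes_transferred=5000
src_ip=10.10.1.5 dest_ip=198.51.100.55 dest_port=443 action=ALLOWED bytes_transferred=4096
src_ip=10.10.1.5 dest_ip=203.0.113.9 dest_port=443 action=ALLOWED bytes_transferred=900
"""
BROWSERS = ("Mozilla", "Chrome", "Safari", "Firefox")
# Same path / user-agent pivots as the SPL searches, in kill-chain order.
STAGES = [
    ("recon", lambda e: any(s in e["path"] for s in ("/.env", "phpinfo", "/.git"))),
    ("traversal", lambda e: "../../" in e["path"]),
    ("sqli", lambda e: any(t in e["user_agent"] for t in ("sqlmap", "Havij"))),
    ("exfil", lambda e: any(s in e["path"] for s in ("backup.zip", "logs.tar.gz"))),
    ("rce", lambda e: "shell.php?cmd=" in e["path"] or "bunnylock.bin" in e["path"]),
]

def parse(text):
    """One dict per non-empty key=value line (shlex strips the quotes)."""
    return [dict(tok.split("=", 1) for tok in shlex.split(l))
            for l in text.splitlines() if l.strip()]

def top_client(events):
    """user_agent!=*Mozilla* ... | stats count by client_ip | sort -count | head 1"""
    hits = Counter(e["client_ip"] for e in events
                   if not any(b in e["user_agent"] for b in BROWSERS))
    return hits.most_common(1)[0]

def attack_chain(events, ip):
    """Per-stage hit counts for one client, like the five pivot searches."""
    mine = [e for e in events if e["client_ip"] == ip]
    return {name: sum(1 for e in mine if match(e)) for name, match in STAGES}

def exfil_bytes(fw_events, ip):
    """action=ALLOWED dest_ip=<ip> | stats sum(bytes_transferred)"""
    return sum(int(e["bytes_transferred"]) for e in fw_events
               if e["dest_ip"] == ip and e["action"] == "ALLOWED")
```

The user-agent filter only surfaces tooling that announces itself, which is why attack_chain takes the client IP as a parameter and applies the path-based rules regardless of user agent.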


🏁 Investigation Summary

Attacker IP: 198.51.100.55
Peak Attack Day: 2025-10-12
SQL Injection Events: 993
Path Traversal Attempts: 658
Data Exfiltrated: 126,167 bytes


🎄 Final Thoughts

This Splunk investigation reveals a complete ransomware kill chain:

  1. Reconnaissance

  2. Enumeration

  3. SQL Injection

  4. Remote Code Execution

  5. Web shell deployment

  6. Ransomware execution

  7. Command-and-Control communication

  8. Data exfiltration

It clearly demonstrates how effective log analysis can expose even complex attacks when proper visibility exists.

For SOC analysts, Splunk remains a powerful tool for detecting, investigating, and responding to real-world threats—especially when time is critical and Christmas is on the line 🎄
