Solving the Threat Hunter Olympics – Puzzle 1 with Awake
Are You Afraid of the Dark(Theme)
In a separate post, we talked about the solution to our curling focused Threat Hunter Olympics puzzle. If you’re curious about what it would look like if we ran the traffic from the challenge through Awake, then you’ve come to the right blog post. There were a few notable artifacts here (traffic that the Awake determines is worth looking into).
The user agent is interesting because, at least on this network, it is uncommon. Someone using curl may or may not be interesting in your environment based on what you expect to see. Coupled with the fact that this device was also seen requesting a domain that was deemed notable, however, and the fact that an interesting Cert Subject Organization was seen, investigating this device seems much more reasonable.
You may notice that awakecurling.com has the number ‘6’ next to it. This is its domain notability score, which essentially aims to assist you, the analyst, in identifying domains that are interesting or unique for a variety of reasons.
If you look at the domain details page for this particular domain, then you will see a lot of interesting information that, in a real-world scenario, would help us determine whether or not traffic to this particular domain on our network may be interesting. We can see that only one IP address/device was communicating with this domain, as well as what protocols were used during said communication, any subdomains that were accessed and more. In this case, the domain is not actually registered, so we don’t have a registered date.
Much like we did with Wireshark, we can also look at (and export) the base64 encoded data.
We can look at the unique status response codes.
Another bonus is that you can search for the TLS traffic from this challenge by searching for self-signed certs (where the issuer == the subject name), since this certificate was in fact self-signed by me with the information I talked about earlier.
If we look at the byte counts of the results of the above query, then we can see the outliers:
Then, by adding the byte count range for the outliers (100000 – 200000) to the query, we can find the activity that includes the successful login.
If you look at the HTTP request prior to the above TLS traffic, you will see the activity we’re interested in: the solution to the challenge.
Well, I hoped you enjoyed solving the challenge as much as I enjoyed creating it. Stay tuned for a rundown of challenges 2 – 6!
Dig Deeper with These Resources
Real World Incidents Detected and Stopped by Awake
Organizations across industries use Awake every day to identify and stop modern threats from both internal and…
EMA Top 3 Report and Decision Guide for Security Analytics
This Enterprise Management Associates (EMA) report identifies the leading priorities organizations face with resolving challenges and meeting…