May 12, 2026

SIEM Analysis Using Splunk BOTS v1

SIEM analysis report converted from PDF to MDX format.


Question 101

Question: What is the likely IPv4 address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?

Answer: 40.80.148.42

Splunk Query

index="botsv1" imreallynotbatman.com source="stream:http" | top src_ip

Notes

  • index="botsv1": search only the botsv1 dataset.
  • imreallynotbatman.com: keep events that mention this domain.
  • source="stream:http": restrict to HTTP logs collected by Splunk Stream.
  • top src_ip: ranks the most common source IPs. The top IP is most likely the scanner.

Screenshots (not reproduced): Page 2 Image 1, Page 2 Image 2

Question 102

Question: What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name.

Answer: Acunetix

Splunk Query

index="botsv1" imreallynotbatman.com source="stream:http" src_ip="40.80.148.42"

Notes

  • src_ip="40.80.148.42" reuses the scanner IP from Question 101.
  • Reviewing request headers (src_headers) identifies the scanner software as Acunetix.
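The two checks behind Questions 101 and 102, ranking the source IPs seen against the site and then reading the busiest source's request headers for a scanner vendor name, as an added Python example that is not part of the original write-up. The events, the paths, the 192.168.2.50 and 10.0.0.9 addresses and the X-Scanner-Product header name are constructed for the example; the only values taken from the page are the site name and the scanner IP. Real stream:http events carry src_headers as one raw header block, which parse_headers splits the same way.

```python
from collections import Counter

# Constructed sample events shaped like Splunk Stream's stream:http records.
# Not BOTS v1 data: paths and header values are made up, and "X-Scanner-Product"
# is an invented header name standing in for whatever vendor-identifying header
# a scanner really adds to its requests.
SAMPLE_EVENTS = [
    {"src_ip": "40.80.148.42", "site": "imreallynotbatman.com",
     "src_headers": "GET /administrator/ HTTP/1.1\r\nHost: imreallynotbatman.com\r\n"
                    "User-Agent: Mozilla/5.0\r\nX-Scanner-Product: WVS (Acunetix Web Vulnerability Scanner)\r\n"},
    {"src_ip": "40.80.148.42", "site": "imreallynotbatman.com",
     "src_headers": "GET /index.php HTTP/1.1\r\nHost: imreallynotbatman.com\r\n"
                    "User-Agent: Mozilla/5.0\r\nX-Scanner-Product: WVS (Acunetix Web Vulnerability Scanner)\r\n"},
    {"src_ip": "40.80.148.42", "site": "imreallynotbatman.com",
     "src_headers": "GET /robots.txt HTTP/1.1\r\nHost: imreallynotbatman.com\r\nUser-Agent: Mozilla/5.0\r\n"},
    {"src_ip": "40.80.148.42", "site": "imreallynotbatman.com",
     "src_headers": "GET /sitemap.xml HTTP/1.1\r\nHost: imreallynotbatman.com\r\nUser-Agent: Mozilla/5.0\r\n"},
    {"src_ip": "192.168.2.50", "site": "imreallynotbatman.com",
     "src_headers": "GET / HTTP/1.1\r\nHost: imreallynotbatman.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0)\r\n"},
    {"src_ip": "192.168.2.50", "site": "imreallynotbatman.com",
     "src_headers": "GET /images/logo.png HTTP/1.1\r\nHost: imreallynotbatman.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0)\r\n"},
    {"src_ip": "10.0.0.9", "site": "other.example",   # different site: excluded by the site filter
     "src_headers": "GET / HTTP/1.1\r\nHost: other.example\r\nUser-Agent: curl/8.0\r\n"},
]

# Vendor names to look for. The page identifies Acunetix; the others only show
# that the same check works for more than one product.
SCANNER_VENDORS = ("acunetix", "nikto", "nessus", "burp")


def parse_headers(raw):
    """Split a raw src_headers block into (request line, {header name: value})."""
    lines = [line for line in raw.split("\r\n") if line]
    request_line, headers = lines[0], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def top_src_ips(events, site):
    """Equivalent of `<site> source="stream:http" | top src_ip`: sources ranked by request count."""
    counts = Counter(e["src_ip"] for e in events if e["site"] == site)
    return counts.most_common()


def scanner_vendor(events, src_ip):
    """Scan every header name and value of one source's requests for a known scanner vendor."""
    for event in events:
        if event["src_ip"] != src_ip:
            continue
        _, headers = parse_headers(event["src_headers"])
        haystack = " ".join(f"{name} {value}" for name, value in headers.items()).lower()
        for vendor in SCANNER_VENDORS:
            if vendor in haystack:
                return vendor
    return None


def triage(events, site):
    """Name the busiest source for a site and the scanner product (if any) behind it."""
    ranked = top_src_ips(events, site)
    if not ranked:
        return None
    ip, count = ranked[0]
    return {"src_ip": ip, "requests": count, "scanner": scanner_vendor(events, ip)}


if __name__ == "__main__":
    for ip, count in top_src_ips(SAMPLE_EVENTS, "imreallynotbatman.com"):
        print(f"{ip:<16} {count} requests")
    print(triage(SAMPLE_EVENTS, "imreallynotbatman.com"))
```

Request volume alone only says which source is noisy; the vendor check on the headers is what turns "busiest IP" into "Acunetix scan", which is the same two-step reasoning the two Splunk queries above perform.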

Screenshots (not reproduced): Page 3 Image 3, Page 3 Image 4

Question 103

Question: What content management system is imreallynotbatman.com likely using?

Answer: Joomla

Splunk Query

index="botsv1" imreallynotbatman.com source="stream:http" src_ip="40.80.148.42"

Notes

The CMS was identified from CMS-specific request paths and signatures in web traffic.

Screenshots (not reproduced): Page 4 Image 5, Page 4 Image 6, Page 4 Image 7

Question 104

Question: What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with extension?

Answer: poisonivy-is-coming-for-you-batman.jpeg

Splunk Query

index=botsv1 sourcetype=stream:http src_ip=192.168.250.70 | table src_headers, site

Notes

The defacement filename appears in the request path of the HTTP traffic in which the web server (192.168.250.70) is the source, visible in the src_headers and related fields.

Screenshots (not reproduced): Page 5 Image 8, Page 5 Image 9

Question 105

Question: This attack used dynamic DNS to resolve to the malicious IP. What fully qualified domain name (FQDN) is associated with this attack?

Answer: prankglassinebracket.jumpingcrab.com

Notes

The FQDN was identified from the same defacement-related traffic used in Question 104.

Screenshots (not reproduced): Page 6 Image 10

Question 106

Question: What IPv4 address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?

Answer: 23.22.63.114

Splunk Query

index=botsv1 sourcetype=stream:http src_ip=192.168.250.70 "/poisonivy-is-coming-for-you-batman.jpeg"

Notes

This narrows the traffic to the request for the defacement file; its destination IP is the attacker infrastructure tied to the pre-staged domains.

Screenshots (not reproduced): Page 7 Image 11, Page 7 Image 12

Question 108

Question: What IPv4 address is likely attempting a brute force password attack against imreallynotbatman.com?

Answer: 23.22.63.114

Splunk Query

index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST | stats count by src_ip, form_data

Notes

High volume POST attempts with form data indicate brute-force behavior.

Screenshots (not reproduced): Page 8 Image 13, Page 8 Image 14

Question 109

Question: What is the name of the executable uploaded by Po1s0n1vy?

Answer: 3791.exe

Splunk Query

index="botsv1" imreallynotbatman.com sourcetype="fgt_utm" .exe virus

Notes

The FortiGate UTM (fgt_utm) logs record the antivirus detection of the transfer, including the uploaded executable's name.

Screenshots (not reproduced): Page 9 Image 15, Page 9 Image 16

Question 110

Question: What is the MD5 hash of the executable uploaded?

Answer: aae3f5a29935e6abcc2c2754d12a9af0

Notes

Used file checksum context and VirusTotal lookup to confirm MD5.

Screenshots (not reproduced): Page 10 Image 17, Page 10 Image 18, Page 10 Image 19

Question 111

Question: GCPD reported that common TTPs (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy's initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.

Answer: 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8

Notes

  • Pivoted on attacker infrastructure IP: 23.22.63.114.
  • In VirusTotal relations (communicating/referring files), the candidate was MirandaTateScreensaver.scr.exe.
  • Copied the file SHA256 from its details page.

Screenshots (not reproduced): Page 11 Image 20, Page 12 Image 21, Page 12 Image 22

Question 112

Question: What special hex code is associated with the customized malware discussed in question 111?

Answer: 53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21

Notes

Hex string was taken from malware discussion/details context in VirusTotal.

Screenshots (not reproduced): Page 13 Image 23, Page 13 Image 24

Question 114

Question: What was the first brute force password used?

Answer: 12345678

Splunk Query

index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST
| rex field=form_data "passwd=(?<password>[^&]+)" | sort _time | where password != "" | table password, _time

Notes

  • Extracted passwd from form_data, sorted by time, and took the first non-empty attempt.

Screenshots (not reproduced): Page 14 Image 25, Page 15 Image 26

Question 115

Question: One of the passwords in the brute force attack is James Brodsky’s favorite Coldplay song. We are looking for a six character word on this one. Which is it?

Answer: yellow

Splunk Query

index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST
| rex field=form_data "passwd=(?<password>[^&]+)" | search password IN (Yellow, Clocks, Shiver, Sparks, Oceans) | table password, _time

Notes

  • Filtered extracted passwords against six-letter Coldplay candidates.

Screenshots (not reproduced): Page 16 Image 27, Page 16 Image 28, Page 16 Image 29

Question 116

Question: What was the correct password for admin access to the content management system running “imreallynotbatman.com”?

Answer: batman

Splunk Query

index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST
| rex field=form_data "passwd=(?<password>[^&]+)" | stats count by password | table password, count

Notes

  • Counted how often each submitted password appears; the only password submitted more than once (batman) is the one reused for the actual admin login.

Screenshots (not reproduced): Page 17 Image 30, Page 17 Image 31

Question 117

Question: What was the average password length used in the password brute forcing attempt?

Answer: 6

Splunk Query

index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST
| rex field=form_data "passwd=(?<password>[^&]+)" | eval leng_password=len(password) | stats avg(leng_password)

Notes

  • Calculated per-password length with eval, then averaged with stats avg(...).
  • Splunk ref (aggregate functions): https://help.splunk.com/en/splunk-cloud-platform/spl-search-reference/10.1.2507/statistical-and-charting-functions/aggregate-functions
  • Splunk ref (eval): https://help.splunk.com/en/splunk-enterprise/search/spl-search-reference/9.3/search-commands/eval

Screenshots (not reproduced): Page 18 Image 32, Page 18 Image 33

Question 118

Question: How many seconds elapsed between the time the brute force password scan identified the correct password and the compromised login?

Answer: 92.17

Splunk Query

index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST
| rex field=form_data "passwd=(?<password>[^&]+)" | transaction password | table duration

index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST form_data=*passwd*batman*
| rex field=form_data "passwd=(?<password>[^&]+)" | transaction password | table duration

Notes

  • transaction password groups the two batman submissions into one event; its duration field is the number of seconds between the brute-force hit and the real login.

Screenshots (not reproduced): Page 19 Image 34, Page 19 Image 35, Page 20 Image 36

Question 119

Question: How many unique passwords were attempted in the brute force attempt?

Answer: 412

Splunk Query

index=botsv1 sourcetype=stream:http dest_ip=192.168.250.70 http_method=POST
| rex field=form_data "passwd=(?<password>[^&]+)" | dedup password | stats count(password)

Notes

  • Deduplicated password attempts and counted unique values.
  • Splunk ref (dedup): http://help.splunk.com/en/splunk-enterprise/search/spl-search-reference/10.2/search-commands/dedup
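The whole brute-force pipeline from Questions 108 and 114 through 119, as one added Python example that is not part of the original write-up: the same `passwd=(?<password>[^&]+)` extraction the rex commands use, then the per-source POST count (108), first attempt (114), candidate-list match (115), reused password (116), average length (117), the seconds between the two submissions of the reused password as `transaction ... duration` would report it (118), and the unique count (119). The events are constructed: the three IPs are taken from the page, but the times, form fields and every password are invented, so the numbers below describe the sample, not the BOTS data.

```python
import re
from collections import Counter, defaultdict

# Constructed stream:http-style events, not BOTS v1 data. The IPs reuse the ones
# named on the page; times (epoch seconds, like _time), form fields and passwords
# are invented for the example.
SAMPLE_EVENTS = [
    {"_time": 1000.00, "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70", "http_method": "POST",
     "form_data": "username=admin&passwd=12345678&task=login"},
    {"_time": 1001.00, "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70", "http_method": "POST",
     "form_data": "username=admin&passwd=yellow&task=login"},
    {"_time": 1002.00, "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70", "http_method": "POST",
     "form_data": "username=admin&passwd=&task=login"},          # empty passwd: the regex matches nothing
    {"_time": 1003.00, "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70", "http_method": "POST",
     "form_data": "username=admin&passwd=batman&task=login"},
    {"_time": 1004.00, "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70", "http_method": "POST",
     "form_data": "username=admin&passwd=qwerty&task=login"},
    {"_time": 1005.00, "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70", "http_method": "POST",
     "form_data": "username=admin&passwd=pass&task=login"},
    {"_time": 1010.00, "src_ip": "23.22.63.114", "dest_ip": "192.168.250.70", "http_method": "GET",
     "form_data": ""},                                            # not a POST: ignored
    {"_time": 1020.00, "src_ip": "192.168.2.50", "dest_ip": "192.168.250.70", "http_method": "POST",
     "form_data": "name=alice&comment=hello"},                    # POST with no passwd field
    {"_time": 1095.17, "src_ip": "40.80.148.42", "dest_ip": "192.168.250.70", "http_method": "POST",
     "form_data": "username=admin&passwd=batman&task=login"},     # reuse of a guessed password, 92.17 s later
]

# Same pattern as the rex in the Splunk queries. Because [^&]+ needs at least one
# character, an empty passwd never produces a match, which is why the SPL
# `where password != ""` is redundant with this regex.
PASSWD_RE = re.compile(r"passwd=(?P<password>[^&]+)")


def post_counts_by_src(events, dest_ip):
    """`dest_ip=<x> http_method=POST | stats count by src_ip`: the outlier is the brute-force source (Q108)."""
    return Counter(e["src_ip"] for e in events if e["dest_ip"] == dest_ip and e["http_method"] == "POST")


def extract_attempts(events, dest_ip):
    """`... http_method=POST | rex ... | sort _time` as (time, src_ip, password) triples."""
    attempts = []
    for e in events:
        if e["dest_ip"] != dest_ip or e["http_method"] != "POST":
            continue
        match = PASSWD_RE.search(e.get("form_data", ""))
        if match:
            attempts.append((e["_time"], e["src_ip"], match.group("password")))
    return sorted(attempts)


def first_password(attempts):
    """Earliest non-empty attempt (Q114)."""
    return attempts[0][2] if attempts else None


def matching_candidates(attempts, candidates):
    """`search password IN (...)` (Q115); Splunk matches case-insensitively, so compare lowercased."""
    wanted = {c.lower() for c in candidates}
    return sorted({p for _, _, p in attempts if p.lower() in wanted})


def average_password_length(attempts):
    """`eval leng_password=len(password) | stats avg(leng_password)` (Q117), over every attempt."""
    return round(sum(len(p) for _, _, p in attempts) / len(attempts), 2) if attempts else 0.0


def reused_password_span(attempts):
    """`transaction password | table duration` (Q116/Q118): for each password submitted more than
    once, the seconds between its first and last submission, as {password: duration}."""
    times = defaultdict(list)
    for t, _, p in attempts:
        times[p].append(t)
    return {p: round(max(ts) - min(ts), 2) for p, ts in times.items() if len(ts) > 1}


def unique_password_count(attempts):
    """`dedup password | stats count(password)` (Q119)."""
    return len({p for _, _, p in attempts})


if __name__ == "__main__":
    attempts = extract_attempts(SAMPLE_EVENTS, "192.168.250.70")
    print("POSTs by source:", post_counts_by_src(SAMPLE_EVENTS, "192.168.250.70").most_common())
    print("first password:", first_password(attempts))
    print("Coldplay candidates seen:", matching_candidates(attempts, ["Yellow", "Clocks", "Shiver", "Sparks", "Oceans"]))
    print("average length:", average_password_length(attempts))
    print("reused password -> seconds between submissions:", reused_password_span(attempts))
    print("unique passwords:", unique_password_count(attempts))
```

The average is taken over every extracted attempt, duplicates included, because that is what `stats avg` sees after the rex; only the unique count deduplicates first. The reuse check is the detection-relevant step: a password that appears once in a flood of failures and then again from a different source, seconds or minutes later, is the signature of a guessed credential being used for real.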

Screenshots (not reproduced): Page 21 Image 37, Page 21 Image 38