Detecting SQL and XSS web application attacks

What version of TOR Browser did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one or more delimiter.

index="botsv2" amber tor.exe 

Look at the process field. There is an event showing the tor.exe installation file name which has the version ID torbrowser-install-7.0.4_en-US.exe.

Answer: 7.0.4

What is the public IPv4 address of the server running www.brewertalk.com?

index="botsv2" sourcetype="stream:HTTP" "www.brewertalk.com"

Answer: 52.42.208.228

Provide the IP address of the system used to run a web vulnerability scan against www.brewertalk.com.

Same query. Use the src_ip field. It is the address making the most requests. Drill down into its form_data and some attempts at sql injection appear.

Answer: 45.77.65.211

The IP address from Q#2 is also being used by a likely different piece of software to attack a URI path. What is the URI path? Answer guidance: Include the leading forward slash in your answer. Do not include the query string or other parts of the URI. Answer example: /phpinfo.php

Look at the URI path.

Answer: /member.php

What SQL function is being abused on the URI path from the previous question?

Check the form_data. There is an updatexml.

Answer: updatexml

What was the value of the cookie that Kevin’s browser transmitted to the malicious URL as part of an XSS attack? Answer guidance: All digits. Not the cookie name or symbols like an equal sign.

index="botsv2" kevin sourcetype="stream:HTTP" tag=error | table cookie

Answer: 1502408189

What brewertalk.com username was maliciously created by a spear phishing attack?

The attacker stole Kevin’s CSRF token (1bc3eab741900ab25c98eee86bf20feb) and performed a trick from domain squatters by using a homograph attack.

index="botsv2" 1bc3eab741900ab25c98eee86bf20feb sourcetype="stream:HTTP" brewertalk.com | table form_data

Answer: klagerfield