Two-scenario investigation on the BOTSv1 dataset, playing as a SOC analyst for Wayne Enterprises. The first scenario was an APT intrusion by the Po1s0n1vy group that ended in website defacement. The second was a Cerber ransomware infection on an internal workstation. Both were investigated entirely in Splunk using HTTP, DNS, Suricata, Zeek, and endpoint logs.

Wayne Enterprises' website imreallynotbatman.com was reported defaced. Goal: trace the attack from reconnaissance through to defacement using the Kill Chain model.
Filtered HTTP traffic to imreallynotbatman.com and sorted by source IP volume. Two IPs stood out. 40.80.148.42 was hammering the server with thousands of requests; Suricata logs confirmed it was running Acunetix vulnerability scans and attempting SQL injection.
```spl
index=botsv1 sourcetype="stream:http" imreallynotbatman.com | stats count by src_ip | sort - count
```
The second suspicious IP, 23.22.63.114, was cross-referenced on VirusTotal and ThreatMiner: it was tied to the Po1s0n1vy APT group and hosted phishing domains mimicking Wayne Enterprises.
The attacker brute-forced the Joomla admin login at /joomla/administrator/index.php via POST requests. Passwords were extracted from the form_data field using rex:
```spl
index=botsv1 sourcetype="stream:http" dest_ip="192.168.250.70" http_method=POST uri="/joomla/administrator/index.php" | rex field=form_data "passwd=(?<password>\w+)" | sort _time | table _time src_ip password
```
Identified the password that granted access and calculated the time elapsed between the password being cracked and the successful login.
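The same brute-force analysis done offline in Python, as an added example that is not part of the original write-up. It works on a constructed sample of POST events (timestamp, src_ip, form_data), mirrors the rex extraction, shows why a URL-decoded extraction is more reliable than `\w+`, and computes the crack-to-login gap for a password the analyst has already identified as correct; the IPs, passwords and times are made up.

```python
import re
from collections import Counter
from datetime import datetime
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample of stream:http POST events to the Joomla admin login.
# The values are invented for illustration, not taken from BOTSv1.
EVENTS: List[Tuple[str, str, str]] = [
    ("2016-08-10T21:40:01", "198.51.100.10", "username=admin&passwd=letmein&option=com_login&task=login"),
    ("2016-08-10T21:40:02", "198.51.100.10", "username=admin&passwd=password1&option=com_login&task=login"),
    ("2016-08-10T21:40:03", "198.51.100.10", "username=admin&passwd=hunter2&option=com_login&task=login"),
    ("2016-08-10T21:40:04", "198.51.100.10", "username=admin&passwd=p%40ss%21&option=com_login&task=login"),
    ("2016-08-10T21:42:15", "203.0.113.5",   "username=admin&passwd=hunter2&option=com_login&task=login"),
]

# Splunk's rex uses PCRE named groups (?<name>...); Python's re module needs (?P<name>...).
REX_PASSWD = re.compile(r"passwd=(?P<password>\w+)")


def extract_password(form_data: str) -> Optional[str]:
    """Mirror of the rex extraction: the first \\w+ run after 'passwd='."""
    m = REX_PASSWD.search(form_data)
    return m.group("password") if m else None


def extract_password_decoded(form_data: str) -> Optional[str]:
    """URL-decode the field instead. \\w+ silently truncates passwords that
    contain percent-encoded symbols, which hides part of the attacker's wordlist."""
    return parse_qs(form_data).get("passwd", [None])[0]


def attempts_by_password(events: List[Tuple[str, str, str]]) -> Counter:
    """Equivalent of `stats count by password`: a brute force shows many
    single-use passwords and one that repeats (the one that worked)."""
    return Counter(extract_password_decoded(fd) for _, _, fd in events)


def seconds_between_crack_and_login(events: List[Tuple[str, str, str]], good_password: str) -> float:
    """Elapsed seconds from the first submission of the working password (the
    crack) to its last submission (the successful login)."""
    times = sorted(datetime.fromisoformat(t) for t, _, fd in events
                   if extract_password_decoded(fd) == good_password)
    if len(times) < 2:
        raise ValueError("password seen fewer than twice; no crack/login pair")
    return (times[-1] - times[0]).total_seconds()
```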
After gaining access, the attacker uploaded a defacement image to the web server. The file was traced back to a staging server at 23.22.63.114 via dynamic DNS. The defacement filename was found by reviewing GET requests from the attacker's IP to the server.
GCPD intel indicated Po1s0n1vy also uses spearphishing as a fallback. A VirusTotal search for files communicating with 23.22.63.114 turned up MirandaTateScreensaver.scr.exe with SHA256 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8.
User Bob Smith's workstation (we8105desk, IP 192.168.250.100) was hit with Cerber ransomware: files were encrypted and a ransom note displayed.
Checked DNS logs from the workstation around the infection time. The first suspicious domain visited was solidaritedeproximite.org.
```spl
index=botsv1 sourcetype="stream:dns" src_ip="192.168.250.100" | table _time, query | sort _time
```
Queried HTTP GET requests from the workstation to the suspicious domain and found a downloaded file called mhtr.jpg. Despite the .jpg extension, research confirmed this was the Cerber cryptor payload, disguised with a fake extension.
A VB script was launched during the infection phase; it was found in the Splunk endpoint logs, prefixed by the name of the .exe that launched it. The parent process of 121214.tmp was traced to PID 3968. Verified that the workstation was connected to a file server at 192.168.250.20 and checked it for spread indicators.
Cerber generated 21,596 Suricata alerts. Filtered by signature ID to find the least noisy signature, 2816763. Also traced, via DNS logs, the FQDN Cerber tried to redirect the user to at the end of the encryption phase.
```spl
index=botsv1 sourcetype="suricata" cerber | stats count by alert.signature_id | sort count
```
| Tactic | Technique | ID | Scenario |
|---|---|---|---|
| Reconnaissance | Active Scanning | T1595 | APT |
| Initial Access | Exploit Public-Facing Application | T1190 | APT |
| Credential Access | Brute Force | T1110 | APT |
| Initial Access | Spearphishing Attachment | T1566.001 | APT |
| Execution | User Execution | T1204 | Ransomware |
| C2 | Application Layer Protocol | T1071 | Ransomware |
| Impact | Data Encrypted for Impact | T1486 | Ransomware |
| Lateral Movement | Remote Services | T1021 | Ransomware |

| Type | Value |
|---|---|
| Attacker IP (scanner) | 40.80.148.42 |
| Attacker IP (C2/staging) | 23.22.63.114 |
| Malware SHA256 | 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8 |
| Ransomware C2 domain | solidaritedeproximite.org |
| Ransomware payload | mhtr.jpg (fake extension, Cerber cryptor) |

This was the most complete investigation I had done at that point. Having two separate scenarios in the same dataset was useful because it forced a context switch — external APT mindset (recon → brute force → defacement) vs. internal ransomware mindset (endpoint logs → lateral movement → impact).
The Cerber scenario reinforced that file extensions mean nothing — always check actual file content and cross-reference hashes. The APT scenario showed how much you can pivot from a single suspicious IP in Suricata logs. Threat intel sources like VirusTotal and ThreatMiner filled gaps that Splunk alone couldn't answer.
Suricata and Zeek logs were the backbone of both investigations — without them the HTTP traffic alone wouldn't have told the full story.