Posts

Integrate ChatGPT and Splunk in Sysmon Log Analysis

Image
Integrate ChatGPT and Splunk in Sysmon Log Analysis Integrate ChatGPT and Splunk in Sysmon Log Analysis In this project, we attempt to use two add-ons of Splunk: “ OB OpenAI ChatGPT ” and “ Sysmon Splunk Add-on for Microsoft Windows ” to integrate Splunk and ChatGPT for analyzing Sysmon events, exploring the applications of artificial intelligence in incident response. Tools Tool version Sysmon v15.0 Splunk Enterprise Server 9.1.0.1 ChatGPT ChatGPT-4 API OB OpenAI ChatGPT 1.0.2 Splunk Add-on for Microsoft Windows 8.7.0 Process Install Splunk This project uses a trial version of Splunk Enterprise, which can be registered and downloaded from the official Splunk website. https://www.splunk.com/en_us/download.html?301=/en_us/download/get-started-with-your-free-trial.html Install Sysmon Sysmon can be downloaded from Microsoft Sysinternal official website. https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon After downl

Mason TCTF - Writeup (Update in progress)

Image
Welcome file Mason TCTF is an cyber security CTF (Capture the Flag) deployed by Mason Competitive Cyber (MasonCC), an cyber security group at George Mason University. The challenges include Threat Detection, Linux/Scripting, Protocol Hopping, Digital Forensics, Cryptography, Password Cracking, Steganography, Recon, and Web with difficulty ranging from simple to moderately complex. It is an good CTF for learning various aspects of cyber security knowledge. This write-up will document my thinking and process of solving the problem according to the category of the challenge. (Update in progress) The Office “The Office” category is an incident response scenario about ransomware. The solver needs to analyze the “LiveResponseData” dataset to get the flags of the 4 problems. #1 ASAP as Possible (150) Read the scenario, and then look at the forensic data to answer the questions. What was the name of the file that ran the ransomware? Remember to enter the flag in

PCAP analysis report - Nitroba University

Image
Introduction/objectives/Background Case Background Lily Tuckrige is teaching chemistry CHEM109 this summer at NSU and she has been receiving harassing email at her personal email address: lilytuckrige@yahoo.com. She suspects that they are being sent by a student in her class CHEM109. About this case, I received a packet capture files called "nitroba.pcap" containing the network traffic packets recorded from Nitroba student dormitories by a network sniffer and a slide called "slides.pdf". According to the document "slides.pdf" that I have received, the following information was provided: The email address used by victim Lily Tuckrige was “lilytuckrige@yahoo.com”, and she received the harassing emails at this address. The first harassing email was sent on Sun, 13 Jul 2008 17:21:01 -0700 from the email address “ nobody@nitroba.com ” with IP address “140.247.62.34”. The IP address points to a nitroba dorm room that shared by three women Alice, Barbara, and Can