When Easter Bunnies Attack: A Splunk Adventure in Wareville
The Plot Thickens (Like Holiday Gravy)
Picture this: It's almost Christmas in Wareville, and everything is running smoother than eggnog at an office party. Suddenly, the SOC dashboard starts flashing red like Rudolph's nose after a 5K run. A ransom message appears on screen, and it's not from your typical cybercriminal. No, this one comes courtesy of King Malhare, the jealous ruler of HopSec Island, who's apparently had enough of Easter being the forgotten holiday. His evil plan? Deploy his army of Bandit Bunnies to turn Christmas into "EAST-mas." Because nothing says "holiday cheer" quite like ransomware delivered by lagomorphs with a grudge. With McSkidy missing (probably drowning in hot cocoa somewhere), it's up to the TBFC SOC team to dive into Splunk and figure out how these fuzzy felons infiltrated the network. Spoiler alert: They weren't exactly subtle about it.


The Investigation Begins: Splunk to the Rescue
For those unfamiliar, Splunk is like the Swiss Army knife of log analysis. It's a platform that ingests, indexes, and searches massive amounts of machine data; with the Enterprise Security app layered on top it serves as a Security Information and Event Management (SIEM) system. Think of it as having a super-powered search engine for everything happening on your network, from web requests to firewall logs to that printer that won't stop complaining about low toner.
Setting the Stage
Our investigation starts with two key datasets pre-ingested into Splunk:
web_traffic: Every connection to and from the web server, captured in glorious detail
firewall_logs: The gatekeeper's ledger, showing what traffic was allowed or blocked (the web server lives at 10.10.1.5, the address that appears as src_ip in the firewall searches later on)
The first search query is beautifully simple:
index=main sourcetype=web_traffic
This retrieves all 17,172 events tagged as web traffic. Immediately, we spot something interesting in the timeline visualization—a massive spike in activity that looks like someone threw a rave on our server.
Playing Detective: The Timeline Tells Tales
Using Splunk's timechart command, we group events by day:
index=main sourcetype=web_traffic | timechart span=1d count | sort count | reverse
timechart is Splunk's way of saying "show me when stuff happened", and span=1d groups everything into daily buckets. sort count orders the days by ascending count, and reverse flips the result so the day with maximum mayhem comes first (sort - count does both in one step). Note that sort takes a bare field list; unlike stats and timechart it has no "by" keyword. And boy, was there mayhem.
One particular day stands out like a candy cane in July—a clear period of intense activity marking King Malhare's main assault phase.
The Smoking Gun: Suspicious User Agents
In the world of web traffic, the user agent is the label a client attaches to its own requests, telling you which browser or tool claims to have made them. Legitimate traffic shows up as Mozilla, Chrome, Safari, or Firefox. But our Bandit Bunnies? Not so subtle.
Filtering out the legitimate user agents reveals a treasure trove of automated attack tools:
index=main sourcetype=web_traffic user_agent!=*Mozilla* user_agent!=*Chrome* user_agent!=*Safari* user_agent!=*Firefox*
What emerges is a parade of attack tools: curl, wget, SQLmap, and more. These aren't tools your average user employs to check their email. One particular IP address dominates the results: our prime suspect. Two caveats before leaning on this too hard. Every mainstream browser's user agent string starts with "Mozilla/5.0", so the first clause already excludes Chrome, Safari and Firefox and the other three are belt and braces. And the user agent is self-reported: curl -A "Mozilla/5.0 ..." makes curl vanish from this search, so it finds the noisy attackers, not the careful ones. The path-based searches that follow are what catch the rest.
The Attack Chain: A Step-by-Step Heist
Phase 1: Reconnaissance (AKA "Casing the Joint")
The attackers started with footprinting, probing for exposed configuration files:
sourcetype=web_traffic client_ip="<REDACTED>" AND path IN ("/.env", "/*phpinfo*", "/.git*")
They used curl and wget, command-line tools that are the cyber equivalent of jiggling door handles to see what's unlocked. .env files often contain database credentials and API keys, phpinfo pages leak PHP configuration and filesystem paths, and an exposed .git directory can give away the whole source tree. Think of this as the bunnies hopping around, checking which windows were left open.
The server responded with 404 (Not Found), 403 (Forbidden), and 401 (Unauthorized) codes, basically telling the bunnies "nice try, but no." Note the difference from the attacker's side, though: a 404 says the file isn't there, while a 403 on /.git says it exists and is merely blocked, which is useful reconnaissance in itself.
Phase 2: Enumeration (Testing the Waters)
Next up: path traversal attacks, attempting to navigate outside the web root using the classic ../../ technique:
sourcetype=web_traffic client_ip="<REDACTED>" AND (path="*..\/..\/*" OR path="*redirect*")
The parentheses are not strictly required (SPL evaluates OR before AND, so the unparenthesised form means the same thing), but they make the intent obvious. The *redirect* term picks up probing of redirect parameters, which usually travels with traversal attempts. Path traversal is like trying to sneak out of the waiting room and into the doctor's office by going through the air vents. The attackers were trying to read system files they shouldn't have access to, looking for /etc/passwd and other juicy targets. One caveat: a wildcard on the literal ../ sequence misses URL-encoded variants such as %2e%2e%2f or ..%2f, so a thorough search decodes the path first.
Phase 3: SQL Injection (Going for the Database)
Here's where things get spicy. The logs revealed SQLmap in the user agent field—a notorious automated SQL injection tool:
sourcetype=web_traffic client_ip="<REDACTED>" AND user_agent IN ("*sqlmap*", "*Havij*")
SQLmap is the tool of choice for exploiting SQL injection vulnerabilities. It automates the process of finding and exploiting database flaws. The presence of SLEEP(5) in the attack strings is particularly telling: this is a time-based blind SQL injection technique (SLEEP() is the MySQL/MariaDB form; other databases use pg_sleep() or WAITFOR DELAY). The attacker makes the database pause for 5 seconds; if the response takes about 5 seconds, the injected SQL executed.
The 504 (Gateway Timeout) status codes fit that picture: the application stalled on a sleeping database query long enough for the reverse proxy in front of it to give up. On its own a 504 is not proof (overloaded servers time out too), but 504s that appear only on the SLEEP() requests from this client are strong evidence that the injection ran.
Havij also made an appearance—another automated SQL injection tool popular in the bad-guy toolkit. It's got a GUI and everything, making SQL injection accessible to script kiddies everywhere.
Phase 4: Data Exfiltration (Grabbing the Loot)
The bunnies started downloading large, sensitive files:
sourcetype=web_traffic client_ip="<REDACTED>" AND path IN ("*backup.zip*", "*logs.tar.gz*")
Tools like curl and zgrab were used to pull down compressed archives. zgrab (from the ZMap project) is an application-layer scanner built for internet-wide banner grabbing; it speaks HTTP, so it fetches a file as readily as curl does, and its user agent is one more sign that this is not a person with a browser. These compressed files likely contained backups, logs, and configuration data: the crown jewels for a ransomware operation's "double extortion" strategy (encrypt AND threaten to leak).
Phase 5: Remote Code Execution (Game Over)
The coup de grâce appeared in the logs:
sourcetype=web_traffic client_ip="<REDACTED>" AND path IN ("*bunnylock.bin*", "*shell.php?cmd=*")
A webshell (shell.php) was deployed, allowing the attackers to execute arbitrary commands on the server by passing them in the cmd parameter. A request whose cmd value launches ./bunnylock.bin is the ransomware being started through that webshell. RCE (Remote Code Execution) means the attackers achieved total server control: they went from knocking on the door to owning the house.
The Pivot: Firewall Logs Don't Lie
Switching to firewall logs revealed the Command and Control (C2) communication:
sourcetype=firewall_logs src_ip="10.10.1.5" AND dest_ip="<REDACTED>" AND action="ALLOWED"
The compromised server (10.10.1.5) established an outbound connection to the attacker's IP. The firewall logged action=ALLOWED with reason=C2_CONTACT, meaning its own threat classification recognised the destination and let the connection through anyway: the malware was phoning home. Worth remembering that a web server initiating connections to arbitrary internet hosts is suspicious regardless of the reason label; that label is a convenience of this lab's data, not something to count on in production.
Using the sum() function of the stats command, we calculated the data exfiltration volume:
sourcetype=firewall_logs src_ip="10.10.1.5" action="ALLOWED" | stats sum(bytes_transferred) by src_ip dest_ip
Grouping by dest_ip as well as src_ip separates the bytes sent to the C2 address from ordinary internal traffic. A massive amount of data flowed from the server to the C2 server: the digital equivalent of backing up a truck to the loading dock.
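As an added example (not code from the post or from the TryHackMe room), here are the two firewall searches reimplemented in Python over constructed firewall_logs lines using the field names from the searches above; the line format, the web server at 10.10.1.5, the C2 host 203.0.113.66 and the internal address ranges are all assumptions. Beyond the page's own searches it adds a label-free check, any allowed outbound flow from the web server to an address outside the organisation's own ranges, so the finding does not depend on the firewall having tagged the destination as C2_CONTACT, and it counts blocked attempts to the same peer.

```python
"""Firewall-side follow-up (added example, not the post's or the room's code).

Assumptions, not from the original page: firewall_logs lines are a timestamp plus
space-separated key=value pairs using the field names from the searches above
(src_ip, dest_ip, action, reason, bytes_transferred); 10.10.1.5 is the web server,
203.0.113.66 the attacker's C2 host, and every line below is constructed.
"""
import ipaddress
import re
from collections import defaultdict

FIREWALL_LOGS = """\
2025-12-03T02:20:15Z src_ip=10.10.1.5 dest_ip=10.10.1.20 dest_port=3306 action=ALLOWED reason=POLICY bytes_transferred=4096
2025-12-03T02:26:01Z src_ip=10.10.1.5 dest_ip=203.0.113.66 dest_port=443 action=ALLOWED reason=C2_CONTACT bytes_transferred=52428800
2025-12-03T02:26:40Z src_ip=10.10.1.5 dest_ip=203.0.113.66 dest_port=443 action=ALLOWED reason=C2_CONTACT bytes_transferred=31457280
2025-12-03T02:27:10Z src_ip=10.10.1.5 dest_ip=203.0.113.66 dest_port=4444 action=BLOCKED reason=PORT_POLICY bytes_transferred=0
2025-12-03T02:30:00Z src_ip=10.10.1.30 dest_ip=198.51.100.9 dest_port=443 action=ALLOWED reason=POLICY bytes_transferred=10240
"""

# The organisation's own address space (assumed): anything outside it is "the internet".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(text):
    """Turn 'TS k=v k=v ...' lines into dicts; _time holds the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"_time": ts}
        for key, quoted, bare in KV_RE.findall(rest):
            ev[key] = quoted if quoted else bare
        events.append(ev)
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def bytes_by_peer(events, src_ip):
    """stats sum(bytes_transferred) by src_ip dest_ip, for one source and ALLOWED flows."""
    totals = defaultdict(int)
    for e in events:
        if e["src_ip"] == src_ip and e["action"] == "ALLOWED":
            totals[e["dest_ip"]] += int(e["bytes_transferred"])
    return dict(totals)


def c2_contacts(events):
    """What the search in the post pivots on: the firewall's own C2_CONTACT label."""
    return [e for e in events
            if e["action"] == "ALLOWED" and e.get("reason") == "C2_CONTACT"]


def external_peers(events, src_ip):
    """Label-free version: allowed outbound flows from a server to non-internal hosts."""
    return sorted({e["dest_ip"] for e in events
                   if e["src_ip"] == src_ip and e["action"] == "ALLOWED"
                   and not is_internal(e["dest_ip"])})


def blocked_attempts(events, src_ip, dest_ip):
    """Blocked flows to the same peer: the implant probing other ports is evidence too."""
    return sum(1 for e in events
               if e["src_ip"] == src_ip and e["dest_ip"] == dest_ip
               and e["action"] == "BLOCKED")


if __name__ == "__main__":
    evs = parse_log(FIREWALL_LOGS)
    for dest, total in bytes_by_peer(evs, "10.10.1.5").items():
        print(f"10.10.1.5 -> {dest}: {total / 2**20:.1f} MiB")
    print("C2_CONTACT flows:", len(c2_contacts(evs)))
    print("external peers of the web server:", external_peers(evs, "10.10.1.5"))
    print("blocked attempts to C2:", blocked_attempts(evs, "10.10.1.5", "203.0.113.66"))
```

On the sample data the per-peer sum puts 80 MiB on the C2 address against 4 KiB of legitimate database traffic, and external_peers flags 203.0.113.66 from the allowed flows alone, which is the check to keep when your firewall does not hand you a reason field.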
The Splunk SPL Magic
Throughout this investigation, we leveraged Search Processing Language (SPL), Splunk's query language. Key commands and operators used:
timechart: Visualize event counts over time, bucketed by span
stats: Aggregate data (counts, sums, averages), optionally split by one or more fields
table: Display specific fields in table format
sort: Order results (sort - field for descending)
reverse: Flip the order of the results
IN: Match any of several values for one field
!=: Exclude a field value (a comparison, not the boolean NOT: field!=value only matches events that have the field, whereas NOT field=value also matches events where the field is missing)
SPL is deceptively powerful. It reads almost like English but packs the punch of SQL and regular expressions combined.
Lessons from the Bunny Bandit Brigade
This investigation demonstrates why SIEM platforms like Splunk are indispensable:
Correlation: Connecting web traffic logs to firewall logs revealed the complete attack chain
Timeline Analysis: Identifying anomalous traffic spikes pinpointed the attack window
Field Extraction: Breaking down logs into searchable fields (user_agent, client_ip, path) made pattern detection possible
Aggregation: Statistical functions revealed the extent of the breach
The attackers followed a textbook progression: reconnaissance → enumeration → exploitation → exfiltration over HTTP → webshell and ransomware payload → C2 establishment, with a further burst of outbound data visible on the firewall side. Each phase left breadcrumbs in the logs, waiting to be discovered by an alert SOC analyst.
The Takeaway
King Malhare's Bandit Bunnies might have hopped into the network, but they couldn't hop out without leaving tracks. Every curl command, every SQLmap probe, every byte transferred to the C2 server—all meticulously logged and waiting to tell their story in Splunk.
The moral? Logs don't lie, attackers aren't as clever as they think, and Easter bunnies should stick to hiding eggs, not deploying ransomware.
Now if you'll excuse me, I need to go update my incident response plan to include "malicious lagomorphs" as a threat vector.
Stay safe out there, and may your logs be ever searchable. 🔍🎄
Tools Mentioned:
Splunk: SIEM platform for log analysis
curl/wget: Command-line tools for HTTP requests
SQLmap: Automated SQL injection exploitation tool
Havij: GUI-based SQL injection tool
zgrab: Application-layer scanner from the ZMap project; it speaks HTTP, so it doubles as a bulk file fetcher
Webshells: Malicious scripts for remote command execution
Want to try this investigation yourself? Check out the Splunk for Log Analysis room on TryHackMe!

