Investigating with Splunk

Investigate anomalies using Splunk.


Last updated 2 years ago

A SOC analyst has observed anomalous behavior in the logs of a few Windows machines. It appears the adversary has gained access to some of these machines and successfully created a backdoor. The analyst has been asked to pull the logs from the suspected hosts and ingest them into Splunk for a quick investigation. The task is to examine the logs and identify the anomalies.

How many events were collected and ingested in the index main?

12256

On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?

A1berto

On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?

HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto

Examine the logs and identify the user that the adversary was trying to impersonate.

Alberto

What is the command used to add a backdoor user from a remote computer?

How many times was the login attempt from the backdoor user observed during the investigation?

0

What is the name of the infected host on which suspicious PowerShell commands were executed?

James.Browne

PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?

79

An encoded PowerShell script from the infected host initiated a web request. What is the full URL?

hxxp[://]10[.]10[.]10[.]5/news[.]php
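The three checks the questions above walk through (a new account whose name imitates a legitimate user, whether that account ever attempted a logon, and recovering the URL hidden in an -EncodedCommand payload) can be automated once the events are exported from Splunk. The Python below is an added example, not code from the room or from this write-up. The events are constructed inline; the field names (EventCode, ComputerName, TargetUserName, CommandLine) follow the Splunk Add-on for Windows, the list of known users is assumed, and the encoded command is built locally from its plaintext so the script runs offline. The account names, host and URL are the ones given in the answers above.

```python
"""Triage helpers for the backdoor-user / encoded-PowerShell investigation above."""
import base64
import binascii
import re

# Constructed encoded payload: in a real case this string is read directly from
# the CommandLine field of a 4688 event, never rebuilt locally.
_PLAIN = "Invoke-WebRequest -Uri http://10.10.10.5/news.php"
ENCODED_SAMPLE = base64.b64encode(_PLAIN.encode("utf-16-le")).decode("ascii")

# Constructed sample events; field names follow the Splunk Add-on for Windows.
SAMPLE_EVENTS = [
    {"EventCode": 4720, "ComputerName": "WORKSTATION6", "TargetUserName": "A1berto"},
    {"EventCode": 4624, "ComputerName": "WORKSTATION6", "TargetUserName": "Alberto"},
    {"EventCode": 4625, "ComputerName": "WORKSTATION6", "TargetUserName": "Alberto"},
    {"EventCode": 4688, "ComputerName": "James.Browne",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_SAMPLE}"},
]

KNOWN_USERS = ["Alberto", "James.Browne", "Administrator"]  # assumed legitimate accounts

_ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
# Digits and symbols attackers substitute for letters in lookalike account names.
_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l", "!": "i"})


def decode_encoded_powershell(cmdline):
    """Return the plaintext of a -EncodedCommand payload, or None if absent or invalid.

    PowerShell expects the Base64 to wrap UTF-16LE text, so decode in that order.
    """
    match = _ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # bad Base64 or an odd byte count: not a PowerShell payload


def defang(url):
    """Render a URL non-clickable in the hxxp[://]host[.]tld form used in the answers."""
    return url.replace("http", "hxxp", 1).replace("://", "[://]").replace(".", "[.]")


def lookalike_of(name, known_users):
    """Return the legitimate account that `name` visually imitates, or None."""
    normalised = name.casefold().translate(_CONFUSABLES)
    for user in known_users:
        if user.casefold() == normalised and user.casefold() != name.casefold():
            return user
    return None


def count_logon_attempts(events, user):
    """Count logon events (4624 success, 4625 failure, 4648 explicit credentials) targeting `user`."""
    return sum(
        1 for e in events
        if e.get("EventCode") in (4624, 4625, 4648)
        and e.get("TargetUserName", "").casefold() == user.casefold()
    )


def triage(events, known_users):
    """Walk the events once and collect the facts the analyst is asked to report."""
    report = {"new_users": [], "impersonation": {}, "logon_attempts": {},
              "encoded_ps_hosts": [], "urls": []}
    for e in events:
        if e.get("EventCode") == 4720:  # a user account was created
            user = e["TargetUserName"]
            report["new_users"].append(user)
            target = lookalike_of(user, known_users)
            if target:
                report["impersonation"][user] = target
            report["logon_attempts"][user] = count_logon_attempts(events, user)
        plain = decode_encoded_powershell(e.get("CommandLine", ""))
        if plain:  # process creation carrying an encoded PowerShell payload
            report["encoded_ps_hosts"].append(e["ComputerName"])
            report["urls"].extend(defang(u) for u in _URL_RE.findall(plain))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS, KNOWN_USERS).items():
        print(f"{key}: {value}")
```

Splunk's 4104 script-block events already hold the decoded script, so the Base64 step only applies to command lines captured in 4688 (or Sysmon event 1) events; the lookalike check is deliberately applied only to accounts created during the window, since comparing every account against every other would produce noise.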