Investigating with Splunk

Investigate anomalies using Splunk.

A SOC Analyst has observed some anomalous behavior's in the logs of a few Windows machines. It seems the adversary has access to some of these machines and successfully created a backdoor. The analyst has been asked to pull those logs from suspected hosts and ingest them into Splunk for quick investigation. The SOC Analyst's task is to examine the logs and identify the anomalies.

How many events were collected and Ingested in the index main?

12256

On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?

A1berto

On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?

HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto

Examine the logs and identify the user that the adversary was trying to impersonate.

Alberto

What is the command used to add a backdoor user from a remote computer?

How many times was the login attempt from the backdoor user observed during the investigation?

What is the name of the infected host on which suspicious Powershell commands were executed?

PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?

An encoded Powershell script from the infected host initiated a web request. What is the full URL?

hxxp[://]10[.]10[.]10[.]5/news[.]php

PreviousIncident Handling with Splunk NextBenign

Last updated 1 year ago