Premise

In this video walkthrough, we covered investigating malware and ransomware USB attacks with Splunk to uncover artifacts related to the nature of the incident. This training is part of the Splunk SIEM Boss of the SOC v2 300-series questions.


Room Questions and Answers

Mallory’s critical PowerPoint presentation on her MacBook gets encrypted by ransomware on August 18. What is the name of this file after it was encrypted?

There is a Game of Thrones movie file that was encrypted as well. What season and episode is it?

Kevin Lagerfield used a USB drive to move malware onto kutekitten, Mallory’s personal MacBook. She ran the malware, which obfuscates itself during execution. Provide the vendor name of the USB drive Kevin likely used. Answer Guidance: Use time correlation to identify the USB drive.

What programming language is at least part of the malware from the question above written in?

When was this malware first seen in the wild? Answer Guidance: YYYY-MM-DD

The malware infecting kutekitten uses dynamic DNS destinations to communicate with two C&C servers shortly after installation. What is the fully-qualified domain name (FQDN) of the first (alphabetically) of these destinations?

From the question above, what is the fully-qualified domain name (FQDN) of the second (alphabetically) contacted C&C server?
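The answer guidance for the USB question above is to time-correlate USB insertions with the moment the malware was run. The following added example (not part of the original walkthrough, and not the room's data or answer) shows that correlation on constructed osquery-style JSON events from a host named kutekitten; the vendor strings, timestamps, process name and path are all made up.

```python
import json

# Constructed osquery-style events (not the room's data): two USB insertions,
# one removal, one malformed line, and a process launch a few minutes later.
SAMPLE_EVENTS = [
    '{"host":"kutekitten","name":"pack_usb_devices","action":"added","unixTime":1534600000,"columns":{"vendor":"Vendor One","model":"Flash Disk"}}',
    '{"host":"kutekitten","name":"pack_usb_devices","action":"removed","unixTime":1534600300,"columns":{"vendor":"Vendor One","model":"Flash Disk"}}',
    'this line is not valid JSON and is skipped by the parser',
    '{"host":"kutekitten","name":"pack_usb_devices","action":"added","unixTime":1534601000,"columns":{"vendor":"Vendor Two","model":"USB Stick"}}',
    '{"host":"kutekitten","name":"pack_processes","action":"added","unixTime":1534601180,"columns":{"name":"suspicious_bin","path":"/Users/mallory/Downloads/suspicious_bin"}}',
]

def parse_events(lines):
    """Parse JSON lines into dicts, skipping any line that is not valid JSON."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def usb_vendor_before_process(events, host, process_name, window_seconds=600):
    """Return the vendor of the USB device inserted most recently before the
    first launch of process_name on host, within window_seconds, else None."""
    launches = sorted(
        e["unixTime"] for e in events
        if e.get("host") == host and e.get("name") == "pack_processes"
        and e.get("action") == "added"
        and e.get("columns", {}).get("name") == process_name
    )
    if not launches:
        return None
    t_launch = launches[0]
    # Only insertions ("added") that fall inside the window before the launch count.
    candidates = [
        e for e in events
        if e.get("host") == host and e.get("name") == "pack_usb_devices"
        and e.get("action") == "added"
        and t_launch - window_seconds <= e["unixTime"] <= t_launch
    ]
    if not candidates:
        return None
    latest = max(candidates, key=lambda e: e["unixTime"])
    return latest["columns"].get("vendor")

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(usb_vendor_before_process(evs, "kutekitten", "suspicious_bin"))
```

Narrowing the window (for example to 60 seconds) returns None here, which is the check to run when several devices were inserted close together.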

Room Link: Splunk 2

Video Walk-through

About the Author

Cybersecurity trainer with an MS in Cybersecurity; expertise in the healthcare and finance industries; penetration tester and compliance auditor.
