Introduction
We covered investigating a cyber incident with splunk. We investigated the events generated on compromised windows machines and uncovered the attack artifacts. This was part of TryHackMe Investigating with Splunk
Scenario
SOC Analyst Johny has observed some anomalous behaviours in the logs of a few windows machines. It looks like the adversary has access to some of these machines and successfully created some backdoor. His manager has asked him to pull those logs from suspected hosts and ingest them into Splunk for quick investigation. Our task as SOC Analyst is to examine the logs and identify the anomalies.
Challenge Answers
On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?
On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?
Examine the logs and identify the user that the adversary was trying to impersonate.
What is the command used to add a backdoor user from a remote computer?
How many times was the login attempt from the backdoor user observed during the investigation?
What is the name of the infected host on which suspicious Powershell commands were executed?
PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?
An encoded Powershell script from the infected host initiated a web request. What is the full URL?