Investigating with Splunk

• How many events were collected and Ingested in the index main?

12256

• On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?

A1berto

• On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?

HKLM\SAM\SAM\domains\acounts\users\names\a1berto

• Examine the logs and identify the user that the adversary was trying to impersonate.

alberto

• What is the command used to add a backdoor user from a remote computer?

 C:\Windows\System32\wbem\wmic.exe"/note:workstation6 process call create -net1 user /add A1berto paw0rd1

• How many times was the login attempt from the backdoor user observed during the investigation?

0

• What is the name of the infected host on which suspicious Powershell commands were executed?

james.browne

• PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?

79

• An encoded Powershell script from the infected host initiated a web request. What is the full URL?

hxxp[://]10[.]10[.]10[.]5[.]/news[.]php