APT29 Threat Hunting with Splunk: Ep.11 – Demonstrate Your Skills - Question to Q9

Log with EventID: 4103

ParameterBinding(Get-ChildItem): name="Path"; value="C:\Users\Administrator.BARTERTOWNGROUP\" ParameterBinding(Get-ChildItem): name="Include"; value="*.doc, *.xps, *.xls, *.ppt, *.pps, *.wps, *.wpd, *.ods, *.odt, *.lwp, *.jtd, *.pdf, *.zip, *.rar, *.docx, *.url, *.xlsx, *.pptx, *.ppsx, *.pst, *.ost, *psw*, *pass*, *login*, *admin*, *sifr*, *sifer*, *vpn, *.jpg, *.txt, *.lnk" ParameterBinding(Get-ChildItem): name="Recurse"; value="True" ParameterBinding(Get-ChildItem): name="ErrorAction"; value="SilentlyContinue" CommandInvocation(Select-Object): "Select-Object" ParameterBinding(Select-Object): name="ExpandProperty"; value="FullName" ParameterBinding(Select-Object): name="InputObject"; value="C:\Users\Administrator.BARTERTOWNGROUP\Desktop\Google Chrome.lnk" ParameterBinding(Select-Object): name="InputObject"; value="C:\Users\Administrator.BARTERTOWNGROUP\Desktop\Microsoft Edge.lnk" ParameterBinding(Select-Object): name="InputObject"; value="C:\Users\Administrator.BARTERTOWNGROUP\Documents\SecretFile.txt" ParameterBinding(Select-Object): name="InputObject"; value="C:\Users\Administrator.BARTERTOWNGROUP\Downloads\7zip4powershell.1.9.0.zip" ParameterBinding(Select-Object): name="InputObject"; value="C:\Users\Administrator.BARTERTOWNGROUP\Favorites\Bing.url" ParameterBinding(Select-Object): name="InputObject"; value="C:\Users\Administrator.BARTERTOWNGROUP\Links\Desktop.lnk" ParameterBinding(Select-Object): name="InputObject"; value="C:\Users\Administrator.BARTERTOWNGROUP\Links\Downloads.lnk"