Forum Discussion

Bronze III

3 months ago

Solved

APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance

I need help with Q6. Any hint please The attacker launches a PowerScript useful for reconnaissance activities. What is the full file path of the executed script? I searched (EventCode=4103 OR Eve...

defensive cyber

immersive labs

retornet
3 months ago
Found it at the end. Thanks

netcat

Silver III

3 months ago

Well, in this case you should narrow down the search, next step:
(EventCode=4103 OR EventCode=4104) powershell .ps1

Narrow down further, removing non relevant scripts:
(EventCode=4103 OR EventCode=4104) powershell .ps1 NOT sample.ps1

retornet

Bronze III

3 months ago

Thank you for your reply. I ran it like below and still having difficulties finding that script

(EventCode=4103 OR EventCode=4104) powershell AND "*.ps1" NOT ("psversion.ps1" OR "readme.ps1")
| table _raw

retornet
Bronze III
3 months ago
Found it at the end. Thanks

Forum Discussion

APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance

Featured Places

Help & Support Forum

Related Content

Help needed for Threat Hunting: Mining Behaviour

FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs

FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs

APT29 Threat Hunting with Splunk Ep.11 Q11

Help needed for Threat Hunting - Credential Access

Recent Discussions

Foundational Static Analysis: API Analysis step 10

Microsoft Defender for Cloud: Inventory, Resource Health and Recommendations.

Snort Rules: Ep.9 – Exploit Kits

Snort Rules: Ep.7 – Lokibot Infection Traffic

Pen Test CTFs: Artica Shipping Company