Forum Discussion

Bronze II

2 months ago

Solved

APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance

I need help with Q6. Any hint please The attacker launches a PowerScript useful for reconnaissance activities. What is the full file path of the executed script? I searched (EventCode=4103 OR Eve...

defensive cyber

immersive labs

retornet
2 months ago
Found it at the end. Thanks

netcat

Silver II

2 months ago

Well, in this case you should narrow down the search, next step:
(EventCode=4103 OR EventCode=4104) powershell .ps1

Narrow down further, removing non relevant scripts:
(EventCode=4103 OR EventCode=4104) powershell .ps1 NOT sample.ps1

retornet

Bronze II

2 months ago

Thank you for your reply. I ran it like below and still having difficulties finding that script

(EventCode=4103 OR EventCode=4104) powershell AND "*.ps1" NOT ("psversion.ps1" OR "readme.ps1")
| table _raw

retornet
Bronze II
2 months ago
Found it at the end. Thanks

Forum Discussion

APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance

Featured Places

Help & Support Forum

Related Content

FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs

Help needed for Threat Hunting: Mining Behaviour

APT29 Threat Hunting with Splunk Ep.11 Q11

FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs

FIN7 Threat Hunting with Splunk: Ep.2 – Initial Access

Recent Discussions

Help with Introduction to Python Scripting: Ep.7 – Demonstrate Your Skills

Threat Research: Dependency Confusion Lab

Fundamental AI Algorithms: Decision Trees Script Detection Question 6

Active Directory Basics: Demonstrate Your Skills

Introduction to Detection Engineering: Ep.3 – Parent Processes - Kibana says no