APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance

Question

I need help with Q6. Any hint pleaseThe attacker launches a PowerScript useful for reconnaissance activities. What is the full file path of the executed script?I searched (EventCode=4103 OR EventCode=4104) combined with powershell.&nbsp;

netcat · Answer

Well, in this case you should narrow down the search, next step:
(EventCode=4103 OR EventCode=4104) powershell .ps1

Narrow down further, removing non relevant scripts:
(EventCode=4103 OR EventCode=4104) powershell .ps1 NOT sample.ps1

retornet · Answer

Thank you for your reply. I ran it like below and still having difficulties finding that script

(EventCode=4103 OR EventCode=4104) powershell AND "*.ps1" NOT ("psversion.ps1" OR "readme.ps1")
| table _raw

Forum Discussion

APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance

2 Replies

Featured Places

Help & Support Forum

Related Content

Help needed for Threat Hunting: Mining Behaviour

FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs

Help needed for Threat Hunting - Credential Access

APT29 Threat Hunting with Splunk: Ep.11 – Demonstrate Your Skills - Question to Q9

APT29 Threat Hunting with Elasticsearch: Ep.5 – LNK File Analysis - Tools?

Recent Discussions

APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance

Web App Hacking Lab

Autopsy Ep 3: Tags, Comments and Reports

Incident Response

CVE-2020-11651 (SaltStack RCE) – Defensive