Forum Discussion

retornet
2 months ago
Solved

APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance

I need help with Q6. Any hint please

The attacker launches a PowerScript useful for reconnaissance activities. What is the full file path of the executed script?
I searched (EventCode=4103 OR EventCode=4104) combined with powershell. 

5 Replies

  • Well, in this case you should narrow down the search, next step:
    (EventCode=4103 OR EventCode=4104) powershell .ps1

    Narrow down further, removing non-relevant scripts:
    (EventCode=4103 OR EventCode=4104) powershell .ps1 NOT sample.ps1

    • retornet

      Thank you for your reply. I ran it like below and still having difficulties finding that script 

      (EventCode=4103 OR EventCode=4104) powershell AND "*.ps1" NOT ("psversion.ps1" OR "readme.ps1")
      | table _raw
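The narrowing approach from the first reply (restrict to 4103/4104, keep only events that mention a .ps1, drop the scripts you already know are benign) can be checked offline before running it in Splunk. The Python below is an added example, not code from the thread or from the lab: it extracts every full .ps1 path from a handful of constructed PowerShell events (field names ScriptBlockText, Path and ContextInfo follow the Windows PowerShell Operational log; the file names and paths in the sample are invented and do not come from the lab data) and applies an exclusion list the way the NOT clause does.

```python
import re

# Constructed sample events, shaped like Splunk field extractions for
# Microsoft-Windows-PowerShell/Operational events 4103 and 4104.
# Every path and script name here is invented for illustration.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Path": r"C:\Temp\sample.ps1",
     "ScriptBlockText": "Write-Host 'hello'"},
    {"EventCode": 4104, "Path": "",
     "ScriptBlockText": r". C:\Users\Public\Tools\recon.ps1; Get-NetUser"},
    {"EventCode": 4103,
     "ContextInfo": "Severity = Informational\r\n"
                    "        Host Name = ConsoleHost\r\n"
                    "        Script Name = C:\\Windows\\Temp\\psversion.ps1\r\n"
                    "        Command Name = Get-Host",
     "Payload": "CommandInvocation(Get-Host): \"Get-Host\""},
    {"EventCode": 4688, "New_Process_Name": r"C:\Windows\System32\cmd.exe"},
    {"EventCode": 4104, "Path": r"C:\Users\Public\Tools\recon.ps1",
     "ScriptBlockText": "Get-NetUser"},
]

# Drive-letter path ending in .ps1. Path components may not contain
# whitespace, ';' or quotes, so a script under "Program Files" would be
# cut short: widen the character class if your data needs it.
PS1_PATH = re.compile(
    r"[A-Za-z]:\\(?:[^\\\s;\"']+\\)*[^\\\s;\"']+\.ps1", re.IGNORECASE)


def script_paths(events, exclude=("sample.ps1", "psversion.ps1", "readme.ps1")):
    """Offline equivalent of
    (EventCode=4103 OR EventCode=4104) powershell .ps1 NOT <known scripts>

    Looks at every text field of each 4103/4104 event (script block text,
    the 4104 Path field, the 4103 ContextInfo block with its 'Script Name'
    line) and returns the distinct full .ps1 paths in order of first
    appearance, skipping any whose file name is on the exclusion list.
    """
    excluded = {name.lower() for name in exclude}
    found = []
    for event in events:
        if event.get("EventCode") not in (4103, 4104):
            continue
        text = " ".join(str(v) for k, v in event.items() if k != "EventCode")
        for path in PS1_PATH.findall(text):
            file_name = path.rsplit("\\", 1)[-1].lower()
            if file_name in excluded or path in found:
                continue
            found.append(path)
    return found


if __name__ == "__main__":
    for p in script_paths(SAMPLE_EVENTS):
        print(p)
```

The exclusion list is the part that needs judgement: each name you add to NOT is a script you have already confirmed is not the attacker's, so grow it one confirmed script at a time rather than guessing, and keep an eye on 4104 events whose Path field is empty, where the script path only appears inside ScriptBlockText (the second sample event above).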

  • How did you find the answer to the first question?

    I solved all of them except the "The attacker uploads additional tools via a compressed archive. What is the full path of this folder? Look for IOCs in the event logs to find the correct answer." I am quite sure the file is an image extension with the name of an animal, but tried all the combinations with full path, path without file name... and nothing is working :( Any help?

    • netcat

      At some point the archive will be decompressed.
      Anyway, the original question was answered, so you'd better start a new thread.