Forum Discussion

Bronze I

3 hours ago

Immersive Labs – APT29: Threat Hunting with Splunk

Hi everyone,

I’m currently working through the Immersive Labs – APT29: Threat Hunting with Splunk lab and got stuck on Question 10.

Question:

A PowerShell script was initially executed to extract encoded data from an image file. What is the full ParentCommandLine field value used to execute this?

What I’ve tried so far:

Searched PowerShell logs (EventCode 4103 / 4104) in Splunk
Looked for base64/encoded content indicators (e.g., FromBase64String, -enc, IEX)
Filtered for image-related activity (e.g., .jpg, .png)
Reviewed process creation context but struggling to identify the exact ParentCommandLine.

Appreciate any guidance—trying to understand the hunting logic, not just the answer.

Thanks in advance!

No RepliesBe the first to reply

Forum Discussion

Immersive Labs – APT29: Threat Hunting with Splunk

Featured Places

Help

Related Content

APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance

APT29 Threat Hunting with Elasticsearch: Ep.11 – Demonstrate Your Skills

APT29 Threat Hunting with Splunk Ep.11 Q11

APT29 Threat Hunting with Elasticsearch: Ep.5 – LNK File Analysis - Tools?

APT29 Threat Hunting with Splunk: Ep.11 – Demonstrate Your Skills - Question to Q9

Recent Discussions

Investigating IAM Incidents in AWS: Preparation - Question 7

Immersive Labs – APT29: Threat Hunting with Splunk

Mobile Malware: Anubis Malware (Offensive) - Question 8,9

Modern Encryption Issue

Lab not getting complete even it is correct