Immersive Labs – APT29: Threat Hunting with Splunk

Question

Hi everyone,I’m currently working through the Immersive Labs – APT29: Threat Hunting with Splunk lab and got stuck on Question 10.Question:A PowerShell script was initially executed to extract encoded data from an image file. What is the full ParentCommandLine field value used to execute this?What I’ve tried so far:Searched PowerShell logs (EventCode 4103 / 4104) in SplunkLooked for base64/encoded content indicators (e.g., FromBase64String, -enc, IEX)Filtered for image-related activity (e.g., .jpg, .png)Reviewed process creation context but struggling to identify the exact ParentCommandLine.Appreciate any guidance—trying to understand the hunting logic, not just the answer.Thanks in advance!

samdickison · Answer

Hopefully someone can give you some tips, I'll keep an eye on it.&nbsp; Also, this is a brilliant example of how to ask a question on this forum! Really well written.

Forum Discussion

Immersive Labs – APT29: Threat Hunting with Splunk

1 Reply

Featured Places

Help

Related Content

APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance

APT29 Threat Hunting with Elasticsearch: Ep.11 – Demonstrate Your Skills

APT29 Threat Hunting with Splunk Ep.11 Q11

APT29 Threat Hunting with Elasticsearch: Ep.5 – LNK File Analysis - Tools?

APT29 Threat Hunting with Splunk: Ep.11 – Demonstrate Your Skills - Question to Q9

Recent Discussions

Immersive Labs – APT29: Threat Hunting with Splunk

Modern Encryption Issue

Cross_site Scripting DOM-based XSS vulnerability

Investigating IAM Incidents in AWS: Preparation - Question 7

Mobile Malware: Anubis Malware (Offensive) - Question 8,9