{"id":7823,"date":"2026-02-12T12:44:51","date_gmt":"2026-02-12T10:44:51","guid":{"rendered":"https:\/\/scalemedia.co.za\/cybermedia\/?post_type=docs&#038;p=7823"},"modified":"2026-02-12T12:48:12","modified_gmt":"2026-02-12T10:48:12","password":"","slug":"intrusion-detection-with-splunk","status":"publish","type":"docs","link":"https:\/\/scalemedia.co.za\/cybermedia\/docs\/intrusion-detection-with-splunk\/","title":{"rendered":"Intrusion Detection With Splunk (Real-world Scenario)"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"introduction\">Introduction to Intrusion Detection With Splunk<\/h2>\n\n\n\n<p>The <code>Windows Event Logs &amp; Finding Evil<\/code> module familiarized us with log exploration on a single machine to pinpoint malicious activity. Now, we&#8217;re stepping up our game. We&#8217;ll be conducting similar investigations, but on a much larger scale, across numerous machines to uncover irregular activities within the entire network instead of just one device. 
Our tools will still include Windows Event Logs, but the scope of our work will broaden significantly, demanding careful scrutiny of a larger pool of information and the identification and discarding of false positives wherever possible.<\/p>\n\n\n\n<p>Start by confirming that the index holds data at all. <code>earliest=0<\/code> removes the time-picker restriction and searches the whole index, which is fine for a lab dataset but expensive in production, where you should pick a bounded time range before anything else.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; earliest=0<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FGk3myVSsSlOF8nlYm2ur%252F1.webp%3Falt%3Dmedia%26token%3Dc5ec98ab-3268-440f-8f35-c0088a32152c&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=77694a3c&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"searching-effectively\">Searching Effectively<\/h2>\n\n\n\n<p>Let&#8217;s dive into our data. 
Our first objective is to see what we can identify within the Sysmon data. We&#8217;ll start by listing all our sourcetypes, approaching this as an unknown environment from scratch. Run the following query to observe the available sourcetypes (the screenshot may contain a WinEventLog sourcetype that you will not have).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; | stats count by sourcetype<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FEGX29YcqaMMif67IMemM%252F2.png%3Falt%3Dmedia%26token%3D5e9ef7eb-e708-4b1d-a4b2-bd0078a7effb&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=9ea941df&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>This lists every sourcetype present in the <code>main<\/code> index together with an event count for each. 
Now let&#8217;s query our Sysmon sourcetype and take a look at the incoming data.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot;<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FHgFkqw1V3UkVzhtGNnzh%252F3.webp%3Falt%3Dmedia%26token%3D68a155ed-3dea-4f98-b460-30c6305ca5fb&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=5205cc4&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>We can expand any event by clicking the arrow on its left to see the extracted fields (<code>ComputerName<\/code>, <code>EventCode<\/code>, <code>Image<\/code>, <code>ParentImage<\/code> and so on) that the queries below filter on.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F6bF7HkGcd9FM2MrPBZRF%252F4.webp%3Falt%3Dmedia%26token%3Da1dc593b-ccd8-4df1-aa6a-4a031971218c&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=26a5ee83&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Let&#8217;s execute 
some generalized queries to illustrate performance differences. Let&#8217;s search for all possible instances of <code>uniwaldo.local<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; uniwaldo.local<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fh0V4TSgCKaq9vqJpmqHt%252F5.webp%3Falt%3Dmedia%26token%3D438cb724-854d-4852-aa6c-1fb1a5b54993&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=ca4ac673&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Now let&#8217;s attempt to find all instances of this string embedded in a longer string, such as &#8220;myuniwaldo.localtest&#8221;, by placing a wildcard before and after it. A term with a leading wildcard cannot be looked up in the index directly, so Splunk has to scan every event in scope; expect this to be noticeably slower.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; *uniwaldo.local*<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FxWYQNnHCzpBhXldFG01e%252F6.png%3Falt%3Dmedia%26token%3Dba3cd41d-76af-4fa7-8cc2-29bc9290c30e&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=a3d07b0d&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Now let&#8217;s target this string within the <code>ComputerName<\/code> field only, as we might only care about this string if it shows up in <code>ComputerName<\/code>. 
Because no <code>ComputerName<\/code> value consists of this string alone (each value carries a hostname in front of the domain), we need to prepend a wildcard to return relevant results.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; ComputerName=&quot;*uniwaldo.local&quot;<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FB1HumyiFVfCewgHrwdcV%252F7.webp%3Falt%3Dmedia%26token%3D50817ca1-c31f-4b1a-83ff-28ab9dcfe122&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=edc381e9&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>You&#8217;ll find that this query returns results <em>much<\/em> more swiftly than our previous search. 
The point being made here is that targeted searches in your SIEM execute and return results much more quickly: the comparison is applied to a single extracted field rather than the full raw text of every event, and the result set is limited to the hits you actually care about. The same logic applies to every search that follows: restrict the index, sourcetype and time range first, then the specific fields.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"embracing-the-mindset-of-analysts-threat-hunters-and-detection-engineers\">Embracing The Mindset Of Analysts, Threat Hunters, &amp; Detection Engineers<\/h3>\n\n\n\n<p>Making progress on our journey, let&#8217;s pivot our focus towards spotting anomalies in our data. Remember the foundation we established in the <code>Windows Event Logs &amp; Finding Evil<\/code> module, where we explored the potential of event codes in tracing peculiar activities? We utilized public resources such as the Microsoft Sysinternals guide for <a href=\"https:\/\/learn.microsoft.com\/en-us\/sysinternals\/downloads\/sysmon\" target=\"_blank\" rel=\"noopener\">Sysmon<\/a>. 
Let&#8217;s apply the same approach and identify all Sysmon EventCodes present in our data with this query.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; | stats count by EventCode<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FvR9O17qeWWUdQdWNmf1i%252F8.webp%3Falt%3Dmedia%26token%3D35a3b1ec-7b71-40b6-9e34-670f5bf79eb9&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=b692dc4f&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Based on these <code>EventCodes<\/code>, we can perform preliminary queries. As previously stated, unusual parent-child process relationships are always worth investigating, and Sysmon Event ID 1 (process creation) records both the new process (<code>Image<\/code>) and the process that started it (<code>ParentImage<\/code>). 
Let&#8217;s inspect all parent-child pairs with this query.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=1 | stats count by ParentImage, Image<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FbL4lnIv4M2EyXIZ09VEx%252F9.png%3Falt%3Dmedia%26token%3D89dd2e09-712a-42df-861d-9c9780d2d5fa&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=bb3a405c&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>We&#8217;re met with 5,427 events, quite a heap to sift through manually. We have two choices: weed out what seems benign, or target child processes that are frequently abused, such as <code>cmd.exe<\/code> or <code>powershell.exe<\/code>. 
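<\/p>\n\n\n\n<p>As an added example that is not part of the original page, the Python script below does the same triage offline on a handful of constructed Sysmon records: it counts events by <code>EventCode<\/code>, builds the <code>ParentImage<\/code>\/<code>Image<\/code> table for Event ID 1 with an equivalent of <code>stats count by<\/code>, applies the SPL-style <code>*cmd.exe<\/code> and <code>*powershell.exe<\/code> suffix wildcards, and then does the &#8220;weed out the benign&#8221; step by flagging shell children whose parent is not on a baseline list. The events, host names, paths and the baseline set are all invented for the example and should be replaced with your own data and your own observed parents.<\/p>

```python
"""Offline triage of Sysmon process-creation events, mirroring the SPL
`stats count by` searches used in the text. Added example: the events,
hosts, paths and the baseline list below are constructed, not real data."""
import fnmatch
import ntpath
import re
from collections import Counter


def _event(*lines):
    """Join field lines into one rendered event, one field per line."""
    return "\n".join(lines)


# Constructed sample telemetry: five Event ID 1 (process creation) records and
# one Event ID 3 (network connection) record, in the "Key=Value" header /
# "Key: Value" message layout Splunk shows for WinEventLog:Sysmon events.
SAMPLE_EVENTS = [
    _event("EventCode=1", "ComputerName=WS01.uniwaldo.local", "Message=Process Create:",
           r"Image: C:\Windows\System32\cmd.exe", r"ParentImage: C:\Windows\explorer.exe"),
    _event("EventCode=1", "ComputerName=WS01.uniwaldo.local", "Message=Process Create:",
           r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"ParentImage: C:\Windows\explorer.exe"),
    _event("EventCode=1", "ComputerName=WS02.uniwaldo.local", "Message=Process Create:",
           r"Image: C:\Windows\System32\cmd.exe", r"ParentImage: C:\Windows\explorer.exe"),
    _event("EventCode=1", "ComputerName=WS02.uniwaldo.local", "Message=Process Create:",
           r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"ParentImage: C:\Windows\System32\notepad.exe"),
    _event("EventCode=1", "ComputerName=DC01.uniwaldo.local", "Message=Process Create:",
           r"Image: C:\Windows\System32\conhost.exe", r"ParentImage: C:\Windows\System32\cmd.exe"),
    _event("EventCode=3", "ComputerName=WS02.uniwaldo.local", "Message=Network connection detected:",
           r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "DestinationIp: 203.0.113.10", "DestinationPort: 443"),
]

# One "Key=Value" or "Key: Value" field per line; value keeps its own colons.
FIELD_RE = re.compile(r"^\s*([A-Za-z]+)\s*[=:]\s*(.*?)\s*$", re.MULTILINE)


def parse_event(raw):
    """Return the fields of one rendered event as a dict (later duplicates win)."""
    return dict(FIELD_RE.findall(raw))


def spl_match(value, pattern):
    """SPL-style field comparison: '*' is a wildcard and matching ignores case."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def stats_count_by(events, *fields):
    """Equivalent of `| stats count by f1, f2, ...`: a Counter keyed by the field tuple."""
    return Counter(tuple(e.get(f, "") for f in fields) for e in events)


def process_creations(events):
    """The `EventCode=1` filter; only process-creation records carry ParentImage."""
    return [e for e in events if e.get("EventCode") == "1"]


# Children worth targeting, and the parents that routinely launch them in this
# assumed environment. Build your own set from the full stats table.
SHELL_CHILD_PATTERNS = ("*cmd.exe", "*powershell.exe")
EXPECTED_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe"}


def suspicious_shell_spawns(events, child_patterns=SHELL_CHILD_PATTERNS,
                            expected_parents=EXPECTED_SHELL_PARENTS):
    """(ParentImage, Image, count) rows for shell children whose parent is
    not on the baseline list, sorted so the output is deterministic."""
    shells = [e for e in process_creations(events)
              if any(spl_match(e.get("Image", ""), p) for p in child_patterns)]
    rows = stats_count_by(shells, "ParentImage", "Image")
    return sorted((parent, image, n) for (parent, image), n in rows.items()
                  if ntpath.basename(parent).lower() not in expected_parents)


def main():
    events = [parse_event(raw) for raw in SAMPLE_EVENTS]
    print("count by EventCode")
    for (code,), n in sorted(stats_count_by(events, "EventCode").items()):
        print(f"  {n:>4}  EventCode={code}")
    print("count by ParentImage, Image (EventCode=1)")
    table = stats_count_by(process_creations(events), "ParentImage", "Image")
    for (parent, image), n in table.most_common():
        print(f"  {n:>4}  {parent}  ->  {image}")
    print("shell children with a parent outside the baseline")
    for parent, image, n in suspicious_shell_spawns(events):
        print(f"  {n:>4}  {parent}  ->  {image}")


if __name__ == "__main__":
    main()
```

<p>Running the script prints the three tables; the only row it flags is the <code>notepad.exe<\/code> parent. The baseline set is the part that needs tuning: start from the full parent\/child count table, add the pairs you can explain, and let everything else surface for review.<\/p>\n\n\n\n<p>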
Let&#8217;s target these two child processes.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=1 (Image=&quot;*cmd.exe&quot; OR Image=&quot;*powershell.exe&quot;) | stats count by ParentImage, Image<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fj4RHyUIO4R7d299ud7P5%252F10.webp%3Falt%3Dmedia%26token%3D763a2a17-8f53-4eef-9390-f1372d4e1847&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=a7f9f3ac&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>The <code>notepad.exe<\/code> to <code>powershell.exe<\/code> chain stands out immediately. It means that <code>notepad.exe<\/code> was running and spawned a child PowerShell process to execute a command. Notepad has no legitimate reason to launch a shell, so a child like this usually points to code executing inside the notepad.exe process that is not Notepad&#8217;s own, with the shell used to run the next stage. The next steps? 
Question the <code>why<\/code> and validate if this is typical.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=1 (Image=&quot;*cmd.exe&quot; OR Image=&quot;*powershell.exe&quot;) ParentImage=&quot;C:\\\\Windows\\\\System32\\\\notepad.exe&quot;<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F3yRLt8m9rnDoQnMXqMJJ%252F11.png%3Falt%3Dmedia%26token%3Df1f36aab-ff27-4cd7-90b3-a1ee245dad5f&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=15501e1a&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FoCgcttUXXWnrmYqdlMxQ%252F12.webp%3Falt%3Dmedia%26token%3D09ede80e-84c7-4541-b305-6c524259e689&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=8e0f0d50&amp;sv=2\" 
alt=\"\"\/><\/figure>\n\n\n\n<p>We see the <code>ParentCommandLine<\/code> (just <code>notepad.exe<\/code> with no arguments) triggering a <code>CommandLine<\/code> of <code>powershell.exe<\/code> seemingly downloading a file from a server with the IP of <code>10.0.0.229<\/code>!<\/p>\n\n\n\n<p>Our path now forks. We could trace what initiated the <code>notepad.exe<\/code>, or we could investigate other machines interacting with this IP and assess its legitimacy. Let&#8217;s unearth more about this IP by running some queries across all sourcetypes that could shed some light.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; 10.0.0.229 | stats count by sourcetype<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F61JdjbBc3QtCqcayvDOL%252F13.webp%3Falt%3Dmedia%26token%3Da91ce00a-2ad1-40b7-938d-e5ffe9853c9b&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=d032bcf9&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; 10.0.0.229 sourcetype=&quot;linux:syslog&quot;<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F4VWGm0KvWcOQMmBUymEg%252F14.webp%3Falt%3Dmedia%26token%3D8c461132-21e2-41c2-b735-2b12e58c76d7&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=11686071&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Based on the data and the <code>host<\/code> field, we can conclude that this IP belongs to the host named <code>waldo-virtual-machine<\/code> on its <code>ens160<\/code> interface. 
In the syslog data, this IP appears to be doing only routine, generic activity.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FKBH9VplZ28s5JF2XOhpd%252F15.webp%3Falt%3Dmedia%26token%3D7efc5ccc-9269-428c-bfea-db9d547e58b3&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=600e6d6b&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>This finding indicates that our machine has engaged in some form of communication with a Linux system, notably downloading executable files through <code>PowerShell<\/code>. This sparks some concerns, hinting at the potential compromise of the Linux system as well!<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; 10.0.0.229 sourcetype=&quot;WinEventLog:sysmon&quot; | stats count by CommandLine<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fean1zC6JS6qdT2QhA6h0%252F16.webp%3Falt%3Dmedia%26token%3Dda7c343a-c6d8-4495-ade5-af20e194021b&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=9c96f9e2&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>At this juncture, alarm bells should be sounding! We can spot several binaries with conspicuously malicious names, offering strong signals of their hostile intent.<\/p>\n\n\n\n<p>From our assessment, it&#8217;s becoming increasingly clear that not only was the spawning of <code>notepad.exe<\/code> to <code>powershell.exe<\/code> malicious in nature, but the Linux system also appears to be infected.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; 10.0.0.229 sourcetype=&quot;WinEventLog:sysmon&quot; | stats count by CommandLine, host<\/code><\/pre>\n\n\n\n<p>Our analysis indicates that two hosts fell prey to this Linux pivot. 
Notably, it appears that the DCSync PowerShell script was executed on the second host, indicating a likely <code>DCSync<\/code> attack.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; EventCode=4662 Access_Mask=0x100 Account_Name!=*$<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FZ7p82Cy1xYYOa9wg1Tm9%252F18.webp%3Falt%3Dmedia%26token%3D9781f110-acac-4a32-85aa-537bcde37157&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=cbd1bef7&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Now, let&#8217;s dissect the rationale behind this query. Event Code <code>4662<\/code> is logged when an Active Directory (AD) object is accessed. It is typically disabled by default and must be deliberately enabled on the Domain Controller before these events start appearing. <code>Access Mask 0x100<\/code> specifically requests <code>Control Access<\/code>, the right typically needed for DCSync&#8217;s high-level permissions. 
The <code>Account_Name<\/code> filter excludes names ending in <code>$<\/code>, so we only see AD objects accessed directly by user accounts rather than machine accounts, since DCSync should legitimately be performed only by <code>machine accounts<\/code> or <code>SYSTEM<\/code>, not by users.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fki2tZYnvnB4MgTDGgOGH%252F19.webp%3Falt%3Dmedia%26token%3D7cc76550-029d-4f00-b321-8e63175777d3&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=aa5b8631&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>We notice two intriguing GUIDs. A quick Google search can yield valuable insights. Let&#8217;s look them up.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F3Lq2DAD6dRJQaZnMH3CE%252F20.webp%3Falt%3Dmedia%26token%3Db2417f89-9849-483b-b52f-ddc0a49b3729&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=df12118a&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FGvsUEhMWM1apnk2ADBL4%252F21.webp%3Falt%3Dmedia%26token%3D1d1af3b4-85b2-4cdb-bcd8-bb14d4f57df1&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=9b21b477&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FsiCpJdIZ0Y5x0Ld6sNDU%252F22.webp%3Falt%3Dmedia%26token%3Dce9c2998-6187-4ff7-944a-dd722a8891df&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=53486bb&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Upon researching, we find that the first one is linked to <code>DS-Replication-Get-Changes-All<\/code>, which, as per its description, &#8220;&#8230;allows the replication of secret domain data&#8221;.<\/p>\n\n\n\n<p>This gives us solid confirmation that a DCSync attempt was made and successfully executed by the Waldo user on the <code>UNIWALDO<\/code> domain. It&#8217;s reasonable to presume that the Waldo user either possesses <code>Domain Admin<\/code> rights or has a certain level of access rights permitting this action.<\/p>\n\n\n\n<p>However, it&#8217;s evident that we&#8217;ve barely scratched the surface of the attacker&#8217;s activities. 
The attacker must have initially infiltrated the system and undertaken several maneuvers to obtain domain admin rights, orchestrate lateral movement, and dump the domain credentials.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; EventCode=10 lsass | stats count by SourceImage<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FFARf6iML8XKqOfxxl9w2%252F23.png%3Falt%3Dmedia%26token%3Dd2a6980c-df15-45b1-b40d-c4233f4a5110&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=a8145454&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>We&#8217;ll begin by examining any conspicuously strange process accesses to <code>lsass.exe<\/code>, grouped by source image. The most noticeable ones are <code>notepad<\/code> (given its absurdity) and <code>rundll32<\/code> (given its limited frequency). 
We can further explore these as we usually do.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>index=&quot;main&quot; EventCode=10 lsass SourceImage=&quot;C:\\\\Windows\\\\System32\\\\notepad.exe&quot;<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FL9rkNShaeuDx8ZbQUy7a%252F24.webp%3Falt%3Dmedia%26token%3Dffccdb03-64c1-4905-bb08-16a042bf032e&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=3cb5dbf4&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F6DjzXqkwPO0OWM1vZSLz%252F25.webp%3Falt%3Dmedia%26token%3Dd38e65d6-9379-45f7-92f0-98cb45eb0b50&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=28d95c6b&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>To the untrained eye, it might not be immediately apparent that the callstack refers to an 
<code>UNKNOWN<\/code> segment into <code>ntdll<\/code>. In most cases, any form of shellcode will be located in what&#8217;s termed an <code>unbacked<\/code> memory region. This implies that ANY API calls from this shellcode don&#8217;t originate from any identifiable file on disk, but from arbitrary, or <code>UNKNOWN<\/code>, regions in memory that don&#8217;t map to disk at all. While false positives can occur, the scenarios are limited to processes such as <code>JIT<\/code> processes, and they can mostly be filtered out.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"creating-meaningful-alerts\"><a href=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/soc-hackthebox-notes-and-labs\/understanding-log-sources-and-investigating-with-splunk-module\/intrusion-detection-with-splunk-real-world-scenario#creating-meaningful-alerts\" target=\"_blank\" rel=\"noopener\"><\/a>Creating Meaningful Alerts<\/h2>\n\n\n\n<p>Armed with this newfound source of information, we can now aim to create alerts from malicious malware based on API calls from <code>UNKNOWN<\/code> regions of memory. It&#8217;s crucial to remember that generating alerts differs from hunting. Our alerts must be resilient and effective, or we risk flooding our defense team with a glut of data, inadvertently providing a smokescreen for attackers to slip through our false positives. 
Moreover, we must ensure they aren&#8217;t easily circumvented, where a few tweaks and a few seconds are all it takes.<\/p>\n\n\n\n<p>We&#8217;ll start by listing all the call stacks containing <code>UNKNOWN<\/code> during this lab period, grouped by event code, to see which can yield the most meaningful data.<\/p>\n\n\n\n<pre class=\"betterdocs-code-snippet-code language-typescript\"><code>index=&quot;main&quot; CallTrace=&quot;*UNKNOWN*&quot; | stats count by EventCode<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FJkvUPAk9J1Ys1HuK5eMQ%252F26.png%3Falt%3Dmedia%26token%3Da6b6ff0e-d95a-43a6-9331-ba59916d1642&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=8a6d94dd&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>It appears that only event code 10 shows anything related to our <code>CallTrace<\/code>, so our alert will be tied to process access! This means we&#8217;ll be alerting on any attempt to open a handle to another process where the calling code doesn&#8217;t map back to disk, on the assumption that it&#8217;s shellcode. 
We see 1575 counts, though, so we&#8217;ll begin by grouping based on <code>SourceImage<\/code>.<\/p>\n\n\n\n<pre class=\"betterdocs-code-snippet-code language-typescript\"><code>index=&quot;main&quot; CallTrace=&quot;*UNKNOWN*&quot; | stats count by SourceImage<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FQy6vzNTVlOhK1YATVlhk%252F27.png%3Falt%3Dmedia%26token%3Db7a3291f-8479-49cd-ae50-1a2039998d4b&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=3d21d9e2&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Here are the false positives we mentioned, and they&#8217;re all <code>JITs<\/code> as well! <code>.Net<\/code> is a <code>JIT<\/code>, and <code>Squirrel<\/code> utilities are tied to <code>electron<\/code>, which embeds a Chromium browser and therefore also contains a JIT. Even with our smaller dataset, there&#8217;s a lot to sift through, and we&#8217;re not sure what&#8217;s malicious and what&#8217;s not. 
The most effective way to manage this is by chaining a few filters together, starting by dropping events where a process opened a handle to itself (<code>SourceImage<\/code> equal to <code>TargetImage<\/code>).<\/p>\n\n\n\n<pre class=\"betterdocs-code-snippet-code language-typescript\"><code>index=&quot;main&quot; CallTrace=&quot;*UNKNOWN*&quot; | where SourceImage!=TargetImage | stats count by SourceImage<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F52vWKbzvJ0GlyGj6itv8%252F28.webp%3Falt%3Dmedia%26token%3Dc8ecca11-0506-4414-bc23-e3d204460877&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=15db8a3a&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Next, we know that <code>C Sharp<\/code> will be hard to weed out, and we want a high-fidelity alert. So we&#8217;ll exclude anything <code>C Sharp<\/code> related due to its <code>JIT<\/code>. 
We can achieve this by excluding the Microsoft.Net folders and anything that has <code>ni.dll<\/code> or <code>clr.dll<\/code> in its call trace.<\/p>\n\n\n\n<pre class=\"betterdocs-code-snippet-code language-typescript\"><code>index=&quot;main&quot; CallTrace=&quot;*UNKNOWN*&quot; SourceImage!=&quot;*Microsoft.NET*&quot; CallTrace!=*ni.dll* CallTrace!=*clr.dll* | where SourceImage!=TargetImage | stats count by SourceImage<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FomfdPQ3l1OxDQFI09GsI%252F29.webp%3Falt%3Dmedia%26token%3D975834b7-e843-410b-b5a2-924b1f7f34a2&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=d531d558&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>In the next phase, we&#8217;ll be focusing on eradicating anything related to <code>WOW64<\/code> within its call stack.<\/p>\n\n\n\n<pre class=\"betterdocs-code-snippet-code language-typescript\"><code>index=&quot;main&quot; CallTrace=&quot;*UNKNOWN*&quot; SourceImage!=&quot;*Microsoft.NET*&quot; CallTrace!=*ni.dll* CallTrace!=*clr.dll* CallTrace!=*wow64* | where SourceImage!=TargetImage | stats count by SourceImage<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FuVaEo3Nn75bDHmptvinf%252F30.png%3Falt%3Dmedia%26token%3Deb48cb92-aa0f-45f8-ab70-14f6188b4900&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=2d91c3b0&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Moving forward, we&#8217;ll also exclude <code>Explorer.exe<\/code>, considering its versatile nature. It&#8217;s akin to a wildcard, capable of undertaking an array of tasks. 
Identifying any malicious activity within Explorer directly is almost a Herculean task.<\/p>\n\n\n\n<pre class=\"betterdocs-code-snippet-code language-typescript\"><code>index=&quot;main&quot; CallTrace=&quot;*UNKNOWN*&quot; SourceImage!=&quot;*Microsoft.NET*&quot; CallTrace!=*ni.dll* CallTrace!=*clr.dll* CallTrace!=*wow64* SourceImage!=&quot;C:\\\\Windows\\\\Explorer.EXE&quot; | where SourceImage!=TargetImage | stats count by SourceImage<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FXS0D18cPkumLKwgdK1un%252Fbrowser.webp%3Falt%3Dmedia%26token%3De49c42f7-8b01-43cb-a815-a41674d6df32&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=e3ea096e&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>With the steps outlined above, we&#8217;ve now established a reasonably robust alert system for our environment. This alert system is adept at identifying known threats. 
However, it&#8217;s essential that we review the data we excluded, such as the <code>Explorer.exe<\/code> events, to verify its legitimacy.<\/p>\n\n\n\n<pre class=\"betterdocs-code-snippet-code language-typescript\"><code>index=&quot;main&quot; CallTrace=&quot;*UNKNOWN*&quot; SourceImage!=&quot;*Microsoft.NET*&quot; CallTrace!=*ni.dll* CallTrace!=*clr.dll* CallTrace!=*wow64* SourceImage=&quot;C:\\\\Windows\\\\Explorer.EXE&quot; | where SourceImage!=TargetImage | stats count by SourceImage, TargetImage, CallTrace<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FcoVNvaF2ab8VXil55G80%252F31.webp%3Falt%3Dmedia%26token%3De2c7f1fb-2123-48be-9688-6584a847f054&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=67a114e&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Building this alert system was relatively simple due to the limited data and false positives in our current environment. However, in a real-world scenario, the volume of data would be much larger, necessitating more sophisticated methods to detect potential malicious activities. 
It&#8217;s also crucial to consider the effectiveness of the alert\u2014how easily could it be bypassed? For example, a hacker could evade detection by loading a random DLL with &#8220;NI&#8221; appended to its name. Enhancing the alert would require considering such bypass techniques and fortifying against them.<\/p>\n\n\n\n<p>In summary, we&#8217;ve developed skills to analyze large datasets, identify potential threats, explore SIEM systems for valuable data sources, trace attacks, and create effective alerts. While our examples were simplified with a smaller dataset of about 500,000 events, real-world scenarios might involve different scales of data, requiring more advanced techniques. As you progress in cybersecurity, remember the importance of effective search strategies, innovative data analysis, leveraging open-source intelligence, and creating robust alerts that are difficult to bypass.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"practical-exercises\"><a href=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/soc-hackthebox-notes-and-labs\/understanding-log-sources-and-investigating-with-splunk-module\/intrusion-detection-with-splunk-real-world-scenario#practical-exercises\" target=\"_blank\" rel=\"noopener\"><\/a>Practical Exercises<\/h2>\n\n\n\n<p>1) Navigate to http:\/\/[Target IP]:8000, open the &#8220;Search &amp; Reporting&#8221; application, and find through an SPL search against all data the other process that dumped lsass. Enter its name as your answer. 
Answer format: _.exe<\/p>\n\n\n\n<pre class=\"betterdocs-code-snippet-code language-typescript\"><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=10 lsass \n| stats count by SourceImage, TargetImage<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F7dwl0Ev6woFZlJITE0iR%252FScreenshot%2810%29.png%3Falt%3Dmedia%26token%3Dd9baec26-fec9-4aa7-885b-53b082fc089d&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=94ff1d3e&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Answer: rundll32.exe<\/p>\n\n\n\n<p>2) Navigate to http:\/\/[Target IP]:8000, open the &#8220;Search &amp; Reporting&#8221; application, and find through SPL searches against all data the method through which the other process dumped lsass. Enter the misused DLL&#8217;s name as your answer. 
Answer format: _.dll<\/p>\n\n\n\n<pre><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=10 lsass SourceImage=&quot;C:\\\\Windows\\\\System32\\\\rundll32.exe&quot;\n| stats count by SourceImage, TargetImage, CallTrace<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FDcR4H35pZRDhOX9yAH0D%252FScreenshot%2811%29.png%3Falt%3Dmedia%26token%3D203bf3b0-9727-4cf5-9079-f228f397e4f9&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=4897187a&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Grouping by <code>CallTrace<\/code> exposes the modules on the call stack at the moment <code>rundll32.exe<\/code> accessed LSASS, which is where the misused DLL shows up.<\/p>\n\n\n\n<p><code>rundll32.exe<\/code> is a legitimate Windows utility used to load DLLs (Dynamic Link Libraries) and call exported functions from them. However, attackers often misuse <code>rundll32.exe<\/code> to execute malicious code, because code launched through a trusted Windows binary may evade detection.<\/p>\n\n\n\n<p><code>comsvcs.dll<\/code> is a legitimate Windows system DLL that is associated with COM+ services and is part of the Microsoft COM+ application environment. 
One of its lesser-known functions is the <code>MiniDump<\/code> function, which can be used to create memory dumps of processes, including the Local Security Authority Subsystem Service (LSASS).<\/p>\n\n\n\n<p>Answer: comsvcs.dll<\/p>\n\n\n\n<p>3) Navigate to http:\/\/[Target IP]:8000, open the &#8220;Search &amp; Reporting&#8221; application, and find through an SPL search against all data any suspicious loads of clr.dll that could indicate a C# injection\/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format: _.exe<\/p>\n\n\n\n<pre><code>index=&quot;main&quot; EventCode=7 ImageLoaded=&quot;*clr.dll&quot;\n| stats count by Image<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F6rFi09acDaRQSy6IwxtJ%252FScreenshot%2812%29.png%3Falt%3Dmedia%26token%3D5df85f84-ebd1-40cb-87a7-7f057a01c776&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=48fd79f1&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>In a legitimate scenario, <code>clr.dll<\/code> (the .NET Common Language Runtime) would not be loaded by <code>rundll32.exe<\/code>. Seeing this image load in the Sysmon EventCode 7 events is an indicator of process injection: an attacker using a native Windows utility to host and run their own code.<\/p>\n\n\n\n<p>Using <code>rundll32.exe<\/code> to invoke the CLR gives attackers a stealthy way to execute .NET-based payloads, which may not trigger alarms.<\/p>\n\n\n\n<p>Answer: rundll32.exe<\/p>\n\n\n\n<p>4) Navigate to http:\/\/[Target IP]:8000, open the &#8220;Search &amp; Reporting&#8221; application, and find through SPL searches against all data the two IP addresses of the C2 callback server. 
Answer format: 10.0.0.1XX and 10.0.0.XX<\/p>\n\n\n\n<pre><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=3\n| stats count by Image, DestinationIp<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F3moiqxtxMUhlpyzFBobi%252FScreenshot%2813%29.png%3Falt%3Dmedia%26token%3Db354a11f-1016-4d7b-81db-f9cd2b8280b0&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=16334031&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Among the processes making network connections (Sysmon EventCode 3), <code>notepad.exe<\/code> stands out: a text editor has no business initiating outbound connections, so its destination addresses are the C2 candidates.<\/p>\n\n\n\n<pre><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=3 Image=&quot;C:\\\\Windows\\\\system32\\\\notepad.exe&quot;\n| stats values(DestinationIp) as destination_ips<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FLy4zI7sG1at3O0UBGQOR%252FScreenshot%2814%29.png%3Falt%3Dmedia%26token%3Db7e847c9-bb04-42e9-94f1-52b81d289211&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=9a19a522&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Answer: 10.0.0.186 and 10.0.0.91<\/p>\n\n\n\n<p>5) Navigate to http:\/\/[Target IP]:8000, open the &#8220;Search &amp; Reporting&#8221; application, and find through SPL searches against all data the port that one of the two C2 callback server IPs used to connect to one of the compromised machines. 
Enter it as your answer.<\/p>\n\n\n\n<pre><code>index=&quot;main&quot; sourcetype=&quot;WinEventLog:Sysmon&quot; EventCode=3 (SourceIp=&quot;10.0.0.186&quot; OR SourceIp=&quot;10.0.0.91&quot;)\n| stats values(DestinationPort) as destination_ports<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FgsXDl1x6eD8qUdzh7Jt9%252FScreenshot%2815%29.png%3Falt%3Dmedia%26token%3D49eed372-6992-47f4-8265-ed122d763976&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=38d4531d&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Answer: 3389<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction to Intrusion Detection With Splunk The Windows Event Logs &amp; Finding Evil module familiarized us with log exploration on a single machine to pinpoint malicious activity. Now, we&#8217;re stepping up our game. 
We&#8217;ll be conducting similar investigations, but on a much larger scale, across numerous machines to uncover irregular activities within the entire network&#8230;<\/p>\n","protected":false},"author":1,"featured_media":7585,"comment_status":"open","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"doc_category":[35],"doc_tag":[],"class_list":["post-7823","docs","type-docs","status-publish","has-post-thumbnail","hentry","doc_category-virtualbox-installation"],"year_month":"2026-04","word_count":2009,"total_views":0,"reactions":{"happy":0,"normal":0,"sad":0},"author_info":{"name":"admin","author_nicename":"admin","author_url":"https:\/\/scalemedia.co.za\/cybermedia\/author\/admin\/"},"doc_category_info":[{"term_name":"Virtualbox Installation","term_url":"https:\/\/scalemedia.co.za\/cybermedia\/docs-category\/virtualbox-installation\/"}],"doc_tag_info":[],"_links":{"self":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7823","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/comments?post=7823"}],"version-history":[{"count":3,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7823\/revisions"}],"predecessor-version":[{"id":7855,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7823\/revisions\/7855"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/media\/7585"}],"wp:attachment":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\
/wp-json\/wp\/v2\/media?parent=7823"}],"wp:term":[{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/doc_category?post=7823"},{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/doc_tag?post=7823"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}