Case Study: Investigating with Splunk
Overview
In this case study, I analyzed Windows + Sysmon logs in Splunk to uncover adversary techniques such as backdoor account creation, registry persistence, process execution, and obfuscated PowerShell activity.
Skills demonstrated:
- Querying logs with index searches & Event IDs
- Identifying backdoor accounts and persistence mechanisms
- Detecting malicious PowerShell and C2 callbacks
- Investigating anomalous user behavior and impersonation
- Decoding Base64-encoded payloads
Key Activities & Findings
1. Total Events in Index
- Queried logs with:
index="main"
- Adjusted time range → All Time
- Found 12,256 total events ingested.
2. Backdoor User Creation
- Event ID 4720 → new user account creation.
- Search:
index="main" EventID=4720
- Found attacker-created account: A1berto
- Substitution trick: "L" replaced with "1" to mimic Alberto.
3. Registry Key Modification
- Event ID 13 → registry modification.
- Refined with username:
index="main" EventID=13 A1berto
- Persistence established at:
HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto
4. Impersonated User
- Analyzed user activity across logs.
- Adversary attempted to impersonate legitimate user: Alberto.
5. Remote Command Execution
- Event ID 1 → process creation events.
- Identified WMIC command used for remote user creation:
"C:\windows\System32\Wbem\WMIC.exe" /node:WORKSTATION6 process call create "net user /add A1berto paw0rd1"
6. Backdoor Logons
- Event ID 3 → network connections.
- Filter:
User="A1berto"
- Result: 0 successful logons by the backdoor account.
7. Infected Host with PowerShell
- Search:
index="main" powershell
- Identified compromised host: James.browne
8. Malicious PowerShell Execution
- Event ID 4103 → PowerShell command logging.
- Found 79 malicious PowerShell execution events.
9. Web Request from Encoded Script
- Extracted encoded Base64 PowerShell payload.
- Decoded to reveal attacker C2 infrastructure:
hxxp[://]10[.]10[.]10[.]5/news[.]php
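As an added example (not code from the original case study), the following Python reproduces two of the manual steps above: flagging a digit-for-letter lookalike account such as A1berto against Alberto (items 2 and 4), and decoding a Base64 -EncodedCommand payload from a PowerShell command line to extract and defang the C2 URL (item 9). The command line and the embedded script are constructed sample data; the URL is the one recovered in the case study.

```python
import base64
import re

# Constructed sample: a PowerShell command line of the kind logged under
# Event ID 4103. PowerShell's -EncodedCommand carries the script as
# Base64 over UTF-16LE, so a plain Base64 decode alone is not enough.
SAMPLE_SCRIPT = "Invoke-WebRequest -Uri 'http://10.10.10.5/news.php'"
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
)


def decode_encoded_command(cmdline):
    """Return the decoded script from an -EncodedCommand argument, or None.

    PowerShell accepts abbreviated switch names (-e, -ec, -enc), so all
    of them are matched case-insensitively.
    """
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16le")


def defang(url):
    """Defang a URL for reporting: http -> hxxp, separators bracketed."""
    url = re.sub(r"^http", "hxxp", url, flags=re.I)
    url = url.replace("://", "[://]")
    return url.replace(".", "[.]")


def extract_c2_urls(cmdline):
    """Decode the encoded command and return any URLs in it, defanged."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return []
    return [defang(u) for u in re.findall(r"""https?://[^\s'"]+""", script)]


def lookalike_of(candidate, legit):
    """True if candidate mimics legit via common digit-for-letter swaps."""
    table = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
    return candidate != legit and candidate.lower().translate(table) == legit.lower()


if __name__ == "__main__":
    print(lookalike_of("A1berto", "Alberto"))   # True
    print(extract_c2_urls(SAMPLE_CMDLINE))       # ['hxxp[://]10[.]10[.]10[.]5/news[.]php']
```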
Conclusion
This case study simulated a real-world intrusion chain, including:
- Persistence (backdoor account + registry key modification)
- Evasion (username masquerading)
- Execution (remote WMIC + PowerShell abuse)
- Command & Control (Base64-obfuscated HTTP request to attacker server)
By correlating Splunk searches, Event IDs, and log fields, I was able to reconstruct the adversary's actions step by step.
This strengthened my skills in:
- SIEM-driven investigations
- Adversary emulation & detection engineering
- Practical log forensics in Windows environments