Overview

This exercise focused on detecting signs of targeted APT activity, .NET malware, and common adversary TTPs using Splunk. The hunt follows a hypothesis-driven approach, beginning with broad environmental reconnaissance and narrowing down through IOC-based and behavioral queries, ultimately mapping all findings to the Cyber Kill Chain.


Task 1: Initial Threat Hunt Using TTPs and IOCs

Objective: Conduct a threat hunt using TTPs and IOCs from the threat intelligence report, focusing on unauthorized access, initial compromise, exploits, and anomalous behavior.

Techniques: Log analysis, network traffic analysis, authentication review, exploit detection, anomalous behavior identification.

Methodology

  1. Reviewed the environment using generic queries to understand the available indexes, sourcetypes, and telemetry coverage
  2. Queried traffic across all indexes for unusual authentication behavior, delivery methods, common framework ports, DNS queries, web traffic, and command execution
  3. Discovered unusual internal SMB traffic on port 445 in the Zeek index, flagged by abnormal connection history flags
  4. Reviewed the Zeek conn.log documentation for the history field and cross-referenced the observed flags with known SMB exploits
  5. Identified behavior consistent with exploitation of CVE-2022-26809 (Windows RPC runtime RCE, reachable over SMB on TCP 445 via named pipes)

References:

  • Corelight blog on CVE-2022-26809
  • Zeek documentation: conn.log (conn.html) and smb.log (smb.html)

Finding: Suspicious SMB Session

Host 192.168.10.107 (WS-0001) established a connection with 192.168.10.200 (DC01) over port 445 that persisted for nearly an hour. In Zeek's conn.log the service field lists every analyzer that matched the session, so "smb,gssapi,krb" is one SMB session carrying Kerberos/GSSAPI authentication, not three separate connections.

index=zeek id.orig_h="192.168.10.107" service="smb,gssapi,krb"
| stats count by _time id.orig_h id.orig_p orig_ip_bytes orig_pkts id.resp_h id.resp_p resp_ip_bytes resp_pkts service conn_state history
| sort +_time
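To make the history-flag reasoning concrete, the following Python is an added example (not part of the original hunt or of Zeek): it decodes conn.log history strings and applies the long-session and retransmission checks to a constructed sample that mirrors the WS-0001 to DC01 session. The Conn dataclass, the 1800-second threshold and the sample records are assumptions made for illustration.

```python
"""Added example (not from the original hunt): decode Zeek conn.log history
flags and flag long-lived or anomalous SMB sessions.

Field names follow the Zeek conn.log schema; the sample connections below
are constructed to mirror the finding (WS-0001 -> DC01 over 445)."""
from dataclasses import dataclass

# Zeek conn.log history letters (per the Zeek conn.log documentation).
# Upper case = sent by the originator, lower case = sent by the responder.
HISTORY_FLAGS = {
    "s": "SYN without ACK",
    "h": "SYN+ACK (handshake)",
    "a": "pure ACK",
    "d": "packet with payload",
    "f": "FIN",
    "r": "RST",
    "c": "packet with bad checksum",
    "g": "content gap (packets missed by the sensor)",
    "t": "retransmitted payload",
    "w": "zero window advertisement",
    "i": "inconsistent packet (e.g. FIN+RST)",
    "q": "multi-flag packet (SYN+FIN or SYN+RST)",
    "^": "connection direction flipped by Zeek's heuristic",
}


def decode_history(history: str) -> list[str]:
    """Expand a history string such as 'ShADadf' into one event per letter."""
    events = []
    for ch in history:
        if ch == "^":
            events.append(HISTORY_FLAGS[ch])
        elif ch.lower() in HISTORY_FLAGS:
            who = "responder" if ch.islower() else "originator"
            events.append(f"{who}: {HISTORY_FLAGS[ch.lower()]}")
        else:
            events.append(f"unknown flag {ch!r}")
    return events


@dataclass
class Conn:
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    service: str
    duration: float  # seconds, as in conn.log
    history: str
    conn_state: str


def anomalies(conn: Conn, long_session_s: float = 1800.0) -> list[str]:
    """Return the reasons a connection deserves a closer look (empty if none)."""
    reasons = []
    if conn.resp_p == 445 and conn.duration >= long_session_s:
        reasons.append(f"SMB session held open for {conn.duration / 60:.0f} min")
    # Zeek repeats the c/g/t/w/i/q letters each time that event's count
    # reaches a new power of ten, so a doubled T/t means 10+ retransmissions.
    if conn.history.count("T") >= 2 or conn.history.count("t") >= 2:
        reasons.append("10+ retransmissions in one direction (T/t repeated)")
    if "^" in conn.history:
        reasons.append("direction flipped: verify which host really initiated")
    if "g" in conn.history.lower():
        reasons.append("content gap: SMB parsing of this session may be incomplete")
    for ch in "iq":
        if ch in conn.history.lower():
            reasons.append(f"{HISTORY_FLAGS[ch]}: possible scanner or crafted packets")
    return reasons


def find_suspicious_smb(conns: list[Conn]) -> list[tuple[str, str, list[str]]]:
    """Filter to SMB (445) sessions that trip at least one anomaly."""
    out = []
    for c in conns:
        if c.resp_p != 445:
            continue
        reasons = anomalies(c)
        if reasons:
            out.append((c.orig_h, c.resp_h, reasons))
    return out


# Constructed sample: one long, still-open session with repeated
# retransmissions (the pattern behind the finding) and one ordinary short
# SMB exchange that closed normally.
SAMPLE_CONNS = [
    Conn("192.168.10.107", 49711, "192.168.10.200", 445,
         "smb,gssapi,krb", 3412.5, "ShADadTtTt", "S1"),
    Conn("192.168.10.107", 49712, "192.168.10.200", 445,
         "smb,gssapi,krb", 2.1, "ShADadFf", "SF"),
]

if __name__ == "__main__":
    for orig, resp, reasons in find_suspicious_smb(SAMPLE_CONNS):
        print(f"{orig} -> {resp}")
        for r in reasons:
            print("  -", r)
```

Exporting the Splunk result set as CSV and mapping its columns onto Conn gives the same checks over real data; the threshold is the one knob to tune against normal SMB session lengths in the environment.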

Task 2: Investigate Unusual SMB Traffic

Objective: Investigate the suspicious SMB traffic and map users to hostnames.

Findings

  • Unusual SMB File_Open actions were observed between the two hosts, targeting sensitive policy directories
  • Raw log review in the winsysmon index revealed that user marry was logged into the origin host 192.168.10.107 (WS-0001)

index=zeek source="/nsm/zeek/logs/current/smb*" "192.168.10.107" action="SMB*"
| sort +_time
| table _time source id.orig_h id.orig_p action name path id.resp_h id.resp_p service conn_state history

Task 3: User Authentication Baseline

Objective: Identify the origin user’s authentication behavior and establish historical trends.

Finding

A timechart visualization revealed that the user marry had no reported authentications prior to 2020-03-31. This raises concern for either:

  • Unauthorized user account creation
  • Compromise of a dormant/unused account
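As an added example, not from the original hunt, the Python below implements the baseline check behind this finding and also separates the two explanations: it computes the first successful logon (Event ID 4624) per user and, for users with no logon before the hunt window, looks for a preceding account-creation event (Event ID 4720). The event shape (time, EventCode, user), the 7-day creation window and the sample events are constructed assumptions.

```python
"""Added example (not from the original hunt): a first-seen authentication
baseline that separates "account did not exist before" from "dormant
account suddenly active".

Inputs are constructed Windows Security events reduced to three fields:
time, EventCode and user. 4624 = successful logon, 4720 = account created.
Real events exported from Splunk would be mapped onto the same shape."""
from datetime import datetime, timedelta

LOGON = 4624
ACCOUNT_CREATED = 4720


def first_seen(events: list[dict]) -> dict[str, datetime]:
    """Earliest successful logon per user across the whole lookback."""
    seen: dict[str, datetime] = {}
    for e in events:
        if e["EventCode"] != LOGON:
            continue
        u = e["user"].lower()
        if u not in seen or e["time"] < seen[u]:
            seen[u] = e["time"]
    return seen


def classify_new_logons(events: list[dict], hunt_start: datetime,
                        creation_window: timedelta = timedelta(days=7)) -> dict[str, str]:
    """Users whose first logon falls at or after hunt_start, labelled by
    whether a 4720 creation event precedes that logon within creation_window."""
    created_at = {e["user"].lower(): e["time"]
                  for e in events if e["EventCode"] == ACCOUNT_CREATED}
    result = {}
    for user, first in first_seen(events).items():
        if first < hunt_start:
            continue  # has a baseline before the window: ordinary account
        created = created_at.get(user)
        if created is not None and timedelta(0) <= first - created <= creation_window:
            result[user] = (f"new account created {created:%Y-%m-%d}, "
                            f"first logon {first:%Y-%m-%d}")
        else:
            result[user] = ("no prior logon history and no creation event: "
                            f"dormant or pre-staged account, first logon {first:%Y-%m-%d}")
    return result


def _ev(ts: str, code: int, user: str) -> dict:
    return {"time": datetime.fromisoformat(ts), "EventCode": code, "user": user}


# Constructed sample: alice has months of history, bob was created and then
# logged in, marry appears on 2020-03-31 with no history and no 4720.
SAMPLE_EVENTS = [
    _ev("2020-01-06T08:02:00", LOGON, "alice"),
    _ev("2020-02-10T08:05:00", LOGON, "alice"),
    _ev("2020-03-27T14:00:00", ACCOUNT_CREATED, "bob"),
    _ev("2020-03-28T09:00:00", LOGON, "bob"),
    _ev("2020-03-31T11:23:00", LOGON, "marry"),
    _ev("2020-04-01T07:50:00", LOGON, "marry"),
]

HUNT_START = datetime(2020, 3, 25)

if __name__ == "__main__":
    for user, verdict in classify_new_logons(SAMPLE_EVENTS, HUNT_START).items():
        print(f"{user}: {verdict}")
```

The absence of a 4720 is only meaningful if the domain controllers' Security logs are in the index for the whole lookback; a gap in collection produces the same "no history" signal as a genuinely new account, so confirm coverage before drawing the conclusion.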

Task 4: IOC-Based Hunt for Threat Actor Techniques

Objective: Query for known threat actor IOCs across the environment.

Finding: Cobalt Strike Stager Execution

A malicious Cobalt Strike stager file, CV.vbs, was identified by matching a known threat actor IOC hash.

Type   Value                              Description
MD5    FD31D71EDA87C3251F2BA5B4BECC0DD0   CV.vbs - Cobalt Strike stager

The raw-text search below is case-insensitive, so the lower-case hash values match the upper-case hashes Sysmon writes to its Hashes field:
index=winsysmon "291a17814d5dbb5bce5b186334cde4b1"
  OR "80b022b39d91527f6ae5b4834d7c8173"
  OR "fd31d71eda87c3251f2ba5b4becc0dd0"
  OR "c517f48bf95a4f3ecba2046d12e62c88"
  OR "5972597b729a7d2853a3b37444e58e01"
  OR "e0ca85c0d264b84d977df0c48fd383cc"

Expanded Finding: Stager Delivery and Persistence

  • CV.vbs was downloaded using Microsoft Edge Browser
  • Execution of the .vbs file created a scheduled task named Microsoft Teams Updater
  • The scheduled task was configured to execute C:\users\public\svchost.exe daily at 10:00 AM

Note: Placing svchost.exe in C:\users\public\ is a classic adversary technique – the legitimate svchost.exe resides in C:\Windows\System32\ (and C:\Windows\SysWOW64\). Running a copy from a user-writable directory is masquerading by location (ATT&CK T1036.005, Match Legitimate Name or Location), and the task name "Microsoft Teams Updater" masquerades in the same way.

index=winsysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
  ("*.vbe" OR "*.doc" OR "*.vbs")
| table _time Computer ParentProcessId action signature file_name file_path SHA256 MD5 ParentImage
| sort +_time

Task 5: Expanded Command Line Analysis

Objective: Conduct a broader hunt using wildcard queries on command-line history for WS-0001.

index=winsysmon "WS-0001*" AND "*cmd.exe"
| stats count by _time ParentImage user ParentProcessId cmdline signature ParentCommandLine MD5 Computer action
| sort +_time

Note: The threat actor’s activity deviated from a linear Cyber Kill Chain progression, with stages overlapping and recurring out of order. This is common in real-world intrusions.


Cyber Kill Chain Mapping

The following timeline maps all discovered activity to the Cyber Kill Chain framework.

1. Reconnaissance

User marry executed basic host discovery commands (ATT&CK T1016 System Network Configuration Discovery and T1033 System Owner/User Discovery):

ipconfig
whoami

2. Weaponization

Firewall manipulation to enable remote access (in ATT&CK terms this is defense evasion, T1562.004 Disable or Modify System Firewall, rather than weaponization):

netsh advfirewall firewall delete rule name=all
netsh advfirewall firewall add rule name="AutoKMS" dir=in action=allow enable=yes program="AutoKMS.exe" remoteport=1688

  • All existing firewall rules were deleted
  • A new inbound rule named AutoKMS was created allowing connections from remote port 1688; TCP 1688 is the port used by Windows KMS activation, so both the rule name and the port are chosen to blend in with legitimate activation traffic
  • An attempted write to the SAM database was observed from 10.3.0.1:1688, consistent with the remoteport the rule allows
  • All firewall rules were deleted again after the operation, removing the evidence from the rule set

index=winsysmon "*cmd.exe*" AND "*AutoKMS.exe*"
| table _time user Computer ParentImage ParentCommandLine CommandLine

3. Delivery

Task Scheduler was leveraged for payload delivery. The Schedule service host spawned an Office binary (parent > child, as recorded in Sysmon):

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  > "C:\Program Files\Microsoft Office\Office15\msoia.exe" scan upload

Check: msoia.exe scan upload is also the command line of Office's own OfficeTelemetryAgent scheduled task, so confirm the binary's hash and Authenticode signature before treating this chain as malicious on its own.

4. Exploitation

Multiple exploitation techniques were observed:

  • Splunk Forwarder Agent modification – commands to alter the forwarder configuration and forward Active Directory logs to an attacker-controlled destination
  • Group Policy modification – modified GptTmpl.inf using Secedit; the GUID below is the Default Domain Policy, which is linked at the domain root and therefore applies to every domain-joined machine:

[domain].prod\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

  • Accessed Registry.pol for additional Group Policy tampering

5. Installation

Multiple persistence and enumeration mechanisms were deployed:

  • Scheduled tasks using dsregcmd.exe for potential Azure AD join operations
  • Privilege escalation via runas.exe to execute mmc.exe with elevated permissions
  • Batch script execution through WmiPrvSE.exe running updater.bat
  • Active Directory enumeration using SharpHound:
C:\Windows\system32\cmd.exe /C SharpHound.exe -c All

Note: SharpHound with -c All collects all AD data including group memberships, sessions, ACLs, trusts, and more. This is a strong indicator of BloodHound-based attack path mapping.

6. Command & Control

Encoded PowerShell for Credential Harvesting

Multiple encoded PowerShell commands were executed searching for password strings in files (cat is a PowerShell alias for Get-Content and does not exist in cmd.exe, so at least the second command ran inside PowerShell):

findstr /s /i /m "pass"
cat \\[domain]\sysvol\[domain].prod\script\server-logonsetup.txt

Detection query for encoded PowerShell execution. powershell.exe accepts -e, -ec, -en and -enc as abbreviations of -EncodedCommand, so the search matches each of them; the eval first rewrites -Encoding (as in Out-File -Encoding UTF8) so that the -enc* wildcard does not fire on it:

index=* EventCode=1
| eval cmdline=replace(cmdline, "-[Ee][Nn][Cc][Oo][Dd][Ii][Nn][Gg]", "__encoding")
| search Image="*\\powershell.exe"
  (cmdline="* -enc*" OR cmdline="* -en *" OR cmdline="* -e *" OR cmdline="* -ec *")
| table _time Computer User ParentImage ParentCommandLine CommandLine

C2 Beaconing and Lateral Movement

  • svchost.exe running from the non-standard path C:\users\public\ executed a ping to srv-azure-sync01 as a C2 connectivity check
  • Meterpreter-style communication was observed on port 5985 (WinRM)
  • Encoded PowerShell commands downloaded additional payloads from localhost staging ports (http://127.0.0.1:45246/ and :47056/)
  • PowerShell script block logging captured activity during connections with srv-azure-sync01
index=zeek (id.resp_p="5985" OR id.orig_p="5985")
| stats count by _time id.orig_h id.orig_p orig_ip_bytes orig_pkts id.resp_h id.resp_p resp_ip_bytes resp_pkts
| sort +_time
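The query above lists 5985 sessions but does not say which are regular. The Python below, an added example not from the original hunt, groups conn.log records by source/destination pair and scores the regularity of connection start times with the coefficient of variation of the inter-arrival gaps; a low value on a port such as 5985 is the shape a beacon leaves. The timestamps, the 0.2 threshold and the minimum of five connections are assumptions.

```python
"""Added example (not from the original hunt): score WinRM (5985) sessions
for beacon-like regularity using the coefficient of variation (CV) of the
gaps between connection start times.

Records mirror Zeek conn.log field names; timestamps are constructed and
the thresholds are assumptions to tune per environment."""
from collections import defaultdict
from statistics import mean, pstdev


def beacon_score(starts: list) -> dict:
    """Interval statistics for one source/destination pair (epoch seconds)."""
    s = sorted(starts)
    gaps = [b - a for a, b in zip(s, s[1:])]
    if len(gaps) < 2:
        return {"count": len(s), "mean": None, "cv": None}
    m = mean(gaps)
    # CV = stdev / mean: 0 means perfectly periodic, >1 means bursty/random.
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return {"count": len(s), "mean": m, "cv": cv}


def find_beacons(conns: list, port: int = 5985, min_count: int = 5, max_cv: float = 0.2):
    """Source/destination pairs on `port` with enough connections and a low CV."""
    groups = defaultdict(list)
    for c in conns:
        if c["id.resp_p"] == port:
            groups[(c["id.orig_h"], c["id.resp_h"])].append(c["ts"])
    hits = []
    for key, starts in groups.items():
        sc = beacon_score(starts)
        if sc["count"] >= min_count and sc["cv"] is not None and sc["cv"] <= max_cv:
            hits.append((key, sc))
    return hits


def _conns(orig: str, resp: str, port: int, gaps: list, t0: float = 1585650000.0) -> list:
    """Constructed conn.log-like records: first at t0, then one per gap."""
    ts, out = t0, []
    for g in [0.0] + list(gaps):
        ts += g
        out.append({"ts": ts, "id.orig_h": orig, "id.resp_h": resp, "id.resp_p": port})
    return out


# Constructed sample: a ~60 s beacon with small jitter from WS-0001 to the
# sync server, an irregular admin WinRM session, and SMB traffic on another
# port that the port filter must ignore.
SAMPLE_CONNS = (
    _conns("192.168.10.107", "192.168.10.108", 5985, [60, 61, 59, 60, 62, 60, 58, 60])
    + _conns("192.168.10.100", "192.168.10.200", 5985, [5, 400, 12, 90, 3])
    + _conns("192.168.10.107", "192.168.10.200", 445, [60, 60, 60, 60, 60])
)

if __name__ == "__main__":
    for (orig, resp), sc in find_beacons(SAMPLE_CONNS):
        print(f"{orig} -> {resp}: {sc['count']} conns, mean gap {sc['mean']:.1f}s, CV {sc['cv']:.3f}")
```

Cobalt Strike-style sleep jitter widens the CV, so the threshold should be set from the jitter range you expect to catch rather than from a single clean run; legitimate schedulers (monitoring, sync jobs) are the main false positives and are best handled by an allow-list of known pairs.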

Indicators of Compromise

Compromised / Suspicious User Accounts

Account              Context
marry                Origin user on WS-0001; no authentication history prior to the incident
ADSync               Azure AD synchronization service account
Administrator        Domain admin activity observed
MSOL_d4c7770e5597    Microsoft Online (Azure AD Connect) connector account
SRV-AZURE-SYNC0$     Machine account for the Azure sync server

Network IOCs

Type          Value               Description
Internal IP   192.168.10.100      User VM
Internal IP   192.168.10.107      WS-0001 (compromised workstation)
Internal IP   192.168.10.108      SRV-AZURE-SYNC0 (Azure sync server)
Internal IP   192.168.10.200      DC01 (Domain Controller)
Internal IP   192.168.10.220      DNS server
External IP   100.10.168[.]192    Suspicious external IP (note: the octets are 192.168.10.100 reversed; confirm the field was not parsed in reverse before treating this as a real external contact)
Multicast     239.255.255[.]250   SSDP multicast group seen in traffic; not an external host
Multicast     224.0.0[.]253       Link-local multicast (224.0.0.0/24) seen in traffic; not an external host

File IOCs

Type       Value                              Description
MD5        FD31D71EDA87C3251F2BA5B4BECC0DD0   CV.vbs - Cobalt Strike stager
Filename   CV.vbs                             Initial stager delivered via browser
Filename   svchost.exe                        Masqueraded binary in C:\users\public\
Filename   updater.bat                        Batch script executed via WmiPrvSE
Filename   SharpHound.exe                     AD enumeration tool
Filename   AutoKMS.exe                        Program named in the attacker's firewall rule

Key Takeaways

  1. Baseline authentication data matters – the lack of prior authentication history for user marry was a critical early indicator of account compromise or unauthorized creation.
  2. Zeek connection history flags are valuable for identifying anomalous SMB sessions that may indicate exploitation or lateral movement.
  3. Process path validation is essential – legitimate Windows binaries like svchost.exe should never run from C:\users\public\.
  4. Encoded PowerShell detection requires regex-based normalization of command-line arguments to catch obfuscation variations.
  5. Adversaries rarely follow the Kill Chain linearly – stages overlap and repeat, so hunting should not assume a sequential progression.
  6. Scheduled task persistence under familiar names like "Microsoft Teams Updater" is masquerading (T1036): the name is chosen to survive a manual review of the task list, so triage should key on the task's action path and signer rather than its name.