Intrusion Detection With Splunk (Real-world Scenario)

Hey everyone! I have been stuck in this question for hours.

Navigate to http://[Target IP]:8000, open the “Search & Reporting” application, and find through an SPL search against all data any suspicious loads of clr.dll that could indicate a C# injection/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format: _.exe

I am confused because I have applied clr.dll as my filter and could not find any C# code. Please give me a baseline on how to get the exe file involved. Any leads would be greatly appreciated. Thanks!

1 Like

I am stuck here as well. I believe I have located the process that used c# I think but can’t figure out the answer.

We just have to follow the step to find if some C# code was used, after this we could easilly find a program which call to other subprocess to perform it’s injection.

To find this, focus on the “first” program with a specific name view all events related, find the Target Image and you will find it ! =)

Still stuck here

Also stuck on this one, this is my search query right now:

clr.dll
| stats count by TargetImage

There was more to it before I tried to broaden it, but none of the results give the correct answer. Any help would be brilliant.