Navigate to http://[Target IP]:8000, open the “Search & Reporting” application, and find through SPL searches against all data the port that one of the two C2 callback server IPs used to connect to one of the compromised machines. Enter it as your answer.
I need some help with that. What I have done is filter the C2 IP and the compromised machine IP with some rule names, but none of the ports is right.
Maybe you can try a query with SourceIp= set to the server IP addresses.
First, I took the file rundll32.exe and performed a stats count by eventcode. Then, I searched for an eventcode associated with any connection, and the event ID 3 was the only one found in the list.
To resolve the issue, ensure that you have correctly configured the filter to find the port used by the C2 callback server to connect to the compromised machine. Verify that you are using the correct search criteria and the correct SPL query syntax. If necessary, double-check the source data and clarify information about the C2 callback server and the compromised machine.
To get answers to the last two questions I first went through the Windows Log and Finding Evil module and this splunk log module and summarized all the different ways one can query for network connections. That helped me a lot.
Then I used the command below (given in the module) as a start.
index="main" sourcetype="WinEventLog:Sysmon" EventCode=3 | stats count by _time, Image
From there I added source IPs and destination IPs (when you look at the events, it tells you the field names for source and destination IPs). You can also add source and destination ports.
From the module you know that notepad.exe is malicious; also from previous questions you know that there is one more malicious executable. But you do not need that to answer the last two questions. Add notepad.exe to the query and you get the two C2 IPs. Now that you have the C2 IPs, set them as the source IP and the query result gives you the destination IP for one of the two C2 IPs.
Hope this helps.
Once you have the destination IP given one of the C2 IPs as the source IP, then look at the alert and it gives you the destination port.
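The two-step pivot described in the replies above (find the C2 IPs from the malicious image's outbound Sysmon Event ID 3 connections, then use those IPs as SourceIp to get the destination IP and port), as an added example in Python that is not part of the thread or the module. The Sysmon records, IPs and ports below are constructed; only the field names (EventCode, Image, SourceIp, DestinationIp, DestinationPort) are the ones Splunk extracts from Sysmon.

```python
import re
from collections import Counter

# Constructed sample of Sysmon events in key=value form; all addresses, ports
# and images are made up and only serve to show the pivot. Each line is one event.
SAMPLE_EVENTS = r"""
EventCode=3 Image=C:\Windows\System32\notepad.exe SourceIp=10.0.0.5 SourcePort=49152 DestinationIp=203.0.113.10 DestinationPort=443
EventCode=3 Image=C:\Windows\System32\notepad.exe SourceIp=10.0.0.5 SourcePort=49153 DestinationIp=198.51.100.7 DestinationPort=8443
EventCode=3 Image=C:\Windows\System32\svchost.exe SourceIp=10.0.0.5 SourcePort=49154 DestinationIp=192.0.2.20 DestinationPort=80
EventCode=3 Image=C:\Windows\System32\svchost.exe SourceIp=203.0.113.10 SourcePort=51515 DestinationIp=10.0.0.9 DestinationPort=4444
EventCode=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe
"""

def parse_events(text):
    """Turn each non-empty line into a dict of field=value pairs."""
    return [dict(re.findall(r"(\w+)=(\S+)", line))
            for line in text.splitlines() if line.strip()]

def network_connections(events):
    """Equivalent of the search filter EventCode=3 (Sysmon network connection)."""
    return [e for e in events if e.get("EventCode") == "3"]

def stats_count_by(events, *fields):
    """Equivalent of `| stats count by f1, f2, ...`: a count per field tuple."""
    return Counter(tuple(e.get(f, "") for f in fields) for e in events)

def c2_ips_for_image(events, image_name):
    """Step 1: destinations the malicious image connected out to (the C2 IPs)."""
    conns = [e for e in network_connections(events)
             if e.get("Image", "").lower().endswith(image_name.lower())]
    return sorted({e["DestinationIp"] for e in conns})

def callbacks_from(events, c2_ips):
    """Step 2: connections where a C2 IP is the SourceIp, counted by
    SourceIp, DestinationIp, DestinationPort (the port is the answer sought)."""
    conns = [e for e in network_connections(events) if e.get("SourceIp") in c2_ips]
    return stats_count_by(conns, "SourceIp", "DestinationIp", "DestinationPort")

def c2_callback_ports(text, image_name):
    """Run both steps over raw text and return the destination ports found."""
    events = parse_events(text)
    table = callbacks_from(events, c2_ips_for_image(events, image_name))
    return sorted({port for (_, _, port) in table})

if __name__ == "__main__":
    for key, count in callbacks_from(parse_events(SAMPLE_EVENTS),
                                     c2_ips_for_image(parse_events(SAMPLE_EVENTS), "notepad.exe")).items():
        print(key, count)
```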