Intrusion Detection With Splunk (Real-world Scenario)

Navigate to http://[Target IP]:8000, open the “Search & Reporting” application, and find through SPL searches against all data the port that one of the two C2 callback server IPs used to connect to one of the compromised machines. Enter it as your answer.

I need some help with that. What I have done is filter the C2 IP and the compromised machine IP together with some rulename, but none of the ports is right.

Maybe you can try a query with SourceIp= set to the server IP addresses.


First, I filtered on the file rundll32.exe and performed a stats count by eventcode. Then, I searched for an eventcode associated with any connection, and event ID 3 was the only one found in the list.
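The approach described in the post above (filter on rundll32.exe, then narrow to Sysmon Event ID 3, the network connection event), written out as one SPL search. This is an added example and not from the original thread; it assumes the data is Sysmon, so the field names SourceIp, DestinationIp, DestinationPort, SourcePort, Initiated and Image are the standard Sysmon Event ID 3 fields, and the two C2 addresses are placeholders to be replaced with the values found in the lab data:

```spl
index=* EventCode=3 Image="*\\rundll32.exe"
    (SourceIp IN ("<C2_IP_1>", "<C2_IP_2>") OR DestinationIp IN ("<C2_IP_1>", "<C2_IP_2>"))
| stats count by Initiated, SourceIp, SourcePort, DestinationIp, DestinationPort, Image
| sort - count
```

Grouping by Initiated and by both port fields matters because Event ID 3 is logged from the endpoint's point of view: when the compromised host calls out, the C2 address appears as DestinationIp and the callback port is DestinationPort; when the C2 server connects inbound, the C2 address is SourceIp and the port of interest is the one on the server side of that row. Checking both directions avoids picking an ephemeral client port by mistake.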

To resolve the issue, ensure that you have correctly configured the filter to find the port used by the C2 callback server to connect to the compromised machine. Verify that you are using the correct search criteria and the correct SPL query syntax. If necessary, double-check the source data and clarify information about the C2 callback server and the compromised machine.

That helped, thanks.