Navigate to http://[Target IP]:8000, open the “Search & Reporting” application, and find through SPL searches against all data the process that created remote threads in rundll32.exe. Answer format: _.exe
Navigate to http://[Target IP]:8000, open the “Search & Reporting” application, and find through SPL searches against all data the process that started the infection. Answer format: _.exe
I have completed the first question but have been struggling with the second one for days:
My thought process:
We are starting off from some unknown .exe and end at (the answer to the 1st skills assessment question), which is responsible for creating a RemoteCodeThread in rundll32.exe.
My thought process was to find all the event IDs related to rundll32.exe and the process answer for the 1st question.
I am not sure if I am even on the right track. Any help would be appreciated!
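The following SPL is an added example of the general pivot described above (remote-thread event, then parent chain), not part of the original post and not the assessment's answer. It assumes Sysmon data is indexed with the sourcetype `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational` and that Splunk has extracted the standard Sysmon field names (EventCode, SourceImage, SourceProcessGuid, TargetImage, ProcessGuid, ParentImage, ParentProcessGuid); `index=*` and the GUID placeholder are assumptions to replace with your own values.

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=8 TargetImage="*\\rundll32.exe"
| stats count min(_time) AS first_seen values(StartFunction) AS start_function BY SourceImage SourceProcessGuid Computer
| sort - count

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    [ search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=8 TargetImage="*\\rundll32.exe"
      | rename SourceProcessGuid AS ProcessGuid
      | fields ProcessGuid ]
| table _time Computer Image CommandLine ParentImage ParentCommandLine ParentProcessGuid

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ProcessGuid="{PARENT-GUID-FROM-PREVIOUS-STEP}"
| table _time Computer Image CommandLine ParentImage ParentCommandLine ParentProcessGuid
```

The first search lists every image that created a remote thread in rundll32.exe (Sysmon Event ID 8) together with its process GUID. The second search uses a subsearch to turn that GUID into the matching process-creation event (Event ID 1), whose ParentImage and ParentProcessGuid name the next process up the chain. The third search is the step you repeat, substituting the ParentProcessGuid from the previous result each time, until the parent is a normal system process such as explorer.exe or a service host; the last non-system image in that chain is the candidate for the process that started the infection. Keying on ProcessGuid rather than ProcessId avoids confusion when PIDs are reused, and restricting each step to EventCode=1 keeps the pivot cheap even against all data.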