Module 4: Skill Assessment
The queries on this page are from the skill assessment practical exercises. I consolidated them here the same way as the main module notes, so they are easier to reference later.
Back to the main module notes: Module 4: Understanding Log Sources & Investigating with Splunk
Assessment Navigation
Key Takeaway
Walkthrough
Related
Key Takeaway
Splunk skill assessments are less about memorizing SPL syntax and more about asking the next right question. Remote thread creation pointed at the injector, parent-child pivots built a shortlist, and counting distinct EventCodes showed which child process actually kept working after the spawn.
That same pattern from the main module still applied here: start with a targeted Sysmon event, pivot on the process you care about, and use breadth of activity to separate the real infection from one-shot child processes.
Assessment Notes
The skill assessment boiled down to two questions: which process created remote threads in rundll32.exe, and which process actually started the infection.
Tracking a Process Injection Through Splunk
This was the scenario where the pivot workflow from the main notes actually had to earn its keep.
The walkthrough
I started where the injection would show up: EventCode 8, CreateRemoteThread, with rundll32.exe as the target. That came back straight away. randomfile.exe, running out of a user’s Downloads folder, was the thing creating threads inside rundll32. First question answered.
For the infection origin I pivoted onto randomfile.exe itself, both what it spawned and what spawned it. Its own parent turned out to be the Windows file explorer, so the user had just double-clicked it. Below it sat three children: rundll32.exe, cmd.exe, and WerFault.exe. At this point any of the three could’ve been the answer.
To settle it, I asked a simpler question of each one: how much did it actually do? Counting distinct EventCodes per process, rundll32.exe lit up across eight different event types (network connections, DLL loads, file creates, registry writes, named pipes, deletes). cmd.exe and WerFault.exe showed a single EventCode each. They ran once and exited. rundll32 was the one that stuck around and carried out the whole attack, so that’s the infection process.
The searches
Same story as above, but with the exact SPL I used at each pivot.
Finding what injected into rundll32
-
The Pivot: Start at EventCode 8 with
rundll32.exeas the injection target. -
The Query:
index=* EventCode=8 TargetImage="*\\rundll32.exe"
| stats count by ComputerName, SourceImage, TargetImage, User
| sort - count
- The Discovery:
SourceImageis your injector. Clean and direct. EventCode 8 only fires when one process creates a thread in another, so there’s not much noise to wade through.
Pivoting on the injector to see the whole tree
-
The Pivot: From
randomfile.exe, pull both parent and child process activity to map the execution tree. -
The Query:
index=* Image="*\\randomfile.exe" OR ParentImage="*\\randomfile.exe"
| stats count by EventCode, Image, ParentImage, CommandLine
- The Discovery: This shows both directions at once: what launched randomfile, and everything it launched in turn. The catch is that it surfaces several plausible-looking children, so it gets you a shortlist, not the answer.
Settling which child is the real infection
-
The Pivot: Compare child processes by how many distinct EventCodes each one generated after spawn.
-
The Query:
index=* (Image="*\\rundll32.exe" OR SourceImage="*\\rundll32.exe" OR ParentImage="*\\rundll32.exe")
| stats dc(EventCode) as unique_events, values(EventCode) as EventCodes by Image
| sort - unique_events
- The Discovery: The infection process is the one with breadth. A high distinct EventCode count means it kept working after it spawned. Anything showing just EventCode 1 fired once and died, which rules out the innocent bystanders like the error reporter and the shell wrapper.
References
[HTB Academy] Certified Defensive Security Analyst (CDSA) - Module 4: Understanding Log Sources & Investigating with Splunk Skill Assessment. https://academy.hackthebox.com/
[spl-threat-hunting-library] Splunk SPL threat-hunting queries from CDSA Module 4. https://github.com/kismatkunwar89/spl-threat-hunting-library