Module 4: Skill Assessment

The queries on this page are from the skill assessment practical exercises. I consolidated them here the same way as the main module notes, so they are easier to reference later.

Back to the main module notes: Module 4: Understanding Log Sources & Investigating with Splunk

Assessment Navigation

Key Takeaway

Walkthrough

Related

Key Takeaway

Splunk skill assessments are less about memorizing SPL syntax and more about asking the next right question. Remote thread creation pointed at the injector, parent-child pivots built a shortlist, and counting distinct EventCodes showed which child process actually kept working after the spawn.

That same pattern from the main module still applied here: start with a targeted Sysmon event, pivot on the process you care about, and use breadth of activity to separate the real infection from one-shot child processes.

Assessment Notes

The skill assessment boiled down to two questions: which process created remote threads in rundll32.exe, and which process actually started the infection.

Tracking a Process Injection Through Splunk

This was the scenario where the pivot workflow from the main notes actually had to earn its keep.

The walkthrough

I started where the injection would show up: EventCode 8, CreateRemoteThread, with rundll32.exe as the target. That came back straight away. randomfile.exe, running out of a user’s Downloads folder, was the thing creating threads inside rundll32. First question answered.

For the infection origin I pivoted onto randomfile.exe itself, both what it spawned and what spawned it. Its own parent turned out to be the Windows file explorer, so the user had just double-clicked it. Below it sat three children: rundll32.exe, cmd.exe, and WerFault.exe. At this point any of the three could’ve been the answer.

To settle it, I asked a simpler question of each one: how much did it actually do? Counting distinct EventCodes per process, rundll32.exe lit up across eight different event types (network connections, DLL loads, file creates, registry writes, named pipes, deletes). cmd.exe and WerFault.exe showed a single EventCode each. They ran once and exited. rundll32 was the one that stuck around and carried out the whole attack, so that’s the infection process.

The searches

Same story as above, but with the exact SPL I used at each pivot.

Finding what injected into rundll32

index=* EventCode=8 TargetImage="*\\rundll32.exe"
| stats count by ComputerName, SourceImage, TargetImage, User
| sort - count

Pivoting on the injector to see the whole tree

index=* Image="*\\randomfile.exe" OR ParentImage="*\\randomfile.exe"
| stats count by EventCode, Image, ParentImage, CommandLine

Settling which child is the real infection

index=* (Image="*\\rundll32.exe" OR SourceImage="*\\rundll32.exe" OR ParentImage="*\\rundll32.exe")
| stats dc(EventCode) as unique_events, values(EventCode) as EventCodes by Image
| sort - unique_events

References

[HTB Academy] Certified Defensive Security Analyst (CDSA) - Module 4: Understanding Log Sources & Investigating with Splunk Skill Assessment. https://academy.hackthebox.com/

[spl-threat-hunting-library] Splunk SPL threat-hunting queries from CDSA Module 4. https://github.com/kismatkunwar89/spl-threat-hunting-library