WEEK_4 · DAY_23 · 1 HOUR
Malware Investigation
From Sysmon alert to root cause and IOCs
Learning Objectives
- Triage a suspicious PowerShell alert
- Decode base64 and analyze the command line
- Pivot to network connections and file writes
- Produce IOCs and a containment recommendation
Module 1 — Investigation Workflow
1) Read the notable.
2) Validate (is it real?).
3) Scope (how many hosts/users?).
4) Pivot to other data sources.
5) Build the timeline.
6) Produce IOCs.
7) Recommend containment.
Module 2 — Power Pivots
Sysmon EventCode=1 (process) → 3 (network) → 11 (file) — same Computer, near _time.
Decode base64, hex, gzip via | eval … base64decode().
Module 3 — Output Artifacts
Timeline · IOC list (hashes, IPs, domains) · ATT&CK mapping · containment recommendation · detection improvement.
SPL Queries
Decode and pivot
index=sysmon EventCode=1 Computer=FIN-WS-050 CommandLine="*-enc*"
| rex field=CommandLine "(?i)-(?:e|ec|enc|encodedcommand)\s+(?<encoded>[A-Za-z0-9+/=]+)"
| eval decoded = base64decode(encoded)
| table _time User Image decoded
// Decode -EncodedCommand to see what PowerShell actually ran. The rex matches -e, -ec, -enc and -EncodedCommand in any case and stops at the end of the base64 token; split(CommandLine, "-enc ") is case-sensitive and would also swallow any arguments that follow the token.
// base64decode() is not a core eval function; it comes from a decoding add-on, so confirm it is installed. The payload is base64 of UTF-16LE text, so a decoder that treats it as plain text shows NUL bytes between characters.
Lab 23 — Walk a Malware Alert
- Open Splunk ES → Incident Review → N-2042 (Suspicious PowerShell EncodedCommand).
- Decode the base64 in the SPL.
- Pivot to Sysmon network connections from the same host (EventCode=3).
- List IOCs (hashes, IPs, domains).
- Recommend EDR isolation.
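Modules 1 to 3 and the lab reduce to one pipeline: decode the -EncodedCommand, pivot EventCode 1 → 3 → 11 on the same Computer near _time, and emit a timeline plus IOC list. The Python below is an added example, not part of the course or its Splunk content; the event dicts, host FIN-WS-051, IPs, domain, file path and hash are constructed stand-ins, and decode_layers, investigate and IOC_FIELDS are hypothetical helper names. It goes one step beyond the SPL on the page by handling the UTF-16LE encoding and a gzip-compressed inner layer.

```python
import base64, gzip, re
from datetime import datetime, timedelta

# -e / -ec / -enc / -encodedcommand in any case, then the base64 token (split("-enc ") in SPL misses these).
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
B64_RE = re.compile(r"FromBase64String\(['\"]([A-Za-z0-9+/=]+)['\"]\)", re.I)  # inner base64 fed to a GzipStream
WINDOW = timedelta(minutes=5)  # "near _time": how long after the process start we pivot
IOC_FIELDS = {3: ("DestinationIp", "DestinationHostname"), 11: ("TargetFilename",)}  # Sysmon fields that become IOCs

def decode_layers(cmdline: str) -> list:
    """Peel the layers: the -enc payload is base64 of UTF-16LE text; a gzip+base64 inner script may follow."""
    m = ENC_RE.search(cmdline)
    if not m:
        return []
    layers = [base64.b64decode(m.group(1)).decode("utf-16-le")]  # not UTF-8: that would leave NULs between chars
    inner = B64_RE.search(layers[0])
    if inner and "gzipstream" in layers[0].lower():
        layers.append(gzip.decompress(base64.b64decode(inner.group(1))).decode())
    return layers

def investigate(events: list, computer: str) -> dict:
    """Workflow steps 4-6: decode the process event, pivot 1 -> 3 -> 11 on the same host, list IOCs."""
    procs = [e for e in events if e["Computer"] == computer and e["EventCode"] == 1 and ENC_RE.search(e["CommandLine"])]
    if not procs:
        return {}
    p, layers = procs[0], decode_layers(procs[0]["CommandLine"])
    iocs, timeline = {p["Hashes"]}, [(p["_time"], 1, layers[-1])]  # innermost layer is what actually ran
    for e in sorted(events, key=lambda e: e["_time"]):
        if e["Computer"] != computer or not p["_time"] <= e["_time"] <= p["_time"] + WINDOW:
            continue  # other host or outside the window: not part of this pivot
        vals = [e[f] for f in IOC_FIELDS.get(e["EventCode"], ()) if e.get(f)]
        iocs.update(vals)
        if vals:
            timeline.append((e["_time"], e["EventCode"], vals[0]))
    return {"layers": layers, "timeline": timeline, "iocs": sorted(iocs)}

def sample_events() -> list:
    """Constructed Sysmon-style events for the lab host, not real telemetry; the inner script is benign."""
    gz_b64 = base64.b64encode(gzip.compress(b"Write-Host 'constructed inner script'")).decode()
    outer = ("$g=New-Object IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String('"
             + gz_b64 + "'),[IO.Compression.CompressionMode]::Decompress)")
    enc = base64.b64encode(outer.encode("utf-16-le")).decode()
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    ev = lambda code, host, secs, **f: {"EventCode": code, "Computer": host, "_time": t0 + timedelta(seconds=secs), **f}
    return [
        ev(1, "FIN-WS-050", 0, CommandLine="powershell.exe -NoP -W Hidden -EnC " + enc, Hashes="SHA256=PLACEHOLDER_HASH"),
        ev(3, "FIN-WS-050", 12, DestinationIp="203.0.113.10", DestinationHostname="cdn.example.net"),
        ev(11, "FIN-WS-050", 40, TargetFilename=r"C:\Users\Public\stage2.dll"),
        ev(3, "FIN-WS-051", 5, DestinationIp="198.51.100.7", DestinationHostname=""),  # other host: must be excluded
    ]
```

Run investigate(sample_events(), "FIN-WS-050") to get the decoded layers, the ordered timeline and the IOC list the lab asks for; the FIN-WS-051 connection is dropped because the pivot is scoped to the alerting host.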
Key Takeaways
- ✓ Always decode the encoded command
- ✓ Pivot from process → network → file
- ✓ Output IOCs + ATT&CK + containment, every time