WEEK_4 · DAY_23 · LAB

Lab 23 — Walk a Malware Alert

From Sysmon alert to root cause and IOCs

LAB PROGRESS0/5 steps · 0%

Lab Objectives

›Triage a suspicious PowerShell alert
›Decode base64 and analyze command line
›Pivot to network connections and file writes
›Produce IOCs and a containment recommendation

Lab Instructions

1
Open Splunk ES → Incident Review → N-2042 (Suspicious PowerShell EncodedCommand).
2
Decode the base64 in the SPL.
3
Pivot to Sysmon network connections from same host (EventCode=3).
4
List IOCs (hashes, IPs, domains).
5
Recommend EDR isolation.

SPL for this Lab

Decode and pivot open in Splunk

index=sysmon EventCode=1 Computer=FIN-WS-050
  CommandLine="*-enc*"
| eval encoded = mvindex(split(CommandLine, "-enc "), 1)
| eval decoded = base64decode(encoded)
| table _time User Image decoded

// Decode -EncodedCommand to see what PowerShell actually ran.

← LAB 22

Lab 22 — Author a Use Case

LAB 24 →

Lab 24 — Phishing Investigation