APT29 Threat Hunting With Splunk Ep.1 InitialCompromise
Image = C:\Users\Administrator.BARTERTOWNGROUP\Desktop\cod.3aka3.scr (the malicious file found earlier)
Time = 04/28/2021 05:16:01 PM (just a few seconds after the file was executed at 05:15:55 PM)
Destination IP = 172.31.37.207 (the C2 server the malware connected back to)
Port = 1234 (a non-standard port, matching the behaviour described in T1571)
5. What is the uncommonly used destination port associated with this connection?
Answer: 1234, the destination port shown in the connection event above.
Lessons Learned
Threats can hide in plain sight (like .scr files pretending to be something else)
It’s important to understand the attack chain step-by-step
Tools like Splunk make it easier to hunt threats if we know what to look for
Future Considerations
Add alerts for suspicious process chains (e.g., .scr → cmd.exe → powershell.exe)
Use MITRE ATT&CK mapping to set up better detection rules
Improve user training to avoid opening suspicious files
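The two detections suggested above, the .scr → cmd.exe → powershell.exe process chain and the uncommon destination port from the connection evidence (T1571), as an added worked example that is not part of the original writeup. The events are constructed Sysmon-style records: the image path, C2 IP and port are the writeup's values, while the PIDs, the benign rows and the baseline port list are assumptions.

```python
"""Two hunt checks built from the writeup's findings: a .scr -> cmd.exe -> powershell.exe
process chain, and an outbound connection on an uncommonly used port (ATT&CK T1571)."""
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network connect).
# Image path, C2 IP and port come from the writeup; PIDs and the benign rows are made up.
SCR = r"C:\Users\Administrator.BARTERTOWNGROUP\Desktop\cod.3aka3.scr"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 1000, "image": SCR},
    {"id": 1, "pid": 4200, "ppid": 4120, "image": CMD},
    {"id": 1, "pid": 4300, "ppid": 4200, "image": PS},
    {"id": 3, "pid": 4120, "image": SCR, "dest_ip": "172.31.37.207", "dest_port": 1234},
    {"id": 1, "pid": 5000, "ppid": 1000, "image": CMD},   # benign admin shell (constructed)
    {"id": 1, "pid": 5100, "ppid": 5000, "image": PS},
    {"id": 3, "pid": 5100, "image": PS, "dest_ip": "10.0.0.5", "dest_port": 443},
]

# Assumed baseline of ports considered "common" for this environment; tune per network.
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 445, 3389}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_scr_chains(events: List[dict]) -> List[Tuple[int, int, int]]:
    """Return (scr_pid, cmd_pid, powershell_pid) for every .scr -> cmd.exe -> powershell.exe chain.
    Assumes PIDs are not reused inside the searched window; key on ProcessGuid with real Sysmon data."""
    procs: Dict[int, dict] = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for ps in procs.values():
        if basename(ps["image"]) != "powershell.exe":
            continue
        cmd = procs.get(ps["ppid"])
        if cmd is None or basename(cmd["image"]) != "cmd.exe":
            continue
        scr = procs.get(cmd["ppid"])
        if scr is not None and basename(scr["image"]).endswith(".scr"):
            hits.append((scr["pid"], cmd["pid"], ps["pid"]))
    return hits


def find_uncommon_ports(events: List[dict], common=COMMON_PORTS) -> List[Tuple[str, str, int]]:
    """Return (image, dest_ip, dest_port) for network events whose port is outside the baseline."""
    return [(e["image"], e["dest_ip"], e["dest_port"])
            for e in events if e["id"] == 3 and e["dest_port"] not in common]


if __name__ == "__main__":
    print("process chains:", find_scr_chains(EVENTS))
    print("uncommon ports:", find_uncommon_ports(EVENTS))
```

The benign cmd.exe → powershell.exe pair is deliberately included so the chain check only fires when the grandparent is a .scr, which is what keeps an alert like this from paging on every admin shell.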