APT29 Threat Hunting With Splunk Ep.1 InitialCompromise

The document outlines a threat hunting project focused on APT29, detailing the use of Splunk to identify indicators of compromise related to a malicious file execution. Key findings include the initial breach via a fake .scr file, the establishment of a connection to a C2 server at IP 172.31.37.207 on port 1234, and the importance of monitoring unusual file types and command executions. The project emphasizes the need for improved detection rules and user training to prevent such attacks in the future.

Uploaded by amal98.alaskari

SOC project

APT29: Threat Hunting with Splunk


APT29 Threat Hunting with Splunk: Ep.1 – Initial Compromise
1. Focus on the threat intelligence provided to develop good hypotheses for your hunt.
2. Use Splunk search to hunt for indicators of compromise (IOCs) pertaining to APT29 attack techniques.
3. An initial breach is caused by user execution of a malicious file. What is the full path of this file?

To detect files using RTLO (see https://symbl.cc/en/202E/), you need to copy and paste the actual RTLO character (U+202E) directly into the search, between the two wildcards:

index=* EventCode=1 Image="*<paste U+202E here>*"

The file name is: cod.3aka3.scr
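As an added example (not from the original project), the Python below applies the same RTLO check outside Splunk to constructed Sysmon-style process-creation records and shows why the trick works: it computes the file name a user sees next to the one actually stored on disk. The record layout and the position of the RTLO inside the file name are assumptions.

```python
RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character the Splunk search pastes

# Constructed Sysmon EventCode=1 records, not real log data. The path comes
# from the hunt; where the RTLO sits inside the file name is an assumption.
SAMPLE_EVENTS = [
    {"EventCode": 1, "host": "BART-WS011",
     "Image": "C:\\Users\\Administrator.BARTERTOWNGROUP\\Desktop\\"
              + RTLO + "cod.3aka3.scr"},
    {"EventCode": 1, "host": "BART-WS011",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"EventCode": 3, "host": "BART-WS011",
     "Image": "C:\\Windows\\System32\\svchost.exe"},
]


def displayed_name(image: str) -> str:
    """Return the file name as Explorer renders it: everything after a
    RIGHT-TO-LEFT OVERRIDE is drawn reversed, so the stored characters
    'cod.3aka3.scr' show up on screen as 'rcs.3aka3.doc'."""
    name = image.rsplit("\\", 1)[-1]
    if RTLO not in name:
        return name
    head, tail = name.split(RTLO, 1)
    return head + tail[::-1]


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_rtlo_executions(events):
    """Flag process-creation events whose Image contains U+202E and report
    the real extension beside the one the user believed they opened."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 1 or RTLO not in ev.get("Image", ""):
            continue
        real = ev["Image"].rsplit("\\", 1)[-1].replace(RTLO, "")
        shown = displayed_name(ev["Image"])
        hits.append({
            "host": ev["host"],
            "real_name": real,
            "displayed_name": shown,
            "real_ext": extension(real),
            "displayed_ext": extension(shown),
            "mismatch": extension(real) != extension(shown),
        })
    return hits
```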


4. What is the IP address of the C2 server connected back to?

index=* host="BART-WS011" EventCode=3

Image = C:\Users\Administrator.BARTERTOWNGROUP\Desktop\cod.3aka3.scr (this is the malicious file you found earlier)
Time = 04/28/2021 05:16:01 PM (this happened just a few seconds after the file was executed at 05:15:55 PM)
Destination IP = 172.31.37.207 (this is the C2 server the malware connected back to)
Port = 1234 (this is a non-standard port, matching the behavior described in T1571)
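The EventCode 1 to EventCode 3 pairing used above can be automated. The following Python is an added example, not part of the original write-up: it joins constructed Sysmon-style records by ProcessGuid and flags a freshly launched process that connects out on a non-standard port within a short window; the ProcessGuid values, the benign browser events, the user-directory list and the common-port allowlist are assumptions.

```python
from datetime import datetime

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # timestamp form used in the write-up
COMMON_PORTS = {53, 80, 88, 135, 139, 389, 443, 445, 636, 3389}
USER_DIRS = ("\\desktop\\", "\\downloads\\", "\\appdata\\", "\\temp\\")

# Constructed Sysmon EventCode 1/3 records, not real log data. Host, Image,
# times, destination IP and port are the hunt's values; the ProcessGuid
# values and the benign browser events are made up for contrast.
SAMPLE_EVENTS = [
    {"EventCode": 1, "_time": "04/28/2021 05:15:55 PM", "host": "BART-WS011",
     "ProcessGuid": "{guid-1}",
     "Image": "C:\\Users\\Administrator.BARTERTOWNGROUP\\Desktop\\cod.3aka3.scr"},
    {"EventCode": 3, "_time": "04/28/2021 05:16:01 PM", "host": "BART-WS011",
     "ProcessGuid": "{guid-1}", "DestinationIp": "172.31.37.207",
     "DestinationPort": 1234},
    {"EventCode": 1, "_time": "04/28/2021 05:10:00 PM", "host": "BART-WS011",
     "ProcessGuid": "{guid-2}", "Image": "C:\\Program Files\\Browser\\browser.exe"},
    {"EventCode": 3, "_time": "04/28/2021 05:10:02 PM", "host": "BART-WS011",
     "ProcessGuid": "{guid-2}", "DestinationIp": "203.0.113.10",
     "DestinationPort": 443},
]


def correlate_beacons(events, window_s=30, common_ports=COMMON_PORTS):
    """Join each network connection (EventCode 3) to the process creation
    (EventCode 1) sharing its ProcessGuid, and alert when a freshly started
    process reaches out on a non-standard port (T1571) within window_s."""
    starts = {e["ProcessGuid"]: e for e in events if e["EventCode"] == 1}
    alerts = []
    for conn in (e for e in events if e["EventCode"] == 3):
        start = starts.get(conn["ProcessGuid"])
        if start is None:
            continue
        delay = (datetime.strptime(conn["_time"], TIME_FMT)
                 - datetime.strptime(start["_time"], TIME_FMT)).total_seconds()
        if not 0 <= delay <= window_s or conn["DestinationPort"] in common_ports:
            continue
        alerts.append({
            "host": conn["host"],
            "image": start["Image"],
            "from_user_dir": any(d in start["Image"].lower() for d in USER_DIRS),
            "dest": f'{conn["DestinationIp"]}:{conn["DestinationPort"]}',
            "seconds_after_start": delay,
        })
    return alerts
```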
5. What is the uncommonly used destination port associated with this connection?

6. What is the name of the computer compromised in this initial breach?

7. A CMD shell is spawned first after an initial connection is made. What is the 'LogonID' of this event?

8. What is the full filepath of the process run next?
Look for events after 05:16:18 PM.
🎥 Video Presentation Script (Simplified)
1. Introduction to APT29 & Its TTPs (1-2 mins)
APT29, also called Cozy Bear, is a hacker group believed to be linked to the Russian government. They are known for attacking big targets like government offices and healthcare systems.
They use sneaky methods like phishing emails and custom malware.
According to the MITRE ATT&CK framework, APT29 uses TTPs like:
- Spearphishing Attachment (Initial Access)
- Command and Scripting Interpreter (Execution using PowerShell or CMD)
- Data Exfiltration over C2 Channel

2. Threat Hunting Process (3-5 mins)


We used Splunk to look for signs of APT29 on a Windows system.
We started by searching for suspicious processes like:
- Files with a Right-to-Left Override (RTLO) trick (e.g., .scr pretending to be a .pdf)
- Unusual network connections
- Commands run through CMD or PowerShell
Example Splunk Query:
index=* EventCode=1 (Image="*cmd.exe" OR Image="*powershell.exe")
We looked at Sysmon logs, especially:
- EventCode 1: Process creation
- EventCode 3: Network connections
We followed the attack step-by-step using timestamps, user names, file paths, and network IPs.

3. Findings & Analysis (2-4 mins)


From the logs, we saw that the attacker:
- Got in through a fake .scr file
- Launched a CMD shell, then PowerShell
- Connected to a remote IP on port 1234 (C2 server)
This shows APT29's common pattern: stealthy entry, command execution, and network communication.
To stop such attacks, we can:
- Block unusual file types like .scr
- Monitor PowerShell usage
- Use tools like EDR to detect suspicious behavior early

4. Challenges & Lessons Learned (2-4 mins)


The hardest part was finding the exact right logs.
Some events looked normal but were part of the attack.
I learned how to:
- Follow an attacker's steps using logs
- Use Splunk to spot red flags
- Understand real attacker behavior and not just theory
In real life, this helps us detect threats faster and protect critical systems better.

📝 Reflection Report (Simple Outline)


Summary of Key Findings
- APT29 got into the system using a fake file (cod.3aka3.scr)
- They ran CMD and PowerShell
- Connected to a remote server on IP 172.31.37.207, port 1234

Your Thought Process


- I started by looking for strange process names and hidden characters (RTLO)
- Then I checked which commands were run, and which IPs were contacted
- I followed the trail by matching process IDs and timestamps

Lessons Learned
- Threats can hide in plain sight (like .scr files pretending to be something else)
- It's important to understand the attack chain step-by-step
- Tools like Splunk make it easier to hunt threats if we know what to look for

Future Considerations
- Add alerts for suspicious process chains (e.g., .scr → cmd.exe → powershell.exe)
- Use MITRE ATT&CK mapping to set up better detection rules
- Improve user training to avoid opening suspicious files
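One way to build the suspicious-process-chain alert from the first bullet, as an added Python example rather than project code: it walks Sysmon ParentProcessGuid links over constructed records and reports every complete .scr to cmd.exe to powershell.exe lineage while leaving the explorer.exe-rooted one alone. The GUID values and the sample records are assumptions.

```python
# Constructed Sysmon EventCode=1 records, not real log data: the hunt's
# cod.3aka3.scr -> cmd.exe -> powershell.exe chain next to a benign
# explorer.exe -> cmd.exe -> powershell.exe chain. GUIDs are made up.
SAMPLE_PROCESSES = [
    {"ProcessGuid": "{p1}", "ParentProcessGuid": "{p0}",
     "Image": "C:\\Users\\Administrator.BARTERTOWNGROUP\\Desktop\\cod.3aka3.scr"},
    {"ProcessGuid": "{p2}", "ParentProcessGuid": "{p1}",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"ProcessGuid": "{p3}", "ParentProcessGuid": "{p2}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"ProcessGuid": "{p5}", "ParentProcessGuid": "{p4}",
     "Image": "C:\\Windows\\explorer.exe"},
    {"ProcessGuid": "{p6}", "ParentProcessGuid": "{p5}",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"ProcessGuid": "{p7}", "ParentProcessGuid": "{p6}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]

# Ancestor-first chain; each link is a suffix the lower-cased Image must end with.
SCR_TO_POWERSHELL = (".scr", "\\cmd.exe", "\\powershell.exe")


def find_process_chains(events, chain=SCR_TO_POWERSHELL):
    """Starting from every process that matches the last link of `chain`,
    walk ParentProcessGuid upward and keep the lineage only when every
    ancestor matches its link in order. Returns one Image list per match."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    matches = []
    for ev in events:
        if not ev["Image"].lower().endswith(chain[-1]):
            continue
        lineage = [ev["Image"]]
        node = ev
        for wanted in reversed(chain[:-1]):
            node = by_guid.get(node["ParentProcessGuid"])
            if node is None or not node["Image"].lower().endswith(wanted):
                lineage = None
                break
            lineage.insert(0, node["Image"])
        if lineage:
            matches.append(lineage)
    return matches
```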
