Threat hunting in Splunk turned out to be much more than learning search queries during this investigation. What started as a simple exercise in log analysis quickly evolved into a full SOC investigation involving phishing, malware delivery, persistence, command and control infrastructure, ransomware activity, threat intelligence enrichment, and MITRE ATT&CK mapping.
I recently completed the Splunk 2 room on TryHackMe. Although the room estimated a completion time of 45 minutes, the investigation took me nearly four hours across two days. Looking back, I am glad it did.
The extra time was not spent learning Splunk commands. It was spent learning how to think like a SOC analyst.
Rather than searching for answers directly, I had to follow evidence, pivot between artifacts, investigate logs, validate findings using external intelligence sources, and gradually reconstruct the attacker’s actions.
This article documents the entire investigation from the perspective of a security analyst responding to a potential compromise.
Initial Objective
The investigation centered around identifying the activities of a fictional adversary known as the Taedonggang APT.
The primary objectives included:
- Investigating suspicious user activity
- Tracking phishing campaigns
- Identifying malicious attachments
- Analyzing malware execution
- Discovering persistence mechanisms
- Investigating command and control infrastructure
- Mapping attacker behavior to MITRE ATT&CK
The primary tool used throughout the investigation was Splunk.
Phase 1: Investigating User Activity
One of the first tasks involved investigating Amber Turing's activity.
Instead of receiving direct indicators, I had to identify:
- Amber's workstation IP address
- Websites she visited
- Email communications
- Competitor interactions
Using Splunk threat hunting techniques, I pivoted from user activity logs into HTTP traffic.
After narrowing events using source types and examining the available fields, I discovered that Amber had visited www.berkbeer.com.
Further analysis revealed the file /images/cxxxerk.png, an image containing executive contact information.
From there, I followed email communications and identified:
- Mxxtin Berk
- mberk@berxxxxer.com
- Additional employee contacts
- File attachments
- Amber's personal email usage
This was the first point where the investigation felt less like a lab and more like a real SOC investigation.
Phase 2: Detecting Web Attacks
The next stage focused on identifying web attacks against Brewertalk.
Using log analysis techniques, I investigated 45.xx.65.x11, the IP address performing suspicious activity against the target.
By pivoting into the URI path field, I identified /mexxer.php.
Further examination of the form data exposed abuse of the SQL function updatexml, which demonstrated an attempted SQL injection attack against the application.
One lesson I learned here was the importance of examining available fields rather than manually reviewing thousands of events.
The answer was not hidden inside the raw logs.
It was hidden inside the metadata.
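As an added example (not code from the room or from the original post), here is a small detector in the spirit of this phase: it walks HTTP form submissions field by field, URL-decodes each value repeatedly so double-encoded payloads do not slip past, and flags calls to the error-based SQL injection functions updatexml and extractvalue, then counts hits per source IP the way the pivot in the room did. The events, the IP 203.0.113.5 and the paths /login.php, /search.php and /post.php are constructed sample data, not the room's values.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample HTTP events shaped like the form-data field of a web stream log.
# The source IPs and URI paths are placeholders, not values from the room.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.5", "uri_path": "/login.php",
     "form_data": "username=admin&password=x%27%20and%20updatexml(1,concat(0x7e,version()),1)--%20"},
    {"src_ip": "10.0.2.15", "uri_path": "/login.php",
     "form_data": "username=kevin&password=Summer2017%21"},
    # Double URL-encoded: %2575 -> %75 -> 'u'; a single decode would miss it.
    {"src_ip": "203.0.113.5", "uri_path": "/search.php",
     "form_data": "q=%2575pdatexml%281%2Cconcat%280x7e%2Cuser%28%29%29%2C1%29"},
    # Benign mention of the function name without a call: must not be flagged.
    {"src_ip": "10.0.2.31", "uri_path": "/post.php",
     "form_data": "body=updatexml+is+a+MySQL+XML+function"},
]

# Error-based injection functions; a call requires an opening parenthesis after the name.
SQLI_PATTERN = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, so nested encoding is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_sqli(events):
    """Return (src_ip, uri_path, field, function) for each form field carrying an injection call."""
    hits = []
    for ev in events:
        # parse_qs splits on '&' and performs one round of URL decoding per value.
        for field, values in parse_qs(ev["form_data"], keep_blank_values=True).items():
            for raw in values:
                match = SQLI_PATTERN.search(decode_fully(raw))
                if match:
                    hits.append((ev["src_ip"], ev["uri_path"], field, match.group(1).lower()))
    return hits


def hits_by_source(hits):
    """Count flagged submissions per source IP, most active first."""
    counts = {}
    for src_ip, *_ in hits:
        counts[src_ip] = counts.get(src_ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])
```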
Phase 3: Investigating an XSS Attack
Another objective involved tracking an XSS attack targeting a user named Kevin.
Initially, I expected to spend time searching for script tags and payloads.
Instead, I focused on HTTP activity and available cookie fields.
This approach quickly revealed 1502408189, the stolen session cookie value.
Further investigation uncovered a malicious account created using a homograph attack:
kIagerfield
The uppercase "I" was intentionally used to resemble a lowercase "l".
This demonstrated how attackers can abuse visual similarities to create deceptive accounts.
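One defensive check for the account trick above, added here as an example and not taken from the room or the original post: every username is reduced to a "skeleton" in which look-alike characters coincide (capital I and lowercase l, digit 0 and letter o, "rn" and "m", fullwidth letters and their ASCII forms), and a new account whose skeleton collides with an existing, differently spelled account is reported. The legitimate account "klagerfield" is assumed as the one "kIagerfield" imitates; the other names and the confusables table are constructed for this example.

```python
import unicodedata

# Look-alikes that depend on letter case (uppercase I vs lowercase l is the one abused here).
CASE_SENSITIVE_CONFUSABLES = str.maketrans({"I": "l", "|": "l"})
# Look-alikes applied after lowercasing.
SINGLE_CHAR_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "$": "s", "@": "a"})
# Character pairs that read as one letter in many fonts.
PAIR_CONFUSABLES = (("rn", "m"), ("vv", "w"))


def skeleton(username: str) -> str:
    """Collapse a username to a canonical form in which look-alike characters coincide."""
    # Fold compatibility forms (fullwidth letters, ligatures) and drop accents.
    text = unicodedata.normalize("NFKD", username)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    # Map case-dependent look-alikes before lowercasing, otherwise 'I' would become 'i'.
    text = text.translate(CASE_SENSITIVE_CONFUSABLES).lower()
    text = text.translate(SINGLE_CHAR_CONFUSABLES)
    for pair, single in PAIR_CONFUSABLES:
        text = text.replace(pair, single)
    return text


def find_lookalikes(candidate: str, known_users):
    """Known usernames that differ from candidate but share its skeleton."""
    target = skeleton(candidate)
    return [u for u in known_users if u != candidate and skeleton(u) == target]


def audit_new_accounts(new_accounts, known_users):
    """Map each newly created account to the existing accounts it imitates, if any."""
    report = {}
    for account in new_accounts:
        matches = find_lookalikes(account, known_users)
        if matches:
            report[account] = matches
    return report


# Constructed sample data. 'klagerfield' is assumed to be the legitimate account that
# 'kIagerfield' (capital I) imitates; the other names are placeholders.
KNOWN_USERS = ["klagerfield", "kevin", "amber.turing", "mkraeusen"]
NEW_ACCOUNTS = ["kIagerfield", "rnkraeusen", "\uff4bevin", "dave"]  # \uff4b is fullwidth 'k'
```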
Phase 4: Malware Delivery Through Removable Media
One of the most interesting investigations involved Mallory's MacBook.
I identified encrypted files including:
- Frothly_marketing_xxxxxxxx_Q317.xxxxx.crypt
- GoT.SxxE02
The investigation then shifted toward malware delivery.
By pivoting around USB events and performing time correlation analysis, I identified a removable device linked to:
Alcor Micro Corp.
Following the timeline further revealed a suspicious file:
Important_HR_INFO_for_mkraeusen
At first, the file appeared harmless.
However, additional events contained:
- MD5 hash
- SHA1 hash
- SHA256 hash
These indicators became the foundation for the next stage of the investigation.
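The time correlation step described above, as an added example that is not part of the original post or the room: each file event is matched to the most recent USB connection on the same host within a 30-minute window, so a file that appears shortly after a device is plugged in can be tied to that device's vendor and serial. The host names, serial numbers, timestamps and the SanDisk decoy device are constructed; only the vendor string Alcor Micro Corp. and the file name come from the investigation.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on USB device logs and endpoint file logs.
# Host names, serials and timestamps are placeholders.
USB_EVENTS = [
    {"ts": "2017-08-03T13:00:00", "host": "mallory-macbook", "vendor": "SanDisk Corp.", "serial": "SN-0001"},
    {"ts": "2017-08-03T15:02:11", "host": "mallory-macbook", "vendor": "Alcor Micro Corp.", "serial": "SN-0002"},
    {"ts": "2017-08-03T15:03:00", "host": "amber-workstation", "vendor": "Alcor Micro Corp.", "serial": "SN-0003"},
]
FILE_EVENTS = [
    {"ts": "2017-08-03T15:05:40", "host": "mallory-macbook",
     "path": "/Users/mallory/Downloads/Important_HR_INFO_for_mkraeusen"},
    {"ts": "2017-08-03T15:06:10", "host": "kevin-laptop", "path": "/Users/kevin/Documents/notes.txt"},
    {"ts": "2017-08-04T09:10:00", "host": "mallory-macbook", "path": "/Users/mallory/Desktop/report.docx"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def correlate_usb_to_files(usb_events, file_events, window=timedelta(minutes=30)):
    """For each file event, find the latest USB connection on the same host within `window`
    before the file appeared. Returns one record per correlated file with the device details
    and the lag in seconds; files with no preceding device on their host are skipped."""
    results = []
    for f in sorted(file_events, key=lambda e: _parse(e["ts"])):
        file_time = _parse(f["ts"])
        candidates = [
            u for u in usb_events
            if u["host"] == f["host"] and timedelta(0) <= file_time - _parse(u["ts"]) <= window
        ]
        if not candidates:
            continue  # no device inserted on that host shortly before the file appeared
        device = max(candidates, key=lambda u: _parse(u["ts"]))  # most recent insertion wins
        results.append({
            "file": f["path"], "host": f["host"], "vendor": device["vendor"],
            "serial": device["serial"],
            "lag_seconds": int((file_time - _parse(device["ts"])).total_seconds()),
        })
    return results
```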
Phase 5: Threat Intelligence Enrichment
Using the malware hash, I pivoted into VirusTotal.
This proved to be one of the most valuable parts of the investigation.
The analysis revealed:
Malware language: Perl
First seen: 2017-01-17
Malware Family Indicators
The sample displayed characteristics associated with:
- FruitFly
- Backdoor behavior
- Command and control communications
This stage reinforced the importance of combining log analysis with external threat intelligence.
Splunk showed me the artifact.
Threat intelligence explained what the artifact actually was.
Phase 6: Command and Control Infrastructure
Continuing the investigation, I examined the malware's network communications.
The malware contacted two dynamic DNS domains:
- eidk.duckdns.org
- eidk.hopto.org
These domains represented command and control infrastructure used by the attacker.
This phase highlighted how attackers often rely on dynamic DNS providers to maintain resilient infrastructure.
Phase 7: Phishing and PowerShell Empire
The final phase focused on the Taedonggang APT campaign.
Through Splunk threat hunting, I identified:
Malicious attachment: invoice.zip
Archive password: 912345678
SSL issuer: C = US
Further analysis connected the campaign to PowerShell Empire activity.
Metadata embedded within the malicious document identified:
Ryan Kovar
The document itself referenced:
CyberEastEgg
Finally, persistence analysis revealed scheduled tasks repeatedly beaconing to process.php.
This completed the attack chain from initial access through persistence.
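As an added example (not from the room or the original post), here is the timing check a hunter can use to surface scheduled-task beaconing like the process.php traffic above: requests are grouped by source, destination and path, and a group is flagged when it has enough hits and its inter-arrival gaps are nearly constant (low coefficient of variation), which is how a task on a fixed schedule looks next to bursty human browsing. The internal hosts 10.0.2.15 and 10.0.2.22, the timestamps and the gap patterns are constructed; the destinations and the /process.php path are the ones identified in the investigation.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev


def beacon_candidates(events, min_hits=5, max_cv=0.1):
    """Group HTTP events by (src, dest, uri_path) and flag groups whose inter-arrival times are
    nearly constant. A scheduled task fires on a fixed interval, so its gaps cluster tightly
    (low coefficient of variation); human browsing is bursty and fails the test."""
    groups = {}
    for e in events:
        key = (e["src"], e["dest"], e["uri_path"])
        groups.setdefault(key, []).append(datetime.fromisoformat(e["ts"]))
    findings = []
    for (src, dest, uri), times in groups.items():
        if len(times) < min_hits:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dest": dest, "uri_path": uri, "hits": len(times),
                             "period_seconds": round(avg), "cv": round(cv, 3)})
    return findings


# Constructed sample traffic. The internal hosts are placeholders; the destination hosts and
# the /process.php path are the ones identified in the investigation.
_BASE = datetime(2017, 8, 3, 9, 0, 0)


def _make_events(src, dest, uri, gaps):
    """Build a request series starting at _BASE with the given gaps (seconds) between requests."""
    t, out = _BASE, []
    for gap in [0] + list(gaps):
        t += timedelta(seconds=gap)
        out.append({"ts": t.isoformat(), "src": src, "dest": dest, "uri_path": uri})
    return out


SAMPLE_EVENTS = (
    _make_events("10.0.2.15", "eidk.duckdns.org", "/process.php", [300, 302, 299, 301, 300, 298, 303])
    + _make_events("10.0.2.15", "www.berkbeer.com", "/index.html", [5, 120, 3, 900, 40, 2])
    + _make_events("10.0.2.22", "eidk.hopto.org", "/process.php", [300])
)
```

Lowering min_hits to 2 would also flag the eidk.hopto.org pair, which shows why the hit threshold matters: two requests always look "periodic".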
Challenges Faced During the Investigation
The biggest challenge was not writing SPL queries.
The challenge was understanding what evidence to investigate next.
Several moments required trial and error:
- Finding Amber's workstation IP
- Identifying the SQL injection path
- Locating malware hashes
- Understanding USB vendor IDs
- Discovering command and control domains
Many answers were ultimately found by examining fields rather than searching raw logs.
This was one of the most important lessons from the room.

MITRE ATT&CK Techniques Observed
Throughout the investigation, several ATT&CK techniques were identified:
Initial Access
- Spearphishing Attachment
Execution
- PowerShell
- Command and Scripting Interpreter
Persistence
- Scheduled Tasks
Discovery
- System Information Discovery
Collection
- Data Staged
Exfiltration
- Exfiltration Over Alternative Protocol
Command and Control
- Application Layer Protocol
- Encrypted Channel

SOC Analyst Incident Report
Executive Summary
The investigation identified a coordinated intrusion campaign associated with the Taedonggang APT. The threat actor used spearphishing attachments, PowerShell Empire, scheduled task persistence, and dynamic DNS infrastructure to establish and maintain access within the environment.
Key Findings
- Malicious attachment: invoice.zip
- Password-protected archive used for delivery
- PowerShell Empire execution observed
- Dynamic DNS infrastructure identified
- Scheduled task persistence detected
- Malware written partially in Perl
- Evidence of command and control communications
- Ransomware activity observed on victim systems
Indicators of Compromise
Domains
- eidk.duckdns.org
- eidk.hopto.org
Files
- invoice.zip
- Important_HR_INFO_for_mkraeusen
- winsys32.dll
Persistence
- process.php
Recommended Actions
- Block identified C2 domains.
- Remove malicious scheduled tasks.
- Isolate infected endpoints.
- Reset affected user credentials.
- Review email filtering controls.
- Conduct organization-wide IOC sweep.
- Enhance monitoring for PowerShell Empire indicators.
Final Thoughts
This Splunk threat hunting investigation taught me far more than SPL syntax.
It taught me how to conduct a SOC investigation by following evidence from one artifact to another.
The room combined log analysis, malware analysis, threat intelligence, phishing investigations, persistence hunting, and command-and-control tracking into a single realistic incident.
Most importantly, it reinforced a lesson that applies to every analyst:
The goal is not to memorize queries.
The goal is to ask the right questions and follow the evidence wherever it leads.