Incident Response with Splunk 3: Investigating Windows & Powershell Anomalies

TIMESTAMPS
00:00 Intro
05:32 Bringing Tadi on & more greetings
10:26 Whose background looks nicer?
16:18 Thank you!
17:10 Why Splunk? (Depth & Breadth of Knowledge)
19:15 The Challenge
23:13 Orienting ourselves on the data
25:25 Backdoor user investigation
29:07 Registry modification activity
52:35 Investigating the impersonated user
54:05 Remote backdoor activity
58:59 Gemini, Bard & Copilot
01:00:59 Logins from backdoor user
01:30:40 I DIDN'T TRY ZERO
01:32:50 The compromised host
01:33:44 Powershell execution
01:48:50 Encoded PowerShell script
02:04:29 Outro …

amp backdoor challenge data incident incident response investigation knowledge modification nicer powershell registry response splunk timestamps windows