Question

Modify and employ the provided Sysmon Event 22-based Splunk search on all ingested data (All time) to identify all share names whose location was spoofed by 10.10.0.221. Enter the missing share name from the following list as your answer. myshare, myfileshar3, _

index=main EventCode=22 QueryResults=*10.10.0.221*
| table _time, Computer, user, Image, QueryName, QueryResults
