Inside a Live Ransomware War Room: How We Dissected Blacksun Using Splunk in Front of Thousands

Listen to this Post

Featured Image

Introduction:

In a high-stakes, public demonstration, cybersecurity experts conducted a real-time investigation of the Blacksun ransomware attack using Splunk, a leading Security Information and Event Management (SIEM) platform. This session peeled back the curtain on the Digital Forensics and Incident Response (DFIR) process, showcasing the analytical pivots and log-driven detective work required to reconstruct an adversary’s attack path from initial compromise to data encryption.

Learning Objectives:

  • Understand the step-by-step methodology for investigating a ransomware incident using a SIEM.
  • Learn key Splunk Search Processing Language (SPL) commands to hunt for malicious activity.
  • Reconstruct an attacker’s timeline and identify critical security failures to prevent future breaches.

You Should Know:

1. Setting Up Your Forensic Environment with Splunk

Before hunting, you need the right tools. Splunk is a powerhouse for aggregating and searching machine data. For this lab, a simulated environment with ingested Windows Event Logs, Sysmon data, and firewall logs is essential.
Step‑by‑step guide explaining what this does and how to use it.
Download & Install Splunk: Get the free version from Splunk.com. Install on a Linux VM or Windows machine. The default port is 8000.
Ingest Sample Data: The investigation relies on pre-collected logs mimicking a compromised network. Use the `Splunk Add Data` function to upload sample log files (e.g., security_events.csv, sysmon.log).
Linux CLI for data import: `sudo /opt/splunk/bin/splunk add monitor /path/to/logfile.log`
Install Critical Apps: Install the `Splunk Common Information Model (CIM)` and `Splunk Threat Intelligence` apps for normalized data and IOC matching.

2. The Initial Foothold: Identifying the First Alert

Every investigation starts with a trigger—often an AV alert or a suspicious outbound connection. In Splunk, we search for anomalies.
Step‑by‑step guide explaining what this does and how to use it.
Search for Outbound Beaconing: Attackers often call home. A key SPL query looks for regular, suspicious external connections.

index=windows_events (dest_ip=10.10.10.50 OR dest_ip=192.168.1.100) | stats count by src_ip, dest_ip, dest_port | where count > 100

Correlate with Process Creation: Link the network event to a process. Use Sysmon Event ID 1 (Process creation).

index=sysmon EventID=1 CommandLine="powershell" OR CommandLine="cmd.exe" | table _time, host, User, CommandLine, ParentCommandLine

This helps find suspicious `cmd.exe` spawned by a benign parent like outlook.exe.

3. Lateral Movement and Privilege Escalation

Attackers move sideways and escalate privileges. We hunt for Pass-the-Hash, suspicious service creation, and registry modifications.
Step‑by‑step guide explaining what this does and how to use it.
Detect Pass-the-Hash (PtH): Look for multiple systems being accessed by the same user in a short time.

index=wineventlog EventCode=4624 LogonType=3 | stats dc(ComputerName) as SystemsAccessed by AccountName | where SystemsAccessed > 5

Find Malicious Service Installation: Attackers create services for persistence.

index=sysmon EventID=1 ParentImage="services.exe" Image=".exe" | table _time, host, Image, CommandLine

Windows Command for Service Enumeration (Post-Exploitation):

sc query state= all | find "SERVICE_NAME"

4. Data Exfiltration and C2 Communication

Before deploying ransomware, attackers often steal data. We look for large, unusual data transfers.
Step‑by‑step guide explaining what this does and how to use it.

Identify Large HTTP/FTP Uploads:

index=proxy action=allowed bytes_out>100000000 | stats sum(bytes_out) by src_ip, dest_ip, url

Detect DNS Tunneling: Anomalously long DNS queries or high volume from a single host.

index=dns query="" | eval query_len=len(query) | stats avg(query_len) as avg_len count by src_ip | where avg_len > 50 AND count > 1000

5. The Ransomware Detonation: File Encryption Activity

The final stage involves mass file modification. We search for indicators of ransomware execution.
Step‑by‑step guide explaining what this does and how to use it.

Mass File Renames/Deletions (Sysmon Event ID 11/23):

index=sysmon (EventID=11 OR EventID=23) TargetFilename=".encrypted" OR TargetFilename=".locked" | stats count by host, Image, TargetFilename

Volume Shadow Copy Deletion: Ransomware often disables backups via vssadmin.

index=sysmon EventID=1 CommandLine="vssadmin delete shadows" OR CommandLine="wbadmin delete catalog"

Windows Command to Check Shadow Copies (Forensic Recovery):

vssadmin list shadows

6. Building the Attack Timeline

A timeline turns isolated events into a narrative. Splunk’s `transaction` or `streamstats` commands are used.
Step‑by‑step guide explaining what this does and how to use it.
Correlate Events by Host and User: Create a master timeline of critical events for the compromised host.

index= (host=COMPROMISED_HOST) (EventID=1 OR EventID=3 OR EventID=4624 OR EventID=4688) | sort _time | table _time, host, EventID, AccountName, SourceAddress, CommandLine, DestinationPort

Visualize with Splunk’s Timeline Visualization to graphically represent the flow of the attack.

7. Mitigation and Hardening Steps Post-Investigation

The investigation reveals gaps. Key mitigations include:

Step‑by‑step guide explaining what this does and how to use it.
Implement Application Allowlisting: Use Windows AppLocker or similar.

PowerShell to create a simple AppLocker policy:

New-AppLockerPolicy -RuleType Publisher, Path -User Everyone -Execute -Xml > AppLocker_Policy.xml

Enable and Enhance Logging: Ensure Sysmon is deployed with a robust configuration (like SwiftOnSecurity’s config) and that all critical Windows events (4688 for process creation) are forwarded to the SIEM.
Segment the Network: Limit lateral movement by implementing micro-segmentation rules on internal firewalls.

What Undercode Say:

  • The Attacker’s Timeline is Your Blueprint: The most powerful outcome of a DFIR investigation is not just eradication, but the detailed reconstruction of the attack chain. This timeline is a direct map to your security control failures—whether in missing EDR alerts, poor network segmentation, or insufficient logging.
  • Splunk is a Force Multiplier, Not a Silver Bullet: The platform’s value is unlocked by the analyst’s hypothesis-driven hunting. The session demonstrated that knowing what to search for (like `vssadmin` deletions or `LogonType=3` anomalies) is more critical than the tool itself. Mastery of SPL and attacker TTPs is non-negotiable.

The live dissection underscores a shift in defensive training: moving from abstract theory to pressured, log-based problem-solving. This mirrors real-world SOC environments where context switching and rapid pivot are daily routines. The value of public, raw investigations demystifies DFIR and raises the collective skill floor of the community.

Prediction:

Ransomware attacks will continue to evolve in speed and automation, but the core investigative methodology of log aggregation, hypothesis testing, and timeline reconstruction will remain the defender’s bedrock. Future attacks will leverage AI to mimic normal behavior and exploit identity systems, making SIEM searches more complex. However, the principles showcased—deep knowledge of log sources, understanding the MITRE ATT&CK framework, and systematic correlation—will be even more critical. Defenders must invest in continuous, hands-on, scenario-based training to keep pace, transforming their SIEM from a mere alert dashboard into an interactive investigation platform.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Activity 7402721800671129602 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky