Packet cyclone Writeup

Solved by : thewhiteh4t

• We are given Windows EVTX files and sigma rules for detecting exfiltration using rclone
• To scan these EVTX files we can use chainsaw which supports sigma rules

chainsaw hunt -s sigma_rules -m sigma-event-logs-all.yml Logs

• Two detection are shown

• First one contains credentials of mega.nz

• Second contains file paths

• Here are the correct answers based on information given in these two detection :