Going Splunking - Round Two: Splunk VS Caldera


Now that I have both Splunk and Caldera set up and running on my home lab, it's time to get adversarial! I'm going to be running an autonomous red-team engagement from Caldera and seeing what I can find in Splunk, training myself how to detect threats, as noted in the Caldera documentation:
This is the original Caldera use-case. You can use the framework to build a specific threat (adversary) profile and launch it in a network to see where you may be susceptible. This is good for testing defenses and training blue teams on how to detect threats.
I'll be following along with the documentation here for the red team side of things.
The Red Team Attacks
The first step is to deploy an agent. I'll be using the Sandcat agent.
This agent will be deployed on a Windows virtual machine. Caldera provides the PowerShell script to run:
Next I'll be running the provided script in Windows PowerShell running as administrator:
This triggered Microsoft Defender so I had to change some settings:
After a few attempts, I was now able to get the agent running:
and could also confirm from Caldera:
Now it's time to choose the adversary profile. I'm going with the Discovery adversary. We can see a list of its abilities from the Adversaries page in Caldera:
The Discovery adversary maps to the Discovery tactic in the MITRE ATT&CK matrix.
Next we will run an operation. Navigating to the Operations page in Caldera and hitting the “New Operation” button presents us with some fields we need to add info to:
I named the operation and selected the Discovery adversary, also setting the group to red:
Once I hit the start button, I could see the operation was created:
scroll down, and I could see that the abilities of the adversary were currently in progress:
Once all the abilities ran, the adversarial operation was complete. Now time to get the blue team perspective.
The Blue Team Defends
Starting from what is already known, 7 adversarial abilities successfully ran, so there should be at least 7 logs in Splunk to find. Setting the time range to today, I began my search:
index="win_10_logs" User="WINDOZE10\\Screw Muggz" IntegrityLevel=High
Using the index set for the logs from my Windows 10 VM, the user name of the user account, and IntegrityLevel set to High, this whittled the logs down to a manageable 16 events to start off with.
The 7 adversarial abilities that successfully ran are shown below along with one that failed:
Log Analysis
This section covers how I found the logs in Splunk corresponding to the adversarial abilities run in Caldera, in the order shown in the above screenshot.
Identify Active User
I scrolled through the logs looking at the CommandLine output, and this line indicates a PowerShell command asking for the user name:
CommandLine: powershell.exe -ExecutionPolicy Bypass -C $env:username
The first adversarial ability has been found.
Identify Local Users
MITRE ATT&CK Technique: T1087.001
This was the log immediately above the last one in Splunk.
The command that drew my attention:
CommandLine: powershell.exe -ExecutionPolicy Bypass -C "Get-WmiObject -Class Win32_UserAccount"
I pasted this line into ChatGPT to ask for a summary and was given this information:
That PowerShell one-liner:
- Runs PowerShell with execution restrictions bypassed.
- Queries WMI for the Win32_UserAccount class.
- Returns one object per user account (local or domain) with properties like name, domain, SID, and status.
In short: it lists all user accounts on the machine (and any domain accounts visible via WMI).
So the second adversarial ability has been found.
Find User Processes
CommandLine: powershell.exe -ExecutionPolicy Bypass -C "$owners = @{};gwmi win32_process |%% {$owners[$_.handle] = $_.getowner().user};$ps = get-process | select processname,Id,@{l=\"Owner\";e={$owners[$_.id.tostring()]}};foreach($p in $ps) { if($p.Owner -eq \"Screw` Muggz\") { $p; }}"
Because of the search I ran, and because Caldera runs the adversary abilities back to back, all the interesting logs were stacked on top of each other. I can see that the command in this log was looking for processes. To further understand the PowerShell command, I again fed it to ChatGPT to summarize:
This PowerShell command:
- Finds all running processes.
- Matches each process to its owner (user account).
- Filters and displays only the processes owned by the user Screw Muggz.
Key Purpose:
Identify all processes currently running under the user account "Screw Muggz".
View Admin Shares
The line of immediate interest:
CommandLine: powershell.exe -ExecutionPolicy Bypass -C "Get-SmbShare | ConvertTo-Json"
This PowerShell command:
- Retrieves all SMB (Windows file) shares on the local system using Get-SmbShare.
- Converts the results to JSON format using ConvertTo-Json.
Key Purpose:
Export a list of all shared folders on the system in JSON format, useful for logging, auditing, or integration with other tools.
Discover Domain Controller
This is the log for the adversary ability that failed:
The PowerShell command:
CommandLine: powershell.exe -ExecutionPolicy Bypass -C "nltest /dsgetdc:$env:USERDOMAIN"
Summary of the Command
This PowerShell command:
- Runs nltest /dsgetdc:<domain> to find a domain controller for the current user’s domain.
- Uses $env:USERDOMAIN to automatically insert the domain name from the environment.
Key Purpose:
Identify the domain controller (DC) for the domain the current user is logged into, useful for troubleshooting or verifying domain connectivity.
I found another log that corresponds to the same adversarial ability:
CommandLine: "C:\Windows\system32\nltest.exe" /dsgetdc:WINDOZE10
Summary of the Command
This command:
- Uses nltest.exe to query for a domain controller (DC) for the domain named WINDOZE10.
Key Purpose:
Checks if a domain controller for the domain WINDOZE10 is reachable, and retrieves its information if found — useful for Active Directory troubleshooting.
Discover Antivirus Programs
MITRE ATT&CK Technique: T1518.001
CommandLine: powershell.exe -ExecutionPolicy Bypass -C "wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value"
Summary of the Command
This PowerShell command:
- Runs a WMIC query against the WMI namespace root\SecurityCenter2.
- Retrieves detailed information about installed antivirus products from the AntiVirusProduct class.
- Outputs the results in a key=value format.
Key Purpose:
Lists antivirus products registered with Windows Security Center, including their name, status, and file paths — useful for inventory or security checks.
This adversarial ability also had multiple corresponding logs; here is the other:
CommandLine: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value
Summary of the Command
This command:
- Uses WMIC (Windows Management Instrumentation Command-line) to query the AntiVirusProduct class in the root\SecurityCenter2 namespace.
- Outputs details in a key=value format for all registered antivirus products.
Key Purpose:
Displays detailed information about antivirus software installed on the system, as recognized by Windows Security Center — useful for audits and security validation.
Permission Groups Discovery
MITRE ATT&CK Technique: T1069.001
CommandLine: powershell.exe -ExecutionPolicy Bypass -C "gpresult /R"
Summary of the Command
This PowerShell command:
- Runs the gpresult /R command to generate a summary of applied Group Policy settings for the current user and computer.
Key Purpose:
Shows which Group Policy Objects (GPOs) have been applied to the system and user — useful for troubleshooting policy issues in Active Directory environments.
"C:\Windows\system32\gpresult.exe" /R
Summary of the Command
This command:
- Executes the gpresult.exe utility (without any switches), which displays a brief summary of the Resultant Set of Policy for the current user and computer.
Key Purpose:
Quickly view which Group Policy Objects have been applied without generating a detailed report.
Identify Firewalls
MITRE ATT&CK Technique: T1518.001
CommandLine: powershell.exe -ExecutionPolicy Bypass -C "$NameSpace = Get-WmiObject -Namespace \"root\" -Class \"__Namespace\" | Select Name | Out-String -Stream | Select-String \"SecurityCenter\";$SecurityCenter = $NameSpace | Select-Object -First 1;Get-WmiObject -Namespace \"root\$SecurityCenter\" -Class AntiVirusProduct | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List;"
Summary of the Command
This PowerShell one-liner:
- Discovers the correct WMI namespace (either SecurityCenter or SecurityCenter2).
- Queries the AntiVirusProduct class within that namespace to retrieve each registered antivirus product’s key properties (name, GUID, executable paths, state, timestamp).
- Formats the output as a readable list.
Key Purpose:
List detailed information about all antivirus products registered with Windows Security Center in a clean, human-readable format.
Conclusion
I ran through this lab several times prior to documenting it, which is how I was able to refine my search. While documenting the blue team side of things I was able to find more logs than I did on previous tries. I also decided to map the adversarial abilities back to the MITRE ATT&CK matrix.
What did I learn?
Attacks could have multiple logs, so finding one might not be the end of the story.
Commands from the attacks were run in PowerShell as well as on the command line using native Windows utilities, which is what caused the multiple logs.
Running attacks from Caldera is a fun and interesting exercise to help sharpen and expand my skill set.
What's Next?
I plan to continue to run more exercises from Caldera to get better at using Splunk. There are a lot more adversarial abilities to learn from.
I will generate alerts from the commands documented in this article and trigger them by running through this lab again.
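As a first cut at that alerting idea, here is an added Python example (my own code, not from the post, Caldera or Splunk) that runs regex rules modelled on the CommandLine values documented above over constructed sample events, applies the same IntegrityLevel=High filter as the Splunk search, and groups hits by ATT&CK technique so an ability that produced two logs (PowerShell wrapper plus native binary) shows up as one finding. The sample events are constructed, and the technique ids other than the three given in the post are my own mapping.

```python
import re

# Constructed sample events modelled on the CommandLine values found in this post
# (not real telemetry). Each tuple is (CommandLine, IntegrityLevel).
SAMPLE_EVENTS = [
    ('powershell.exe -ExecutionPolicy Bypass -C $env:username', 'High'),
    ('powershell.exe -ExecutionPolicy Bypass -C "Get-WmiObject -Class Win32_UserAccount"', 'High'),
    ('powershell.exe -ExecutionPolicy Bypass -C "$owners = @{};gwmi win32_process | % {$owners[$_.handle] = $_.getowner().user}"', 'High'),
    ('powershell.exe -ExecutionPolicy Bypass -C "Get-SmbShare | ConvertTo-Json"', 'High'),
    ('powershell.exe -ExecutionPolicy Bypass -C "nltest /dsgetdc:$env:USERDOMAIN"', 'High'),
    (r'"C:\Windows\system32\nltest.exe" /dsgetdc:WINDOZE10', 'High'),
    (r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value', 'High'),
    ('powershell.exe -ExecutionPolicy Bypass -C "gpresult /R"', 'High'),
    (r'"C:\Windows\system32\gpresult.exe" /R', 'High'),
    (r'notepad.exe C:\Users\notes.txt', 'Medium'),  # benign noise, should not alert
]

# (ATT&CK technique, Caldera ability, regex over CommandLine). T1087.001, T1518.001 and
# T1069.001 are the mappings given in the post; the other technique ids are my own mapping.
# Each regex matches both the PowerShell wrapper and the native binary, because the post
# found both kinds of log for the same ability.
RULES = [
    ('T1033',     'Identify Active User',        r'\$env:username(\s|$)'),
    ('T1087.001', 'Identify Local Users',        r'Win32_UserAccount'),
    ('T1057',     'Find User Processes',         r'gwmi win32_process|get-process'),
    ('T1135',     'View Admin Shares',           r'Get-SmbShare'),
    ('T1018',     'Discover Domain Controller',  r'nltest(\.exe")?\s+/dsgetdc:'),
    ('T1518.001', 'Discover Antivirus Programs / Identify Firewalls',
                                                 r'SecurityCenter2?\b.*AntiVirusProduct'),
    ('T1069.001', 'Permission Groups Discovery', r'gpresult(\.exe")?\s+/R\b'),
]

def classify(command_line):
    """Return (technique, ability) for the first rule that matches, else None."""
    for technique, ability, pattern in RULES:
        if re.search(pattern, command_line, re.IGNORECASE):
            return technique, ability
    return None

def triage(events, integrity='High'):
    """Keep only events at the given IntegrityLevel and group matching CommandLines by technique."""
    hits = {}
    for cmd, level in events:
        if level != integrity:
            continue
        match = classify(cmd)
        if match is not None:
            hits.setdefault(match[0], []).append(cmd)
    return hits
```

Running triage(SAMPLE_EVENTS) returns two CommandLines each for T1018 and T1069.001, which is the "one ability, multiple logs" behaviour noted in the conclusion.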
Written by Taji Abdullah