
Golden Spray

Scenario

Lab Link: GoldenSpray

As a cybersecurity analyst at SecureTech Industries, you've been alerted to unusual login attempts and unauthorized access within the company's network. Initial indicators suggest a potential brute-force attack on user accounts. Your mission is to analyze the provided log data to trace the attack's progression, determine the scope of the breach, and identify the attacker's TTPs.

Reconnaissance

| eventcount summarize=false index=* 
| dedup index 
| fields index

Output:

cim_modactions
goldenspray
history
main
summary

To get all the sources:

index=* | stats values(source)

Output:

ST-DC01.ndjson
ST-FS01.ndjson
ST-WIN01.ndjson
ST-WIN02.ndjson

Let's list all hosts:

index=* 
| stats count by host

Output:

ST-DC01  
ST-FS01  
ST-WIN01     
ST-WIN02

Get the IP addresses seen by each host:

index=* event.code=3
| table host winlog.event_data.SourceIp
| dedup winlog.event_data.SourceIp

Output:

ST-WIN01    ff02:0:0:0:0:0:0:fb
ST-WIN01    224.0.0.251
ST-FS01     0:0:0:0:0:0:0:1
ST-FS01     77.91.78.115
ST-DC01     fe80:0:0:0:c30e:8f9d:6135:72d6
ST-DC01     192.168.24.16
ST-WIN02    192.168.24.251

Starting

Q1

What is the attacker's IP address?

Answer Format: **.**.**.***

Most brute-force attacks generate Event ID 4625 (failed logon). In the NDJSON ingested into Splunk here, this appears as event.code=4625 or winlog.event_id=4625 depending on normalization. Alternatively, you can use Sysmon Event ID 3 (network connection) to see which source IPs connected to each host:

index=* event.code=3
| table winlog.event_data.SourceIp
| dedup winlog.event_data.SourceIp

Output:

ff02:0:0:0:0:0:0:fb
224.0.0.251
0:0:0:0:0:0:0:1
77.91.78.115
fe80:0:0:0:c30e:8f9d:6135:72d6
192.168.24.16
192.168.24.251

So the attacker connected to FS01: FS01 is the host being attacked, not the attacker.

Event Code 3 shows network connections to the host that generated the log.
So when FS01 logs:

winlog.event_data.SourceIp = 77.91.78.115

77.91.78.115 connected to FS01. The other IPs you saw in the list are either:

  • internal LAN addresses
  • loopback
  • multicast
  • link-local IPv6

The only external, public IP is: 77.91.78.115

Answer:

77.91.78.115

Q2

What country is the attack originating from?

Answer Format: *******

It's a public IP, so you can look it up with a geolocation service such as whatismyipaddress.

Answer:

Finland

Q3

What's the compromised account username used for initial access?

Answer Format: **********\*********

To get the compromised account used for initial access, you must look for the first successful logon after many failures from the attacker IP 77.91.78.115.

How to read it:

  • 4625 = failed logon
  • 4624 = successful logon
  • The first 4624 for this IP is the compromised account.

Query:

index=* (event.code=4624 OR event.code=4625) winlog.event_data.IpAddress="77.91.78.115"
| table _time event.code winlog.event_data.TargetUserName winlog.event_data.TargetDomainName winlog.event_data.IpAddress
| sort _time

Output:

2024-09-09 16:29:05.476 4625    user    FAKE    77.91.78.115
2024-09-09 16:55:16.867 4625    SECURETECH\\mwilliams   .   77.91.78.115
2024-09-09 16:55:16.889 4625    SECURETECH\\ejohnson    .   77.91.78.115
2024-09-09 16:55:16.910 4625    SECURETECH\\Administrator   .   77.91.78.115
2024-09-09 16:55:16.931 4625    SECURETECH\\admin   .   77.91.78.115
2024-09-09 16:55:16.954 4625    SECURETECH\\emilyjohnson    .   77.91.78.115
2024-09-09 16:55:16.974 4625    SECURETECH\\michaelwilliams .   77.91.78.115
2024-09-09 16:55:16.996 4625    SECURETECH\\admin1  .   77.91.78.115
2024-09-09 16:55:17.021 4625    SECURETECH\\backup  .   77.91.78.115
2024-09-09 16:56:05.559 4625    mwilliams   .   77.91.78.115
2024-09-09 16:56:05.582 4625    ejohnson    .   77.91.78.115
2024-09-09 16:56:05.605 4625    Administrator   .   77.91.78.115
2024-09-09 16:56:05.627 4625    admin   .   77.91.78.115
2024-09-09 16:56:05.649 4625    emilyjohnson    .   77.91.78.115
2024-09-09 16:56:05.672 4624    michaelwilliams ST-WIN02    77.91.78.115
2024-09-09 16:56:05.714 4625    admin1  .   77.91.78.115
2024-09-09 16:56:05.743 4625    backup  .   77.91.78.115
2024-09-09 17:00:21.705 4624    mwilliams   SECURETECH  77.91.78.115
2024-09-09 17:00:23.575 4624    mwilliams   SECURETECH  77.91.78.115
2024-09-09 17:00:23.575 4624    mwilliams   SECURETECH  77.91.78.115
2024-09-09 17:34:15.827 4624    jsmith  SECURETECH  77.91.78.115
2024-09-09 17:34:17.775 4624    jsmith  SECURETECH  77.91.78.115
2024-09-09 17:34:17.775 4624    jsmith  SECURETECH  77.91.78.115
2024-09-09 17:50:13.581 4624    jsmith  SECURETECH  77.91.78.115
2024-09-09 17:50:15.863 4624    jsmith  SECURETECH  77.91.78.115
2024-09-09 17:50:15.863 4624    jsmith  SECURETECH  77.91.78.115

The first 4624 is:

2024-09-09 16:56:05.672   4624   michaelwilliams   ST-WIN02   77.91.78.115

But this is the hostname logon, not the domain account.

The first domain successful logon is:

2024-09-09 17:00:21.705   4624   mwilliams   SECURETECH   77.91.78.115

This matches the earlier brute-force attempt against the same account:

2024-09-09 16:55:16.867   4625   SECURETECH\mwilliams

So the compromised account used for initial access is SECURETECH\mwilliams, first attempted at 2024-09-09 16:55:16.867.
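The "many 4625 then first 4624" logic above, as an added example that is not part of the original writeup. The rows are a constructed subset of the table above plus one benign internal logon; the code normalises DOMAIN\user and bare usernames, counts distinct accounts sprayed per source IP, and reports the first domain-account success that follows the spray, skipping the hostname (ST-WIN02) logon exactly as the reasoning above does.

```python
from collections import defaultdict

# Constructed subset of the 4625/4624 rows above: (time, event_code, target_user, target_domain, ip).
EVENTS = [
    ("16:55:16.867", 4625, "SECURETECH\\mwilliams", ".", "77.91.78.115"),
    ("16:55:16.889", 4625, "SECURETECH\\ejohnson", ".", "77.91.78.115"),
    ("16:55:16.910", 4625, "SECURETECH\\Administrator", ".", "77.91.78.115"),
    ("16:56:05.559", 4625, "mwilliams", ".", "77.91.78.115"),
    ("16:56:05.672", 4624, "michaelwilliams", "ST-WIN02", "77.91.78.115"),
    ("17:00:21.705", 4624, "mwilliams", "SECURETECH", "77.91.78.115"),
    ("17:34:15.827", 4624, "jsmith", "SECURETECH", "77.91.78.115"),
    ("16:40:00.000", 4624, "jsmith", "SECURETECH", "192.168.24.16"),  # benign internal logon
]

DOMAIN = "SECURETECH"


def spray_report(events, min_failures=3):
    """Per source IP: number of distinct accounts with failed logons, and the first
    domain-account success that follows. An IP is reported only when it failed against
    at least min_failures distinct accounts (a spray, not a single typo)."""
    by_ip = defaultdict(list)
    for ev in sorted(events):  # tuple ordering sorts by the time string first
        by_ip[ev[4]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        failed_accounts = set()
        first_success = None
        for time, code, user, domain, _ in evs:
            account = user.split("\\")[-1].lower()  # DOMAIN\user and bare user are the same account
            if code == 4625:
                failed_accounts.add(account)
            elif (code == 4624 and domain.upper() == DOMAIN
                  and first_success is None and len(failed_accounts) >= min_failures):
                first_success = (time, f"{DOMAIN}\\{user}")  # hostname logons are excluded
        if len(failed_accounts) >= min_failures:
            report[ip] = {"accounts_sprayed": len(failed_accounts),
                          "first_domain_success": first_success}
    return report


if __name__ == "__main__":
    print(spray_report(EVENTS))
```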

Answer:

SECURETECH\mwilliams

Q4

What's the name of the malicious file utilized by the attacker for persistence on ST-WIN02?

Answer Format: *************.***

To find the malicious persistence file on ST‑WIN02, you need to look for persistence-related events (registry Run keys, services created, scheduled tasks, startup folder writes) originating from the attacker IP or compromised account.

Persistence on Windows commonly appears under:

  • Event ID 11 (Sysmon) → File creation
  • Event ID 13 (Sysmon) → Registry modification
  • Event ID 4698 → Scheduled task created
  • Event ID 7045 → New service installed

Since the question explicitly says "malicious file utilized for persistence", the answer is usually found in Sysmon Event ID 11 (file created) on ST-WIN02 around the timeframe of compromise (~17:00).

index=* host="ST-WIN02" event.code=11 winlog.event_data.User="SECURETECH\\mwilliams"
| table _time winlog.event_data.TargetFilename
| sort _time

Output:

2024-09-09 14:33:42.994 C:\Users\mwilliams\AppData\Local\Microsoft\Windows\ActionCenterCache\microsoft-skydrive-desktop_8_0.png
2024-09-09 17:10:25.318 C:\Users\mwilliams\AppData\Local\Temp\__PSScriptPolicyTest_ckkryhzt.n5e.ps1
2024-09-09 17:12:14.553 C:\Windows\Temp\OfficeUpdater.exe
2024-09-09 17:12:16.235 C:\Users\mwilliams\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
2024-09-09 17:13:02.739 C:\Users\mwilliams\AppData\Local\Temp\__PSScriptPolicyTest_rrdp4mxs.fjo.ps1
2024-09-09 17:16:13.766 C:\Users\mwilliams\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
2024-09-09 17:21:52.851 C:\Users\mwilliams\AppData\Local\Temp\__PSScriptPolicyTest_duohilus.tzf.ps1
2024-09-09 17:22:57.209 C:\Users\Public\Backup_Tools.zip
2024-09-09 17:23:00.197 C:\Users\mwilliams\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
2024-09-09 17:23:06.887 C:\Users\Public\Backup_Tools
2024-09-09 17:23:06.931 C:\Users\Public\Backup_Tools\PowerView.ps1
2024-09-09 17:23:07.173 C:\Users\Public\Backup_Tools\PsExec.exe
2024-09-09 17:23:07.184 C:\Users\Public\Backup_Tools\mimikatz.exe
2024-09-09 17:23:26.336 C:\Users\mwilliams\AppData\Local\Temp\__PSScriptPolicyTest_tdeh0il4.y52.ps1
2024-09-09 18:39:54.381 E:\Triage\ST-WIN02\C\Windows\System32\winevt\logs\Microsoft-Windows-RemoteDesktopServices-SessionServices%4Operational.evtx

The only persistence-like executable in the results is:

C:\Windows\Temp\OfficeUpdater.exe

Everything else is:

  • PNG cache
  • PowerShell policy test temp files
  • PowerShell profile data
  • Zip extraction (PowerView, PsExec, mimikatz) – tools, not persistence
  • Event logs

The malicious persistence file is the one dropped in a Windows system directory and named to look legitimate.

Answer:

OfficeUpdater.exe

Q5

What is the complete path used by the attacker to store their tools?

Answer Format: C:\*****\******\******_*****\

From the event.code=11 results in Q4, the only tool directory created on ST-WIN02 is:

C:\Users\Public\Backup_Tools\
C:\Users\Public\Backup_Tools\PowerView.ps1
C:\Users\Public\Backup_Tools\PsExec.exe
C:\Users\Public\Backup_Tools\mimikatz.exe

Answer:

C:\Users\Public\Backup_Tools\

Q6

What's the process ID of the tool responsible for dumping credentials on ST-WIN02?

Answer Format: ****

We know the attacker used mimikatz.exe for credential dumping because it was dropped into the tool directory seen in Q4 and then executed, which is how credential dumping normally appears in Windows event data.

From the previous event.code=11 results:

C:\Users\Public\Backup_Tools\
C:\Users\Public\Backup_Tools\PowerView.ps1
C:\Users\Public\Backup_Tools\PsExec.exe
C:\Users\Public\Backup_Tools\mimikatz.exe

Query for the process creation (Sysmon Event ID 1) of mimikatz.exe:

index=* host="ST-WIN02" event.code=1 winlog.event_data.Image="*mimikatz.exe" winlog.event_data.User="SECURETECH\\mwilliams"
| table _time winlog.event_data.ProcessId winlog.event_data.Image

Output (newest first):

2024-09-09 17:39:11.233 528  C:\Users\Public\Backup_Tools\mimikatz.exe
2024-09-09 17:27:34.067 3708    C:\Users\Public\Backup_Tools\mimikatz.exe

Answer:

3708

Q7

What's the second account username the attacker compromised and used for lateral movement?

Answer Format: **********\******

To identify the second compromised account used for lateral movement, you must look for:

  • Successful logons (event.code=4624)
  • From the attacker’s IP: 77.91.78.115
  • After the attacker already compromised the first account (SECURETECH\mwilliams)

This is exactly how lateral movement appears in Windows logs.

So the query:

index=* event.code=4624 winlog.event_data.IpAddress="77.91.78.115"
| table _time winlog.event_data.TargetDomainName winlog.event_data.TargetUserName winlog.event_data.IpAddress
| sort _time

Output:

2024-09-09 16:56:05.672 ST-WIN02    michaelwilliams 77.91.78.115
2024-09-09 17:00:21.705 SECURETECH  mwilliams       77.91.78.115
2024-09-09 17:00:23.575 SECURETECH  mwilliams       77.91.78.115
2024-09-09 17:00:23.575 SECURETECH  mwilliams       77.91.78.115
2024-09-09 17:34:15.827 SECURETECH  jsmith          77.91.78.115
2024-09-09 17:34:17.775 SECURETECH  jsmith          77.91.78.115
2024-09-09 17:34:17.775 SECURETECH  jsmith          77.91.78.115
2024-09-09 17:50:13.581 SECURETECH  jsmith          77.91.78.115
2024-09-09 17:50:15.863 SECURETECH  jsmith          77.91.78.115
2024-09-09 17:50:15.863 SECURETECH  jsmith          77.91.78.115

Answer:

SECURETECH\jsmith

Q8

Can you provide the scheduled task created by the attacker for persistence on the domain controller?

Answer Format: **********

We are looking for the scheduled task name the attacker created on the domain controller for persistence. Search for Sysmon event.code=1 (process creation) or Windows event.code=4698 (scheduled task created) on the DC host:

index=* host="ST-DC01" (event.code=4698 OR EventCode=4698 OR event.code=1) 
| search "schtasks" OR "register" OR "task" 
| table _time winlog.event_data.TaskName winlog.event_data.CommandLine
| sort _time

Output:

2024-09-09 17:34:22.225     "C:\Windows\System32\fsquirt.exe" -Register
2024-09-09 17:38:44.390     schtasks  /create /tn "FilesCheck" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\FileCleaner.exe" /sc hourly /ru SYSTEM
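Parsing the schtasks command line above into its fields, as an added example that is not part of the original writeup. The two command lines are constructed: the first is the line from the output above, the second a benign task for contrast. The parser extracts /tn, /tr, /sc and /ru, and the risk check flags the traits that make the attacker's task stand out (runs as SYSTEM, action under a Temp directory, PowerShell execution-policy bypass); the thresholds and flag names are my own choices.

```python
import re

# Constructed command lines: the schtasks line from the output above, plus a benign one.
SAMPLE_CMDLINES = [
    r'schtasks  /create /tn "FilesCheck" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\FileCleaner.exe" /sc hourly /ru SYSTEM',
    r'schtasks /create /tn "Backup" /tr "C:\Program Files\Vendor\backup.exe" /sc daily /ru SECURETECH\svc_backup',
]

# A flag of interest followed by either a double-quoted value or a single bare token.
FLAG_RE = re.compile(r'/(tn|tr|sc|ru)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return {flag: value} for a 'schtasks /create' command line, or None if it is not one."""
    if not re.search(r'\bschtasks(\.exe)?\b.*?/create\b', cmdline, re.IGNORECASE):
        return None
    fields = {}
    for m in FLAG_RE.finditer(cmdline):
        fields[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def risk_flags(fields):
    """Traits worth an analyst's attention; an empty list means nothing stood out."""
    flags = []
    action = fields.get("tr", "")
    if fields.get("ru", "").upper() == "SYSTEM":
        flags.append("runs as SYSTEM")
    if re.search(r'\\temp\\', action, re.IGNORECASE):
        flags.append("action in a Temp directory")
    if re.search(r'-executionpolicy\s+bypass', action, re.IGNORECASE):
        flags.append("PowerShell execution policy bypass")
    return flags


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        fields = parse_schtasks(line)
        print(fields["tn"], fields["sc"], fields["ru"], risk_flags(fields))
```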

Answer:

FilesCheck

Q9

What type of encryption is used for Kerberos tickets in the environment?

Answer Format: ***-****

We must check the Kerberos ticket events. Event ID 4769 (a Kerberos service ticket was requested) and Event ID 4768 (a Kerberos authentication ticket, the TGT, was requested) both record the TicketEncryptionType field; the query below uses 4768.

Query:

index=* event.code=4768
| table _time winlog.event_data.TicketEncryptionType
| dedup winlog.event_data.TicketEncryptionType

Output:

2024-09-09 16:21:12.301 0xffffffff
2024-09-09 15:44:07.162 0x17

To interpret this value, we consult Microsoft's official documentation on Kerberos ticket encryption types. According to the documentation, 0x17 corresponds to RC4-HMAC, which is the default encryption method for operating systems prior to Windows Server 2008 and Windows Vista. The other value, 0xffffffff, is not a cipher: the documentation lists it as the value shown in failure audits where no ticket was issued, so it is ignored here.

Answer:

RC4-HMAC

Q10

Can you provide the full path of the output file in preparation for data exfiltration?

Answer Format: C:\*****\******\*********\*******_*******.***

Query:

index=* host="ST-FS01" (event.code=11 OR event.code=15 OR event.code=4663)
| search "*.zip" OR "*.7z" OR "*.rar" OR "*backup*" OR "*data*" OR "*exfil*"
| table _time winlog.event_data.TargetFilename
| sort _time
| dedup _time winlog.event_data.TargetFilename

Output:

C:\Users\Public\Documents\Archive_8673812.zip

Answer:

C:\Users\Public\Documents\Archive_8673812.zip
