ShadowRoast

Scenario

Lab Link: ShadowRoast

As a cybersecurity analyst at TechSecure Corp, you have been alerted to unusual activities within the company's Active Directory environment. Initial reports suggest unauthorized access and possible privilege escalation attempts.

Your task is to analyze the provided logs to uncover the attack's extent and identify the malicious actions taken by the attacker. Your investigation will be crucial in mitigating the threat and securing the network.

Reconnaissance

| eventcount summarize=false index=* 
| dedup index 
| fields index

Output:

cim_modactions
history
main
shadowroast
summary

To list all the sources:

index=* | stats values(source)

Output:

C:\Logs\DC01.ndjson
C:\Logs\FileServer.ndjson
C:\Logs\Office-PC.ndjson

Let's list all hosts:

index=* 
| stats count by host

Output:

Windows

Let's get the field names:

index=* host=Windows 
| head 1
| fieldsummary

Knowing the field names lets us write the right queries.

Output:

METADATA & AGENT
├── @metadata.beat
├── @metadata.type
├── @metadata.version
├── @timestamp
├── agent.ephemeral_id
├── agent.id
├── agent.name
├── agent.type
└── agent.version

DATE/TIME
├── date_hour
├── date_mday
├── date_minute
├── date_month
├── date_second
├── date_wday
├── date_year
└── date_zone

ECS & EVENT
├── ecs.version
├── event.action
├── event.code
├── event.created
├── event.kind
├── event.provider
└── eventtype

HOST INFORMATION
├── host
├── host.architecture
├── host.hostname
├── host.id
├── host.ip{}
├── host.mac{}
├── host.name
├── host.os.build
├── host.os.family
├── host.os.kernel
├── host.os.name
├── host.os.platform
├── host.os.type
└── host.os.version

SPLUNK METADATA
├── index
├── linecount
├── source
├── sourcetype
├── splunk_server
├── splunk_server_group
├── tag
└── tag::eventtype

LOG INFORMATION
├── log.file.path
├── log.level
├── message
├── punct
├── timeendpos
└── timestartpos

WINLOG CORE
├── winlog.activity_id
├── winlog.api
├── winlog.channel
├── winlog.computer_name
├── winlog.event_id
├── winlog.keywords{}
├── winlog.opcode
├── winlog.process.pid
├── winlog.process.thread.id
├── winlog.provider_guid
├── winlog.provider_name
├── winlog.record_id
├── winlog.task
└── winlog.version

WINLOG EVENT DATA
├── winlog.event_data.ActionName
├── winlog.event_data.AdapterName
├── winlog.event_data.AdapterSuffixName
├── winlog.event_data.Binary
├── winlog.event_data.CallTrace
├── winlog.event_data.Company
├── winlog.event_data.CreationUtcTime
├── winlog.event_data.Description
├── winlog.event_data.Details
├── winlog.event_data.DnsServerList
├── winlog.event_data.EnginePID
├── winlog.event_data.ErrorCode
├── winlog.event_data.EventType
├── winlog.event_data.FileVersion
├── winlog.event_data.GrantedAccess
├── winlog.event_data.Hashes
├── winlog.event_data.HostName
├── winlog.event_data.Image
├── winlog.event_data.ImageLoaded
├── winlog.event_data.InstanceId
├── winlog.event_data.Ipaddress
├── winlog.event_data.OriginalFileName
├── winlog.event_data.Path
├── winlog.event_data.Priority
├── winlog.event_data.ProcessGuid
├── winlog.event_data.ProcessID
├── winlog.event_data.ProcessId
├── winlog.event_data.Product
├── winlog.event_data.QueryName
├── winlog.event_data.QueryResults
├── winlog.event_data.QueryStatus
├── winlog.event_data.ResultCode
├── winlog.event_data.RuleName
├── winlog.event_data.Sent UpdateServer
├── winlog.event_data.Signature
├── winlog.event_data.SignatureStatus
├── winlog.event_data.Signed
├── winlog.event_data.SourceImage
├── winlog.event_data.SourceProcessGUID
├── winlog.event_data.SourceProcessId
├── winlog.event_data.SourceThreadId
├── winlog.event_data.SourceUser
├── winlog.event_data.TargetFilename
├── winlog.event_data.TargetImage
├── winlog.event_data.TargetObject
├── winlog.event_data.TargetProcessGUID
├── winlog.event_data.TargetProcessId
├── winlog.event_data.TargetUser
├── winlog.event_data.TaskInstanceId
├── winlog.event_data.TaskName
├── winlog.event_data.User
├── winlog.event_data.UserContext
├── winlog.event_data.UserName
├── winlog.event_data.UtcTime
├── winlog.event_data.param1
├── winlog.event_data.param2
├── winlog.event_data.param3
└── winlog.event_data.param4

WINLOG USER INFO
├── winlog.user.domain
├── winlog.user.identifier
├── winlog.user.name
└── winlog.user.type

WINLOG USER DATA
├── winlog.user_data.ClientMachine
├── winlog.user_data.ClientProcessId
├── winlog.user_data.Component
├── winlog.user_data.Id
├── winlog.user_data.Operation
├── winlog.user_data.PossibleCause
├── winlog.user_data.ResultCode
├── winlog.user_data.User
└── winlog.user_data.xml_name

Let's get counts for all the event codes:

index=* host=Windows
| stats count by winlog.event_id

Output:

SYSMON EVENTS (Critical for Investigation)
  ID 1    │ 254    │ Process Creation
  ID 3    │ 2396   │ Network Connection
  ID 7    │ 180    │ Image/DLL Loaded
  ID 10   │ 81     │ Process Access
  ID 11   │ 927    │ File Create
  ID 12   │ 288    │ Registry Object Create/Delete
  ID 13   │ 2396   │ Registry Value Set
  ID 22   │ N/A    │ DNS Query

WINDOWS EVENTS (0-99)
  0  → 2       20 → 12      100 → 167
  1  → 254     21 → 2       101 → 2
  2  → 8       10 → 81      102 → 144
                            103 → 5

APPLICATION/SYSTEM EVENTS (1000-1999)
  1000 → 8      1109 → 1     1501 → 2
  1001 → 4      1129 → 6     1531 → 6
  1002 → 2      1136 → 4     1704 → 1
  1003 → 27     1149 → 2     1869 → 1
  1004 → 4      1200 → 4     1988 → 1
  1006 → 5      1202 → 4
  1008 → 2      1206 → 2
  1010 → 14     1210 → 2
  1025 → 5      1314 → 2
  1034 → 1      1394 → 2
  1037 → 2      1400 → 2
  1056 → 2      
  1066 → 6      
  1067 → 2      
  1076 → 4      
  1100 → 2      
  1101 → 6      

MISCELLANEOUS EVENTS (10000+, 100-999)
  10000 → 3     108 → 11     16394 → 9
  10001 → 3     109 → 2      16647 → 1
  10016 → 8     110 → 10     16648 → 1
  10100 → 3     114 → 31     16654 → 1
  10148 → 4     118 → 22     16962 → 6
  10154 → 4     119 → 71     16977 → 8
  12039 → 28    129 → 140    16983 → 6
  14531 → 2     132 → 4      20001 → 4
  14533 → 2     139 → 2      20003 → 3
  105 → 10      140 → 105    20521 → 2
  106 → 3       141 → 2      20523 → 4
  107 → 1       142 → 5      200 → 165
                143 → 2      201 → 140
                145 → 9      202 → 5
                153 → 7      208 → 4
                161 → 5      209 → 4
                172 → 6      2120 → 2
                16384 → 5    2121 → 2

Get the IP of the Host by Network Connection:

index=* event.code=3
| table host winlog.event_data.SourceIp
| dedup winlog.event_data.SourceIp

Output:

Windows 10.0.0.184
Windows ff02:0:0:0:0:0:0:fb
Windows 224.0.0.251
Windows 10.0.0.147
Windows fe80:0:0:0:5f0a:e1f3:a55:1279
Windows 223.247.47.74
Windows 0:0:0:0:0:0:0:1

Q1

What's the malicious file name utilized by the attacker for initial access?

Answer Format: ************.***

For initial access we look for cmd.exe or PowerShell launched by something the user ran. Sysmon process creation (Event ID 1) records the Image, the CommandLine and the ParentImage, so filtering on the shell images and reading the parent tells us which file spawned the shell:

index=* winlog.event_id=1
| search winlog.event_data.Image="*\\cmd.exe" OR winlog.event_data.Image="*\\powershell.exe"
| table _time host winlog.event_data.Image winlog.event_data.CommandLine winlog.event_data.ParentImage winlog.event_data.ProcessId
| sort _time

Output:

2024-08-06 01:07:34.837 
Windows C:\Windows\SysWOW64\cmd.exe 
C:\Windows\system32\cmd.exe 
C:\Users\sanderson\Downloads\AdobeUpdater.exe

So we have the time and the initial access file name.

Answer:

AdobeUpdater.exe

Q2

What's the registry run key name created by the attacker for maintaining persistence?

Answer Format: ********

Registry changes are recorded by Sysmon:

  • Sysmon Event ID 12 → Registry Object Create
  • Sysmon Event ID 13 → Registry Value Set
  • Sysmon Event ID 14 → Registry Object Rename

Filtering TargetObject on "Run" narrows these events to the autorun keys:

index=* (winlog.event_id=12 OR winlog.event_id=13 OR winlog.event_id=14)
| search winlog.event_data.TargetObject="*\\Run*" 
| table _time winlog.event_data.TargetObject winlog.event_data.Details winlog.event_data.Image
| sort _time

Output:

2024-08-06 01:05:58.546 HKU\S-1-5-21-1096375878-1107820087-318151060-1105\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyW5PZyF    %%COMSPEC%% /b /c start /b /min powershell -nop -w hidden -c "sleep 0; iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((Get-Item 'HKCU:Software\EdI86bhr').GetValue('OQqd5sjJ'))))"    C:\Users\sanderson\Downloads\AdobeUpdater.exe

Answer:

wyW5PZyF
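The Splunk search above finds the entry by hand. As an added example that is not part of the write-up, here is the same check as detection logic run over winlogbeat-style NDJSON lines (the layout the lab's field list shows): it keeps only Sysmon registry events that write a value under an autorun key and scores the value data for the marks of a hidden, self-decoding PowerShell launcher. The sample records are constructed; the malicious one reuses the key name and launcher string from the event above, the other two are invented.

```python
"""Flag Sysmon registry events (IDs 12/13/14) that plant an autorun value
whose data is a hidden, self-decoding PowerShell launcher.

Added example, not code from the ShadowRoast write-up. Input is NDJSON in
the winlogbeat layout (winlog.event_id, winlog.event_data.TargetObject,
.Details, .Image). Sample lines are constructed.
"""
import json
import re

# Autorun keys: capture the key type and the value name written under it.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\([^\\]+)$",
                     re.IGNORECASE)

# Substrings typical of a launcher that decodes its real payload at run time.
# Any one alone is weak evidence; two or more in a single autorun value is not.
INDICATORS = {
    "powershell": "powershell",
    "hidden window": "-w hidden",
    "no profile": "-nop",
    "invoke-expression": "iex",
    "base64 payload": "frombase64string",
    "encoded command": "-enc",
    "comspec launcher": "comspec",
}

# Launcher string as logged in the write-up's Event ID 13 entry.
LAUNCHER = ('%%COMSPEC%% /b /c start /b /min powershell -nop -w hidden -c '
            '"sleep 0; iex([System.Text.Encoding]::Unicode.GetString('
            "[System.Convert]::FromBase64String((Get-Item 'HKCU:Software\\EdI86bhr')"
            ".GetValue('OQqd5sjJ'))))\"")
SID = "S-1-5-21-1096375878-1107820087-318151060-1105"
RUN = "HKU\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
DROPPER = "C:\\Users\\sanderson\\Downloads\\AdobeUpdater.exe"

SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    # Creation of the Run key itself: no value name, so it is skipped.
    {"@timestamp": "2024-08-06T01:05:58.540Z",
     "winlog": {"event_id": 12, "event_data": {
         "EventType": "CreateKey", "TargetObject": RUN, "Image": DROPPER}}},
    # The entry from the write-up (value name and launcher as logged).
    {"@timestamp": "2024-08-06T01:05:58.546Z",
     "winlog": {"event_id": 13, "event_data": {
         "EventType": "SetValue", "TargetObject": RUN + "\\wyW5PZyF",
         "Details": LAUNCHER, "Image": DROPPER}}},
    # Invented benign autorun written by an installer.
    {"@timestamp": "2024-08-06T00:12:03.001Z",
     "winlog": {"event_id": 13, "event_data": {
         "EventType": "SetValue", "TargetObject": RUN + "\\OneDrive",
         "Details": "\"C:\\Users\\sanderson\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
         "Image": "C:\\Users\\sanderson\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveSetup.exe"}}},
])


def parse_ndjson(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_run_key_persistence(ndjson_text, min_indicators=2):
    """Return one finding per autorun value whose data looks like an
    obfuscated launcher, together with the process that wrote it."""
    findings = []
    for ev in parse_ndjson(ndjson_text):
        win = ev.get("winlog", {})
        if win.get("event_id") not in (12, 13, 14):
            continue
        data = win.get("event_data", {})
        match = RUN_KEY.search(data.get("TargetObject", ""))
        if not match:
            continue
        details = data.get("Details", "").lower()   # ID 12 carries no Details
        hits = [name for name, needle in INDICATORS.items() if needle in details]
        if len(hits) < min_indicators:
            continue
        findings.append({
            "time": ev.get("@timestamp"),
            "autorun_key": match.group(1),
            "value_name": match.group(2),
            "writer": data.get("Image", ""),
            "indicators": hits,
        })
    return findings


if __name__ == "__main__":
    for f in find_run_key_persistence(SAMPLE_NDJSON):
        print(f"{f['time']} {f['autorun_key']}\\{f['value_name']} written by {f['writer']}")
        print("   indicators:", ", ".join(f["indicators"]))
```

The writer image is the part worth keeping in the alert: an autorun value set by a binary in a user's Downloads folder is a stronger signal than the value data alone, and it ties Q2 back to the initial-access file from Q1.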

Q3

What's the full path of the directory used by the attacker for storing his dropped tools?

Answer Format: C:\...\...\...\...\...\

To solve this, we must look for:

  • File creation events
  • File write events
  • Modules loaded
  • Any unusual directory where multiple malicious files were stored

From your field list, the relevant fields are:

  • winlog.event_id=11 → File Create (Sysmon)
  • winlog.event_data.TargetFilename → path of the created file
  • winlog.event_data.ImageLoaded (sometimes)
  • winlog.event_id=1 + CommandLine may also reveal paths

There are several ways to solve this. The most direct is to filter on AdobeUpdater.exe and read the paths it wrote, but we can also take Event ID 11 (file creation) and examine the created file names alongside the image that created them:

index=* winlog.event_id=11
| stats values(winlog.event_data.TargetFilename) as files count by winlog.event_data.Image

Output:

C:\Users\sanderson\Downloads\AdobeUpdater.exe   

C:\Users\Default\AppData\Local\Temp\BackupUtility.exe
C:\Users\Default\AppData\Local\Temp\DefragTool.exe
C:\Users\Default\AppData\Local\Temp\SystemDiagnostics.ps1

So after the malware was executed it dropped these files: BackupUtility.exe, DefragTool.exe and SystemDiagnostics.ps1. The directory is C:\Users\Default\AppData\Local\Temp\.

Answer:

C:\Users\Default\AppData\Local\Temp\
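The stats query groups created files by image. As an added example that is not part of the write-up (it covers both the initial-access chain of Q1 and the drop directory of Q3), the script below correlates Sysmon process creation (ID 1) with file creation (ID 11) on ProcessGuid, so each dropper is reported with its parent and command line, and then ranks scratch directories that received executables or scripts. Field names follow the lab's winlogbeat list; the sample records are constructed to mirror the findings above and the ProcessGuid values are invented.

```python
"""Correlate Sysmon process creation (ID 1) with file creation (ID 11) to
list what each process dropped, then pick out tool staging directories.

Added example, not code from the ShadowRoast write-up. Sample events are
constructed; ProcessGuid values are invented.
"""
import json
from collections import defaultdict

# File types a freshly run download has no business writing to scratch space.
TOOL_EXTENSIONS = {"exe", "dll", "ps1", "bat", "vbs", "js", "hta"}

# User-writable scratch locations that commonly serve as staging directories.
STAGING_HINTS = ("\\appdata\\local\\temp", "\\windows\\temp",
                 "\\programdata", "\\users\\public")

DROPPER = "C:\\Users\\sanderson\\Downloads\\AdobeUpdater.exe"
TEMP = "C:\\Users\\Default\\AppData\\Local\\Temp\\"


def ev(event_id, **data):
    """One constructed winlogbeat-style Sysmon record."""
    return {"winlog": {"event_id": event_id, "event_data": data}}


SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    ev(1, ProcessGuid="{A}", Image=DROPPER, ParentImage="C:\\Windows\\explorer.exe",
       CommandLine='"' + DROPPER + '"'),
    ev(1, ProcessGuid="{B}", Image="C:\\Windows\\SysWOW64\\cmd.exe",
       ParentImage=DROPPER, CommandLine="C:\\Windows\\system32\\cmd.exe"),
    ev(11, ProcessGuid="{A}", Image=DROPPER, TargetFilename=TEMP + "BackupUtility.exe"),
    ev(11, ProcessGuid="{A}", Image=DROPPER, TargetFilename=TEMP + "DefragTool.exe"),
    ev(11, ProcessGuid="{A}", Image=DROPPER, TargetFilename=TEMP + "SystemDiagnostics.ps1"),
    # Ordinary activity: a document save and a service log, neither is a tool drop.
    ev(11, ProcessGuid="{C}", Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
       TargetFilename="C:\\Users\\sanderson\\Documents\\Q3-report.docx"),
    ev(11, ProcessGuid="{D}", Image="C:\\Windows\\System32\\svchost.exe",
       TargetFilename="C:\\Windows\\Temp\\wuauclt.log"),
])


def parse_ndjson(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_drop_report(ndjson_text):
    """{image: {"parent", "cmdline", "dropped": [...]}} for every process
    that wrote files. Parent and command line come from the ID 1 event with
    the same ProcessGuid; processes whose start was not logged still appear."""
    events = parse_ndjson(ndjson_text)
    starts = {e["winlog"]["event_data"].get("ProcessGuid"): e["winlog"]["event_data"]
              for e in events if e.get("winlog", {}).get("event_id") == 1}
    report = {}
    for e in events:
        win = e.get("winlog", {})
        if win.get("event_id") != 11:
            continue
        data = win.get("event_data", {})
        entry = report.setdefault(data.get("Image", ""),
                                  {"parent": None, "cmdline": None, "dropped": []})
        start = starts.get(data.get("ProcessGuid"))
        if start:
            entry["parent"] = start.get("ParentImage")
            entry["cmdline"] = start.get("CommandLine")
        entry["dropped"].append(data.get("TargetFilename", ""))
    return report


def staging_directories(ndjson_text):
    """Scratch directories that received executable or script files,
    most populated first, with the file names written there."""
    by_dir = defaultdict(set)
    for info in build_drop_report(ndjson_text).values():
        for path in info["dropped"]:
            directory, _, name = path.rpartition("\\")
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in TOOL_EXTENSIONS and any(h in directory.lower() for h in STAGING_HINTS):
                by_dir[directory].add(name)
    ranked = sorted(by_dir.items(), key=lambda kv: -len(kv[1]))
    return {d: sorted(names) for d, names in ranked}


if __name__ == "__main__":
    for image, info in build_drop_report(SAMPLE_NDJSON).items():
        print(f"{image} (parent: {info['parent']})")
        for f in info["dropped"]:
            print("   wrote", f)
    print("staging:", staging_directories(SAMPLE_NDJSON))
```

Correlating on ProcessGuid rather than on the image path matters when the same binary runs several times (DefragTool.exe later in this lab): each run has its own GUID, so the parent and command line attached to a drop are the ones from that particular run.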

Q4

What tool was used by the attacker for privilege escalation and credential harvesting?

Answer Format: ******

Let's go back to the dropped files we found earlier. Three files were dropped in C:\Users\Default\AppData\Local\Temp\:

  • BackupUtility.exe
  • DefragTool.exe
  • SystemDiagnostics.ps1

Let's investigate what these files actually do by looking at their execution and related process activity with Event ID 1:

index=* winlog.event_id=1
| search winlog.event_data.Image="*\\BackupUtility.exe" OR winlog.event_data.Image="*\\DefragTool.exe" OR winlog.event_data.CommandLine="*SystemDiagnostics.ps1*"
| table _time winlog.event_data.Image winlog.event_data.CommandLine winlog.event_data.ParentImage
| sort _time

Output:

_time   winlog.event_data.Image winlog.event_data.CommandLine   winlog.event_data.ParentImage
2024-08-06 01:10:45.053 C:\Users\Default\AppData\Local\Temp\BackupUtility.exe   "C:\Users\Default\AppData\Local\Temp\BackupUtility.exe" asreproast /format:hashcat  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2024-08-06 01:14:46.864 C:\Users\Default\AppData\Local\Temp\DefragTool.exe  "C:\Users\Default\AppData\Local\Temp\DefragTool.exe"    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2024-08-06 01:15:18.616 C:\Users\Default\AppData\Local\Temp\DefragTool.exe  "C:\Users\Default\AppData\Local\Temp\DefragTool.exe"    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

The interesting entry is:

"C:\Users\Default\AppData\Local\Temp\BackupUtility.exe" asreproast /format:hashcat

But where is the tool name? asreproast is a Rubeus command used for AS-REP Roasting (a credential harvesting technique that targets accounts with Kerberos pre-authentication disabled).

BackupUtility.exe is actually Rubeus renamed to avoid detection.

The /format:hashcat parameter exports the hashes in a format that can be cracked with Hashcat.

Answer:

Rubeus

Q5

Was the attacker's credential harvesting successful? If so, can you provide the compromised domain account username?

Answer Format: *******

Let's look for the accounts that were actually targeted. Search the Event IDs related to Kerberos authentication failures or AS-REP requests:

Event ID 4768 (Kerberos TGT request) or 4625 (failed logon) will show the account being targeted:

index=* (winlog.event_id=4768 OR winlog.event_id=4625)
| table _time winlog.event_id winlog.event_data.TargetUserName winlog.user_data.User message
| sort _time

Answer:

tcooper
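The query above pulls every 4768 and 4625 and leaves the reading to the analyst. As an added example that is not part of the write-up, the script below applies the usual AS-REP roasting filter to 4768 records: a ticket actually issued (Status 0x0) for an account with no pre-authentication (PreAuthType 0) and an RC4-HMAC ticket (TicketEncryptionType 0x17), which is the AS-REP the hashcat-format export from Q4 is built from. It then groups by requesting IP, because one workstation collecting such AS-REPs for several accounts is the enumeration pattern rather than a lone service account logging on. Field names are the ones Windows writes into 4768 and winlogbeat keeps under winlog.event_data; all sample records, IPs, the domain name and the account names other than tcooper are constructed.

```python
"""Spot AS-REP roasting in Security Event ID 4768 (Kerberos TGT request).

Added example, not code from the ShadowRoast write-up. Sample records are
constructed in the winlogbeat layout.
"""
import json
from collections import defaultdict

NO_PREAUTH = "0"      # PreAuthType 0: logon without Kerberos pre-authentication
RC4_HMAC = "0x17"     # TicketEncryptionType 0x17: RC4, the crackable format
TGT_ISSUED = "0x0"    # Status 0x0: the KDC answered with a ticket


def tgt_request(ts, user, preauth, etype, status, ip):
    """One constructed winlogbeat-style 4768 record (domain name invented)."""
    return {"@timestamp": ts, "winlog": {"event_id": 4768, "event_data": {
        "TargetUserName": user, "TargetDomainName": "TECHSECURE",
        "ServiceName": "krbtgt", "PreAuthType": preauth,
        "TicketEncryptionType": etype, "Status": status, "IpAddress": ip}}}


SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    # Two no-preauth accounts pulled from the same workstation within seconds.
    tgt_request("2024-08-06T01:10:46.100Z", "tcooper", "0", "0x17", "0x0", "::ffff:10.0.0.184"),
    tgt_request("2024-08-06T01:10:46.120Z", "svc-backup", "0", "0x17", "0x0", "::ffff:10.0.0.184"),
    # Normal logon: pre-authenticated, AES ticket.
    tgt_request("2024-08-06T01:11:02.000Z", "jsmith", "2", "0x12", "0x0", "::ffff:10.0.0.50"),
    # No-preauth request for an unknown principal: no ticket, nothing to crack.
    tgt_request("2024-08-06T01:10:46.130Z", "nobody", "0", "0x17", "0x6", "::ffff:10.0.0.184"),
    # A failed logon (4625) from the same host is not a 4768 and is ignored here.
    {"@timestamp": "2024-08-06T01:10:50.000Z", "winlog": {"event_id": 4625,
        "event_data": {"TargetUserName": "tcooper", "IpAddress": "10.0.0.184"}}},
])


def parse_ndjson(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def asrep_roast_candidates(ndjson_text):
    """Requesting IP -> sorted accounts for which an RC4 AS-REP was issued
    without pre-authentication."""
    seen = defaultdict(set)
    for ev in parse_ndjson(ndjson_text):
        win = ev.get("winlog", {})
        if win.get("event_id") != 4768:
            continue
        d = win.get("event_data", {})
        if (d.get("PreAuthType") == NO_PREAUTH
                and str(d.get("TicketEncryptionType", "")).lower() == RC4_HMAC
                and str(d.get("Status", "")).lower() == TGT_ISSUED):
            seen[d.get("IpAddress", "?")].add(d.get("TargetUserName", "?"))
    return {ip: sorted(users) for ip, users in seen.items()}


def roasting_sources(ndjson_text, min_accounts=2):
    """Hosts that collected roastable AS-REPs for several accounts. One
    no-preauth service account may be legitimate; a sweep across several
    from one workstation is the tool's enumeration pattern."""
    return sorted(ip for ip, users in asrep_roast_candidates(ndjson_text).items()
                  if len(users) >= min_accounts)


if __name__ == "__main__":
    for ip, users in asrep_roast_candidates(SAMPLE_NDJSON).items():
        print(f"{ip} obtained roastable AS-REPs for: {', '.join(users)}")
    print("likely roasting hosts:", roasting_sources(SAMPLE_NDJSON))
```

The list of candidate accounts is also the remediation list: every account that shows up here has "Do not require Kerberos preauthentication" set, and clearing that flag (or moving the account to AES-only) removes the exposure regardless of whether the cracking succeeded.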

Q6

What's the tool used by the attacker for registering a rogue Domain Controller to manipulate Active Directory data?

Answer Format: ********

Let's start with DefragTool.exe's network connections (Sysmon Event ID 3):

index=* winlog.event_id=3 winlog.event_data.Image="*DefragTool.exe"
| table _time winlog.event_data.Image winlog.event_data.DestinationIp winlog.event_data.DestinationPort winlog.event_data.DestinationHostname
| sort _time

Output:

┌─────────────────────────────┐
│  DefragTool.exe             │
│  (10.0.0.184)               │
└──────────┬──────────────────┘
           │
           │ [01:14:55]
           ├──────► 10.0.0.147:389 (LDAP)
           ├──────► 10.0.0.147:389 (LDAP)
           │
           │ [01:14:56]
           ├──────► 10.0.0.147:389 (LDAP)
           ├──────► 10.0.0.147:389 (LDAP)
           ├──────► 10.0.0.147:389 (LDAP)
           ├──────► 10.0.0.147:389 (LDAP)
           │
           │ [01:15:23]
           ├──────► 10.0.0.184:56958
           ├──────► 10.0.0.184:56958
           ├──────► 10.0.0.147:49666 (RPC)
           ├──────► 10.0.0.147:135 (RPC Endpoint)
           ├──────► 10.0.0.147:389 (LDAP)
           ├──────► 10.0.0.147:389 (LDAP)
           ├──────► 10.0.0.147:389 (LDAP)
           ├──────► 10.0.0.147:389 (LDAP)
           └──────► 10.0.0.147:389 (LDAP)
                    │
                    ▼
           ┌─────────────────┐
           │   DC01          │
           │  (10.0.0.147)   │
           └─────────────────┘

DefragTool.exe connects to port 389 (LDAP) and other AD-related ports. Port 389 is LDAP, which is how tools interact with Active Directory.

Let's search for loaded DLLs or modules by DefragTool.exe to identify the tool:

index=* winlog.event_id=7 winlog.event_data.Image="*DefragTool.exe"
| table _time winlog.event_data.ImageLoaded winlog.event_data.Signed winlog.event_data.Description
| sort _time

Output:

_time   winlog.event_data.ImageLoaded   winlog.event_data.Signed    winlog.event_data.Description
2024-08-06 01:14:47.095 C:\Users\Default\AppData\Local\Temp\DefragTool.exe  true    mimikatz for Windows
2024-08-06 01:15:18.618 C:\Users\Default\AppData\Local\Temp\DefragTool.exe  true    mimikatz for Windows

DefragTool.exe is actually mimikatz renamed for evasion. The tool was used with the DCShadow module to:

  1. Connect to the Domain Controller via LDAP (port 389)
  2. Use RPC (ports 135, 49666) to register as a temporary rogue Domain Controller
  3. Inject malicious changes into Active Directory

Answer:

mimikatz
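Both Q4 and Q6 came down to the same trick: the file name was changed but the PE version metadata Sysmon records was not. As an added example that is not part of the write-up, the script below turns that into a check over ID 1 and ID 7 records using three signals from fields in the lab's list: OriginalFileName disagreeing with the on-disk name, Description/Product/OriginalFileName naming a known tool, and a command-line verb that belongs to a known tool (asreproast is Rubeus's AS-REP roasting action). Sample events are constructed; the PE metadata values for the Rubeus sample are assumed since the write-up does not show them, while the mimikatz Description is the one the ID 7 output above shows.

```python
"""Catch renamed offensive tools from the metadata Sysmon records, not from
the file name on disk.

Added example, not code from the ShadowRoast write-up. Sample events are
constructed; Rubeus PE metadata values are assumed.
"""
import json

# Verbs and metadata strings that give away the tools seen in this lab.
TOOL_VERBS = {"asreproast": "Rubeus"}
TOOL_MARKERS = {"mimikatz": "mimikatz", "rubeus": "Rubeus"}
TEMP = "C:\\Users\\Default\\AppData\\Local\\Temp\\"


def ev(event_id, **data):
    return {"winlog": {"event_id": event_id, "event_data": data}}


SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    # Renamed Rubeus (PE metadata assumed, command line as recovered in Q4).
    ev(1, Image=TEMP + "BackupUtility.exe", OriginalFileName="Rubeus.exe",
       Description="Rubeus", Product="Rubeus",
       CommandLine='"' + TEMP + 'BackupUtility.exe" asreproast /format:hashcat'),
    # Renamed mimikatz on image load; OriginalFileName is Sysmon's "?" when
    # the field could not be read, so only the Description gives it away.
    ev(7, ImageLoaded=TEMP + "DefragTool.exe", OriginalFileName="?",
       Description="mimikatz for Windows", Signed="true"),
    # Benign: metadata agrees with the file name (case differs, which is normal).
    ev(1, Image="C:\\Windows\\System32\\notepad.exe", OriginalFileName="NOTEPAD.EXE",
       Description="Notepad", Product="Microsoft Windows Operating System",
       CommandLine="notepad.exe C:\\Users\\sanderson\\notes.txt"),
    ev(7, ImageLoaded="C:\\Windows\\System32\\ntdll.dll", OriginalFileName="ntdll.dll",
       Description="NT Layer DLL", Signed="true"),
])


def parse_ndjson(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    return path.rpartition("\\")[2]


def tool_named_in(*texts):
    """First known tool mentioned in any of the given metadata strings."""
    joined = " ".join(t for t in texts if t).lower()
    for marker, tool in TOOL_MARKERS.items():
        if marker in joined:
            return tool
    return None


def find_renamed_tools(ndjson_text):
    """One finding per ID 1 / ID 7 event whose metadata contradicts its
    file name, with the reasons and the tool it most likely is."""
    findings = []
    for record in parse_ndjson(ndjson_text):
        win = record.get("winlog", {})
        eid, d = win.get("event_id"), win.get("event_data", {})
        if eid == 1:
            image = d.get("Image", "")
        elif eid == 7:
            image = d.get("ImageLoaded", "")
        else:
            continue
        name = basename(image)
        original = d.get("OriginalFileName", "")
        reasons, tool = [], None
        # 1. Compiled-in file name differs from the name on disk.
        if original and original != "?" and original.lower() != name.lower():
            reasons.append(f"OriginalFileName is {original}, on disk as {name}")
        # 2. Version metadata names a tool that the file name does not.
        meta_tool = tool_named_in(original, d.get("Description"), d.get("Product"))
        if meta_tool and meta_tool.lower() not in name.lower():
            reasons.append(f"PE metadata names {meta_tool}")
            tool = meta_tool
        # 3. A command-line verb only a known tool understands.
        if eid == 1:
            for token in d.get("CommandLine", "").lower().split():
                if token in TOOL_VERBS:
                    reasons.append(f"command-line verb '{token}' belongs to {TOOL_VERBS[token]}")
                    tool = tool or TOOL_VERBS[token]
        if reasons:
            findings.append({"event_id": eid, "image": image,
                             "suspected_tool": tool, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_renamed_tools(SAMPLE_NDJSON):
        print(f"ID {f['event_id']} {f['image']} -> {f['suspected_tool']}")
        for r in f["reasons"]:
            print("   ", r)
```

The first two signals go quiet if the version resource has been stripped or rewritten, which is why the command-line verb check is kept as an independent signal; in this lab the asreproast verb alone would have named the tool.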

Q7

What's the first command used by the attacker for enabling RDP on remote machines for lateral movement?

Answer Format: *** *** "****\******\*****************\*******\******** ******" /* /* ****************** /* ***_***** /* *

We need to find the command used to enable RDP on remote machines. The answer format suggests a registry command.

Let's search for commands that modify RDP-related registry keys or Windows services:

index=* winlog.event_id=1
| search winlog.event_data.CommandLine="*reg add*" OR winlog.event_data.CommandLine="*TerminalServices*" OR winlog.event_data.CommandLine="*fDenyTSConnections*" OR winlog.event_data.CommandLine="*Remote Desktop*"
| table _time winlog.event_data.Image winlog.event_data.CommandLine
| sort _time

Now we have the command, which matches the answer format pattern:

Answer:

reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
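The wildcard search above catches any reg add, and the analyst then reads the hit. As an added example that is not part of the write-up, the script below parses reg add command lines from Sysmon ID 1 CommandLine values and classifies the ones that open Remote Desktop. The tokenizer follows Windows rules (double quotes group, backslashes are literal), which is why shlex is not used, and hive abbreviations are expanded so hklm and HKEY_LOCAL_MACHINE compare equal. Rule one is the fDenyTSConnections change the answer shows; rule two, turning off Network Level Authentication through UserAuthentication under RDP-Tcp, is added as a related value to watch and is not something the lab shows. Sample command lines are constructed apart from the one recovered above.

```python
"""Parse `reg add` command lines (Sysmon Event ID 1, CommandLine field) and
classify the ones that open Remote Desktop on the host.

Added example, not code from the ShadowRoast write-up. Sample command lines
are constructed except for the lab's own fDenyTSConnections command.
"""

HIVES = {"hklm": "HKEY_LOCAL_MACHINE", "hkcu": "HKEY_CURRENT_USER",
         "hku": "HKEY_USERS", "hkcr": "HKEY_CLASSES_ROOT", "hkcc": "HKEY_CURRENT_CONFIG"}

TS_KEY = "hkey_local_machine\\system\\currentcontrolset\\control\\terminal server"

# (normalized key, value name, data, verdict)
RULES = [
    (TS_KEY, "fdenytsconnections", "0",
     "Remote Desktop enabled (fDenyTSConnections=0)"),
    (TS_KEY + "\\winstations\\rdp-tcp", "userauthentication", "0",
     "RDP Network Level Authentication disabled (UserAuthentication=0)"),
]

SAMPLE_COMMANDS = [
    'reg add "hklm\\system\\currentcontrolset\\control\\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0',
    'cmd.exe /c reg.exe add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x0 /f',
    "reg add HKCU\\Software\\Contoso\\App /v Theme /t REG_SZ /d dark /f",
    "powershell -nop -c whoami",
]


def split_windows_cmdline(cmdline):
    """Whitespace-split honouring double quotes; backslashes stay literal."""
    tokens, current, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def normalize_key(key):
    """Expand hive abbreviations, lower-case, drop a trailing backslash."""
    hive, sep, rest = key.partition("\\")
    return (HIVES.get(hive.lower(), hive) + sep + rest).lower().rstrip("\\")


def parse_reg_add(cmdline):
    """Return {key, value, type, data, force} for a reg add invocation, or
    None. The reg verb may sit behind a wrapper such as `cmd /c`."""
    tokens = split_windows_cmdline(cmdline)
    for i in range(len(tokens) - 2):
        exe = tokens[i].rpartition("\\")[2].lower()
        if exe in ("reg", "reg.exe") and tokens[i + 1].lower() == "add":
            break
    else:
        return None
    args = tokens[i + 2:]
    parsed = {"key": normalize_key(args[0]), "value": None, "type": None,
              "data": None, "force": False}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    j = 1
    while j < len(args):
        flag = args[j].lower()
        if flag == "/f":
            parsed["force"] = True
        elif flag == "/ve":
            parsed["value"] = ""          # the key's default value
        elif flag in names and j + 1 < len(args):
            parsed[names[flag]] = args[j + 1]
            j += 1
        j += 1
    return parsed


def _same_data(observed, expected):
    """REG_DWORD data may be written as 0 or 0x0; compare numerically when
    both sides parse as integers, otherwise as case-insensitive strings."""
    try:
        return int(observed, 0) == int(expected, 0)
    except (TypeError, ValueError):
        return (observed or "").lower() == expected.lower()


def classify_reg_add(cmdline):
    """Verdict string for a rule hit, else None."""
    p = parse_reg_add(cmdline)
    if not p or p["value"] is None:
        return None
    for key, value, data, verdict in RULES:
        if p["key"] == key and p["value"].lower() == value and _same_data(p["data"], data):
            return verdict
    return None


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(classify_reg_add(cmd) or "no rule hit", "<-", cmd)
```

The same registry values can also be set through PowerShell (Set-ItemProperty) or WMI rather than reg.exe, so this parser covers one path; pairing it with Sysmon ID 13 on the same TargetObject catches the change whichever tool wrote it.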

Q8

What's the file name created by the attacker after compressing confidential files?

Answer Format: *********.***

We need to find the compressed file created by the attacker containing confidential data. Let's search file creation events for archive files (zip, rar, 7z, tar), since attackers typically compress stolen data before exfiltration:

index=* winlog.event_id=11
| search winlog.event_data.TargetFilename="*.zip" OR winlog.event_data.TargetFilename="*.rar" OR winlog.event_data.TargetFilename="*.7z" OR winlog.event_data.TargetFilename="*.tar"
| table _time winlog.event_data.Image winlog.event_data.TargetFilename
| sort _time

Output:

2024-08-06 01:21:04.278 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   C:\Users\Default\AppData\Local\Temp\CrashDump.zip

Answer:

CrashDump.zip
