FalconEye Lab
Q1) What is the name of the compromised account?
A Pass-the-Hash (PtH) attack is a technique where an attacker captures a password hash (as opposed to the password characters) and then passes it through for authentication and lateral access to other networked systems. With this technique, the threat actor doesn’t need to decrypt the hash to obtain a plain text password.
index="folks" sourcetype="xmlwineventlog" EventCode=4624
| stats count by WorkstationName, TargetUserName, SubjectUserSid
System accounts (e.g., SYSTEM, ANONYMOUS LOGON) and NULL SIDs often generate noise in logs that are not relevant to the investigation.
index="folks" sourcetype="xmlwineventlog" EventCode=4624 SubjectUserSid!="NT AUTHORITY\\SYSTEM" SubjectUserSid!="NULL SID"
| table _time, WorkstationName, TargetUserName, SubjectUserSid, LogonProcessName, LogonType
The discovery of the seclogo process with Logon Type 9 is a critical lead, as it strongly aligns with behavior observed in a Pass-the-Hash (PtH) attack or similar credential theft techniques.
Logon Type 9 indicates NewCredentials, which is used when a process is explicitly run with different credentials (
runas).This is commonly seen in attacks where credentials or hashes are reused, such as PtH, because the attacker invokes a process using stolen credentials.
Answer: Abdullah-work\HelpDesk
Q2) What is the name of the compromised machine?
index="folks" sourcetype="xmlwineventlog" EventCode=1 user=Helpdesk
Answer: Client02
Q3) What tool did the attacker use to enumerate the environment?
In Active Directory environments, tools like PowerView, BloodHound, PowerSploit, and SharpHound are often used for enumeration. These tools are frequently executed through PowerShell and can enumerate user accounts, group memberships, trusts, and other AD-related information.
index="folks" sourcetype="xmlwineventlog" EventCode=4104 host="CLIENT02" BloodHound
| table _time, ScriptBlockText
Answer: Bloodhound
Q4) The attacker used Unquoted Service Path to escalate privileges. What is the name of the vulnerable service?
The unquoted path vulnerability happens when a service's executable path contains spaces, but the path isn't enclosed in quotes.
index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=1 Image="*.exe" CommandLine="*.exe"
| stats count by Image, CommandLine
| sort count
The service path C:\Program Files\Basic Monitoring\Automate-Basic-Monitoring.exe should have been quoted to prevent the path from being misinterpreted. The unquoted path C:\program.exe means that when the system tries to execute this path, it will look for the executable at C:\program.exe, which could be a malicious file created by the attacker.
The path should be properly quoted, like "C:\Program Files\Basic Monitoring", to avoid this vulnerability.
Answer: Automate-Basic-Monitoring.exe
Q5) What is the SHA256 of the executable that escalates the attacker privileges?
index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=1 Image="C:\\program.exe"
| table Image, hashes
Answer: 8ACC5D98CFFE8FE7D85DE218971B18D49166922D079676729055939463555BD2
Q6) When did the attacker download fun.exe? (24H-UTC)
index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=11 "*fun.exe*"
| table _time, file_path
Answer: 2023-05-10 05:08:57
Q7) What is the command line used to launch the DCSync attack
index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=1 "*fun.exe*"
| table Image, CommandLine
Answer: "C:\Users\HelpDesk\fun.exe" "lsadump::dcsync /user:Abdullah-work\Administrator"
Q8) What is the original name of fun.exe?
Answer: Mimikatz.exe
Q9) The attacker performed the Over-Pass-The-Hash technique. What is the AES256 hash of the account he attacked?
The Over-Pass-The-Hash (OPTH) technique is typically used by attackers to request a TGT (Ticket-Granting Ticket) for a specific user account without needing the plaintext password, instead using an NTLM hash or AES256 hash of the target account's password. The AES256 hash of the attacked account is used in this attack.
index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=1 "*aes256*"
| table _time, Image, CommandLine
| sort _time
The timestamp 2023-05-10 05:49:10 is the earliest among the recorded actions, indicating that the Mohammed account was likely the first victim.
Answer: facca59ab6497980cbb1f8e61c446bdbd8645166edd83dac0da2037ce954d379
Q10) What service did the attacker abuse to access the Client03 machine as Administrator?
index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=1 "*aes256*"
| table _time, Image, CommandLine
| sort _time
s4u: This command in Mimikatz manipulates the Service-for-User (S4U) extensions in Kerberos. S4U allows a service to request tickets on behalf of a user for delegation./user:Client02$: Specifies the account for which the attacker is performing the S4U operation.Client02$refers to a computer account (indicated by the$), which is a standard naming convention in Active Directory.
/aes256:<key>: Provides the AES256 key (Kerberos encryption key) for the account. This key is typically extracted during prior compromise (e.g., DCSync)./msdsspn:http/Client03: Indicates the Service Principal Name (SPN) for the service being targeted (http/Client03)./impersonateuser:Administrator: Impersonates the specified user (Administrator) during the operation./ptt: Passes the Kerberos ticket directly into memory, enabling the attacker to authenticate as the impersonated user without leaving a credential trace.
Answer: http/Client03
Q11) The Client03 machine spawned a new process when the attacker logged on remotely. What is the process name?
I converted the human date to Timestamp using https://www.epochconverter.com/
index="folks" sourcetype="xmlwineventlog" host="client03" EventCode=1 earliest=1683697750 NOT "*splunk*"
| stats count by Image, CommandLine, ParentImage, ParentCommandLine
Answer: wsmprovhost.exe
Q12) The attacker compromises the it-support account. What was the logon type?
index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=1 "*aes256*" "it-support"
| table _time, Image, CommandLine
| sort _time
Logon type 9 is used in situations where the attacker uses a pass-the-hash (PTH) or over-pass-the-hash (OPTH) technique to authenticate with new credentials while impersonating the targeted user.
Answer: 9
Q13) What ticket name did the attacker generate to access the parent DC as Administrator?
index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=1 "*ticket*"
| table _time, Image, CommandLine
| sort _time
Answer: trust-test2.kirbi
Last updated