FaresMorcy
FalconEye Lab

Last updated 6 months ago

Q1) What is the name of the compromised account?

A Pass-the-Hash (PtH) attack is a technique where an attacker captures a password hash (rather than the password itself) and passes that hash to the authentication process to gain lateral access to other networked systems. With this technique, the threat actor doesn’t need to crack the hash to recover the plaintext password.

index="folks" sourcetype="xmlwineventlog"  EventCode=4624 
| stats count by WorkstationName, TargetUserName, SubjectUserSid

System accounts (e.g., SYSTEM, ANONYMOUS LOGON) and NULL SIDs generate a large amount of log noise that is not relevant to the investigation, so they are excluded next.

index="folks" sourcetype="xmlwineventlog"  EventCode=4624 SubjectUserSid!="NT AUTHORITY\\SYSTEM" SubjectUserSid!="NULL SID"
| table _time, WorkstationName, TargetUserName, SubjectUserSid, LogonProcessName, LogonType

The discovery of the seclogo process with Logon Type 9 is a critical lead, as it strongly aligns with behavior observed in a Pass-the-Hash (PtH) attack or similar credential theft techniques.

  • Logon Type 9 indicates NewCredentials, which is used when a process is explicitly run with different credentials (runas).

  • This is commonly seen in attacks where credentials or hashes are reused, such as PtH, because the attacker invokes a process using stolen credentials.

Answer: Abdullah-work\HelpDesk
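The two searches above can be reproduced offline against raw XmlWinEventLog records. The following script is an added example (not part of the lab write-up): it parses a handful of constructed 4624 events, drops the SYSTEM and NULL-SID subjects exactly as the SPL does, builds the same count-by summary, and flags any remaining logon with LogonType 9 through the seclogo logon process. The SID-to-name mapping in NOISE_SUBJECTS is an assumption: raw events carry the SID, while Splunk's Windows add-on renders well-known SIDs as the names seen in the query.

```python
"""Triage of Windows 4624 logon events for the NewCredentials (type 9 / seclogo)
pattern used in the Pass-the-Hash hunt. Added example; the XML events below are
constructed and only mimic the Security-log fields Splunk exposes."""
from collections import Counter
import xml.etree.ElementTree as ET

# Subject identities that generate noise in the Security log. Raw XML carries the
# SID; Splunk's Windows add-on renders the well-known ones as names, so both
# spellings are listed (assumption: the lab's data used the rendered form).
NOISE_SUBJECTS = {"S-1-5-18", "NT AUTHORITY\\SYSTEM", "S-1-0-0", "NULL SID"}
NEW_CREDENTIALS = "9"   # LogonType 9 = NewCredentials (runas /netonly, PtH tooling)


def _event(subject_sid, target, domain, logon_type, logon_proc, workstation):
    """Build a minimal XmlWinEventLog 4624 record (constructed sample data)."""
    return f"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4624</EventID><Computer>{workstation}.abdullah-work.local</Computer></System>
  <EventData>
    <Data Name='SubjectUserSid'>{subject_sid}</Data>
    <Data Name='TargetUserName'>{target}</Data>
    <Data Name='TargetDomainName'>{domain}</Data>
    <Data Name='LogonType'>{logon_type}</Data>
    <Data Name='LogonProcessName'>{logon_proc}</Data>
    <Data Name='WorkstationName'>{workstation}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    _event("S-1-5-18", "SYSTEM", "NT AUTHORITY", "5", "Advapi", "CLIENT02"),
    _event("S-1-0-0", "ANONYMOUS LOGON", "NT AUTHORITY", "3", "NtLmSsp", "CLIENT02"),
    _event("S-1-5-21-1111-2222-3333-1105", "HelpDesk", "Abdullah-work", "2", "User32", "CLIENT02"),
    _event("S-1-5-21-1111-2222-3333-1105", "HelpDesk", "Abdullah-work", "9", "seclogo", "CLIENT02"),
]


def parse_event(xml_text):
    """Flatten the <System> and <EventData> parts of one event into a dict."""
    root = ET.fromstring(xml_text)
    fields = {"EventCode": root.findtext("./{*}System/{*}EventID")}
    for data in root.iterfind("./{*}EventData/{*}Data"):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def is_noise(ev):
    """Mirror the SPL exclusion of SYSTEM and NULL-SID subjects."""
    return ev.get("SubjectUserSid") in NOISE_SUBJECTS


def logon_summary(events):
    """Equivalent of `stats count by WorkstationName, TargetUserName, SubjectUserSid`."""
    return Counter((e["WorkstationName"], e["TargetUserName"], e["SubjectUserSid"])
                   for e in events if e["EventCode"] == "4624" and not is_noise(e))


def find_new_credentials_logons(events):
    """Return DOMAIN\\user for every non-noise 4624 with LogonType 9 via seclogo."""
    hits = []
    for e in events:
        if e["EventCode"] != "4624" or is_noise(e):
            continue
        if e.get("LogonType") == NEW_CREDENTIALS and e.get("LogonProcessName") == "seclogo":
            hits.append(f"{e['TargetDomainName']}\\{e['TargetUserName']}")
    return hits


if __name__ == "__main__":
    parsed = [parse_event(x) for x in SAMPLE_EVENTS]
    for key, n in logon_summary(parsed).items():
        print(key, n)
    print("NewCredentials logons:", find_new_credentials_logons(parsed))
```

The interactive logon (type 2 via User32) from the same account survives the noise filter but is not flagged; only the seclogo/type 9 event is, which is the same lead the Splunk table surfaces.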

Q2) What is the name of the compromised machine?

index="folks" sourcetype="xmlwineventlog" EventCode=1 user=Helpdesk

Answer: Client02

Q3) What tool did the attacker use to enumerate the environment?

In Active Directory environments, tools like PowerView, BloodHound, PowerSploit, and SharpHound are often used for enumeration. These tools are frequently executed through PowerShell and can enumerate user accounts, group memberships, trusts, and other AD-related information.

index="folks" sourcetype="xmlwineventlog" EventCode=4104 host="CLIENT02" BloodHound
| table _time, ScriptBlockText

Answer: Bloodhound

Q4) The attacker used Unquoted Service Path to escalate privileges. What is the name of the vulnerable service?

The unquoted path vulnerability happens when a service's executable path contains spaces, but the path isn't enclosed in quotes.

index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=1 Image="*.exe" CommandLine="*.exe"
| stats count by Image, CommandLine
| sort count

The service path C:\Program Files\Basic Monitoring\Automate-Basic-Monitoring.exe should have been quoted. Because it is not, Windows resolves the unquoted path by splitting at each space and trying each prefix as an executable, so it looks for C:\program.exe before the intended binary; if an attacker has placed a malicious file at C:\program.exe, the service runs it instead.

The path should be properly quoted, as in "C:\Program Files\Basic Monitoring\Automate-Basic-Monitoring.exe", to avoid this vulnerability.

Answer: Automate-Basic-Monitoring.exe
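To make the resolution order concrete, here is an added audit helper (not part of the lab) that takes a service ImagePath as stored in the registry, lists the executables Windows would try before the real binary, and emits the correctly quoted value. The sample ImagePaths are constructed; the first mirrors the lab's service. The model is simplified: it does not expand environment variables and treats the first token ending in .exe as the binary.

```python
"""Audit helper for the unquoted-service-path weakness: reproduce the sequence of
executables Windows would try for a service ImagePath and produce the hardened,
quoted value. Added example, not part of the lab; sample paths are constructed."""


def split_image_path(image_path):
    """Return (exe_path, arguments, was_quoted) for a service ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip(), True
    # Unquoted: the executable is the first whitespace-separated token ending in
    # .exe, joined with everything before it (simplified model: a binary without
    # an .exe suffix is treated as the whole string).
    tokens = s.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:]), False
    return s, "", False


def candidate_paths(image_path):
    """Executables CreateProcess would try, in order; the last entry is the real binary.
    For an unquoted path with spaces Windows splits at each space and appends .exe."""
    exe_path, _, quoted = split_image_path(image_path)
    if quoted or " " not in exe_path:
        return [exe_path]
    parts = exe_path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [exe_path]


def is_unquoted_vulnerable(image_path):
    """True when the binary path itself contains a space and is not quoted."""
    exe_path, _, quoted = split_image_path(image_path)
    return not quoted and " " in exe_path


def quote_image_path(image_path):
    """Return the hardened ImagePath: binary in quotes, arguments untouched."""
    exe_path, args, _ = split_image_path(image_path)
    return f'"{exe_path}"' + (f" {args}" if args else "")


# Constructed sample ImagePath values (the first mirrors the lab's service).
SAMPLE_SERVICES = {
    "Automate-Basic-Monitoring": r"C:\Program Files\Basic Monitoring\Automate-Basic-Monitoring.exe",
    "Svchost-style": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "Quoted-ok": r'"C:\Program Files\Vendor Tool\agent.exe" --service',
}


def audit(services):
    """Map service name -> paths that resolve before the real binary (empty when safe)."""
    report = {}
    for name, image_path in services.items():
        report[name] = candidate_paths(image_path)[:-1] if is_unquoted_vulnerable(image_path) else []
    return report


if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES).items():
        print(f"{name}: {'VULNERABLE' if paths else 'ok'}")
        for p in paths:
            print("   would be tried first:", p)
        if paths:
            print("   fix:", quote_image_path(SAMPLE_SERVICES[name]))
```

Note the svchost case: its arguments contain spaces but the binary path does not, so the first candidate is already the real executable and the service is not reported. That distinction matters when scanning an entire services hive, otherwise almost every service shows up as a false positive.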

Q5) What is the SHA256 of the executable that escalates the attacker privileges?

index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=1 Image="C:\\program.exe"
| table Image, hashes

Answer: 8ACC5D98CFFE8FE7D85DE218971B18D49166922D079676729055939463555BD2

Q6) When did the attacker download fun.exe? (24H-UTC)

index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=11 "*fun.exe*"
| table _time, file_path

Answer: 2023-05-10 05:08:57

Q7) What is the command line used to launch the DCSync attack?

index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=1 "*fun.exe*"
| table Image, CommandLine

Answer: "C:\Users\HelpDesk\fun.exe" "lsadump::dcsync /user:Abdullah-work\Administrator"

Q8) What is the original name of fun.exe?

Answer: Mimikatz.exe

Q9) The attacker performed the Over-Pass-The-Hash technique. What is the AES256 hash of the account he attacked?

The Over-Pass-The-Hash (OPTH) technique lets an attacker request a TGT (Ticket-Granting Ticket) for a specific user account without knowing the plaintext password, supplying the account's NTLM hash or AES256 key instead. In this case the attacker supplied the target account's AES256 key, so searching the command lines for "aes256" reveals the accounts that were attacked.

index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=1 "*aes256*"
| table _time, Image, CommandLine
| sort _time

The timestamp 2023-05-10 05:49:10 is the earliest among the recorded actions, indicating that the Mohammed account was likely the first victim.

Answer: facca59ab6497980cbb1f8e61c446bdbd8645166edd83dac0da2037ce954d379

Q10) What service did the attacker abuse to access the Client03 machine as Administrator?

index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=1 "*aes256*"
| table _time, Image, CommandLine
| sort _time

  • s4u: This command in Mimikatz manipulates the Service-for-User (S4U) extensions in Kerberos. S4U allows a service to request tickets on behalf of a user for delegation.

  • /user:Client02$: Specifies the account for which the attacker is performing the S4U operation.

    • Client02$ refers to a computer account (indicated by the $), which is a standard naming convention in Active Directory.

  • /aes256:<key>: Provides the AES256 key (Kerberos encryption key) for the account. This key is typically extracted during prior compromise (e.g., DCSync).

  • /msdsspn:http/Client03: Indicates the Service Principal Name (SPN) for the service being targeted (http/Client03).

  • /impersonateuser:Administrator: Impersonates the specified user (Administrator) during the operation.

  • /ptt: Passes the resulting Kerberos ticket directly into the current logon session's memory instead of writing it to a .kirbi file, so the attacker can authenticate as the impersonated user immediately.

Answer: http/Client03

Q11) The Client03 machine spawned a new process when the attacker logged on remotely. What is the process name?

index="folks" sourcetype="xmlwineventlog" host="client03" EventCode=1 earliest=1683697750 NOT "*splunk*"
| stats count by Image, CommandLine, ParentImage, ParentCommandLine

Answer: wsmprovhost.exe

Q12) The attacker compromised the it-support account. What was the logon type?

index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=1 "*aes256*" "it-support"
| table _time, Image, CommandLine
| sort _time

Logon type 9 (NewCredentials) appears when pass-the-hash (PTH) or over-pass-the-hash (OPTH) tooling starts a process with new credentials: the process keeps the attacker's local token but presents the targeted user's credentials on the network.

Answer: 9

Q13) What ticket name did the attacker generate to access the parent DC as Administrator?

index="folks" sourcetype="xmlwineventlog" host=Client02 EventCode=1 "*ticket*"
| table _time, Image, CommandLine
| sort _time

Answer: trust-test2.kirbi

I converted the human date to a timestamp using https://www.epochconverter.com/