# GoldenSpray Lab

Q1) What's the attacker IP?

```splunk-spl
event.action: Logon AND event.outcome: failure
```

<figure><img src="/files/O0l7bAZ8E5LGDarNXMQA" alt=""><figcaption></figcaption></figure>

```splunk-spl
event.action: Logon AND event.outcome: failure AND winlog.event_data.IpAddress: "77.91.78.115"
```

<figure><img src="/files/R1RtgDHfQvN9oMW9rrpI" alt=""><figcaption></figcaption></figure>

This IP generated an abnormally high number of failed logon attempts against many accounts in a short time frame, which is the signature of a password spray.

Answer: 77.91.78.115

Q2) What country is the attack originating from?

<figure><img src="/files/O2CtayUYN0HnBznV3L99" alt=""><figcaption></figcaption></figure>

Answer: Finland

Q3) What's the compromised account username used for initial access?

```splunk-spl
event.action: Logon AND winlog.event_data.IpAddress: "77.91.78.115"
```

<figure><img src="/files/xplHbUAxGxAInjHWswUV" alt=""><figcaption></figcaption></figure>

Answer: SECURETECH\mwilliams
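The two queries above (Q1 and Q3) express one detection: find the source that fails many logons against many different accounts in a short window, then look at which accounts that same source later logged on to successfully. The first success is the initial-access account (Q3); any later successes from the same source are additional compromised accounts, which is the same check used for Q7. The Python below is an added example, not code from the lab or this writeup. It assumes events shaped like the Winlogbeat/ECS documents the queries filter (`event.action`, `event.outcome`, `winlog.event_data.IpAddress`, `winlog.event_data.TargetUserName`); the IPs, usernames and timestamps are constructed for the example and are not the lab's values.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _evt(ts, outcome, ip, user):
    """Build one logon event in the Winlogbeat/ECS field shape the lab queries use."""
    return {"@timestamp": ts, "event.action": "Logon", "event.outcome": outcome,
            "winlog.event_data.IpAddress": ip, "winlog.event_data.TargetUserName": user}


# Constructed sample data (not from the lab): one source sprays twelve accounts in
# three minutes and then lands on two of them; a workstation user mistypes a
# password twice and then logs in normally, which must not be flagged.
SAMPLE_EVENTS = (
    [_evt(f"2024-01-15T09:0{i // 4}:{(i % 4) * 15:02d}Z", "failure", "198.51.100.7", f"user{i:02d}")
     for i in range(12)]
    + [_evt("2024-01-15T09:03:10Z", "success", "198.51.100.7", "user05"),
       _evt("2024-01-15T09:40:00Z", "success", "198.51.100.7", "user09"),
       _evt("2024-01-15T09:01:00Z", "failure", "10.0.0.5", "user03"),
       _evt("2024-01-15T09:01:20Z", "failure", "10.0.0.5", "user03"),
       _evt("2024-01-15T09:01:40Z", "success", "10.0.0.5", "user03")]
)


def _ts(event):
    return datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def find_spray_sources(events, window=timedelta(minutes=5), min_failures=8, min_users=5):
    """Return source IPs whose failed logons inside any `window` exceed both thresholds.

    A spray is many failures against many *different* accounts; one user fumbling a
    password produces many failures against a single account and is not flagged.
    """
    failures = defaultdict(list)
    for e in events:
        if e["event.action"] == "Logon" and e["event.outcome"] == "failure":
            failures[e["winlog.event_data.IpAddress"]].append(
                (_ts(e), e["winlog.event_data.TargetUserName"]))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            in_window = [u for t, u in attempts[i:] if t - start <= window]
            users = set(in_window)
            if len(in_window) >= min_failures and len(users) >= min_users:
                prev = flagged.get(ip)
                if prev is None or len(in_window) > prev["failures"]:
                    flagged[ip] = {"failures": len(in_window), "distinct_users": len(users),
                                   "window_start": start.isoformat()}
    return flagged


def successful_logons_from(events, ip):
    """Accounts that logged on successfully from `ip`, in first-seen order.

    The first entry is the account used for initial access; later entries are
    additional accounts the attacker obtained (lateral-movement candidates).
    """
    seen = []
    for e in sorted(events, key=_ts):
        user = e["winlog.event_data.TargetUserName"]
        if (e["event.action"] == "Logon" and e["event.outcome"] == "success"
                and e["winlog.event_data.IpAddress"] == ip and user not in seen):
            seen.append(user)
    return seen


if __name__ == "__main__":
    for ip, info in find_spray_sources(SAMPLE_EVENTS).items():
        print(ip, info, "accounts reached:", successful_logons_from(SAMPLE_EVENTS, ip))
```

The thresholds are deliberately separate: a high failure count alone also matches a locked-out service account, so the distinct-user count is what distinguishes a spray from noise.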

Q4) What's the name of the malicious file utilized by the attacker for persistence on ST-WIN02?

Now that we know the attacker used the mwilliams account for initial access, we look for files created (Sysmon event ID 11) or processes started (Sysmon event ID 1) by that account on ST-WIN02:

```splunk-spl
event.code: 11 AND "ST-WIN02" AND "mwilliams"
```

or, for process creations:

```splunk-spl
event.code: 1 AND "ST-WIN02" AND "mwilliams"
```

<figure><img src="/files/pICpphOz2IPtoFy47dzL" alt=""><figcaption></figcaption></figure>

Answer: OfficeUpdater.exe

Q5) What's the full path used by the attacker for storing his tools?

<figure><img src="/files/qcY1zRSGR8NCuEwMbHn5" alt=""><figcaption></figcaption></figure>

Answer: C:\Users\Public\Backup\_Tools\\

Q6) What's the process ID of the tool responsible for dumping credentials on ST-WIN02?

```splunk-spl
event.code: 1 AND "ST-WIN02" AND "*mimikatz.exe"
```

<figure><img src="/files/cRvC93id1SUb3oDxy7pj" alt=""><figcaption></figcaption></figure>

Answer: 3708
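Q4 to Q6 are one correlation over Sysmon data: files the compromised account wrote (event ID 11) into a world-writable location that were later executed (event ID 1) are the persistence candidates, the directories those images ran from are the tool drop path, and the process ID comes from the matching ProcessCreate record. The Python below is an added example written for this writeup, not the lab's code. It assumes Winlogbeat field names (`event.code`, `host.name`, `winlog.event_data.User`, `TargetFilename`, `Image`, `ProcessId`); the hostname, paths, user and PIDs are constructed and are not the lab's values.

```python
# Locations any interactive user can write to; tools staged here by a domain user
# are far more suspicious than the same binaries under Program Files.
PUBLIC_ROOTS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
HOST = "WS-LAB01"  # constructed hostname for the example


def _ev(code, **fields):
    """Build one Sysmon event in Winlogbeat field shape (constructed sample data)."""
    e = {"event.code": code, "host.name": HOST}
    e.update({f"winlog.event_data.{k}": v for k, v in fields.items()})
    return e


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE = [
    _ev("11", User="LAB\\jdoe", Image=PS, TargetFilename="C:\\Users\\Public\\Staging\\Updater.exe"),
    _ev("11", User="LAB\\jdoe", Image=PS, TargetFilename="C:\\Users\\Public\\Staging\\mk.exe"),
    # benign: written into the user's own profile and never executed
    _ev("11", User="LAB\\jdoe", Image="C:\\Program Files\\Office\\winword.exe",
        TargetFilename="C:\\Users\\jdoe\\Documents\\report.docx"),
    _ev("1", User="LAB\\jdoe", Image="C:\\Users\\Public\\Staging\\Updater.exe",
        ProcessId="4120", CommandLine="Updater.exe"),
    _ev("1", User="LAB\\jdoe", Image="C:\\Users\\Public\\Staging\\mk.exe",
        ProcessId="5288", CommandLine="mk.exe"),
    _ev("1", User="LAB\\jdoe", Image="C:\\Windows\\System32\\notepad.exe",
        ProcessId="1001", CommandLine="notepad.exe"),
]


def _under_public(path):
    return path.lower().startswith(PUBLIC_ROOTS)


def _on_host(events, host, code):
    return [e for e in events if e["host.name"] == host and e["event.code"] == code]


def dropped_then_executed(events, host, user):
    """Files `user` wrote (EID 11) under a public root that later ran as a process (EID 1)."""
    dropped = {e["winlog.event_data.TargetFilename"].lower(): e["winlog.event_data.TargetFilename"]
               for e in _on_host(events, host, "11")
               if e["winlog.event_data.User"] == user
               and _under_public(e["winlog.event_data.TargetFilename"])}
    executed = {e["winlog.event_data.Image"].lower() for e in _on_host(events, host, "1")}
    return sorted(dropped[p] for p in dropped if p in executed)


def tool_directories(events, host):
    """Directories under a public root from which processes were launched (the drop path)."""
    images = (e["winlog.event_data.Image"] for e in _on_host(events, host, "1"))
    return sorted({img.rsplit("\\", 1)[0] + "\\" for img in images if _under_public(img)})


def process_ids_for(events, host, image_name):
    """PIDs of ProcessCreate events whose image file name matches (case-insensitive)."""
    return [int(e["winlog.event_data.ProcessId"]) for e in _on_host(events, host, "1")
            if e["winlog.event_data.Image"].rsplit("\\", 1)[-1].lower() == image_name.lower()]


if __name__ == "__main__":
    print("persistence candidates:", dropped_then_executed(SAMPLE, HOST, "LAB\\jdoe"))
    print("tool directories:", tool_directories(SAMPLE, HOST))
    print("mk.exe PIDs:", process_ids_for(SAMPLE, HOST, "mk.exe"))
```

Matching on the image file name, as the `*mimikatz.exe` query does, only catches tools the attacker did not rename; the drop-then-execute join above does not depend on the name and would still surface a renamed binary.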

Q7) What's the second account username the attacker compromised and used for lateral movement?

```splunk-spl
event.action: Logon AND winlog.event_data.IpAddress: "77.91.78.115"
```

<figure><img src="/files/KLdNfkacoPnhFbdWQguA" alt=""><figcaption></figcaption></figure>

Answer: SECURETECH\jsmith

Q8)

```splunk-spl
event.code: 1 AND  "*schtasks.exe"
```

<figure><img src="/files/JuFU4oLURLYnUjZ9zrdU" alt=""><figcaption></figcaption></figure>

Answer: FilesCheck
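The `schtasks.exe` query returns ProcessCreate records whose command line still has to be read by hand to get the task name. The Python below is an added example (not from the lab or this writeup) that parses `schtasks` command lines from Sysmon event ID 1 records, pulls out the `/tn`, `/tr`, `/sc` and `/ru` values, and flags tasks whose program lives in a user-writable location. It assumes Winlogbeat field names (`event.code`, `winlog.event_data.Image`, `winlog.event_data.CommandLine`); the command lines, task names and paths are constructed for the example.

```python
WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
ACTIONS = {"/create", "/delete", "/change", "/run", "/query", "/end"}
VALUE_OPTS = {"/tn", "/tr", "/sc", "/ru", "/rp", "/rl", "/st", "/mo", "/s", "/u", "/p", "/xml"}

# Constructed Sysmon ProcessCreate events; none of these values come from the lab.
SAMPLE_EVENTS = [
    {"event.code": "1", "winlog.event_data.Image": "C:\\Windows\\System32\\schtasks.exe",
     "winlog.event_data.CommandLine":
         'schtasks.exe /Create /TN "NightlyCheck" /TR "C:\\Users\\Public\\Staging\\Updater.exe" '
         '/SC MINUTE /MO 30 /RU SYSTEM /F'},
    {"event.code": "1", "winlog.event_data.Image": "C:\\Windows\\System32\\schtasks.exe",
     "winlog.event_data.CommandLine":
         'schtasks.exe /Query /TN "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"'},
    {"event.code": "1", "winlog.event_data.Image": "C:\\Windows\\System32\\schtasks.exe",
     "winlog.event_data.CommandLine":
         '"C:\\Windows\\System32\\schtasks.exe" /create /tn OfficeTelemetry '
         '/tr "C:\\Program Files\\Vendor\\tel.exe" /sc DAILY /st 09:00'},
    {"event.code": "1", "winlog.event_data.Image": "C:\\Windows\\System32\\cmd.exe",
     "winlog.event_data.CommandLine": "cmd.exe /c whoami"},
]


def _split_windows_cmd(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.
    shlex is avoided because its POSIX mode eats the backslashes in paths."""
    tokens, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def parse_schtasks(cmdline):
    """Return {'action': ..., 'tn': ..., 'tr': ..., ...} or None if not a schtasks command."""
    tokens = _split_windows_cmd(cmdline)
    if not tokens or tokens[0].rsplit("\\", 1)[-1].lower() not in ("schtasks", "schtasks.exe"):
        return None
    parsed = {"action": None}
    i = 1
    while i < len(tokens):
        t = tokens[i].lower()
        if t in ACTIONS:
            parsed["action"] = t[1:]
        elif t in VALUE_OPTS and i + 1 < len(tokens):
            parsed[t[1:]] = tokens[i + 1]  # option names are case-insensitive in schtasks
            i += 1
        elif t.startswith("/"):
            parsed[t[1:]] = True           # boolean switch such as /F
        i += 1
    return parsed


def persistence_tasks(events):
    """Scheduled-task creations seen in ProcessCreate events, with a writable-path flag."""
    found = []
    for e in events:
        if e["event.code"] != "1":
            continue
        if e["winlog.event_data.Image"].rsplit("\\", 1)[-1].lower() != "schtasks.exe":
            continue
        p = parse_schtasks(e["winlog.event_data.CommandLine"])
        if p and p["action"] == "create":
            program = p.get("tr", "")
            found.append({"task": p.get("tn"), "program": program, "schedule": p.get("sc"),
                          "run_as": p.get("ru"),
                          "suspicious": program.lower().startswith(WRITABLE_ROOTS)})
    return found


if __name__ == "__main__":
    for task in persistence_tasks(SAMPLE_EVENTS):
        print(task)
```

Security event 4698 (task created) carries the full task XML and is the more complete source when task-creation auditing is enabled; the command-line route above is what you have when, as in this lab, the Sysmon process record is the evidence.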

Q9) What's the encryption type used in the environment's Kerberos tickets?

Answer: RC4-HMAC
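The ticket cipher is recorded in Security event 4769 (Kerberos service ticket requested) in the `TicketEncryptionType` field as a hex code, where `0x17` is RC4-HMAC and `0x12` is AES256. The Python below is an added example, not the lab's code: it decodes that field across a set of 4769 records, summarises which ciphers are in use, and flags accounts that obtained RC4/DES service tickets for several distinct services in a short span, which is the footprint a defender looks for when RC4 is still allowed. Field names follow Winlogbeat (`winlog.event_data.TargetUserName`, `ServiceName`, `TicketEncryptionType`, `Status`); the accounts, services and IPs are constructed for the example.

```python
from collections import Counter, defaultdict

# Kerberos etype codes as they appear in event 4769.
ENC_TYPES = {
    "0x1": "DES-CBC-CRC",
    "0x3": "DES-CBC-MD5",
    "0x11": "AES128-CTS-HMAC-SHA1-96",
    "0x12": "AES256-CTS-HMAC-SHA1-96",
    "0x17": "RC4-HMAC",
    "0x18": "RC4-HMAC-EXP",
}
WEAK_TYPES = {"0x1", "0x3", "0x17", "0x18"}


def _e(user, service, enc, ip="::ffff:10.0.0.5", status="0x0"):
    """Build one 4769 record in Winlogbeat field shape (constructed sample data)."""
    return {"event.code": "4769", "winlog.event_data.TargetUserName": user,
            "winlog.event_data.ServiceName": service,
            "winlog.event_data.TicketEncryptionType": enc,
            "winlog.event_data.IpAddress": ip, "winlog.event_data.Status": status}


SAMPLE_4769 = [
    _e("alice@LAB.LOCAL", "svc_sql", "0x17"),
    _e("alice@LAB.LOCAL", "svc_web", "0x17"),
    _e("alice@LAB.LOCAL", "svc_backup", "0x17"),
    _e("alice@LAB.LOCAL", "WS01$", "0x12"),
    _e("bob@LAB.LOCAL", "FS01$", "0x12", ip="::ffff:10.0.0.9"),
    _e("bob@LAB.LOCAL", "svc_sql", "0x17", status="0x1b"),  # failed request: no ticket issued
]


def decode_enc_type(code):
    return ENC_TYPES.get(code.lower(), f"unknown({code})")


def encryption_summary(events):
    """Count ticket encryption types across successfully issued service tickets."""
    return Counter(decode_enc_type(e["winlog.event_data.TicketEncryptionType"])
                   for e in events
                   if e["event.code"] == "4769" and e["winlog.event_data.Status"] == "0x0")


def weak_ticket_requesters(events, min_services=3):
    """Accounts that obtained RC4/DES service tickets for at least `min_services` services.

    A single weak-cipher ticket is usually a legacy client; one account collecting
    them for many different services is the pattern worth investigating.
    """
    per_account = defaultdict(set)
    for e in events:
        if (e["event.code"] == "4769" and e["winlog.event_data.Status"] == "0x0"
                and e["winlog.event_data.TicketEncryptionType"].lower() in WEAK_TYPES):
            per_account[e["winlog.event_data.TargetUserName"]].add(
                e["winlog.event_data.ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in per_account.items()
            if len(svcs) >= min_services}


if __name__ == "__main__":
    print(dict(encryption_summary(SAMPLE_4769)))
    print(weak_ticket_requesters(SAMPLE_4769))
```

Only records with `Status` `0x0` count, since a failed request issues no ticket; the mitigation the summary points at is disabling RC4 for service accounts (or at least setting AES-only on them) so that such tickets cannot be issued in the first place.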

Q10) Can you provide the full path of the output file in preparation for data exfiltration?

```splunk-spl
event.code: 11 AND winlog.event_data.Image: *powershell.exe AND "jsmith"
```

<figure><img src="/files/Zp1GlSwkuLePPuL5KSQn" alt=""><figcaption></figcaption></figure>

Answer: C:\Users\Public\Documents\Archive\_8673812.zip

