# GoldenSpray Lab

Q1) What's the attacker IP?

```splunk-spl
event.action: Logon AND event.outcome: failure
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FqKAm3fhEgHaky8vXLJUx%2FScreenshot(6).png?alt=media&#x26;token=86638d6c-2b71-49e6-866d-e01e55cf6229" alt=""><figcaption></figcaption></figure>

```splunk-spl
event.action: Logon AND event.outcome: failure AND winlog.event_data.IpAddress: "77.91.78.115"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FrsVXM9AjBglgnFPFaps9%2FScreenshot(7).png?alt=media&#x26;token=274faba6-60af-448b-89f5-18c059e9baa3" alt=""><figcaption></figcaption></figure>

One source, 77.91.78.115, produces far more failed logon attempts in a short time frame than any other address; that burst of failures spread across accounts is the password-spraying pattern, so this is the attacker IP.

Answer:  77.91.78.115

Q2) What country is the attack originating from?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FonNThi8sTshoJUSWvQLG%2FScreenshot(5).png?alt=media&#x26;token=3ebc2986-e134-4d9f-acd3-cba7fc86ef5b" alt=""><figcaption></figcaption></figure>

Answer:  Finland

Q3) What's the compromised account username used for initial access?

```splunk-spl
event.action: Logon AND  winlog.event_data.IpAddress: "77.91.78.115"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FsB5aucgJMqz3xixDpmaI%2FScreenshot(8).png?alt=media&#x26;token=23ca8bd9-ec30-4ff4-927f-498782d6147d" alt=""><figcaption></figcaption></figure>

Answer:  SECURETECH\mwilliams
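The two queries above (failed logons grouped by source address for Q1, then successful logons from that address for Q3) are the same logic the following added example implements over constructed records. This is not code from the lab or its author: the events are made up in the winlogbeat/ECS field layout the queries use, only the attacker IP is the one identified above, and the sliding-window threshold is an assumed tuning knob. It goes slightly beyond the page by reporting the densest window and the number of distinct accounts targeted, which is what separates a spray from one user mistyping a password; the same `successful_logons_from` call on later events is how the second compromised account (Q7) surfaces.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events in the winlogbeat/ECS field layout the lab's Kibana
# queries use (event.action, event.outcome, winlog.event_data.IpAddress).
# They are not records from the lab dataset; the attacker IP is the one the lab found.
_BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

def _logon(ts, outcome, user, ip):
    return {
        "@timestamp": ts.isoformat(),
        "event": {"action": "Logon", "outcome": outcome},
        "winlog": {"event_data": {"TargetUserName": user, "IpAddress": ip}},
    }

ATTACKER_IP = "77.91.78.115"
SAMPLE_EVENTS = []
# Spray shape: one attempt per account, one second apart, many accounts overall.
for i in range(20):
    SAMPLE_EVENTS.append(_logon(_BASE + timedelta(seconds=i), "failure", f"user{i:02d}", ATTACKER_IP))
# The one account whose password matched.
SAMPLE_EVENTS.append(_logon(_BASE + timedelta(seconds=25), "success", "mwilliams", ATTACKER_IP))
# Benign noise: one user mistyping a password three times over ten minutes.
for i in range(3):
    SAMPLE_EVENTS.append(_logon(_BASE + timedelta(minutes=4 * i), "failure", "jdoe", "10.10.20.5"))

def _ts(ev):
    return datetime.fromisoformat(ev["@timestamp"])

def _ip(ev):
    return ev["winlog"]["event_data"].get("IpAddress")

def _user(ev):
    return ev["winlog"]["event_data"].get("TargetUserName")

def detect_password_spray(events, window_seconds=60, threshold=10):
    """Return {ip: {"attempts": n, "accounts": m}} for each source IP whose failed
    logons reach `threshold` inside some sliding window of `window_seconds`.
    `attempts` is the count in the densest window, `accounts` the distinct targets."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event"]["action"] == "Logon" and ev["event"]["outcome"] == "failure" and _ip(ev):
            failures[_ip(ev)].append((_ts(ev), _user(ev)))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for ip, rows in failures.items():
        rows.sort()
        best, start = 0, 0
        # Two-pointer sweep: advance `start` until the window fits, record its size.
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = {"attempts": best, "accounts": len({u for _, u in rows})}
    return hits

def successful_logons_from(events, ip):
    """Accounts that logged on successfully from `ip`, in time order: the spray's hits."""
    rows = [(_ts(ev), _user(ev)) for ev in events
            if ev["event"]["action"] == "Logon"
            and ev["event"]["outcome"] == "success" and _ip(ev) == ip]
    return [user for _, user in sorted(rows)]

if __name__ == "__main__":
    for ip, info in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['attempts']} failures in 60s against {info['accounts']} accounts")
        print("  successful logons:", successful_logons_from(SAMPLE_EVENTS, ip))
```

Lowering the threshold or widening the window pulls in the benign mistyping source as well, which is why the distinct-accounts count matters: a spray targets many accounts from one address, a forgotten password targets one.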

Q4) What's the name of the malicious file utilized by the attacker for persistence on ST-WIN02?

Now that we know the attacker used the mwilliams account for initial access, we pivot to the Sysmon events for that user on ST-WIN02. Event code 11 (FileCreate) shows what was written to disk:

```splunk-spl
event.code: 11 AND "ST-WIN02" AND "mwilliams"
```

Alternatively, event code 1 (ProcessCreate) shows what was executed:

```splunk-spl
event.code: 1 AND "ST-WIN02" AND "mwilliams"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FsyWtRE4EdVkRIItxU1gp%2FScreenshot(9).png?alt=media&#x26;token=fd42ab77-35ce-4cf1-ad59-43f1167a4317" alt=""><figcaption></figcaption></figure>

Answer: OfficeUpdater.exe

Q5) What's the full path used by the attacker for storing his tools?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FIvfxeMZDMXuENxlYA5oS%2FScreenshot(10).png?alt=media&#x26;token=5c5fb7e8-c858-4e22-8843-3997b2d43287" alt=""><figcaption></figcaption></figure>

Answer: `C:\Users\Public\Backup_Tools\`

Q6) What's the process ID of the tool responsible for dumping credentials on ST-WIN02?

```splunk-spl
event.code: 1 AND  "ST-WIN02"  AND "*mimikatz.exe"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FNsexcjJkjsnZKUlHbPcH%2FScreenshot(11).png?alt=media&#x26;token=9bcf712d-c4fb-40a1-8f81-afeeb0c47777" alt=""><figcaption></figcaption></figure>

Answer:  3708

Q7) What's the second account username the attacker compromised and used for lateral movement?

```splunk-spl
event.action: Logon AND  winlog.event_data.IpAddress: "77.91.78.115"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FEyOiYLK13w6DdLUYfvzW%2FScreenshot(12).png?alt=media&#x26;token=22d45d94-8407-4a04-bb04-989f36ad227a" alt=""><figcaption></figcaption></figure>

Answer:  SECURETECH\jsmith

Q8)

```splunk-spl
event.code: 1 AND  "*schtasks.exe"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F8J8EmilKoD07A27WRiSj%2FScreenshot(13).png?alt=media&#x26;token=24434436-eeab-4823-abaf-135df1929b58" alt=""><figcaption></figcaption></figure>

Answer:  FilesCheck

Q9) What's the encryption type used in the environment Kerberos tickets?

Answer:  RC4-HMAC
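The page gives no query for Q9, so the following added example shows where the ticket encryption type is visible in the logs: event 4769 (Kerberos service ticket requested) carries a `TicketEncryptionType` code, and winlogbeat exposes it as `winlog.event_data.TicketEncryptionType` (field name assumed here; check your own index). The events and account/service names are constructed, not taken from the lab, and the code-to-name table is Microsoft's documented mapping for 4769. The summary goes a step beyond the question by listing which successful service-ticket requests used RC4 while AES tickets exist in the same environment, since that mix is what a defender wants to see flagged.

```python
from collections import Counter

# Microsoft's documented TicketEncryptionType values for event 4769.
ETYPE_NAMES = {
    "0x1": "DES-CBC-CRC",
    "0x3": "DES-CBC-MD5",
    "0x11": "AES128-CTS-HMAC-SHA1-96",
    "0x12": "AES256-CTS-HMAC-SHA1-96",
    "0x17": "RC4-HMAC",
    "0x18": "RC4-HMAC-EXP",
}

# Constructed 4769 events in winlogbeat layout. Not the lab's data: the domain
# FQDN, service names and requesting accounts are made up for the example.
def _tgs(user, service, etype, status="0x0"):
    return {"event": {"code": "4769"},
            "winlog": {"event_data": {"TargetUserName": user, "ServiceName": service,
                                      "TicketEncryptionType": etype, "Status": status}}}

SAMPLE_EVENTS = [
    _tgs("jsmith@SECURETECH.LOCAL", "ST-WIN02$", "0x12"),
    _tgs("jsmith@SECURETECH.LOCAL", "svc_sql", "0x17"),
    _tgs("mwilliams@SECURETECH.LOCAL", "krbtgt", "0x17"),
    _tgs("jdoe@SECURETECH.LOCAL", "ST-WIN01$", "0x12"),
    _tgs("jdoe@SECURETECH.LOCAL", "svc_backup", "0x17", status="0x1b"),  # failed request, ignored
]

def etype_name(code):
    """Human-readable name for a 4769 TicketEncryptionType code such as '0x17'."""
    return ETYPE_NAMES.get(code.lower(), f"unknown({code})")

def _successful_tgs(events):
    for ev in events:
        d = ev["winlog"]["event_data"]
        if ev["event"]["code"] == "4769" and d.get("Status") == "0x0":
            yield d

def ticket_encryption_summary(events):
    """Count successful service-ticket requests per encryption type name."""
    counts = Counter(etype_name(d["TicketEncryptionType"]) for d in _successful_tgs(events))
    return dict(counts)

def rc4_service_tickets(events):
    """(requesting account, service) for every successful RC4-HMAC ticket request.
    In a domain that also issues AES tickets these are the ones worth reviewing:
    either the service account still has RC4 enabled or a client asked for it."""
    return [(d["TargetUserName"], d["ServiceName"]) for d in _successful_tgs(events)
            if etype_name(d["TicketEncryptionType"]) == "RC4-HMAC"]

if __name__ == "__main__":
    print(ticket_encryption_summary(SAMPLE_EVENTS))
    for user, service in rc4_service_tickets(SAMPLE_EVENTS):
        print(f"RC4 ticket for {service} requested by {user}")
```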

Q10) Can you provide the full path of the output file in preparation for data exfiltration?

```splunk-spl
event.code: 11 AND winlog.event_data.Image: *powershell AND "jsmith"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FlMf9t7CYA9OiCUltwBF6%2FScreenshot(14).png?alt=media&#x26;token=e42ddc29-2ea9-421e-b826-6e0656884144" alt=""><figcaption></figcaption></figure>

Answer: `C:\Users\Public\Documents\Archive_8673812.zip`
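Q4, Q5, Q6, Q8 and Q10 are all the same host-side hunt: filter Sysmon records by event code, host, user and a wildcard on the image name, then read one field out of the hits (a created file, a process ID, a scheduled task name, an output path). The added example below, which is not code from the lab or its author, does that over constructed Sysmon records in the winlogbeat/ECS layout; the file names reuse the lab's findings so the output lines up with the walkthrough, while the process IDs, command lines and the ST-WIN01 noise record are made up. The `*mimikatz.exe` style pattern is matched with shell-style wildcards, the same semantics the lab's queries rely on, and the task-name extraction handles both quoted and unquoted `/tn` arguments.

```python
import fnmatch
import ntpath
import re

# Constructed Sysmon records in winlogbeat/ECS layout (event.code, host.name,
# winlog.event_data.*). Not the lab's data: file names follow the walkthrough's
# findings, process IDs, command lines and the ST-WIN01 record are invented.
def _sysmon(code, host, user, **data):
    return {"event": {"code": str(code)}, "host": {"name": host},
            "winlog": {"event_data": {"User": user, **data}}}

SAMPLE_EVENTS = [
    _sysmon(11, "ST-WIN02", "SECURETECH\\mwilliams", Image=r"C:\Windows\System32\cmd.exe",
            TargetFilename=r"C:\Users\Public\Backup_Tools\OfficeUpdater.exe"),
    _sysmon(1, "ST-WIN02", "SECURETECH\\mwilliams",
            Image=r"C:\Users\Public\Backup_Tools\mimikatz.exe",
            CommandLine="mimikatz.exe", ProcessId="3708"),
    _sysmon(1, "ST-WIN02", "SECURETECH\\jsmith", Image=r"C:\Windows\System32\schtasks.exe",
            CommandLine='schtasks.exe /create /tn FilesCheck /tr '
                        '"C:\\Users\\Public\\Backup_Tools\\OfficeUpdater.exe" /sc daily',
            ProcessId="4120"),
    _sysmon(11, "ST-WIN02", "SECURETECH\\jsmith",
            Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            TargetFilename=r"C:\Users\Public\Documents\Archive_8673812.zip"),
    _sysmon(1, "ST-WIN01", "SECURETECH\\jdoe", Image=r"C:\Windows\System32\notepad.exe",
            CommandLine="notepad.exe", ProcessId="2200"),
]

def _data(ev):
    return ev["winlog"]["event_data"]

def hunt(events, code=None, host=None, user_contains=None, image=None):
    """Filter Sysmon events; `image` is a case-insensitive wildcard like '*mimikatz.exe'."""
    out = []
    for ev in events:
        d = _data(ev)
        if code is not None and ev["event"]["code"] != str(code):
            continue
        if host is not None and ev["host"]["name"] != host:
            continue
        if user_contains is not None and user_contains.lower() not in d.get("User", "").lower():
            continue
        if image is not None and not fnmatch.fnmatchcase(d.get("Image", "").lower(), image.lower()):
            continue
        out.append(ev)
    return out

def process_ids(events, **filters):
    """ProcessId of every event-1 record matching the filters (Q6)."""
    return [_data(ev)["ProcessId"] for ev in hunt(events, code=1, **filters)]

def files_created(events, **filters):
    """TargetFilename of every event-11 record matching the filters (Q4, Q10)."""
    return [_data(ev)["TargetFilename"] for ev in hunt(events, code=11, **filters)]

def tool_directories(events, **filters):
    """Directories the matching processes were launched from (Q5)."""
    return {ntpath.dirname(_data(ev)["Image"]) for ev in hunt(events, code=1, **filters)}

_TN = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

def scheduled_task_names(events, **filters):
    """Task names from schtasks /create command lines (Q8)."""
    names = []
    for ev in hunt(events, code=1, image="*schtasks.exe", **filters):
        cmd = _data(ev).get("CommandLine", "")
        m = _TN.search(cmd)
        if "/create" in cmd.lower() and m:
            names.append(m.group(1) or m.group(2))
    return names

if __name__ == "__main__":
    print(files_created(SAMPLE_EVENTS, host="ST-WIN02", user_contains="mwilliams"))
    print(process_ids(SAMPLE_EVENTS, host="ST-WIN02", image="*mimikatz.exe"))
    print(scheduled_task_names(SAMPLE_EVENTS))
    print(files_created(SAMPLE_EVENTS, image="*powershell.exe", user_contains="jsmith"))
```

Note that a wildcard on the image should end in `.exe` (or a trailing `*`) when the field is an exact-match keyword; a pattern ending in `powershell` alone only matches values that end in that word.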
