GoldenSpray Lab
Q1) What's the attacker IP?
event.action: Logon AND event.outcome: failure
event.action: Logon AND event.outcome: failure AND winlog.event_data.IpAddress: "77.91.78.115"
Filtering on failed logons and grouping by source address shows a single IP generating a burst of failed logon attempts in a short time frame, the signature of a password spray; narrowing the query to that address confirms it.
Answer: 77.91.78.115
Q2) What country is the attack originating from?

Answer: Finland
Q3) What's the compromised account username used for initial access?

Answer: SECURETECH\mwilliams
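As an added example for Q1 and Q3 (not part of the lab or of this writeup), the following Python reproduces the logic of the two queries above over constructed sample events: it groups failed logons by source address, flags any address whose failures inside a sliding window meet both a count and a distinct-account threshold, and then returns the first successful logon from that address, which is the account the spray landed on. The IP addresses, account names and timestamps below are made up; the field names follow the ECS/winlog names used in the queries.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from the lab). Field names follow the
# ECS/winlog names used in the Kibana queries; timestamps and addresses are fake.
def _ev(ts, outcome, user, ip):
    return {"@timestamp": ts, "event.action": "Logon", "event.outcome": outcome,
            "user.name": user, "winlog.event_data.IpAddress": ip}

SPRAY_IP = "198.51.100.23"   # hypothetical attacker address (documentation range)
SAMPLE_EVENTS = []
# 12 failures against 12 different accounts in under two minutes from one IP
for i in range(12):
    SAMPLE_EVENTS.append(_ev(f"2024-05-01T10:{i // 6:02d}:{(i % 6) * 9:02d}Z",
                             "failure", f"user{i:02d}", SPRAY_IP))
# The spray lands: first success from the same address
SAMPLE_EVENTS.append(_ev("2024-05-01T10:02:10Z", "success", "mwilliams", SPRAY_IP))
# A legitimate user mistyping a password a few times from an internal host
for ts in ("10:05:00", "10:05:20", "10:05:40"):
    SAMPLE_EVENTS.append(_ev(f"2024-05-01T{ts}Z", "failure", "jdoe", "10.0.0.5"))
SAMPLE_EVENTS.append(_ev("2024-05-01T10:06:00Z", "success", "jdoe", "10.0.0.5"))


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def failed_logons(events):
    """Same filter as: event.action: Logon AND event.outcome: failure"""
    return [e for e in events
            if e["event.action"] == "Logon" and e["event.outcome"] == "failure"]


def find_spray_sources(events, window=timedelta(minutes=5),
                       min_failures=10, min_users=5):
    """Return {ip: (failures, distinct_users)} for every source address whose
    failed logons inside some sliding window of `window` length reach both
    thresholds. Requiring many distinct accounts separates a spray from one
    user locking themselves out."""
    by_ip = defaultdict(list)
    for e in failed_logons(events):
        by_ip[e["winlog.event_data.IpAddress"]].append(e)

    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_ts(e["@timestamp"]))
        start, best = 0, (0, 0)
        for end, ev in enumerate(evs):
            # Advance the window start until the span fits inside `window`
            while parse_ts(ev["@timestamp"]) - parse_ts(evs[start]["@timestamp"]) > window:
                start += 1
            win = evs[start:end + 1]
            users = {w["user.name"] for w in win}
            if len(win) >= min_failures and len(users) >= min_users:
                best = max(best, (len(win), len(users)))
        if best[0]:
            hits[ip] = best
    return hits


def first_success_from(events, ip):
    """Earliest successful logon from `ip`: the account the spray compromised."""
    succ = sorted((e for e in events
                   if e["event.action"] == "Logon"
                   and e["event.outcome"] == "success"
                   and e["winlog.event_data.IpAddress"] == ip),
                  key=lambda e: parse_ts(e["@timestamp"]))
    return succ[0]["user.name"] if succ else None


if __name__ == "__main__":
    for ip, (n, u) in find_spray_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {n} failures against {u} accounts; "
              f"first success as {first_success_from(SAMPLE_EVENTS, ip)}")
```

The thresholds are deliberately conservative; tune `window`, `min_failures` and `min_users` to the lockout policy of the environment, and note that a spray run slowly enough to stay under the lockout threshold per account will still show up here because the detection keys on the source address, not on the account.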
Q4) What's the name of the malicious file utilized by the attacker for persistence on ST-WIN02?
Now we know the attacker used the mwilliams account for initial access, so the next step is to follow that account's activity on ST-WIN02 and look for the persistence mechanism it set up.

Answer: OfficeUpdater.exe
Q5) What's the full path used by the attacker for storing his tools?

Answer: C:\Users\Public\Backup_Tools\
Q6) What's the process ID of the tool responsible for dumping credentials on ST-WIN02?

Answer: 3708
Q7) What's the second account username the attacker compromised and used for lateral movement?

Answer: SECURETECH\jsmith
Q8)

Answer: FilesCheck
Q9) What's the encryption type used in the environment Kerberos tickets?
Answer: RC4-HMAC
RC4-HMAC (etype 0x17) tickets are keyed with the account's NT hash rather than an AES key, which is why tickets issued in this encryption type are the ones an attacker can crack offline at practical speed.
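As an added example (not code from the lab or this writeup), the following Python decodes the TicketEncryptionType field of Windows 4769 (Kerberos service ticket request) events, which is how the answer above is read from the logs, summarises which encryption types are in use, and lists the RC4 ticket requests made for non-machine service accounts. The 4769 events below are constructed; the service names and the domain suffix are made up, and the field names follow the winlogbeat ECS names.

```python
from collections import Counter

# Kerberos etype numbers as they appear (hex strings) in 4769 TicketEncryptionType
ETYPES = {
    "0x1": "DES-CBC-CRC",
    "0x3": "DES-CBC-MD5",
    "0x11": "AES128-CTS-HMAC-SHA1-96",
    "0x12": "AES256-CTS-HMAC-SHA1-96",
    "0x17": "RC4-HMAC",
    "0x18": "RC4-HMAC-EXP",
}


def _tgs(user, service, etype):
    """Constructed 4769 event in winlogbeat/ECS field naming (sample data)."""
    return {"winlog.event_id": 4769,
            "winlog.event_data.TargetUserName": user,
            "winlog.event_data.ServiceName": service,
            "winlog.event_data.TicketEncryptionType": etype}


# Constructed sample events; service names and domain suffix are hypothetical.
SAMPLE_4769 = [
    _tgs("jdoe@SECURETECH.LOCAL", "ST-WIN02$", "0x12"),
    _tgs("jdoe@SECURETECH.LOCAL", "krbtgt", "0x12"),
    _tgs("mwilliams@SECURETECH.LOCAL", "svc_sql", "0x17"),
    _tgs("mwilliams@SECURETECH.LOCAL", "svc_backup", "0x17"),
    _tgs("mwilliams@SECURETECH.LOCAL", "ST-DC01$", "0x17"),
]


def etype_name(value):
    """Map a logged etype (e.g. '0x17') to its Kerberos name."""
    return ETYPES.get(value.lower(), f"unknown({value})")


def summarize_etypes(events):
    """Count service tickets per encryption type across all 4769 events."""
    return Counter(etype_name(e["winlog.event_data.TicketEncryptionType"])
                   for e in events if e["winlog.event_id"] == 4769)


def rc4_service_ticket_requests(events):
    """(requesting user, service) pairs where an RC4-HMAC ticket was issued for a
    service that is not a machine account (machine account names end in '$').
    Those are the tickets whose keys are NT hashes and are cheap to crack."""
    return [(e["winlog.event_data.TargetUserName"], e["winlog.event_data.ServiceName"])
            for e in events
            if e["winlog.event_id"] == 4769
            and e["winlog.event_data.TicketEncryptionType"].lower() == "0x17"
            and not e["winlog.event_data.ServiceName"].endswith("$")]


if __name__ == "__main__":
    for name, count in summarize_etypes(SAMPLE_4769).items():
        print(f"{name}: {count}")
    for user, service in rc4_service_ticket_requests(SAMPLE_4769):
        print(f"RC4 ticket for {service} requested by {user}")
```

In a domain where AES is otherwise in use, a single account suddenly requesting RC4 tickets for several service accounts is worth a closer look, since the encryption type is chosen by the requesting client and can be downgraded on purpose.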
Q10) Can you provide the full path of the output file in preparation for data exfiltration?

Answer: C:\Users\Public\Documents\Archive_8673812.zip