GoldenSpray Lab
Q1) What's the attacker IP?
The attacker IP is the source address with too many failed login attempts in a short time frame.
Answer: 77.91.78.115
Q2) What country is the attack originating from?
Answer: Finland
Q3) What's the compromised account username used for initial access?
Answer: SECURETECH\mwilliams
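As an added example (not part of the original lab write-up), the following Python script shows how the reasoning behind Q1 and Q3 can be automated: it slides a time window over failed-logon events (4625) per source IP, flags any IP that exceeds a failure threshold inside the window, and then records which accounts later logged on successfully (4624) from a flagged IP. The log lines are constructed for the example in a simplified "timestamp event_id source_ip username" form; the attacker IP and the mwilliams/jsmith accounts are taken from the write-up, the other usernames and the benign 10.0.0.5 address are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real lab telemetry): "timestamp event_id source_ip username".
# 4625 = failed logon, 4624 = successful logon. 77.91.78.115, mwilliams and jsmith come
# from the write-up; the remaining usernames and 10.0.0.5 are invented for the sample.
SAMPLE_LOG = """\
2024-03-01T09:00:01 4625 77.91.78.115 SECURETECH\\mwilliams
2024-03-01T09:00:04 4625 77.91.78.115 SECURETECH\\jsmith
2024-03-01T09:00:07 4625 77.91.78.115 SECURETECH\\agarcia
2024-03-01T09:00:10 4625 77.91.78.115 SECURETECH\\bchen
2024-03-01T09:00:13 4625 77.91.78.115 SECURETECH\\dlee
2024-03-01T09:00:16 4625 77.91.78.115 SECURETECH\\ekhan
2024-03-01T09:00:20 4624 77.91.78.115 SECURETECH\\mwilliams
2024-03-01T09:02:00 4625 10.0.0.5 SECURETECH\\jsmith
2024-03-01T09:06:00 4625 10.0.0.5 SECURETECH\\jsmith
"""


def parse_line(line):
    """Split one sample line into (timestamp, event_id, source_ip, username)."""
    ts, event_id, ip, user = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), int(event_id), ip, user


def analyze_logons(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logons inside a sliding window and
    record which accounts later logged on successfully from a flagged IP.
    Lines are assumed to be in chronological order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) failures inside the window
    report = {}
    for line in log_text.strip().splitlines():
        ts, event_id, ip, user = parse_line(line)
        if event_id == 4625:
            q = recent[ip]
            q.append((ts, user))
            # Drop failures that fell out of the window.
            while ts - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold:
                entry = report.setdefault(
                    ip, {"failures": 0, "targeted_users": set(), "successes": []}
                )
                entry["failures"] = max(entry["failures"], len(q))
                entry["targeted_users"].update(u for _, u in q)
        elif event_id == 4624 and ip in report:
            # A success from an IP that was just hammering logons is the likely
            # compromised account used for initial access.
            report[ip]["successes"].append(user)
    return report


def attacker_ip(report):
    """Return the flagged IP with the most failures inside one window, or None."""
    if not report:
        return None
    return max(report, key=lambda ip: report[ip]["failures"])


if __name__ == "__main__":
    r = analyze_logons(SAMPLE_LOG)
    ip = attacker_ip(r)
    print("attacker IP:", ip)
    print("accounts tried:", sorted(r[ip]["targeted_users"]))
    print("successful logons after the burst:", r[ip]["successes"])
```

The threshold and window are deliberately parameters: on a real domain controller the right values depend on the normal failure rate, and a burst that targets many distinct accounts (a large `targeted_users` set) is the password-spray shape, while many failures against one account is a brute force.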
Q4) What's the name of the malicious file utilized by the attacker for persistence on ST-WIN02?
Now we know that the attacker used the mwilliams account to gain initial access.
Answer: OfficeUpdater.exe
Q5) What's the full path used by the attacker for storing his tools?
Answer: C:\Users\Public\Backup_Tools\
Q6) What's the process ID of the tool responsible for dumping credentials on ST-WIN02?
Answer: 3708
Q7) What's the second account username the attacker compromised and used for lateral movement?
Answer: SECURETECH\jsmith
Q8)
Answer: FilesCheck
Q9) What's the encryption type used in the environment's Kerberos tickets?
Answer: RC4-HMAC
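To check the ticket encryption type from logs rather than from a single ticket, the Python snippet below (an added example, not code from the lab) parses flattened Windows 4769 (service ticket request) records, maps the TicketEncryptionType code to its name (0x17 is RC4-HMAC, 0x12 is AES256-CTS-HMAC-SHA1-96, 0x11 is AES128-CTS-HMAC-SHA1-96), and lists which accounts requested RC4 service tickets for which services. The records are constructed for the example; the host and account names reuse values from the write-up, and the svc_backup and svc_sql service accounts are invented.

```python
import re
from collections import Counter

# Kerberos encryption type codes as logged in Windows event 4769 (TicketEncryptionType).
ETYPE_NAMES = {
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}

# Constructed sample of flattened event records (not real lab telemetry). The 4768 line
# is included only to show that non-4769 events are ignored.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=mwilliams ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.41
EventID=4769 TargetUserName=mwilliams@SECURETECH.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.41
EventID=4769 TargetUserName=mwilliams@SECURETECH.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.41
EventID=4769 TargetUserName=jsmith@SECURETECH.LOCAL ServiceName=ST-WIN02$ TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.23
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Turn 'Key=Value Key=Value ...' into a dict."""
    return dict(FIELD_RE.findall(line))


def iter_tgs_requests(records_text):
    """Yield (record, etype_int) for every 4769 record in the text."""
    for line in records_text.strip().splitlines():
        rec = parse_record(line)
        if rec.get("EventID") != "4769":
            continue
        yield rec, int(rec["TicketEncryptionType"], 16)


def weak_etype_requests(records_text, weak=frozenset({0x17, 0x18})):
    """Return (user, service, etype name) for service ticket requests that used RC4."""
    hits = []
    for rec, etype in iter_tgs_requests(records_text):
        if etype in weak:
            hits.append((rec["TargetUserName"], rec["ServiceName"], ETYPE_NAMES.get(etype, hex(etype))))
    return hits


def etype_summary(records_text):
    """Count ticket encryption types across all 4769 records."""
    counts = Counter()
    for _, etype in iter_tgs_requests(records_text):
        counts[ETYPE_NAMES.get(etype, hex(etype))] += 1
    return counts


if __name__ == "__main__":
    print("encryption types seen:", dict(etype_summary(SAMPLE_EVENTS)))
    for user, service, name in weak_etype_requests(SAMPLE_EVENTS):
        print(f"{name} service ticket for {service} requested by {user}")
```

In an AES-capable domain, RC4 service tickets for user-style service accounts stand out in the 4769 stream, so the summary count and the per-account list are the two views a responder would pull first.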
Q10) Can you provide the full path of the output file in preparation for data exfiltration?
Answer: C:\Users\Public\Documents\Archive_8673812.zip