# ShadowRoast Lab

Q1) What's the malicious file name utilized by the attacker for initial access?

```splunk-spl
index="shadowroast" event.code=1 (winlog.event_data.Image="*cmd*" OR winlog.event_data.Image="*powershell*")
| table winlog.event_data.ParentImage, winlog.event_data.Image
```

<figure><img src="/files/u0pJ3E7l0zGwFWBBMlMT" alt=""><figcaption></figcaption></figure>

We can also get the answer using PowerShell.

```powershell
# Sysmon Event ID 1 property order: index 4 = Image, index 20 = ParentImage.
# The pipe goes at the end of each line so the command also parses in Windows PowerShell 5.1.
Get-WinEvent -FilterHashtable @{Path='C:\Users\Administrator\Desktop\Start here\Artifacts\Office-PC\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx'; Id=1} |
    Where-Object { $_.Properties[4].Value -like '*cmd*' -or $_.Properties[4].Value -like '*powershell*' } |
    ForEach-Object { [PSCustomObject]@{ Image = $_.Properties[4].Value; ParentImage = $_.Properties[20].Value } }
```

<figure><img src="/files/Jv4HrH8UMV0km8VFZ0iP" alt=""><figcaption></figcaption></figure>

We can solve this using TimelineExplorer.exe, but first, we need to convert the file to a CSV format.

```powershell
.\EvtxeCmd\EvtxECmd.exe -f 'C:\Users\Administrator\Desktop\Start here\Artifacts\Office-PC\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx' --csv "C:\Users\Administrator\Desktop\Start here\Artifacts\Office-PC" --csvf event_log.csv
```

<figure><img src="/files/Ie1NOHWOl1aqiqCpmjEj" alt=""><figcaption></figcaption></figure>

Open the file in Timeline Explorer and apply a filter for Event ID 1.

<figure><img src="/files/anlrbyIjLVxwCg7qs5KI" alt=""><figcaption></figcaption></figure>

In the payload, I applied a filter for "cmd".

<figure><img src="/files/XXC8mOCkd61k09Fqs9le" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/pLtRCSYcz9JUYh4ELRrA" alt=""><figcaption></figcaption></figure>

Answer:  AdobeUpdater.exe

Q2) What's the registry run key name created by the attacker for maintaining persistence once gained foothold?

Based on the previous analysis, we have determined that the `ProcessId` for `AdobeUpdater.exe` is `4928`. Using this information, we can proceed to search for the associated registry keys.

```splunk-spl
index="shadowroast" event.code=13 winlog.event_data.ProcessId=4928
```

<figure><img src="/files/DUn17CHmPrZjFQaAwtQ6" alt=""><figcaption></figcaption></figure>

Let's solve this using PowerShell.

```powershell
# Sysmon Event ID 13 property order: index 4 = ProcessId, 5 = Image, 6 = TargetObject
Get-WinEvent -FilterHashtable @{Path="C:\Users\Administrator\Desktop\Start here\Artifacts\Office-PC\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx"; Id=13} |
    Where-Object { $_.Properties[4].Value -eq 4928 } |
    ForEach-Object { [PSCustomObject]@{ ProcessId = $_.Properties[4].Value; Image = $_.Properties[5].Value; TargetObject = $_.Properties[6].Value } } |
    Format-List
```

<figure><img src="/files/lMjKNbDhUkPi7RsFuctO" alt=""><figcaption></figcaption></figure>

Let's utilize Timeline Explorer to analyze the data, then apply a filter for Event ID 13.

<figure><img src="/files/DdgYCGuGIcsNPu5DXRGA" alt=""><figcaption></figcaption></figure>

I then applied a filter for ProcessId 4928 in the payload.

<figure><img src="/files/0HFkY0ZBq72hUiABgWV1" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/koW4zi36ArDiKueOrM0t" alt=""><figcaption></figcaption></figure>

Answer:  wyW5PZyF

Q3) What's the full path of the directory used by the attacker for storing his dropped tools?

```splunk-spl
index="shadowroast" event.code=11
| stats count by winlog.event_data.Image, winlog.event_data.TargetFilename
```

<figure><img src="/files/tBlWnwHnw1MbSzWd6Gi7" alt=""><figcaption></figcaption></figure>

Let's solve this using PowerShell.

```powershell
# Sysmon Event ID 11 property order: index 4 = Image, 5 = TargetFilename, 6 = CreationUtcTime
Get-WinEvent -FilterHashtable @{Path="C:\Users\Administrator\Desktop\Start here\Artifacts\Office-PC\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx"; Id=11} |
    Where-Object { $_.Properties[4].Value -like '*adobeUpdater.exe*' } |
    ForEach-Object { [PSCustomObject]@{ Image = $_.Properties[4].Value; TargetFilename = $_.Properties[5].Value; CreationUtcTime = $_.Properties[6].Value } } |
    Format-List
```

<figure><img src="/files/WX8sLtR6uHEZiW6edIbe" alt=""><figcaption></figcaption></figure>

Let's utilize Timeline Explorer to analyze the data, then apply a filter for Event ID 11.

<figure><img src="/files/MitHht2box3lLrqhpRTJ" alt=""><figcaption></figcaption></figure>

I applied a filter to the payload using **adobeUpdater.exe**.

<figure><img src="/files/LgVYMt8aNRkJDBf7m4es" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/iEN8SGa2tYksGuL6EHu8" alt=""><figcaption></figcaption></figure>

Answer:  C:\Users\Default\AppData\Local\Temp\\
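Q1 through Q3 are one chain of pivots: the shell's parent in Event ID 1 gives the lure and its PID, that PID's Event ID 13 writes give the Run key, and the lure's Event ID 11 creates give the drop directory. The script below is an added example, not part of the original walkthrough, that runs the same chain over Sysmon events in the XML form `Get-WinEvent`'s `ToXml()` returns, selecting `EventData` fields by `Name` rather than by `Properties[]` index, so the field labels cannot drift between event types. The sample events, their PIDs and the lure's path are constructed; the values AdobeUpdater.exe, 4928, wyW5PZyF and the Temp directory are taken from the answers above so the chain can be checked end to end.

```python
"""Pivot Q1 -> Q2 -> Q3 over Sysmon events, selecting EventData fields by name."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample events in the XML shape Get-WinEvent's ToXml() returns.
# Only the fields the pivots need are present; PIDs and the lure's path are made up.
SAMPLE_EVENTS = [
    # Event 1 (process create): Explorer launching Notepad, benign
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System>
<EventData><Data Name="ProcessId">3100</Data><Data Name="Image">C:\Windows\System32\notepad.exe</Data>
<Data Name="ParentProcessId">2200</Data><Data Name="ParentImage">C:\Windows\explorer.exe</Data></EventData></Event>""",
    # Event 1: the lure spawning cmd.exe (the Q1 pivot)
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System>
<EventData><Data Name="ProcessId">5120</Data><Data Name="Image">C:\Windows\System32\cmd.exe</Data>
<Data Name="ParentProcessId">4928</Data><Data Name="ParentImage">C:\Users\Public\AdobeUpdater.exe</Data></EventData></Event>""",
    # Event 13 (registry value set): the lure writing a Run key (the Q2 pivot)
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>13</EventID></System>
<EventData><Data Name="ProcessId">4928</Data><Data Name="Image">C:\Users\Public\AdobeUpdater.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wyW5PZyF</Data></EventData></Event>""",
    # Event 13: a service-control write by another PID, benign
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>13</EventID></System>
<EventData><Data Name="ProcessId">1040</Data><Data Name="Image">C:\Windows\System32\svchost.exe</Data>
<Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\BITS\Start</Data></EventData></Event>""",
    # Event 11 (file create): the lure dropping its tools (the Q3 pivot)
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>11</EventID></System>
<EventData><Data Name="ProcessId">4928</Data><Data Name="Image">C:\Users\Public\AdobeUpdater.exe</Data>
<Data Name="TargetFilename">C:\Users\Default\AppData\Local\Temp\Rubeus.exe</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>11</EventID></System>
<EventData><Data Name="ProcessId">4928</Data><Data Name="Image">C:\Users\Public\AdobeUpdater.exe</Data>
<Data Name="TargetFilename">C:\Users\Default\AppData\Local\Temp\DefragTool.exe</Data></EventData></Event>""",
    # Event 11: a user saving a document through Explorer, benign
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>11</EventID></System>
<EventData><Data Name="ProcessId">2200</Data><Data Name="Image">C:\Windows\Explorer.EXE</Data>
<Data Name="TargetFilename">C:\Users\Public\Documents\notes.txt</Data></EventData></Event>""",
]


def parse_event(xml_text):
    """Return {'EventID': int, <Data Name>: text, ...} for one event, keyed by field name."""
    root = ET.fromstring(xml_text.strip())
    fields = {"EventID": int(root.find(f"{NS}System/{NS}EventID").text)}
    for data in root.iterfind(f"{NS}EventData/{NS}Data"):
        fields[data.get("Name")] = data.text or ""
    return fields


def basename(path):
    """Last component of a Windows path or registry path."""
    return path.rsplit("\\", 1)[-1]


def initial_access_candidates(events):
    """Q1: Event 1 records where a shell was spawned; report the parent (the lure) and its PID."""
    return [
        (basename(ev["ParentImage"]), int(ev["ParentProcessId"]))
        for ev in events
        if ev["EventID"] == 1 and re.search(r"\\(cmd|powershell)\.exe$", ev["Image"], re.I)
    ]


def run_keys_set_by_pid(events, pid):
    """Q2: Event 13 writes by the suspect PID under a CurrentVersion/Run key; return the value names."""
    return [
        basename(ev["TargetObject"])
        for ev in events
        if ev["EventID"] == 13 and int(ev["ProcessId"]) == pid
        and re.search(r"\\CurrentVersion\\Run\\", ev["TargetObject"], re.I)
    ]


def drop_directories(events, image_name):
    """Q3: Event 11 file creates by the suspect image, grouped by the directory written to."""
    dirs = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 11 and basename(ev["Image"]).lower() == image_name.lower():
            directory, name = ev["TargetFilename"].rsplit("\\", 1)
            dirs[directory + "\\"].append(name)
    return dict(dirs)


def investigate(events):
    """Chain the three pivots the way the walkthrough does and return the findings."""
    lure, pid = initial_access_candidates(events)[0]
    return {
        "initial_access_file": lure,
        "run_keys": run_keys_set_by_pid(events, pid),
        "drop_dirs": drop_directories(events, lure),
    }


if __name__ == "__main__":
    for key, value in investigate([parse_event(x) for x in SAMPLE_EVENTS]).items():
        print(f"{key}: {value}")
```

Against a real export, feed `parse_event` the `ToXml()` output of each record (or the XML EvtxECmd can emit) instead of `SAMPLE_EVENTS`; the PID-based Q2 pivot is only sound within the lifetime of that process, so on a long log it is worth also checking that the Event 13 `Image` matches the lure, as `drop_directories` already does for Event 11.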

Q4) What tool was used by the attacker for privilege escalation and credential harvesting?

```splunk-spl
index="shadowroast" event.code=1 winlog.event_data.CurrentDirectory="C:\\Users\\Default\\AppData\\Local\\Temp*"
| table winlog.event_data.ParentImage, winlog.event_data.Image, winlog.event_data.OriginalFileName
```

<figure><img src="/files/zzALydQR9EfNrFJzbFQY" alt=""><figcaption></figcaption></figure>

We could also use Event Viewer, PowerShell, or Timeline Explorer to address this, but let's continue solving it with Splunk.

Answer:  Rubeus

Q5) Was the attacker's credential harvesting successful? If so, can you provide the compromised domain account username?

In the previous question, we identified another file, **mimikatz.exe**, which had been renamed to **DefragTool.exe**. This indicates potential malicious activity, as attackers commonly use Mimikatz for techniques like Pass-the-Hash, Pass-the-Ticket, and similar credential theft methods.

```splunk-spl
index="shadowroast" event.code=1 winlog.event_data.CurrentDirectory="C:\\Users\\Default\\AppData\\Local\\Temp*"
| table _time, winlog.event_data.ParentImage, winlog.event_data.Image, winlog.event_data.OriginalFileName, winlog.event_data.CommandLine
| sort _time
```

<figure><img src="/files/qCLTu9QstnFlqjNDhjP0" alt=""><figcaption></figcaption></figure>

The attacker initially performed an AS-REP Roasting attack to extract hashes, followed by the execution of Mimikatz.

```splunk-spl
index="shadowroast" event.code=1 winlog.event_data.CurrentDirectory="C:\\Users\\Default\\AppData\\Local\\Temp*"
| table _time, winlog.event_data.Image, winlog.event_data.OriginalFileName, winlog.event_data.CommandLine, winlog.event_data.ParentUser
| sort _time
```

<figure><img src="/files/fh6sq3FhGtA2GHrxeEVX" alt=""><figcaption></figcaption></figure>

Answer:  tcooper

Q6) What's the tool used by the attacker for registering a rogue Domain Controller to manipulate Active Directory data?

```splunk-spl
index="shadowroast" event.code=3 (winlog.event_data.DestinationPort=389 OR winlog.event_data.DestinationPort=464) "winlog.event_data.User"="CORPNET\\tcooper"
| stats count by winlog.event_data.Image
```

<figure><img src="/files/RdVSOStmNzh89gnU7mca" alt=""><figcaption></figcaption></figure>

* **port 389 (LDAP)**
* **port 464 (Kerberos password change, kpasswd)**

Tools like Mimikatz are often used for such purposes, and in this case, the attacker renamed it to **DefragTool.exe**.

Answer:  mimikatz

Q7) What's the first command used by the attacker for enabling RDP on remote machines for lateral movement?

```splunk-spl
index="shadowroast" event.code=1 "winlog.event_data.User"="CORPNET\\tcooper"
| stats count by winlog.event_data.Image, winlog.event_data.CommandLine, winlog.event_data.ParentCommandLine
```

<figure><img src="/files/Th9X8RmgbiGPP3tfRuQa" alt=""><figcaption></figcaption></figure>

This command is commonly used by administrators to enable Remote Desktop on Windows systems programmatically, such as in scripts or during initial system setup.

Answer:  reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG\_DWORD /d 0

Q8) What's the file name created by the attacker after compressing confidential files?

```splunk-spl
index="shadowroast" event.code=11 "winlog.event_data.User"="CORPNET\\tcooper" NOT winlog.event_data.Image="C:\\Windows\\Explorer.EXE"
| stats count by winlog.event_data.Image, winlog.event_data.TargetFilename
```

<figure><img src="/files/jua2JgAF25VmW75ITqUx" alt=""><figcaption></figcaption></figure>

Answer:  CrashDump.zip
