Open the exported event log in Timeline Explorer and filter on Event ID 1 (Sysmon process creation).
In the Payload column, I then filtered for "cmd" to isolate the process launched from a command shell.
Answer: AdobeUpdater.exe
Q2) What's the registry run key name created by the attacker for maintaining persistence once a foothold was gained?
Based on the previous analysis, we have determined that the ProcessId for AdobeUpdater.exe is 4928. Sysmon records registry writes as Event ID 13 (value set) and Event ID 12 (key created or deleted), and both carry the writing process's ProcessId and ProcessGuid, so we can pivot on 4928 and look for a TargetObject under ...\CurrentVersion\Run. Note that a ProcessId is reused once the process exits; the ProcessGuid from the Event ID 1 record is the unambiguous join key if the pivot returns more than one process.
We could also use Event Viewer, PowerShell, or Timeline Explorer to address this, but let's continue solving it with Splunk.
Answer: Rubeus
Q5) Was the attacker's credential harvesting successful? If so, can you provide the compromised domain account username?
In the previous question, we identified another file, mimikatz.exe, which had been renamed to DefragTool.exe (Sysmon's OriginalFileName field, taken from the PE version information, survives a rename of the file on disk, which is how such renaming is caught). This indicates malicious activity: attackers use Mimikatz to dump credentials from LSASS memory and then reuse them through Pass-the-Hash, Pass-the-Ticket, and similar credential theft techniques.
Q6) What's the tool used by the attacker for registering a rogue Domain Controller to manipulate Active Directory data?
index="shadowroast" event.code=3 (winlog.event_data.DestinationPort=389 OR winlog.event_data.DestinationPort=464) "winlog.event_data.User"="CORPNET\\tcooper"
| stats count by winlog.event_data.Image
Event ID 3 is Sysmon's network connection event, and the two destination ports are:
port 389 (LDAP, where a rogue DC registers itself in the directory)
port 464 (Kerberos password change, kpasswd)
Grouping by Image shows which binary tcooper ran that spoke to the domain controller on those ports. One caveat: the replicated changes themselves travel over the directory replication RPC interface, so this filter finds the registration traffic, not the data push.
Registering a rogue Domain Controller this way is the DCShadow technique, which Mimikatz implements in its lsadump::dcshadow module, and in this case the attacker had renamed the binary to DefragTool.exe.
Answer: mimikatz
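The two pivots used in Q2 (ProcessId of AdobeUpdater.exe to the registry Run key it set) and Q6 (tcooper's connections to ports 389 and 464, counted by Image), reimplemented in Python over constructed Sysmon events as an added example; this is not code from the original write-up. The events follow the winlog.event_data.* field names used in the Splunk searches on this page, but every value in them (paths, GUIDs, the Run value name "ExampleAutorun", the vendor decoy) is made up. The example also shows why a Run-key pivot should join on Sysmon's ProcessGuid rather than ProcessId alone: PIDs are reused, so a later unrelated process that also got PID 4928 shows up in a plain ProcessId filter.

```python
from collections import Counter

# Constructed Sysmon events in the winlog.event_data.* layout used by the
# Splunk searches on this page. All values are made up for the example and
# are not the challenge's data (including the Run value name).
GUID_DROPPER = "{00000000-0000-0000-0000-00000000000a}"
GUID_REUSED_PID = "{00000000-0000-0000-0000-00000000000b}"
USER = "CORPNET\\tcooper"


def _ev(code, **data):
    return {"event.code": code, "winlog.event_data": data}


SAMPLE_EVENTS = [
    # Event ID 1: the renamed dropper, launched from a command shell
    _ev(1, Image="C:\\Users\\Public\\AdobeUpdater.exe", ProcessId="4928",
        ProcessGuid=GUID_DROPPER, User=USER,
        CommandLine="C:\\Users\\Public\\AdobeUpdater.exe",
        ParentCommandLine="cmd.exe /c C:\\Users\\Public\\AdobeUpdater.exe"),
    # Event ID 13: the dropper writes a Run value (constructed name)
    _ev(13, ProcessGuid=GUID_DROPPER, ProcessId="4928",
        Image="C:\\Users\\Public\\AdobeUpdater.exe",
        TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleAutorun",
        Details="C:\\Users\\Public\\AdobeUpdater.exe"),
    # Event ID 13 from the same process to a non-Run key: must be filtered out
    _ev(13, ProcessGuid=GUID_DROPPER, ProcessId="4928",
        Image="C:\\Users\\Public\\AdobeUpdater.exe",
        TargetObject="HKU\\S-1-5-21-1-2-3-1001\\Environment\\TEMP",
        Details="C:\\Users\\tcooper\\AppData\\Local\\Temp"),
    # Event ID 13 from a later, unrelated process that was assigned PID 4928 again
    _ev(13, ProcessGuid=GUID_REUSED_PID, ProcessId="4928",
        Image="C:\\Program Files\\Vendor\\Agent.exe",
        TargetObject="HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
        Details="C:\\Program Files\\Vendor\\Agent.exe"),
    # Event ID 3: network connections; only tcooper's LDAP/kpasswd ones should count
    _ev(3, User=USER, Image="C:\\Tools\\DefragTool.exe", DestinationPort="389"),
    _ev(3, User=USER, Image="C:\\Tools\\DefragTool.exe", DestinationPort="389"),
    _ev(3, User=USER, Image="C:\\Tools\\DefragTool.exe", DestinationPort="464"),
    _ev(3, User=USER, Image="C:\\Windows\\explorer.exe", DestinationPort="445"),
    _ev(3, User="CORPNET\\svc_backup", Image="C:\\Windows\\System32\\svchost.exe",
        DestinationPort="389"),
]

RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
DC_PORTS = {389: "LDAP", 464: "Kerberos password change (kpasswd)"}


def _is_run_key(target_object):
    """True if the registry path is a value under a Run or RunOnce key."""
    return any(m in target_object.lower() for m in RUN_KEY_MARKERS)


def find_process(events, image_name):
    """Return the Event ID 1 data for the first process whose Image basename matches."""
    for ev in events:
        d = ev["winlog.event_data"]
        if ev["event.code"] == 1 and d["Image"].rsplit("\\", 1)[-1].lower() == image_name.lower():
            return d
    return None


def run_keys_set_by(events, process_guid):
    """Run/RunOnce values written (Event ID 13) by one process, joined on ProcessGuid.
    Returns (value name, data) pairs; the GUID is unique per process instance."""
    return [(d["TargetObject"].rsplit("\\", 1)[-1], d["Details"])
            for ev in events for d in [ev["winlog.event_data"]]
            if ev["event.code"] == 13 and d["ProcessGuid"] == process_guid
            and _is_run_key(d["TargetObject"])]


def run_keys_by_pid(events, pid):
    """Same pivot on ProcessId only; shows the extra hit that PID reuse produces."""
    return [(d["TargetObject"].rsplit("\\", 1)[-1], d["Details"])
            for ev in events for d in [ev["winlog.event_data"]]
            if ev["event.code"] == 13 and d["ProcessId"] == pid
            and _is_run_key(d["TargetObject"])]


def images_to_dc_ports(events, user, ports=DC_PORTS):
    """Equivalent of the stats-by-Image search: Event ID 3 connections from `user`
    to the given destination ports, counted per Image."""
    counts = Counter()
    for ev in events:
        d = ev["winlog.event_data"]
        if ev["event.code"] == 3 and d["User"] == user and int(d["DestinationPort"]) in ports:
            counts[d["Image"]] += 1
    return counts


if __name__ == "__main__":
    proc = find_process(SAMPLE_EVENTS, "AdobeUpdater.exe")
    print("Q2 pivot on ProcessGuid:", run_keys_set_by(SAMPLE_EVENTS, proc["ProcessGuid"]))
    print("Q2 pivot on ProcessId only:", run_keys_by_pid(SAMPLE_EVENTS, proc["ProcessId"]))
    print("Q6 images by DC port count:", images_to_dc_ports(SAMPLE_EVENTS, USER).most_common())
```

On the constructed data the ProcessGuid pivot returns only the dropper's own Run value, while the ProcessId pivot also returns the vendor agent's autorun; in a real case that second hit is exactly the kind of false lead worth ruling out before answering. The port filter keeps only DefragTool.exe, since explorer.exe went to 445 and the svchost.exe connection belonged to a different user.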
Q7) What's the first command used by the attacker for enabling RDP on remote machines for lateral movement?
index="shadowroast" event.code=1 "winlog.event_data.User"="CORPNET\\tcooper"
| stats count min(_time) as first_seen by winlog.event_data.Image, winlog.event_data.CommandLine, winlog.event_data.ParentCommandLine
| sort first_seen
| convert ctime(first_seen)
Since the question asks for the first such command, the earliest timestamp is kept per command line and the results are sorted by it rather than relying on a bare count.
This command is commonly used by administrators to enable Remote Desktop on Windows systems programmatically, such as in scripts or during initial system setup, so on its own it is not an indicator. What makes it suspicious here is the context: it is run under the compromised tcooper account, against remote machines, shortly after credential theft.