ShadowRoast Lab
Q1) What's the malicious file name utilized by the attacker for initial access?
index="shadowroast" event.code=1 (winlog.event_data.Image="*cmd*" OR winlog.event_data.Image="*powershell*")
| table winlog.event_data.ParentImage, winlog.event_data.Image

We can also get the answer using PowerShell. Each line of the pipeline ends with the pipe so that Windows PowerShell continues the command on the next line; the property indices follow the Sysmon Event ID 1 field order (Properties[4] is Image, Properties[20] is ParentImage).
Get-WinEvent -FilterHashtable @{Path='C:\Users\Administrator\Desktop\Start here\Artifacts\Office-PC\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx'; Id=1} |
    Where-Object {$_.Properties[4].Value -like "*cmd*" -or $_.Properties[4].Value -like "*powershell*"} |
    ForEach-Object {[PSCustomObject]@{ Image = $_.Properties[4].Value; ParentImage = $_.Properties[20].Value }}

We can solve this using TimelineExplorer.exe, but first, we need to convert the file to a CSV format.
.\EvtxeCmd\EvtxECmd.exe -f 'C:\Users\Administrator\Desktop\Start here\Artifacts\Office-PC\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx' --csv "C:\Users\Administrator\Desktop\Start here\Artifacts\Office-PC" --csvf event_log.csv

Open the file in Timeline Explorer and apply a filter for Event ID 1.

In the payload, I applied a filter for "cmd".


Answer: AdobeUpdater.exe
Q2) What's the registry run key name created by the attacker for maintaining persistence once gained foothold?
Based on the previous analysis, we have determined that the ProcessId for AdobeUpdater.exe is 4928. Using this information, we can proceed to search for the associated registry keys.
index="shadowroast" event.code=13 winlog.event_data.ProcessId=4928

Let's solve this using PowerShell. For Sysmon Event ID 13 the property order is [4] ProcessId, [5] Image, [6] TargetObject, so the first column is the ProcessId we pivoted on, not an event ID.
Get-WinEvent -FilterHashtable @{Path="C:\Users\Administrator\Desktop\Start here\Artifacts\Office-PC\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx"; Id=13} |
    Where-Object {$_.Properties[4].Value -like '4928'} |
    ForEach-Object {[PSCustomObject]@{ ProcessId = $_.Properties[4].Value; Image = $_.Properties[5].Value; TargetObject = $_.Properties[6].Value }} |
    Format-List

Let's use Timeline Explorer to analyze the data, then apply a filter for Event ID 1.

I applied a filter for Event ID 4928 in the payload.


Answer: wyW5PZyF
Q3) What's the full path of the directory used by the attacker for storing his dropped tools?
index="shadowroast" event.code=11
| stats count by winlog.event_data.Image, winlog.event_data.TargetFilename

Let's solve this using PowerShell. For Sysmon Event ID 11 the property order is [3] ProcessId, [4] Image, [5] TargetFilename, so the filter below matches on Image and the output columns are labelled accordingly.
Get-WinEvent -FilterHashtable @{Path="C:\Users\Administrator\Desktop\Start here\Artifacts\Office-PC\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx"; Id=11} |
    Where-Object {$_.Properties[4].Value -like '*adobeUpdater.exe*'} |
    ForEach-Object {[PSCustomObject]@{ ProcessId = $_.Properties[3].Value; Image = $_.Properties[4].Value; TargetFilename = $_.Properties[5].Value }} |
    Format-List

Let's use Timeline Explorer to analyze the data, then apply a filter for Event ID 11.

I applied a filter to the payload using adobeUpdater.exe.


Answer: C:\Users\Default\AppData\Local\Temp\
Q4) What tool was used by the attacker for privilege escalation and credential harvesting?
index="shadowroast" event.code=1 winlog.event_data.CurrentDirectory="C:\\Users\\Default\\AppData\\Local\\Temp*"
| table winlog.event_data.ParentImage, winlog.event_data.Image, winlog.event_data.OriginalFileName

We could also use Event Viewer, PowerShell, or Timeline Explorer to address this, but let's continue solving it with Splunk.
Answer: Rubeus
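The four questions so far are one pivot chain: shell children of Event ID 1 give the dropper, its ProcessId gives the Event ID 13 run key, its Event ID 11 writes give the staging directory, and Event ID 1 from that directory whose on-disk name differs from the PE's OriginalFileName gives the renamed tools. The script below is an added example, not part of this write-up or the lab; it runs that chain over a handful of constructed Sysmon events whose keys mirror the winlog.event_data fields used in the Splunk queries. The dropper's directory (C:\Users\Public), the SID in the run key path and svchost.exe as the on-disk name for Rubeus are assumptions; the rest of the values come from the answers above.

```python
"""Sysmon pivot chain for Q1-Q4 (added example; not the write-up's own code)."""
import ntpath
import re
from collections import Counter

# Constructed Sysmon events; keys mirror the winlog.event_data.* fields used above.
EVENTS = [
    # Event ID 1: the initial-access binary (PID 4928, as in the write-up) spawns cmd.exe
    # (the dropper's directory, C:\Users\Public, is an assumption)
    {"code": 1, "ProcessId": 5100, "Image": "C:\\Windows\\System32\\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CurrentDirectory": "C:\\Users\\Public\\",
     "ParentProcessId": 4928, "ParentImage": "C:\\Users\\Public\\AdobeUpdater.exe"},
    # Event ID 13: the same process writes a Run value for persistence (SID constructed)
    {"code": 13, "ProcessId": 4928, "Image": "C:\\Users\\Public\\AdobeUpdater.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wyW5PZyF"},
    # Event ID 11: tools dropped into a staging directory
    {"code": 11, "ProcessId": 4928, "Image": "C:\\Users\\Public\\AdobeUpdater.exe",
     "TargetFilename": "C:\\Users\\Default\\AppData\\Local\\Temp\\svchost.exe"},
    {"code": 11, "ProcessId": 4928, "Image": "C:\\Users\\Public\\AdobeUpdater.exe",
     "TargetFilename": "C:\\Users\\Default\\AppData\\Local\\Temp\\DefragTool.exe"},
    # Event ID 1: renamed tools run from the staging directory
    # (svchost.exe as the on-disk name for Rubeus is an assumption)
    {"code": 1, "ProcessId": 6004, "Image": "C:\\Users\\Default\\AppData\\Local\\Temp\\svchost.exe",
     "OriginalFileName": "Rubeus.exe", "CurrentDirectory": "C:\\Users\\Default\\AppData\\Local\\Temp\\",
     "ParentProcessId": 5100, "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"code": 1, "ProcessId": 6010, "Image": "C:\\Users\\Default\\AppData\\Local\\Temp\\DefragTool.exe",
     "OriginalFileName": "mimikatz.exe", "CurrentDirectory": "C:\\Users\\Default\\AppData\\Local\\Temp\\",
     "ParentProcessId": 5100, "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    # Benign noise that every pivot must ignore
    {"code": 1, "ProcessId": 7000, "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CurrentDirectory": "C:\\Users\\tcooper\\",
     "ParentProcessId": 900, "ParentImage": "C:\\Windows\\explorer.exe"},
]

SHELL_RE = re.compile(r"\\(cmd|powershell)\.exe$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)


def shell_parents(events):
    """Q1: parent images that spawned cmd.exe or powershell.exe (Event ID 1)."""
    return sorted({e["ParentImage"] for e in events
                   if e["code"] == 1 and SHELL_RE.search(e["Image"])})


def run_keys_for_pid(events, pid):
    """Q2: Run-key value names set (Event ID 13) by the process with this ProcessId."""
    names = []
    for e in events:
        if e["code"] == 13 and e["ProcessId"] == pid:
            m = RUN_KEY_RE.search(e["TargetObject"])
            if m:
                names.append(m.group(1))
    return names


def drop_directories(events, image):
    """Q3: directories `image` created files in (Event ID 11), most used first."""
    counts = Counter(ntpath.dirname(e["TargetFilename"]) + "\\"
                     for e in events
                     if e["code"] == 11 and e["Image"].lower() == image.lower())
    return [d for d, _ in counts.most_common()]


def renamed_tools(events, directory):
    """Q4: Event ID 1 started from `directory` whose file name differs from the PE's
    OriginalFileName, i.e. a renamed tool; returns (on-disk name, original name)."""
    hits = []
    for e in events:
        if e["code"] != 1 or not e["CurrentDirectory"].lower().startswith(directory.lower()):
            continue
        on_disk = ntpath.basename(e["Image"])
        if on_disk.lower() != e["OriginalFileName"].lower():
            hits.append((on_disk, e["OriginalFileName"]))
    return hits


def investigate(events):
    """Chain the four pivots the way the write-up does, each feeding the next."""
    dropper = shell_parents(events)[0]
    pid = next(e["ParentProcessId"] for e in events
               if e["code"] == 1 and e["ParentImage"] == dropper)
    staging = drop_directories(events, dropper)[0]
    return {"dropper": ntpath.basename(dropper), "run_key": run_keys_for_pid(events, pid),
            "staging_dir": staging, "renamed": renamed_tools(events, staging)}


if __name__ == "__main__":
    for key, value in investigate(EVENTS).items():
        print(f"{key}: {value}")
```

The OriginalFileName comparison in renamed_tools is the step that turns the ambiguous "svchost.exe in a Temp folder" into a finding: Sysmon reads the name from the PE version resource, which renaming the file on disk does not change.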
Q5) Was the attacker's credential harvesting successful? If so, can you provide the compromised domain account username?
In the previous question, we identified another file, mimikatz.exe, which had been renamed to DefragTool.exe. This indicates potential malicious activity, as attackers commonly use Mimikatz for techniques like Pass-the-Hash, Pass-the-Ticket, and similar credential theft methods.
index="shadowroast" event.code=1 winlog.event_data.CurrentDirectory="C:\\Users\\Default\\AppData\\Local\\Temp*"
| table _time, winlog.event_data.ParentImage, winlog.event_data.Image, winlog.event_data.OriginalFileName, winlog.event_data.CommandLine
| sort _time

The attacker initially performed an AS-REP Roasting attack to extract hashes, followed by the execution of Mimikatz.
index="shadowroast" event.code=1 winlog.event_data.CurrentDirectory="C:\\Users\\Default\\AppData\\Local\\Temp*"
| table _time, winlog.event_data.Image, winlog.event_data.OriginalFileName, winlog.event_data.CommandLine, winlog.event_data.ParentUser
| sort _time

Answer: tcooper
Q6) What's the tool used by the attacker for registering a rogue Domain Controller to manipulate Active Directory data?
index="shadowroast" event.code=3 (winlog.event_data.DestinationPort=389 OR winlog.event_data.DestinationPort=464) "winlog.event_data.User"="CORPNET\\tcooper"
| stats count by winlog.event_data.Image

The parentheses matter: in SPL, AND binds tighter than OR, so without them the second port test would not be restricted to Event ID 3 or to the tcooper user.
port 389 (LDAP)
port 464 (Kerberos password change, kpasswd)
Tools like Mimikatz are often used for such purposes, and in this case, the attacker renamed it to DefragTool.exe.
Answer: mimikatz
Q7) What's the first command used by the attacker for enabling RDP on remote machines for lateral movement?
index="shadowroast" event.code=1 "winlog.event_data.User"="CORPNET\\tcooper"
| stats count by winlog.event_data.Image, winlog.event_data.CommandLine, winlog.event_data.ParentCommandLine

This command is commonly used by administrators to enable Remote Desktop on Windows systems programmatically, such as in scripts or during initial system setup.
Answer: reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
Q8) What's the file name created by the attacker after compressing confidential files?
index="shadowroast" event.code=11 "winlog.event_data.User"="CORPNET\\tcooper" NOT winlog.event_data.Image="C:\\Windows\\Explorer.EXE"
| stats count by winlog.event_data.Image, winlog.event_data.TargetFilename

Answer: CrashDump.zip
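Q6, Q7 and Q8 all scope Sysmon to the compromised account and then look at a different event type: Event ID 3 connections to LDAP or kpasswd counted by Image, the earliest Event ID 1 whose command line clears fDenyTSConnections, and Event ID 11 archive creations that did not come from Explorer. The script below is an added example, not the write-up's own code; it runs those three checks over constructed events. The timestamps, the archiver path (7z.exe in the staging directory), the remote host name FILESRV01 and the benign noise events are assumptions; the command line and file name match the answers above.

```python
"""Post-compromise pivots for Q6-Q8 (added example; not the write-up's own code)."""
import re
from collections import Counter

USER = "CORPNET\\tcooper"
AD_WRITE_PORTS = {389, 464}   # LDAP and Kerberos password change (kpasswd)
RDP_ENABLE_RE = re.compile(r"fDenyTSConnections\b.*?/d\s+0\b", re.IGNORECASE)
ARCHIVE_EXT = (".zip", ".7z", ".rar")

# Constructed events. UtcTime uses Sysmon's "YYYY-MM-DD HH:MM:SS.mmm" form, so
# string order equals time order.
EVENTS = [
    {"code": 3, "UtcTime": "2024-05-01 10:00:01.000", "User": USER,
     "Image": "C:\\Users\\Default\\AppData\\Local\\Temp\\DefragTool.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 389},
    {"code": 3, "UtcTime": "2024-05-01 10:00:02.000", "User": USER,
     "Image": "C:\\Users\\Default\\AppData\\Local\\Temp\\DefragTool.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 464},
    # noise: browser traffic by the same user, and LDAP from the local system account
    {"code": 3, "UtcTime": "2024-05-01 10:00:03.000", "User": USER,
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationIp": "142.250.0.1", "DestinationPort": 443},
    {"code": 3, "UtcTime": "2024-05-01 10:00:04.000", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 389},
    # Event ID 1: two RDP-enabling commands, deliberately out of order in the list
    {"code": 1, "UtcTime": "2024-05-01 10:07:00.000", "User": USER,
     "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": 'reg add "\\\\FILESRV01\\hklm\\system\\currentcontrolset\\control\\terminal server" '
                    '/v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"code": 1, "UtcTime": "2024-05-01 10:05:00.000", "User": USER,
     "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": 'reg add "hklm\\system\\currentcontrolset\\control\\terminal server" '
                    '/f /v fDenyTSConnections /t REG_DWORD /d 0'},
    {"code": 1, "UtcTime": "2024-05-01 10:04:00.000", "User": USER,
     "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /all"},
    # Event ID 11: an Explorer file create to exclude, and the archive itself
    {"code": 11, "UtcTime": "2024-05-01 10:20:00.000", "User": USER,
     "Image": "C:\\Windows\\Explorer.EXE",
     "TargetFilename": "C:\\Users\\tcooper\\Documents\\notes.txt"},
    {"code": 11, "UtcTime": "2024-05-01 10:21:00.000", "User": USER,
     "Image": "C:\\Users\\Default\\AppData\\Local\\Temp\\7z.exe",
     "TargetFilename": "C:\\Users\\tcooper\\Documents\\CrashDump.zip"},
]


def ad_write_channels(events, user):
    """Q6: images that, as `user`, connected to LDAP or kpasswd (Event ID 3), by count."""
    return Counter(e["Image"] for e in events
                   if e["code"] == 3 and e["User"].lower() == user.lower()
                   and e["DestinationPort"] in AD_WRITE_PORTS)


def first_rdp_enable(events, user):
    """Q7: earliest Event ID 1 by `user` whose command line sets fDenyTSConnections to 0."""
    hits = sorted((e for e in events
                   if e["code"] == 1 and e["User"].lower() == user.lower()
                   and RDP_ENABLE_RE.search(e["CommandLine"])),
                  key=lambda e: e["UtcTime"])
    return hits[0]["CommandLine"] if hits else None


def archives_created(events, user, exclude_image="C:\\Windows\\Explorer.EXE"):
    """Q8: archive files created (Event ID 11) by `user`, ignoring Explorer itself."""
    return [e["TargetFilename"] for e in events
            if e["code"] == 11 and e["User"].lower() == user.lower()
            and e["Image"].lower() != exclude_image.lower()
            and e["TargetFilename"].lower().endswith(ARCHIVE_EXT)]


if __name__ == "__main__":
    print("AD write channels:", dict(ad_write_channels(EVENTS, USER)))
    print("first RDP enable:", first_rdp_enable(EVENTS, USER))
    print("archives:", archives_created(EVENTS, USER))
```

The port test is an explicit set membership, which is the same AND/OR grouping the SPL query needs parentheses for; the time sort in first_rdp_enable is what makes "first" meaningful, since Sysmon events are not guaranteed to arrive in order once exported.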