Inside the GoldenSpray Attack: A SIEM Threat Hunting Journey

Welcome to my new blog post on a blue-team lab named GoldenSpray. We will use Splunk to solve this lab; it can also be solved with the ELK stack.

Scenario

As a cybersecurity analyst at SecureTech Industries, you’ve been alerted to unusual login attempts and unauthorized access within the company’s network. Initial indicators suggest a potential brute-force attack on user accounts. Your mission is to analyze the provided log data to trace the attack’s progression, determine the scope of the breach, and the attacker’s TTPs.

Let’s fire up the lab machine!!

Question 1: What is the attacker’s IP address?

Since the scenario states there were unusual login attempts, the attacker must have tried and failed to log in to the system, so I used event code 4625 (failed logon).

The hostile IP address appears in the log.

Question 2: What country is the attack originating from?

A Google search for the IP address (or any IP geolocation lookup) gives us the attacker's origin country.

Question 3: What’s the compromised account username used for initial access?

A compromised account means the attacker successfully logged into one, so we can use event code 4624 (successful logon) in our query along with the attacker's IP address.

I tried with only eventid=4624, which yielded 320+ results, so I had to use the hint. Then I added the attacker's IP address. I had also noted the time of the last login failure from the previous question, which was 04:56 PM, but that didn't work.

So I moved to the next log. The answer is not ST-WIN02/michaelwilliams, because that is the real user whose account has been compromised; we must take the impersonated account instead. The successful logon time was 05:00 PM.

Question 4: What’s the name of the malicious file utilized by the attacker for persistence on ST-WIN02?

The question says a malicious file was created, which points us to Sysmon event code 11 (FileCreate). This time I filtered on the TargetFilename field to list the created files. I used the hint, which recommended checking the temp folder.

After a little searching, we get the answer. Remember that the attacker used this file for persistence; on Windows, attackers sometimes stage files in temp folders to maintain persistence, so we can search accordingly.

Question 5: What is the complete path used by the attacker to store their tools?

Scrolling down a few logs, we find the path where the attacker stored their tools.

Question 6: What’s the process ID of the tool responsible for dumping credentials on ST-WIN02?

Here the question says 'dumping credentials', which points to lsass.exe. Sysmon Event ID 10 (ProcessAccess) logs credential-dumping tools such as Mimikatz opening a handle to lsass.exe to read its memory.

We see an event at 05:27 PM, after the attacker's initial compromise.

Exploring the log further, we get the process ID: 3708.

Question 7: What’s the second account username the attacker compromised and used for lateral movement?

For this question I used the hint. We keep event code 4624 for successful logons and this time add a new filter: logon type 10. Logon type 10 (RemoteInteractive) means a user logged in remotely, typically over RDP.

Again keeping the timeline in mind, we know that the lateral movement must have taken place before the actual compromise. I observed that before the initial compromise time of 04:56 PM for the mwilliams account there is a log entry, and checking its details gives us the account username needed to answer the question.
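The logic behind Questions 1, 3 and 7 (a source IP failing against many accounts, the first success from that IP, and later type-10 logons from it) as a small Python triage script. This is an added example, not the lab's data or the author's Splunk queries; the events are constructed to mirror the 4625/4624 fields used above (time, EventCode, IpAddress, TargetUserName, LogonType).

```python
from collections import defaultdict

# Constructed sample Windows Security events (not taken from the lab's logs):
# (time, EventCode, IpAddress, TargetUserName, LogonType)
EVENTS = [
    ("16:50", 4625, "198.51.100.23", "jdoe",      3),
    ("16:51", 4625, "198.51.100.23", "akhan",     3),
    ("16:52", 4625, "198.51.100.23", "mlee",      3),
    ("16:54", 4625, "10.0.0.15",     "jdoe",      2),   # single local failure, benign
    ("16:56", 4625, "198.51.100.23", "rgarcia",   3),
    ("17:00", 4624, "198.51.100.23", "rgarcia",   3),   # the spray succeeds here
    ("17:05", 4624, "10.0.0.15",     "jdoe",      2),
    ("17:40", 4624, "198.51.100.23", "svc_admin", 10),  # RemoteInteractive (RDP) from same IP
]


def spray_sources(events, min_accounts=3):
    """Source IPs whose 4625 failures hit at least min_accounts distinct accounts.

    One IP failing against many different usernames is the spray/brute-force
    signature the scenario describes (Question 1)."""
    failed = defaultdict(set)
    for _t, code, ip, user, _lt in events:
        if code == 4625:
            failed[ip].add(user)
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_accounts}


def first_success_after_failures(events, ip):
    """First 4624 from ip after its last 4625: the initial-access account (Question 3)."""
    last_fail = max((t for t, c, i, _u, _l in events if c == 4625 and i == ip), default=None)
    for t, code, i, user, _lt in events:
        if code == 4624 and i == ip and (last_fail is None or t > last_fail):
            return (t, user)
    return None


def remote_logons(events, ip, logon_type=10):
    """4624 logons of the given type from ip; type 10 = RemoteInteractive (Question 7)."""
    return [(t, u) for t, c, i, u, lt in events if c == 4624 and i == ip and lt == logon_type]


if __name__ == "__main__":
    for ip in spray_sources(EVENTS):
        print("spray source:", ip)
        print("  initial access:", first_success_after_failures(EVENTS, ip))
        print("  remote logons:", remote_logons(EVENTS, ip))
```

Times are compared as zero-padded "HH:MM" strings, which sorts correctly within one day; real logs should be parsed into datetimes first.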

Question 8: Can you provide the scheduled task created by the attacker for persistence on the domain controller?

At first I tried host="ST-WIN02" with event code 106 (Task Scheduler: task registered), but it yielded only one result, which was wrong because the event occurred well before the attacker started lateral movement.

So I tweaked the Splunk query and removed the hostname filter to get the result.

Following the timeline from there, it was easy to find the answer.

Question 9: What type of encryption is used for Kerberos tickets in the environment?

Since the question mentions Kerberos tickets, we use event code 4769. Event ID 4769 indicates that a Kerberos service ticket (TGS) was requested.

We get the encryption type in the logs: 0x17 means RC4-HMAC (from ChatGPT; this matches the TicketEncryptionType table in Microsoft's documentation for event 4769).
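Decoding the 4769 TicketEncryptionType field in Python, as an added example that is not part of the original walkthrough. It goes slightly beyond Question 9: besides naming the encryption type, it flags any account that requests RC4 service tickets for several distinct services in a short window, a pattern defenders watch for because RC4 tickets are cheaper to crack offline. The events are constructed (time, TargetUserName, ServiceName, TicketEncryptionType).

```python
from collections import Counter, defaultdict

# TicketEncryptionType values as documented by Microsoft for event 4769.
ENCRYPTION_TYPES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}

# Constructed sample 4769 events (not the lab's data):
# (time, TargetUserName, ServiceName, TicketEncryptionType)
TGS_EVENTS = [
    ("17:10", "jdoe@SECURETECH",   "krbtgt",     0x12),
    ("17:31", "jdoe@SECURETECH",   "svc_sql",    0x17),
    ("17:31", "jdoe@SECURETECH",   "svc_backup", 0x17),
    ("17:31", "jdoe@SECURETECH",   "svc_web",    0x17),
    ("17:45", "akhan@SECURETECH",  "ST-WIN02$",  0x12),
]


def decode_enc_type(value):
    """Map a TicketEncryptionType (int, or hex string such as '0x17') to its name."""
    if isinstance(value, str):
        value = int(value, 16)
    return ENCRYPTION_TYPES.get(value, f"unknown(0x{value:x})")


def enc_type_summary(events):
    """Count of service-ticket requests per encryption type name (answers 'what is in use')."""
    return dict(Counter(decode_enc_type(e) for _t, _u, _s, e in events))


def rc4_tgs_requesters(events, min_services=3):
    """Accounts requesting RC4 tickets for >= min_services distinct user-service SPNs.

    Machine accounts (ending in $) and krbtgt are skipped: those are normal traffic."""
    per_user = defaultdict(set)
    for _t, user, service, etype in events:
        if etype == 0x17 and not service.endswith("$") and service != "krbtgt":
            per_user[user].add(service)
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= min_services}
```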

Question 10: Can you provide the full path of the output file in preparation for data exfiltration?

Data exfiltration can take place in different ways. Some skilled attackers use DNS exfiltration, which firewalls can miss, but in labs that is usually not the case. So I filtered the query to look for zip, tar or other archive files, which attackers use to package data before exfiltrating it.

I got a couple of events and one of them contains the answer.
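The three file hunts above (Question 4: files dropped in a Temp folder, Question 5: the directory a suspect process wrote its tools to, Question 10: archive files staged for exfiltration) as one Python pass over Sysmon Event ID 11 records. Added example, not from the lab or its author; the events are constructed with the fields the text relies on (time, Image, TargetFilename), and ntpath is used so Windows paths parse correctly on any OS.

```python
import ntpath
import re

# Constructed Sysmon Event ID 11 (FileCreate) records, not the lab's own data:
# (time, Image, TargetFilename)
FILE_EVENTS = [
    ("17:03", r"C:\Windows\explorer.exe",
              r"C:\Users\jdoe\Documents\budget.xlsx"),
    ("17:08", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\jdoe\AppData\Local\Temp\svchost_update.exe"),
    ("17:15", r"C:\Users\jdoe\AppData\Local\Temp\svchost_update.exe",
              r"C:\ProgramData\Intel\Logs\procdump64.exe"),
    ("17:15", r"C:\Users\jdoe\AppData\Local\Temp\svchost_update.exe",
              r"C:\ProgramData\Intel\Logs\tool.exe"),
    ("17:55", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\ProgramData\Intel\Logs\hr_data.zip"),
]

TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)      # any ...\Temp\... path component
ARCHIVE_EXTS = {".zip", ".tar", ".7z", ".rar", ".gz"}
EXEC_EXTS = {".exe", ".dll", ".ps1", ".bat"}


def temp_folder_files(events):
    """TargetFilenames written into a Temp directory: persistence candidates (Question 4)."""
    return [f for _t, _img, f in events if TEMP_DIR_RE.search(f)]


def tool_directories(events, suspect_image):
    """Directories into which the suspect process dropped executables (Question 5)."""
    dirs = {ntpath.dirname(f) for _t, img, f in events
            if img.lower() == suspect_image.lower()
            and ntpath.splitext(f)[1].lower() in EXEC_EXTS}
    return sorted(dirs)


def archive_files(events):
    """Archive files created on the host: typical staging before exfiltration (Question 10)."""
    return [f for _t, _img, f in events if ntpath.splitext(f)[1].lower() in ARCHIVE_EXTS]


if __name__ == "__main__":
    dropped = temp_folder_files(FILE_EVENTS)
    print("temp-folder drops:", dropped)
    for suspect in dropped:
        print("tool directories for", suspect, "->", tool_directories(FILE_EVENTS, suspect))
    print("archives:", archive_files(FILE_EVENTS))
```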

Conclusion

The GoldenSpray lab helped me gain hands-on experience in threat hunting and incident investigation using Splunk. I learned how to trace attacker activities such as persistence, credential access, lateral movement, and data exfiltration by correlating multiple log sources. This lab improved my blue-team skills in log analysis, attack timeline reconstruction, and detecting suspicious behavior in a SIEM environment. I would recommend that anyone reading this walkthrough follow the above steps and try the lab using ELK.