Our SIEM alerted us to a suspicious logon event which needs to be looked at immediately. The alert details were that the IP Address and the Source Workstation name were a mismatch. You are provided a network capture and event logs from the surrounding time around the incident timeframe. Correlate the given evidence and report back to your SOC Manager.
Task 1 – What is the IP Address for Forela-Wkstn001
Using the pcap, within the first few packets we find a response from Forela-Wkstn001 with the source IP 172.17.79.129
Task 2 – What is the IP Address for Forela-Wkstn002?
Going through the pcap entries, we find Forela-Wkstn002's IP address to be 172.17.79.136
Task 3 – What is the username of the account whose hash was stolen by attacker?
Filtering the pcap on NTLM traffic using the ntlmssp filter, we directly find an authentication request for the user arthur.kyle
Task 4 – What is the IP Address of Unknown Device used by the attacker to intercept credentials?
Using the same filter as Task 3, we find the IP 172.17.79.136 requesting a session setup for the same user arthur.kyle
Task 5 – What was the fileshare navigated by the victim user account?
Filtering on SMB traffic using tcp.port==445, we find that the attacker connected to the share \\DC01\Trip
Task 6 – What is the source port used to logon to target workstation using the compromised account?
Same Event as Task 7: the source port is 40252
Task 7 – What is the Logon ID for the malicious session?
In the Security.evtx log, we find a 4624 (successful logon) event for the compromised user with Logon ID 0x64A799:
Task 8 – The detection was based on the mismatch of hostname and the assigned IP Address. What is the workstation name and the source IP Address from which the malicious logon occurred?
Using the same Event, the answer is FORELA-WKSTN002, 172.17.79.135
Task 9 – At what UTC time did the malicious logon happen?
Using the same event, we convert the logged timestamp to UTC to find the time of the malicious logon.
Task 10 – What is the share Name accessed as part of the authentication process by the malicious tool used by the attacker?
Searching the Security event log, we find a 5140 (A network share object was accessed) event, which records the share name used during the authentication.
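To show the correlation the alert was built on (Task 8) in working form, here is an added Python example that is not part of the original writeup: it parses 4624 events in EVTX XML layout and flags any whose WorkstationName is a known host but whose IpAddress is not that host's address. The host-to-IP table and both events are constructed sample data built from the writeup's values; the Logon ID 0x1a2b3c and port 51000 of the benign event are made up.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Host-to-IP assignments as recovered from the pcap (constructed for this example).
KNOWN_HOSTS = {
    "FORELA-WKSTN001": "172.17.79.129",
    "FORELA-WKSTN002": "172.17.79.136",
}

# Constructed 4624 events in the standard EVTX XML layout: one ordinary logon
# and one whose source IP does not belong to the workstation it claims to be.
EVENT_TMPL = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID></System><EventData>
<Data Name="TargetUserName">{user}</Data><Data Name="TargetLogonId">{lid}</Data>
<Data Name="LogonType">3</Data><Data Name="WorkstationName">{ws}</Data>
<Data Name="IpAddress">{ip}</Data><Data Name="IpPort">{port}</Data>
</EventData></Event>"""
SAMPLE_EVENTS = "<Events>" + "".join(EVENT_TMPL.format(**e) for e in [
    dict(user="arthur.kyle", lid="0x1a2b3c", ws="FORELA-WKSTN002", ip="172.17.79.136", port="51000"),
    dict(user="arthur.kyle", lid="0x64A799", ws="FORELA-WKSTN002", ip="172.17.79.135", port="40252"),
]) + "</Events>"


def event_data(event):
    """Return the <Data Name=...> fields of one event's EventData as a dict."""
    return {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}


def find_mismatched_logons(xml_text, known_hosts):
    """Return (logon_id, user, workstation, ip, port) for every 4624 event whose
    WorkstationName is a known host but whose IpAddress is not that host's IP."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        d = event_data(ev)
        expected = known_hosts.get(d.get("WorkstationName", "").upper())
        # "-" and loopback are normal for local/service logons, so skip those.
        if expected and d.get("IpAddress") not in (expected, "-", "127.0.0.1", "::1"):
            hits.append((d["TargetLogonId"], d["TargetUserName"],
                         d["WorkstationName"], d["IpAddress"], d["IpPort"]))
    return hits


if __name__ == "__main__":
    for hit in find_mismatched_logons(SAMPLE_EVENTS, KNOWN_HOSTS):
        print("mismatch: Logon ID %s, user %s, claims %s but came from %s:%s" % hit)
```

On the sample data only the 0x64A799 logon from 172.17.79.135 is reported, which is the same hostname/IP mismatch the SIEM alerted on.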