Aynura Agamirzayeva

Hack The Box Sherlock: GhostTrace Write-up

Sherlock Scenario
You are a blue team analyst tasked with investigating a suspected breach in an Active Directory environment named Main.local. The network includes a Domain Controller (DC01) and two client machines (Client02 and Client03). A user on Client03 received a phishing email, leading to a series of attacks that compromised the domain. Your job is to analyze the provided Windows Event Logs and Sysmon logs from Client02, Client03, and DC01 to reconstruct the attack chain, identify the attacker’s actions, and uncover critical artifacts such as credentials, hashes, and persistence mechanisms.

Task 1. What is the name of the malicious phishing attachment downloaded by the user on Client02?

We download the file provided for analysis and extract it using WinRAR.


As shown, the dataset contains logs from two clients and one server.
Based on the first question, we will focus on the Logs-Client02 data. Since we are looking for attachments, we apply filters such as .doc and .zip during the search.

As observed, the victim downloaded the attachment using a Microsoft Office application.
Answer: Profits.docm

Task 2. What is the IP address from which the malicious attachment was downloaded?

To proceed, we need to perform a search using this file name.


As observed, the IP address is 192.168.204.152.

Task 3. After the victim opened the file, the malware initiated a network connection to a remote IP address. What is the IP address and the port number?

For this, we will apply a filter for the “Network Connection Detected” event ID (Event ID 3).

Upon reviewing the logs, I encountered an event similar to the one shown above. It involves a non-standard port and the use of a Microsoft Office application (winword.exe).
Answer: 192.168.204.152:4444
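As an added example (not part of this write-up), the same check done in code: parse Sysmon Event ID 3 records and flag connections that a Microsoft Office binary makes to a port outside a small allow-list. The XML is constructed in the layout of an Event Viewer export; only winword.exe, 192.168.204.152 and port 4444 come from the logs discussed here, the rest is made up.

```python
# Added example (not part of the write-up): flag Sysmon Event ID 3 connections made by
# Microsoft Office binaries to ports outside an allow-list. The XML is constructed in the
# layout of an Event Viewer export; only winword.exe, 192.168.204.152 and 4444 are from the page.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EXPECTED_PORTS = {80, 443}  # ordinary Office web traffic; anything else deserves a look

SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID><TimeCreated SystemTime="2025-05-25T03:58:12.000Z"/></System>
  <EventData>
    <Data Name="Image">C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE</Data>
    <Data Name="DestinationIp">192.168.204.152</Data>
    <Data Name="DestinationPort">4444</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID><TimeCreated SystemTime="2025-05-25T03:58:30.000Z"/></System>
  <EventData>
    <Data Name="Image">C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe</Data>
    <Data Name="DestinationIp">203.0.113.10</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>
</Events>"""

def parse_events(xml_text):
    """Yield (event_id, utc_time, {DataName: value}) for every <Event> in an export."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        event_id = int(system.find("e:EventID", NS).text)
        when = system.find("e:TimeCreated", NS).get("SystemTime")  # SystemTime is UTC
        data = {d.get("Name"): (d.text or "") for d in ev.find("e:EventData", NS)}
        yield event_id, when, data

def suspicious_office_connections(xml_text):
    """Return (utc_time, image, 'ip:port') for Office processes connecting to unexpected ports."""
    hits = []
    for event_id, when, d in parse_events(xml_text):
        if event_id != 3:
            continue
        image = d["Image"].rsplit("\\", 1)[-1].lower()  # Sysmon logs the full path
        port = int(d["DestinationPort"])
        if image in OFFICE_IMAGES and port not in EXPECTED_PORTS:
            hits.append((when, image, f"{d['DestinationIp']}:{port}"))
    return hits
```

Run `suspicious_office_connections(SAMPLE_XML)` to get the single winword.exe hit; the Chrome connection to 443 is left alone.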

Task 4: What is the name of the second-stage payload uploaded to Client02?


By applying a filter for Downloads, we can see that, in addition to the previously identified Profits.docm file, there is also a file named UpdatePolicy.exe in the Downloads folder. This file is associated with the IP address 192.168.204.152.

Answer: UpdatePolicy.exe

Task 5: What port was used for the reverse shell connection from the second-stage payload on Client02?


As observed, the port used is 1337.

Task 6: The attacker subsequently downloaded a tool to enumerate the Active Directory environment. What is the name of this tool?

Upon searching the Downloads folder again, we can see a PowerShell script named PowerView.ps1. This is a well-known tool frequently used by attackers.

Task 7: What is the username of the targeted service account?

After enumerating the AD environment, attackers typically perform a Kerberoasting attack targeting service accounts. To identify these accounts, Domain Controller logs are particularly useful.
In the Logs-DC file, which contains Domain Controller logs, we open the security logs and apply a filter for Event ID 4769. Reviewing the logs, we can see that the Service Name is sqlsvc.


Answer: sqlsvc

Task 8: After acquiring the account credentials, the attacker was able to crack the ticket. When did the attacker first use them to log in? (UTC)

For this, I applied filters on DC01’s Security logs for Event IDs 4624 and 4625. Then, using the Find filter, I searched for the sqlsvc Service Name.
As shown below, we encountered both Login Failure and Login Success logs. Focusing on the Login Failure log, we can see that the attacker is attempting to log in via a Kali machine.

Answer: 2025-05-25 04:03:47 (UTC)
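As an added example (not part of this write-up), the two DC01 Security-log checks behind Tasks 7 and 8 in code: Kerberoasting indicators in Event ID 4769, narrowed to RC4 service tickets (the write-up does not mention the encryption type, but an RC4 ticket for a user service account is the usual tell), and then the first successful 4624 for that account after a failed 4625. The records are constructed dicts; only sqlsvc and the 04:03:47 timestamp come from the logs discussed here, the workstation name and IP addresses are made up.

```python
# Added example (not from the write-up): the two DC01 Security-log checks behind Tasks 7 and 8,
# Kerberoasting indicators in Event ID 4769 (service tickets for a user service account, here
# narrowed to RC4 tickets, which the write-up does not mention but is the usual indicator) and
# the first successful 4624 for that account after a failed 4625. Records are constructed dicts;
# only sqlsvc and the 04:03:47 timestamp come from the page.
from datetime import datetime

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4 service tickets, the kind cracked offline

SAMPLE = [
    {"EventID": 4769, "Time": "2025-05-25T03:55:02Z", "TargetUserName": "victim@MAIN.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.204.110"},
    {"EventID": 4769, "Time": "2025-05-25T03:55:03Z", "TargetUserName": "victim@MAIN.LOCAL",
     "ServiceName": "CLIENT02$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.204.110"},
    {"EventID": 4625, "Time": "2025-05-25T04:02:10Z", "TargetUserName": "sqlsvc",
     "WorkstationName": "kali", "IpAddress": "192.168.204.152", "LogonType": "3"},
    {"EventID": 4624, "Time": "2025-05-25T04:03:47Z", "TargetUserName": "sqlsvc",
     "WorkstationName": "kali", "IpAddress": "192.168.204.152", "LogonType": "3"},
    {"EventID": 4624, "Time": "2025-05-25T04:05:00Z", "TargetUserName": "sqlsvc",
     "WorkstationName": "kali", "IpAddress": "192.168.204.152", "LogonType": "3"},
]

def kerberoast_targets(events):
    """Service accounts whose tickets were requested with RC4; computer accounts and krbtgt excluded."""
    targets = set()
    for e in events:
        if e["EventID"] != 4769:
            continue
        svc = e["ServiceName"]
        if e["TicketEncryptionType"].lower() == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt":
            targets.add(svc)
    return targets

def first_logon_after_failure(events, account):
    """UTC time of the first 4624 for `account` that follows a 4625 for it, or None if there is none."""
    failed_seen = False
    for e in sorted(events, key=lambda r: r["Time"]):  # ISO-8601 strings sort chronologically
        if e["EventID"] not in (4624, 4625) or e["TargetUserName"].lower() != account.lower():
            continue
        if e["EventID"] == 4625:
            failed_seen = True
        elif failed_seen:
            return datetime.strptime(e["Time"], "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%d %H:%M:%S (UTC)")
    return None

if __name__ == "__main__":
    for svc in kerberoast_targets(SAMPLE):
        print(svc, "first logon after a failure:", first_logon_after_failure(SAMPLE, svc))
```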

Task 9: What is the executable associated with the first service created by a Sysinternals tool on the target system following the attacker's initial login attempt?

To answer this, I applied a filter for Event ID 11 (File Create) in Client03’s Sysmon events.
The key point is to focus on events that occurred immediately after 2025-05-25 04:03:47, which is the timestamp of the attacker’s initial login attempt.

Answer: VgYTbFEK.exe

Task 10: On Client03, what was the file name of the executable used to dump cleartext credentials from memory?

To solve this task, I accessed the Sysmon logs on the Client03 computer and searched through the dump files.


As observed, the executable in the Downloads folder is named netdiag.exe. Mimikatz is masquerading under this name, and in some log entries the Masquerading technique name is also visible.

Task 11: What is the username of the account whose cleartext password was found on Client03?

For this, I applied a filter for Event ID 1 in Client03’s Sysmon logs. When the attacker ran the command runas /user:Main\lucas cmd, Windows prompted for a password. The attacker, however, injected code into runas’s memory via PowerShell.
In general, runas.exe allows you to run a program under a different user account—such as an administrator—without changing the current user.

The attacker executes exactly that action at this point.

By filtering for Event ID 4624, we can see that the attacker successfully logged in using the lucas username.

Task 12: After obtaining the cleartext password of this account, the attacker carried out a domain-level credential extraction attack. At what time did the compromised account perform this attack on the domain? (UTC)

After obtaining the cleartext password of the lucas account, the attacker performed a domain-level credential extraction (DCSync). During this attack, the attacker impersonates a Domain Controller and requests password hashes for all other users (e.g., KRBTGT).
To detect this, I applied a filter for Event ID 4662 in DC01’s Security logs. As observed, a large number of events were recorded at 08:26:36 in the viewer’s local time, which corresponds to 04:26:36 UTC.

Answer: 2025-05-25 04:26:36
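As an added example (not part of this write-up), the DCSync check in code: pick out Event ID 4662 records whose Properties carry the two replication rights a DCSync needs, ignore machine accounts (domain controllers replicate legitimately), and bucket the rest per UTC second so the burst stands out. The records are constructed JSON lines in the shape of a typical EVTX-to-JSON export; only the account name lucas, DC01 and the 04:26:36 time come from the logs discussed here, and the +04:00 offset on the sample timestamps is there only to make the local-to-UTC conversion explicit.

```python
# Added example (not from the write-up): find DCSync-style replication requests in Security
# Event ID 4662 records and report them in UTC, grouped by second, so a burst like the one the
# write-up describes stands out. Records are constructed JSON lines in the shape of a typical
# EVTX-to-JSON export; only the account name lucas, DC01 and the 04:26:36 time come from the page.
import json
from collections import Counter
from datetime import datetime, timezone

# Control-access rights a DCSync needs; these GUIDs are the well-known Active Directory values.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
DOMAIN_DNS_CLASS = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"  # ObjectType of the domain root

def _record(time, user, props, obj=DOMAIN_DNS_CLASS):
    return {"EventID": 4662, "TimeCreated": time, "SubjectUserName": user,
            "ObjectType": obj, "Properties": props}

BOTH_RIGHTS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    # Legitimate replication by a domain controller's own machine account.
    _record("2025-05-25T04:20:01Z", "DC01$", BOTH_RIGHTS),
    # Ordinary directory access by lucas without any replication right.
    _record("2025-05-25T04:25:10Z", "lucas", "{bf967a86-0de6-11d0-a285-00aa003049e2}",
            obj="%{bf967aba-0de6-11d0-a285-00aa003049e2}"),
    # Constructed: the viewer showed 08:26:36 local (UTC+4); three requests in one second.
    _record("2025-05-25T08:26:36+04:00", "lucas", BOTH_RIGHTS),
    _record("2025-05-25T08:26:36+04:00", "lucas", BOTH_RIGHTS),
    _record("2025-05-25T08:26:36+04:00", "lucas", BOTH_RIGHTS),
])

def dcsync_candidates(jsonl):
    """Return {(utc_second, account): count} for non-machine accounts requesting replication rights."""
    hits = Counter()
    for line in jsonl.splitlines():
        r = json.loads(line)
        if r.get("EventID") != 4662:
            continue
        props = r["Properties"].lower()
        wanted = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        # Domain controllers replicate legitimately and their accounts end with '$'.
        if wanted and not r["SubjectUserName"].endswith("$"):
            ts = datetime.fromisoformat(r["TimeCreated"].replace("Z", "+00:00"))
            utc_second = ts.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            hits[(utc_second, r["SubjectUserName"])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (when, who), n in sorted(dcsync_candidates(SAMPLE_JSONL).items()):
        print(f"{when} UTC  {who}  {n} replication request(s)")
```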

Task 13: At what time did the attacker initially authenticate using the administrator account? (UTC)

For this, we filter Event ID 4624 in DC01’s Security logs and look for the first login of the Administrator account after 2025-05-25 04:26:36.

Task 14: What is the name of the service created by the attacker on DC01 for persistence?


As observed here, the attacker uses the sc.exe create command to create a service named WindowsUpdateSvc.

Task 15: What is the name of the scheduled task created by the attacker on DC01 for persistence?

For this, if we search using schtasks.exe or Event IDs 4698/4699, we will encounter two events as shown. The screenshot below shows the search result for Event ID 4698.

We can see that the task was later deleted on 05/25/2025 08:38:53 AM.

Answer: windowsupdatecheck

Task 16: What is the registry key name created by the attacker on DC01 for persistence?

For this, I applied a filter for Event ID 13 in DC01’s Sysmon logs and reviewed the entries. There, we encountered an unusual value as shown. Event ID 13 in Sysmon logs indicates a Registry value set.

Answer: xcvafctr
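As an added example (not part of this write-up), the three persistence artifacts from Tasks 14 to 16 pulled out of one mixed stream of DC01 events: the service name from an sc.exe create command line (Sysmon Event ID 1), the task name from Event ID 4698, and an autorun value from Sysmon Event ID 13. The events are constructed (event_id, fields) pairs; only the names WindowsUpdateSvc, windowsupdatecheck and xcvafctr come from the logs discussed here, and placing xcvafctr under the Run key is my assumption, as are the binary paths.

```python
# Added example (not from the write-up): pull persistence artifacts out of a mixed stream of
# DC01 events: service creation via sc.exe (Sysmon Event ID 1 command lines), scheduled tasks
# (Security Event ID 4698) and autorun registry values (Sysmon Event ID 13, "Registry value set").
# Events are constructed (event_id, fields) pairs; only the three names the write-up found are
# real, and the Run-key location of xcvafctr and the binary paths are assumptions.
import re

RUN_KEYS = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# "sc create <name> ..." with an optional "\\server" argument and optional quoting of the name.
SC_CREATE = re.compile(r'\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?create\s+"?([^\s"]+)', re.IGNORECASE)

SAMPLE_EVENTS = [
    (1, {"Image": "C:\\Windows\\System32\\sc.exe",
         "CommandLine": 'sc.exe create WindowsUpdateSvc binPath= "C:\\Users\\Public\\svc.exe" start= auto'}),
    (1, {"Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc.exe query wuauserv"}),  # benign
    (4698, {"SubjectUserName": "Administrator", "TaskName": "\\windowsupdatecheck"}),
    (13, {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
          "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\xcvafctr",
          "Details": "C:\\Users\\Public\\upd.exe"}),
    (13, {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\svchost.exe",  # benign
          "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Hostname",
          "Details": "DC01"}),
]

def persistence_artifacts(events):
    """Return a list of (kind, name, evidence) for each persistence mechanism found."""
    found = []
    for eid, f in events:
        if eid == 1 and (m := SC_CREATE.search(f.get("CommandLine", ""))):
            found.append(("service", m.group(1), f["CommandLine"]))
        elif eid == 4698:
            found.append(("scheduled_task", f["TaskName"].lstrip("\\"), f["SubjectUserName"]))
        elif eid == 13 and RUN_KEYS.search(f.get("TargetObject", "")):
            found.append(("run_key", f["TargetObject"].rsplit("\\", 1)[-1], f.get("Details", "")))
    return found

if __name__ == "__main__":
    for kind, name, evidence in persistence_artifacts(SAMPLE_EVENTS):
        print(f"{kind:15} {name:20} {evidence}")
```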

Thanks for reading!!!🪄
