FalconEye blue team ctf

Category : Threat Hunting

358 Players

4.5 (32)

Medium

What is the name of the compromised account?

Weight : 100 | Solved : 151

What is the name of the compromised machine?

Weight : 100 | Solved : 153

What tool did the attacker use to enumerate the environment?

Weight : 100 | Solved : 102

The attacker used Unquoted Service Path to escalate privileges. What is the name of the vulnerable service?

Weight : 100 | Solved : 89

What is the SHA256 of the executable that escalates the attacker privileges?

Weight : 100 | Solved : 72

When did the attacker download fun.exe? (24H-UTC)

Weight : 100 | Solved : 85

What is the command line used to launch the DCSync attack

Weight : 100 | Solved : 103

What is the original name of fun.exe?

Weight : 100 | Solved : 109

The attacker performed the Over-Pass-The-Hash technique. What is the AES256 hash of the account he attacked?

Weight : 100 | Solved : 91

Q10

What service did the attacker abuse to access the Client03 machine as Administrator?

Weight : 100 | Solved : 64

Q11

The Client03 machine spawned a new process when the attacker logged on remotely. What is the process name?

Weight : 100 | Solved : 56

Q12

The attacker compromises the it-support account. What was the logon type?

Weight : 100 | Solved : 75

Q13

What ticket name did the attacker generate to access the parent DC as Administrator?

Weight : 100 | Solved : 63

Scenario:

As a SOC analyst, you aim to investigate a security breach in an Active Directory network using Splunk SIEM (Security information and event management) solution to uncover the attacker's steps and techniques while creating a timeline of their activities. The investigation begins with network enumeration to identify potential vulnerabilities. Using a specialized privilege escalation tool, the attacker exploited an unquoted service path vulnerability in a specific process.

Once the attacker had elevated access, the attacker launched a DCsync attack to extract sensitive data from the Active Directory domain controller, compromising user accounts. The attacker employed evasion techniques to avoid detection and utilized pass-the-hash (pth) attack to gain unauthorized access to user accounts. Pivoting through the network, the attacker explored different systems and established persistence.

Throughout the investigation, tracking the attacker's activities and creating a comprehensive timeline is crucial. This will provide valuable insights into the attack and aid in identifying potential gaps in the network's security.

Instructions:

Virtualbox: Start the VM and access Splunk from the host machine via http://127.0.0.1:8009. No need to login to the machine
Credentials: vagrant/vagrant

WriteUps

Submit Writeup

Need Help?

Join our Discord server, connect with fellow defenders, and get help while solving challenges.

SHA1SUM:

98d05a866cd4f2f564e14382a6e88255f112c551
Password:

cyberdefenders.org
Size:

2.1 GB
Published:

May 19, 2023, 6 p.m.

First blood

banyrock

17 days ago

Last solve

hoangpt

today

Authors

FalconEye blue team ctf

Category : Threat Hunting

DCsync

Network Security

Pass The Hash

SIEM