FalconEye Blue Team Challenge

Category : Threat Hunting

4.5

Medium

Attention! "FalconEye" is no longer active and will not contribute to leaderboard points. However, you can still solve the lab and explore avaliable walkthroughs to gain valuable experience.

What is the name of the compromised account?

Weight : 100 | Solved : 654 | Average Solve Time: 10 minutes

What is the name of the compromised machine?

Weight : 100 | Solved : 655 | Average Solve Time: 8 minutes

What tool did the attacker use to enumerate the environment?

Weight : 100 | Solved : 549 | Average Solve Time: 43 minutes

The attacker used Unquoted Service Path to escalate privileges. What is the name of the vulnerable service?

Weight : 100 | Solved : 503 | Average Solve Time: 2 minutes

What is the SHA256 of the executable that escalates the attacker privileges?

Weight : 100 | Solved : 472 | Average Solve Time: 58 minutes

When did the attacker download fun.exe? (24H-UTC)

Weight : 100 | Solved : 491 | Average Solve Time: 20 minutes

What is the command line used to launch the DCSync attack

Weight : 100 | Solved : 494 | Average Solve Time: 1 minute

What is the original name of fun.exe?

Weight : 100 | Solved : 513 | Average Solve Time: 1 minute

The attacker performed the Over-Pass-The-Hash technique. What is the AES256 hash of the account he attacked?

Weight : 100 | Solved : 464 | Average Solve Time: 25 minutes

Q10

What service did the attacker abuse to access the Client03 machine as Administrator?

Weight : 100 | Solved : 438 | Average Solve Time: 2 minutes

Q11

The Client03 machine spawned a new process when the attacker logged on remotely. What is the process name?

Weight : 100 | Solved : 424 | Average Solve Time: 57 minutes

Q12

The attacker compromises the it-support account. What was the logon type?

Weight : 100 | Solved : 453 | Average Solve Time: 45 minutes

Q13

What ticket name did the attacker generate to access the parent DC as Administrator?

Weight : 100 | Solved : 433 | Average Solve Time: 5 minutes

Instructions:

Virtualbox: Start the VM and access Splunk from the host machine via http://127.0.0.1:8009. No need to login to the machine
Credentials: vagrant/vagrant

Scenario:

As a SOC analyst, you aim to investigate a security breach in an Active Directory network using Splunk SIEM (Security information and event management) solution to uncover the attacker's steps and techniques while creating a timeline of their activities. The investigation begins with network enumeration to identify potential vulnerabilities. Using a specialized privilege escalation tool, the attacker exploited an unquoted service path vulnerability in a specific process.

Once the attacker had elevated access, the attacker launched a DCsync attack to extract sensitive data from the Active Directory domain controller, compromising user accounts. The attacker employed evasion techniques to avoid detection and utilized pass-the-hash (pth) attack to gain unauthorized access to user accounts. Pivoting through the network, the attacker explored different systems and established persistence.

Throughout the investigation, tracking the attacker's activities and creating a comprehensive timeline is crucial. This will provide valuable insights into the attack and aid in identifying potential gaps in the network's security.

Stuck? Don't worry

We've got you covered! 🛠️ Head over to the community lab channel for guidance #falconeye channel

First blood

banyrock

204 days ago

Last solve

MSALEH

today

FalconEye Blue Team Challenge

Category : Threat Hunting

DCsync

Network Security

Pass The Hash

SIEM

Splunk

Stuck? Don't worry

First blood

Last solve

Blog

Media Kit

Store

Careers

FalconEye Blue Team Challenge

Category : Threat Hunting

DCsync

Network Security

Pass The Hash

SIEM

Splunk

Stuck? Don't worry

First blood

Last solve