Introduction

In this lab walkthrough, we investigate a suspected brute-force attack and subsequent unauthorized access within the network of SecureTech Industries. The incident began with alerts about unusual login attempts, raising concerns about credential-based attacks targeting the organization's Windows infrastructure. As a cybersecurity analyst, your role is to methodically analyze log data in Elastic SIEM, trace the attacker's activities, identify compromised accounts, and uncover the tactics, techniques, and procedures (TTPs) employed throughout the attack lifecycle.

The attack demonstrates a multi-stage intrusion: brute-force attempts to gain initial access, credential dumping with tools such as Mimikatz, lateral movement using the compromised accounts, and persistence through scheduled tasks. By dissecting key Windows Security event logs (Event ID 4625 for failed logons, Event ID 4624 for successful logons, and Event ID 4769 for Kerberos service ticket requests), you will uncover how the attacker infiltrated the network, maintained access, and escalated privileges.

Throughout this walkthrough, we’ll leverage Elastic SIEM for threat hunting, focusing on detecting anomalies in login patterns, identifying malicious files and processes, and analyzing attacker behavior. We will cover key Windows security artifacts and explore common attack techniques, including the abuse of Kerberos tickets, PowerShell execution, and scheduled task creation for persistence. By the end of this guide, you will have a comprehensive understanding of how to investigate, detect, and mitigate similar attacks within an enterprise environment.

