ShadowRoast Walkthrough

As a cybersecurity analyst at TechSecure Corp, you’re alerted to unusual activity within the company’s Active Directory environment. Initial reports indicate possible unauthorized access and privilege escalation attempts. Your mission is to analyze the provided logs to determine the extent of the attack, identify malicious actions, and secure the network.

Investigation Scope

This investigation focuses on identifying unauthorized access patterns, privilege escalations, and any lateral movement across the network. You have two primary data sources: triage event logs from three affected machines and a Splunk instance with the same logs for flexible querying. Your goal is to pinpoint the attacker’s activities and assess the scope of the compromise, using either direct log analysis or Splunk queries.

Lab Tools

  • Splunk: A powerful platform for searching and analyzing large volumes of logs, enabling efficient filtering and correlation of security events.
  • EZ Tools: Facilitates streamlined triage of logs, simplifying key evidence extraction.
  • Event Log Explorer: Supports detailed parsing and review of Windows event logs to identify signs of suspicious behavior.
  • KAPE: A forensic triage tool for targeted collection and analysis of system artifacts.
  • Event Viewer: Essential for directly examining event logs on Windows systems, providing insight into system and security events.
  • CyberChef: A versatile data processing tool, useful for decoding, analyzing, and manipulating data.

Cheat sheets that can help in our investigation: