
Unit42 (HTB-Sherlock)

· 10 min read
Dario Cruz
Maintainer of DarioCruz.dev


Welcome back everyone. The following Sherlock is being completed in preparation for taking the HTB CDSA exam. I came across a Medium blog post by the user Hammazahmed, who provides some advice on learning and practising skills before taking the exam. Specifically, he mentioned this Sherlock investigation along with some others: BFT, Noted, RogueOne (which I have completed, full writeup here), and Meerkat.

Campfire 2 (HTB-Sherlock)

· 5 min read
Dario Cruz
Maintainer of DarioCruz.dev

On to the second part of the Campfire Sherlock from Hack The Box. Again, if you have not read my previous write-up on Campfire 1, go check it out. The aim is to complete all Sherlocks in the Detecting Active Directory Attacks track on HTB Labs. Time to investigate!

The Scenario

Forela's network is constantly under attack. The security system raised an alert about an old admin account requesting a ticket from the KDC on a domain controller. Inventory shows that this user account is not in use as of now, so you are tasked to take a look at this. This may be an AS-REP roasting attack, since anyone can request a ticket for any user account that has pre-authentication disabled.

Campfire 1 (HTB-Sherlock)

· 7 min read
Dario Cruz
Maintainer of DarioCruz.dev

Hack The Box recently created some learning tracks for their Sherlock labs. I recently enrolled in the Detecting Active Directory track, as I have already completed two of the Sherlocks included, Noxious and Reaper. Campfire 1 is the first in the series in this track and pairs up well with my article on Kerberoasting, as this investigation deals with a Kerberoasting attack. Let's get started!

The Scenario

Alonzo spotted weird files on his computer and informed the newly assembled SOC team. Assessing the situation, it is believed a Kerberoasting attack may have occurred in the network. It is your job to confirm the findings by analyzing the provided evidence. You are provided with:

1- Security logs from the domain controller
2- PowerShell-Operational logs from the affected workstation
3- Prefetch files from the affected workstation
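The two Campfire scenarios above are the two Kerberos detections you can pull straight out of the domain controller's Security log: AS-REP roasting shows up as Event ID 4768 (TGT requested) with Pre-Authentication Type 0, and Kerberoasting as one client pulling a run of Event ID 4769 (service ticket requested) entries with RC4 encryption (etype 0x17) for accounts that are not machine accounts. The script below is an added example written for this page, not code from the write-ups or from Hack The Box, and it runs both checks over a constructed log sample. The account names, service names, the FORELA.LOCAL realm spelling and the 172.17.79.129 source address are made up; 172.17.79.136 is the workstation address from the Noxious scenario further down.

```python
import json
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23. AES domains normally log 0x11/0x12; attack tooling asks for RC4 to keep cracking cheap.

# Constructed sample of Security log records from a domain controller, reduced to
# the fields the checks below need (one JSON object per line, the shape you get after
# flattening Get-WinEvent output with ConvertTo-Json). Account names, service names,
# the realm and the 172.17.79.129 source are made up for this example.
SAMPLE_LOG = """
{"EventID": 4768, "TargetUserName": "old.admin", "IpAddress": "::ffff:172.17.79.129", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "::ffff:172.17.79.136", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "old.admin", "IpAddress": "::ffff:172.17.79.129", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "jdoe@FORELA.LOCAL", "ServiceName": "svc_sql", "IpAddress": "::ffff:172.17.79.129", "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000"}
{"EventID": 4769, "TargetUserName": "jdoe@FORELA.LOCAL", "ServiceName": "svc_web", "IpAddress": "::ffff:172.17.79.129", "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000"}
{"EventID": 4769, "TargetUserName": "jdoe@FORELA.LOCAL", "ServiceName": "DC01$", "IpAddress": "::ffff:172.17.79.129", "TicketEncryptionType": "0x12", "TicketOptions": "0x40810000"}
{"EventID": 4769, "TargetUserName": "jdoe@FORELA.LOCAL", "ServiceName": "krbtgt", "IpAddress": "::ffff:172.17.79.136", "TicketEncryptionType": "0x12", "TicketOptions": "0x40810000"}
"""


def parse_events(text):
    """One JSON record per non-empty line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def strip_ipv4_mapped(ip):
    """4768/4769 log the client as ::ffff:a.b.c.d; return the plain IPv4 address."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def asrep_roasting_candidates(events):
    """Successful 4768 TGT requests with PreAuthType 0 (logon without pre-authentication).
    That is the one condition AS-REP roasting needs: the KDC hands back an AS-REP whose
    enc-part is keyed on the user's password hash, so it can be cracked offline. Asking
    for an RC4 ticket on top of that is the usual fingerprint of Rubeus / GetNPUsers."""
    hits = []
    for e in events:
        if e.get("EventID") != 4768 or e.get("Status") != "0x0":
            continue
        if e.get("PreAuthType") == "0":
            hits.append({
                "user": e["TargetUserName"],
                "source": strip_ipv4_mapped(e["IpAddress"]),
                "rc4": int(e["TicketEncryptionType"], 16) == RC4_HMAC,
            })
    return hits


def kerberoasting_candidates(events, min_services=2):
    """Group 4769 TGS requests per (requesting account, source IP) and keep those that
    asked for RC4 tickets to user-style service accounts. Machine accounts ('$') and
    krbtgt are dropped: their keys derive from long random passwords that will not crack.
    One client pulling RC4 tickets for several such SPNs in a row is the Kerberoasting
    pattern; min_services is the alert threshold, tune it to the environment."""
    services = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769:
            continue
        spn_account = e.get("ServiceName", "")
        if spn_account.endswith("$") or spn_account.lower() == "krbtgt":
            continue
        if int(e.get("TicketEncryptionType", "0x0"), 16) != RC4_HMAC:
            continue
        key = (e["TargetUserName"], strip_ipv4_mapped(e["IpAddress"]))
        services[key].add(spn_account)
    return {k: sorted(v) for k, v in services.items() if len(v) >= min_services}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for h in asrep_roasting_candidates(evts):
        print(f"AS-REP roast candidate: {h['user']} from {h['source']} (rc4={h['rc4']})")
    for (who, src), spns in kerberoasting_candidates(evts).items():
        print(f"Kerberoast candidate: {who} from {src} requested RC4 tickets for {spns}")
```

In a real triage the source address that comes out of either check is what you carry over to the workstation evidence the scenario lists: the PowerShell-Operational log shows the script (Invoke-Kerberoast, Rubeus and friends leave script-block entries) and the prefetch files show the binary and when it ran, which is how you confirm the DC-side hint rather than alerting on RC4 alone. Legacy applications can still request RC4 legitimately, so the account-and-burst grouping matters more than any single event.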

Loggy (HTB-Sherlock)

· 12 min read
Dario Cruz
Maintainer of DarioCruz.dev

Hey all, it's been a while since my last Sherlock post, but rest assured I am still out here studying and learning.🤓 Now let's dive into another investigation.

Scenario

Janice from accounting is beside herself! She was contacted by the SOC to tell her that her work credentials were found on the dark web by the threat intel team. We managed to recover some files from her machine and sent them to our REM analyst.

What I've Learned - Network Traffic Analysis

· 5 min read
Dario Cruz
Maintainer of DarioCruz.dev

I recently completed the Hack The Box module: Intro to Network Traffic Analysis. I have to say I really enjoyed this module, as we dived into the analysis process. The whole module gave me the feeling of being a private investigator/detective, digging through tons of information to look for anomalies or patterns that indicate compromise or a security event. Let's dig into what I learned over the course of the module and how it can be applied in practice.

Kerberoasting: What You Need To Know

· 8 min read
Dario Cruz
Maintainer of DarioCruz.dev

Hello Everyone! 👋

Today we will be learning about Kerberoasting, an attack that targets Kerberos. I decided to write an article about this topic as I am actively learning about the attack as part of the Hack The Box CDSA certification.

To first understand what Kerberoasting is, we need to dive into Kerberos: what it is, what it offers, and how it works. That gives better insight into how Kerberoasting attacks are carried out, and why threat actors persistently choose this method to gain access to AD environments.

Noxious (HTB-Sherlocks)

· 17 min read
Dario Cruz
Maintainer of DarioCruz.dev

Okay, let's get back into it! Time for another Sherlock investigation.🕵️‍♂️

Scenario

The IDS device alerted us to a possible rogue device in the internal Active Directory network. The Intrusion Detection System also indicated signs of LLMNR traffic, which is unusual. It is suspected that an LLMNR poisoning attack occurred. The LLMNR traffic was directed towards Forela-WKstn002, which has the IP address 172.17.79.136. A limited packet capture from the surrounding time is provided to you, our Network Forensics expert. Since this occurred in the Active Directory VLAN, it is suggested that we perform network threat hunting with the Active Directory attack vector in mind, specifically focusing on LLMNR poisoning.

The Files

Okay, so in the zip file for the Sherlock we have a single .pcap file, which means we will be flexing our Wireshark/tcpdump skills in this investigation.
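To show what the LLMNR poisoning hunt described in the scenario looks like in code, here is an added example written for this page. It is not code from the write-up and it does not touch the real Sherlock capture: it is a minimal LLMNR parser (LLMNR reuses the DNS wire format on UDP 5355) plus a detection that flags any host answering the multicast queries, run over a capture constructed inline. 172.17.79.136 is Forela-WKstn002 from the scenario; the rogue 172.17.79.135, the ephemeral ports, the transaction IDs and the queried names are made up.

```python
import struct
from collections import defaultdict

LLMNR_PORT = 5355
LLMNR_MCAST = "224.0.0.252"  # IPv4 multicast group that LLMNR queries are sent to


def encode_name(name):
    """DNS-style label encoding: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(part)]) + part.encode() for part in name.split(".")) + b"\x00"


def decode_name(buf, off):
    """Decode a label sequence at buf[off], following a compression pointer if present.
    Returns (name, offset just past the name)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:  # two-byte pointer into the message, exactly as in DNS
            ptr = ((n & 0x3F) << 8) | buf[off]
            off += 1
            labels.append(decode_name(buf, ptr)[0])
            break
        labels.append(buf[off:off + n].decode())
        off += n
    return ".".join(labels), off


def build_query(txid, name):
    """LLMNR query: flags 0x0000, one question of type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip):
    """LLMNR response: QR bit set, question echoed, one A record pointing at ip."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, len(rdata)) + rdata
    return header + question + answer


def parse_llmnr(payload):
    """Parse header, question names and A-record answers out of an LLMNR message."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    off = 12
    questions = []
    for _ in range(qdcount):
        name, off = decode_name(payload, off)
        off += 4  # QTYPE + QCLASS
        questions.append(name)
    answers = []
    for _ in range(ancount):
        name, off = decode_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions, "answers": answers}


def hunt_llmnr_responders(capture):
    """capture: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload).
    Queries go to the multicast group on port 5355; responses come back unicast from
    port 5355 to the querier's ephemeral port, so match on either port. Every response
    deserves a look: a legitimate host only answers for its own name, while a poisoner
    answers whatever was asked and points the victim at itself."""
    outstanding = set()
    responders = defaultdict(list)
    for src, sport, dst, dport, payload in capture:
        if LLMNR_PORT not in (sport, dport):
            continue
        msg = parse_llmnr(payload)
        if not msg["is_response"]:
            outstanding.add((msg["id"], src))
            continue
        for name, ip in msg["answers"]:
            responders[src].append({
                "victim": dst,
                "name": name,
                "resolved_to": ip,
                "points_to_self": ip == src,
                "matches_query": (msg["id"], dst) in outstanding,
            })
    return dict(responders)


# Constructed capture: Forela-WKstn002 asks for two names that do not exist on the
# network and a single host (made up: 172.17.79.135) answers both with its own address.
CAPTURE = [
    ("172.17.79.136", 49711, LLMNR_MCAST, LLMNR_PORT, build_query(0x1A2B, "fielsrv01")),
    ("172.17.79.135", LLMNR_PORT, "172.17.79.136", 49711, build_response(0x1A2B, "fielsrv01", "172.17.79.135")),
    ("172.17.79.136", 49712, LLMNR_MCAST, LLMNR_PORT, build_query(0x1A2C, "printer-hr")),
    ("172.17.79.135", LLMNR_PORT, "172.17.79.136", 49712, build_response(0x1A2C, "printer-hr", "172.17.79.135")),
]

if __name__ == "__main__":
    for host, hits in hunt_llmnr_responders(CAPTURE).items():
        print(f"{host} answered {len(hits)} LLMNR queries:")
        for h in hits:
            print(f"  {h['name']} -> {h['resolved_to']} for {h['victim']} (self={h['points_to_self']})")
```

In Wireshark the equivalent first pass is the llmnr display filter (or udp.port == 5355, which catches both directions): the responder's address is whatever source keeps appearing in the replies, and the next step in the capture is usually SMB or HTTP traffic from the victim to that same address, carrying the NTLMv2 challenge/response the poisoner was after.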