Welcome back everyone. The following Sherlock is being completed in preparation for taking the HTB CDSA exam. I came across a medium blog post by the user, Hammazahmed. He provides some advice for learning and practicing skills before taking the exam. Specifically, he mentioned this Sherlock investigation, along with some others, BFT, Noted, RogueOne (Which I have completed, full writeup here), and Meerkat.
CrownJewel 2 is the final Sherlock in the Hack the Box Detecting Active Directory Attacks track. It's been rewarding tackling these labs and getting more exposure to the various tools of the trade when it comes to blue teaming in cyber.
We are down to the last two Sherlock labs to complete the track Detecting Active Directory Attacks. Let's start the next investigation and continue our learning.
On to the second part of the Campfire Sherlock from Hack the Box. Again, if you have not read my previous write-up on Campfire 1, go check it out. The aim is to complete all Sherlocks in the Detecting Active Directory Attacks track on HTB labs. Time to investigate!
Forela's Network is constantly under attack. The security system raised an alert about an old admin account requesting a ticket from KDC on a domain controller. Inventory shows that this user account is not used as of now so you are tasked to take a look at this. This may be an AsREP roasting attack as anyone can request any user's ticket which has preauthentication disabled.
Hack the Box recently created some learning tracks for their Sherlock labs. I recently enrolled in the Detecting Active Directory track as I have already completed two of the Sherlocks included, Noxious and Reaper. Campfire 1 is the first in the series in this track and pairs up well with my article on Kerberoasting as this investigation deals with a Kerberoasting attack. Let's get started!
Alonzo Spotted Weird files on his computer and informed the newly assembled SOC Team. Assessing the situation it is believed a Kerberoasting attack may have occurred in the network. It is your job to confirm the findings by analyzing the provided evidence. You are provided with: 1- Security Logs from the Domain Controller 2- PowerShell-Operational Logs from the affected workstation 3- Prefetch Files from the affected workstation
Hey all, it's been a while since my last Sherlock post but rest assured I am still out here studying and learning.🤓 Now let's dive into another investigation.
Janice from accounting is beside herself! She was contacted by the SOC to tell her that her work credentials were found on the dark web by the threat intel team. We managed to recover some files from her machine and sent them to the our REM analyst.
It's that time again, lets dig into another investigation, this time it looks like we will be digging into memory forensics. 🕵️♂️🤓🔎
Okay, lets get back into it! Time for another Sherlock investigation.🕵️♂️
The IDS device alerted us to a possible rogue device in the internal Active Directory network. The Intrusion Detection System also indicated signs of LLMNR traffic, which is unusual. It is suspected that an LLMNR poisoning attack occurred. The LLMNR traffic was directed towards Forela-WKstn002, which has the IP address 172.17.79.136. A limited packet capture from the surrounding time is provided to you, our Network Forensics expert. Since this occurred in the Active Directory VLAN, it is suggested that we perform network threat hunting with the Active Directory attack vector in mind, specifically focusing on LLMNR poisoning.
Okay so in the zip file for the Sherlock we have a single .pcap file which means we will be flexing our Wireshark/TCPdump skills in this investigation.
Okay so I just discovered Hack The Box Sherlocks, they are Blue Team focused labs that test your SOC Analyst skills. Useful for sharping and displaying knowledge and skills. There looks to be a lot of them which is great, so I decided to jump right in and take a stab at the first lab, a retired lab called Reaper.