Welcome back everyone. The following Sherlock is being completed in preparation for taking the HTB CDSA exam. I came across a medium blog post by the user, Hammazahmed. He provides some advice for learning and practicing skills before taking the exam. Specifically, he mentioned this Sherlock investigation, along with some others, BFT, Noted, RogueOne (Which I have completed, full writeup here), and Meerkat.
CrownJewel 2 is the final Sherlock in the Hack the Box Detecting Active Directory Attacks track. It's been rewarding tackling these labs and getting more exposure to the various tools of the trade when it comes to blue teaming in cyber.
We are down to the last two Sherlock labs to complete the track Detecting Active Directory Attacks. Let's start the next investigation and continue our learning.
On to the second part of the Campfire Sherlock from Hack the Box. Again, if you have not read my previous write-up on Campfire 1, go check it out. The aim is to complete all Sherlocks in the Detecting Active Directory Attacks track on HTB labs. Time to investigate!
Forela's Network is constantly under attack. The security system raised an alert about an old admin account requesting a ticket from KDC on a domain controller. Inventory shows that this user account is not used as of now so you are tasked to take a look at this. This may be an AsREP roasting attack as anyone can request any user's ticket which has preauthentication disabled.
Hack the Box recently created some learning tracks for their Sherlock labs. I recently enrolled in the Detecting Active Directory track as I have already completed two of the Sherlocks included, Noxious and Reaper. Campfire 1 is the first in the series in this track and pairs up well with my article on Kerberoasting as this investigation deals with a Kerberoasting attack. Let's get started!
Alonzo Spotted Weird files on his computer and informed the newly assembled SOC Team. Assessing the situation it is believed a Kerberoasting attack may have occurred in the network. It is your job to confirm the findings by analyzing the provided evidence. You are provided with: 1- Security Logs from the Domain Controller 2- PowerShell-Operational Logs from the affected workstation 3- Prefetch Files from the affected workstation