Campfire 1 (HTB-Sherlock)
Hack The Box recently created some learning tracks for their Sherlock labs. I recently enrolled in the Detecting Active Directory track, as I have already completed two of the Sherlocks included, Noxious and Reaper. Campfire 1 is the first in the series in this track and pairs up well with my article on Kerberoasting, as this investigation deals with a Kerberoasting attack. Let's get started!
The Scenario
Alonzo spotted weird files on his computer and informed the newly assembled SOC Team. Assessing the situation, it is believed a Kerberoasting attack may have occurred in the network. It is your job to confirm the findings by analyzing the provided evidence. You are provided with:
1- Security Logs from the Domain Controller
2- PowerShell-Operational Logs from the affected workstation
3- Prefetch Files from the affected workstation