Lateral Movement Hunt
DOWNLOADABLE. Windows Security event log (export). A workstation was compromised. Correlate the events to find the attacker, the account entered via pass-the-hash, and the backdoor account created. The 'most failed-logon IP' leads you to the SOC scanner (decoy).
Scenario
An exported Windows Security event log (4624 successful logon, 4625 failed logon, 4672 special privileges assigned, 4720 account creation). A SOC vulnerability scanner (10.0.0.240) produces dozens of 4625 events but never a success; the naive 'most failed source' analysis points to this scanner, which is the decoy. The real attacker, after a few failures, succeeds with LogonType=3 (network) + AuthPackage=NTLM against a service account; that combination is the pass-the-hash signature. The attacker then gains privileges (4672) and creates a backdoor account (4720). The skill being tested is not counting volume but correlating the chain: NTLM network-logon success, then privilege assignment, then account creation.
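The correlation described above, as an added example that is not part of the challenge or its data: it runs a naive "most 4625 per source" count (the decoy answer) beside the chain hunt that ties a 4624 NTLM network logon to a 4672 and a 4720 through a shared LogonId. The TSV rows, the column layout, the attacker IP 10.0.0.77 and the account names are constructed for the example; only the scanner IP 10.0.0.240 comes from the page.

```python
import csv
import io
from collections import Counter

# Constructed sample export (not the challenge's real data). LogonId is the
# TargetLogonId of a 4624 and the SubjectLogonId of the 4672/4720 it spawns.
SAMPLE_TSV = """TimeCreated\tEventID\tSourceIp\tLogonType\tAuthPackage\tLogonId\tSubjectUser\tTargetUser
09:00:01\t4625\t10.0.0.240\t3\tNTLM\t-\t-\tadmin
09:00:02\t4625\t10.0.0.240\t3\tNTLM\t-\t-\tbackup
09:00:03\t4625\t10.0.0.240\t3\tNTLM\t-\t-\tsqlsvc
09:00:04\t4625\t10.0.0.240\t3\tNTLM\t-\t-\troot
09:05:00\t4625\t10.0.0.77\t3\tNTLM\t-\t-\tsvc_backup
09:05:01\t4625\t10.0.0.77\t3\tNTLM\t-\t-\tsvc_backup
09:05:02\t4624\t10.0.0.77\t3\tNTLM\t0x3e9a\t-\tsvc_backup
09:05:03\t4672\t-\t-\t-\t0x3e9a\tsvc_backup\t-
09:05:10\t4720\t-\t-\t-\t0x3e9a\tsvc_backup\thelpdesk_tmp
09:10:00\t4624\t10.0.0.15\t2\tKerberos\t0x1234\t-\talice
"""


def parse_events(tsv_text):
    """Parse the TSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(tsv_text), delimiter="\t"))


def naive_top_failed_source(events):
    """The decoy answer: the source IP with the most 4625 events (the scanner)."""
    counts = Counter(e["SourceIp"] for e in events if e["EventID"] == "4625")
    return counts.most_common(1)[0][0]


def hunt_pth_chain(events):
    """Return the first 4625 -> 4624(LogonType 3, NTLM) -> 4672 -> 4720 chain.

    The scanner never produces a 4624, so it drops out of this hunt by itself.
    """
    failed_sources = {e["SourceIp"] for e in events if e["EventID"] == "4625"}
    for e in events:
        if not (e["EventID"] == "4624" and e["LogonType"] == "3"
                and e["AuthPackage"] == "NTLM" and e["SourceIp"] in failed_sources):
            continue
        logon_id = e["LogonId"]
        privileged = any(x["EventID"] == "4672" and x["LogonId"] == logon_id for x in events)
        created = [x["TargetUser"] for x in events
                   if x["EventID"] == "4720" and x["LogonId"] == logon_id]
        if privileged and created:
            return {"attacker_ip": e["SourceIp"], "account": e["TargetUser"], "backdoor": created[0]}
    return None


if __name__ == "__main__":
    evts = parse_events(SAMPLE_TSV)
    print("decoy (most 4625):", naive_top_failed_source(evts))
    print("PtH chain:", hunt_pth_chain(evts))
```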
Anti-forensics techniques
- Noise/decoy: SOC scanner (most 4625, zero success)
- Pass-the-hash (NTLM, LogonType=3 network logon)
- Persistence: backdoor account creation (4720/4732)
Provided artifacts
- Windows Security event log (TSV export)
Sample questions
- q1: What is the attacker's true source IP? (pass-the-hash success)
- q2: Which service account was compromised in the lateral movement?
- q3: What backdoor account did the attacker create? (4720)
- trap1: Do NOT report the SOC scanner's IP (most 4625) as the attacker.
Soundness trap
Scoring
Event correlation accuracy (PtH chain) + scanner-decoy resistance (soundness).
Download and solve
The answer key is hidden (scored set); the flag is encrypted, so you must decrypt it.