Objective 3

We're seeing attacks against the Elf U domain! Using the event log data, identify the user account that the attacker compromised using a password spray attack. Bushy Evergreen is hanging out in the train station and may be able to help you out.

The hints suggested using DeepBlueCLI.

It was necessary to run PowerShell as an Administrator and execute the command Set-ExecutionPolicy RemoteSigned before I could run

.\DeepBlue.ps1 .\Security.evtx

The most useful output filter was | ConvertTo-Csv, which ensured that I got all of the output rather than a truncated view.

The first thing to note is the list of usernames that attempts were made against:

Target Usernames: ygoldentrifle esparklesleigh hevergreen Administrator sgreenbells cjinglebuns tcandybaubles bbrandyleaves bevergreen lstripyleaves gchocolatewine wopenslae ltrufflefig supatree mstripysleigh pbrandyberry civysparkles sscarletpie ftwinklestockings cstripyfluff gcandyfluff smullingfluff hcandysnaps mbrandybells twinterfig civypears ygreenpie ftinseltoes smary ttinselbubbles dsparkleleaves

Successful logons were then recorded for: pminstix DC1$ supatree

As 'supatree' appears in both lists (sprayed against, then logged on successfully), it can be assumed that the 'supatree' account was compromised.
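The cross-check used above, written out as an added example that is not part of the original writeup: it runs on constructed logon records embedded inline (the field names EventId, TargetUserName and IpAddress are assumed, as is building such records from Security.evtx with Get-WinEvent) and reports any account that appears both in a spray's target list and in the successful logons.

```powershell
# Added example (not from the original writeup). Real use would build these records
# from Security.evtx (e.g. Get-WinEvent -Path .\Security.evtx and reading
# TargetUserName / IpAddress from each event's XML); that step is assumed here.

function Find-SprayedAccounts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinTargets = 5   # distinct accounts one source must fail against to count as a spray
    )
    # Group failed logons (4625) by source address: a spray is one source hitting many accounts.
    $sprayTargets = @{}
    $Events | Where-Object { $_.EventId -eq 4625 } |
        Group-Object IpAddress |
        ForEach-Object {
            $names = @($_.Group.TargetUserName | Sort-Object -Unique)
            if ($names.Count -ge $MinTargets) {
                foreach ($n in $names) { $sprayTargets[$n] = $_.Name }
            }
        }
    # Successful logons (4624) that land on an account the spray also targeted.
    $Events | Where-Object { $_.EventId -eq 4624 -and $sprayTargets.ContainsKey($_.TargetUserName) } |
        ForEach-Object {
            [pscustomobject]@{
                Account     = $_.TargetUserName
                SpraySource = $sprayTargets[$_.TargetUserName]
                LogonSource = $_.IpAddress
            }
        } | Sort-Object Account -Unique
}

# Constructed sample records (not real log data): one source fails against many
# accounts and then logs on as one of them; a machine account and an unrelated
# user logon are included as noise that must not be flagged.
$sample = @(
    foreach ($u in 'ygoldentrifle','esparklesleigh','hevergreen','sgreenbells','supatree','smary') {
        [pscustomobject]@{ EventId = 4625; TargetUserName = $u; IpAddress = '10.0.0.50' }
    }
    [pscustomobject]@{ EventId = 4624; TargetUserName = 'supatree'; IpAddress = '10.0.0.50' }
    [pscustomobject]@{ EventId = 4624; TargetUserName = 'pminstix'; IpAddress = '10.0.0.7' }
    [pscustomobject]@{ EventId = 4624; TargetUserName = 'DC1$';     IpAddress = '10.0.0.1' }
)

Find-SprayedAccounts -Events $sample | Format-Table
```

Lowering -MinTargets makes the check more sensitive but will also flag ordinary users who mistype a few passwords from one workstation.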

The Answer is “supatree”