Evaluate Attack Outcome#

Terminal Hint: Bushy Evergreen - Escape Ed


We're seeing attacks against the Elf U domain!
Using the event log data, identify the user account that the attacker compromised using a password spray attack.
Bushy Evergreen is hanging out in the train station and may be able to help you out.




Start by cloning or downloading the DeepBlueCLI Git repository. During a password spray attack the attacker tries the same password across a number of different accounts. When the security event log contains a high number of logon failures in combination with a succesful logon for the same account the attack was likely successful. Run DeepBlue.ps1 against the provided log file.

 .\DeepBlue.ps1 ..\Security.evtx | Sort-Object -Property Date | Format-List

DeepBlueCLI Output 1

DeepBlueCLI finds evidence of the password spray attack and provides a list of 31 targeted usernames but the output is a little hard to digest. Run DeepBlue.ps1 again, this time formatting the output as a table to make things a little easier to read.

.\DeepBlue.ps1 ..\Security.evtx | Format-Table Message,Results

DeepBlueCLI Output 2

Out of the three accounts that had successful logons supatree is the only one that's also showing up in the list of 31 entries with a high number of failed logon attempts. It looks like Shinny Upatree's account is the one that was compromised.


Account: supatree