Hi all, I was able to get the answer for Hunt 3, but I still don’t understand the steps taken to get it.
I started by running the event.code:4648 and process.name:powershell.exe for the filter and from the result I was able to understand that PowerShell was run on the bob account in the WS001.eagle.local endpoint to log in remotely to access the administrator account on the DC1.eagle.local. I’ve tried investigating the activity of bob on all recorded events on WS001.eagle.local but couldn’t find anything.
I was able to get it by running the event.code:4104 and powershell.file.script_block_text:*, and just entering the svc-sql1 since that’s the only user name I haven’t tried yet.
If anyone could explain their steps and reasoning on how they were able to get it that would be helpful.
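As an added illustration (not part of the original post) of the two pivots described above, this Python snippet correlates 4648 explicit-credential logons raised by powershell.exe with the 4104 script blocks logged on the same host shortly before, then lists any DOMAIN\user names those blocks mention. The events are constructed sample data; the field names event.code, process.name and powershell.file.script_block_text come from the post, while winlog.event_data.TargetUserName and TargetServerName are assumed winlogbeat field names.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events loosely mirroring the post's scenario (not real logs).
EVENTS = [
    {"@timestamp": "2023-01-01T10:00:00Z", "host.name": "WS001.eagle.local",
     "event.code": "4104", "user.name": "bob",
     "powershell.file.script_block_text": "Get-Process"},
    {"@timestamp": "2023-01-01T10:02:00Z", "host.name": "WS001.eagle.local",
     "event.code": "4104", "user.name": "bob",
     "powershell.file.script_block_text":
         "$c = Get-Credential eagle\\svc-sql1; Enter-PSSession DC1.eagle.local -Credential $c"},
    {"@timestamp": "2023-01-01T10:02:30Z", "host.name": "WS001.eagle.local",
     "event.code": "4648", "user.name": "bob", "process.name": "powershell.exe",
     "winlog.event_data.TargetUserName": "Administrator",      # assumed field name
     "winlog.event_data.TargetServerName": "DC1.eagle.local"},  # assumed field name
    {"@timestamp": "2023-01-01T11:00:00Z", "host.name": "WS001.eagle.local",
     "event.code": "4648", "user.name": "bob", "process.name": "explorer.exe",
     "winlog.event_data.TargetUserName": "Administrator",
     "winlog.event_data.TargetServerName": "FS01.eagle.local"},
]

def ts(event):
    return datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")

def correlate(events, window_minutes=5):
    """For each 4648 raised by powershell.exe, collect the 4104 script blocks
    logged on the same host within window_minutes before the logon."""
    hits = []
    for logon in events:
        if logon["event.code"] != "4648":
            continue
        if logon.get("process.name", "").lower() != "powershell.exe":
            continue
        earliest = ts(logon) - timedelta(minutes=window_minutes)
        blocks = [e for e in events if e["event.code"] == "4104"
                  and e["host.name"] == logon["host.name"]
                  and earliest <= ts(e) <= ts(logon)]
        hits.append({"logon": logon, "script_blocks": blocks})
    return hits

# Matches DOMAIN\user tokens such as eagle\svc-sql1 inside script block text.
DOMAIN_USER = re.compile(r"\b[\w.]+\\([\w-]+)")

def accounts_in_blocks(hits):
    """Return the sorted set of user names referenced by the correlated blocks."""
    names = set()
    for hit in hits:
        for block in hit["script_blocks"]:
            names.update(DOMAIN_USER.findall(block["powershell.file.script_block_text"]))
    return sorted(names)
```

In Kibana the same pivot is the post's second query (event.code:4104 and powershell.file.script_block_text:*) narrowed to the host and time range of the 4648 hit, which avoids guessing account names one by one.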