Scenario

Our SIEM alerted us to a suspicious logon event which needs to be looked at immediately. The alert details were that the IP Address and the Source Workstation name were a mismatch. You are provided a network capture and event logs from the surrounding time around the incident timeframe. Correlate the given evidence and report back to your SOC Manager.

https://app.hackthebox.com/sherlocks/749


Screenshot 2025-08-27 160736.png

We are provided with a Windows Security event log (EVTX) and a packet capture (pcap). The SIEM alert is a workstation-name/IP mismatch, so the first task is to establish the real name-to-IP mapping from the capture and then check the logon events against it.

1- What is the IP Address for Forela-Wkstn001?

172.17.79.129

Screenshot 2025-08-27 162544.png

Screenshot 2025-08-27 162553.png

Resolved network names were stored with the capture, so Wireshark's name resolution (Statistics > Resolved Addresses) shows Forela-Wkstn001 mapped to 172.17.79.129 in the first pcap.

2- What is the IP Address for Forela-Wkstn002?

172.17.79.136

Screenshot 2025-08-27 162914.png

Screenshot 2025-08-27 162919.png

NBNS (NetBIOS Name Service) refresh packets reveal hosts re-registering their NetBIOS name, and the packet carries both the name and the IP the host claims for it. Filtering the capture with `nbns` or `udp.port == 137` shows 172.17.79.136 sending a NetBIOS Name Refresh for Forela-Wkstn002, confirming the mapping. This is a cleaner source than relying on the stored name resolution alone, because the host itself asserts the name-to-IP binding on the wire.
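To show what the `nbns` filter is actually matching on, here is an added example (not from the challenge files or the original write-up) that builds a constructed NBNS Name Refresh packet for Forela-Wkstn002 and parses it back, decoding the first-level encoded NetBIOS name and pulling the claimed IP from the additional record. The sample packet, transaction ID and TTL are constructed values; the wire format follows RFC 1001/1002. The same parser can be fed real UDP/137 payloads extracted from the capture to rebuild the name-to-IP table for both workstations.

```python
import struct

# NBNS header opcode values (RFC 1002, section 4.2.1.1)
NBNS_OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}
NB_RR_TYPE = 0x0020   # NetBIOS general name service resource record
IN_CLASS = 0x0001

def encode_netbios_name(name, suffix=0x00):
    """First-level encode a NetBIOS name: 15 chars space-padded plus one suffix
    byte, each byte split into two nibbles offset by 'A' (RFC 1001, 14.1)."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)

def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_nbns_refresh(name, ip, txid=0x1234, suffix=0x00):
    """Constructed NBNS Name Refresh (opcode 8) as a workstation would send it.
    txid and TTL are arbitrary sample values."""
    flags = (8 << 11) | 0x0100                       # opcode=refresh, recursion desired
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # QD=1, AN=0, NS=0, AR=1
    qname = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"   # label len 32, name, terminator
    question = qname + struct.pack("!HH", NB_RR_TYPE, IN_CLASS)
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in ip.split("."))  # unique name, B-node
    additional = b"\xC0\x0C" + struct.pack("!HHIH", NB_RR_TYPE, IN_CLASS, 300000, len(rdata)) + rdata
    return hdr + question + additional

def parse_nbns(payload):
    """Extract opcode, NetBIOS name and the IP the sender claims for it from a UDP/137 payload."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    off = 12
    if payload[off] != 32:
        raise ValueError("unexpected NetBIOS label length")
    name, suffix = decode_netbios_name(payload[off + 1:off + 33])
    off += 34 + 4  # label + terminator, then QTYPE/QCLASS
    result = {"txid": txid, "opcode": NBNS_OPCODES.get(opcode, opcode),
              "name": name, "suffix": suffix, "ip": None, "group": None}
    if ar:
        # additional RR name is either a compression pointer (2 bytes) or a full label (34 bytes)
        off += 2 if (payload[off] & 0xC0) == 0xC0 else 34
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == NB_RR_TYPE and rdlen >= 6:
            nb_flags = struct.unpack("!H", payload[off:off + 2])[0]
            result["group"] = bool(nb_flags & 0x8000)   # G bit: group vs unique name
            result["ip"] = ".".join(str(b) for b in payload[off + 2:off + 6])
    return result

def netbios_mapping(payloads):
    """Rebuild name -> IP from a list of NBNS payloads, using only packets where
    the host asserts its own address (registration/refresh), not queries."""
    mapping = {}
    for p in payloads:
        r = parse_nbns(p)
        if r["opcode"] in ("registration", "refresh") and r["ip"]:
            mapping[r["name"]] = r["ip"]
    return mapping

# Constructed sample, not taken from the challenge pcap.
SAMPLE_REFRESH = build_nbns_refresh("Forela-Wkstn002", "172.17.79.136")

if __name__ == "__main__":
    print(parse_nbns(SAMPLE_REFRESH))
    print(netbios_mapping([SAMPLE_REFRESH]))
```

To feed real packets into `netbios_mapping`, export the UDP/137 payloads from the capture (for example with `tshark -r capture.pcap -Y nbns -T fields -e ip.src -e nbns.name` to list them first) and compare the resulting table against the Source Workstation and IP fields in the Security log's logon events; a host appearing under a name the capture never bound to its IP is exactly the mismatch the SIEM alerted on.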

3- What is the username of the account whose hash was stolen by attacker?

arthur.kyle