Kerberoasting: Service Ticket to Domain Admin

An alert was triggered on corp-wks-001 involving an unusual sequence of system calls. Analyze the process hierarchy beginning at 2025-05-10T13:29:00Z to determine which interpreter was spawned as a child process of the command-line interface.

An alert was triggered on 2025-05-11T01:59:58.466Z involving an unusual child process spawned under python.exe. Review the endpoint telemetry to determine the exact filename of the script executed from the command line.

After a suspicious file was executed on the corporate workstation, the system initiated an outbound connection to an internal server. Review the endpoint details around 2025-05-10T13:30:03.830Z to find the target domain name.

An alert indicates that anita.garcia executed a third-party CLI tool that spawned several child processes in rapid succession. You must reconstruct the execution timeline to determine the specific process responsible for the final stage of this unknown attack vector.

After the execution of a suspicious script on corp-wks-001 at 2025-05-14T23:55:05.457Z, network logs indicate a connection to an unknown external host. Analyze the SIEM event messages to determine where the data was being sent.

An alert triggered for unusual outbound traffic originating from a common productivity application on user john.miller's workstation. Analyze the network logs to determine which specific remote server address was being contacted during this event.

An alert was triggered for an unauthorized binary, chatgpt-integrated-cli.exe, executing on corp-wks-142. Investigation is required to determine the specific network port this application used to communicate with an external endpoint during the incident.

Our monitoring system flagged an unusual login session for user sarah.chen on corp-wks-001. Analyze the SIEM event messages to determine which specific process was executed immediately following the initial command-line activity.