https://mikehorn-git.github.io/tags/ntds/ Recent content in Ntds on Mike.Horn Hugo en Sun, 22 Sep 2024 00:00:00 +0200 https://mikehorn-git.github.io/writeups/htb/sherlocks/crownjewel-1/ Sun, 22 Sep 2024 00:00:00 +0200 https://mikehorn-git.github.io/writeups/htb/sherlocks/crownjewel-1/ <h1 id="q1-attackers-can-abuse-the-vssadmin-utility-to-create-volume-shadow-snapshots-and-then-extract-sensitive-files-like-ntdsdit-to-bypass-security-mechanisms-identify-the-time-when-the-volume-shadow-copy-service-entered-a-running-state">Q1: Attackers can abuse the vssadmin utility to create volume shadow snapshots and then extract sensitive files like NTDS.dit to bypass security mechanisms. Identify the time when the Volume Shadow Copy service entered a running state.</h1> <p>Open the <strong>SYSTEM.evtx</strong> log and search for <strong>Event ID 7036</strong>.</p> <p>Look for events indicating the <strong>Volume Shadow Copy</strong> service entering a running state:</p> <p><img alt="7036" loading="lazy" src="../../writeups/htb/sherlocks/crownjewel-1/2024-09-21T11_58_52,679703907+02_00.png"></p> <blockquote> <p>🕒 Convert the timestamp to <strong>UTC</strong>.</p> </blockquote> <hr> <h1 id="q2-when-a-volume-shadow-snapshot-is-created-the-volume-shadow-copy-service-validates-the-privileges-using-the-machine-account-and-enumerates-user-groups-find-the-user-groups-it-enumerates-the-subject-account-name-and-also-identify-the-process-idin-decimal-of-the-volume-shadow-copy-service-process">Q2: When a volume shadow snapshot is created, the Volume shadow copy service validates the privileges using the Machine account and enumerates User groups. Find the User groups it enumerates, the Subject Account name, and also identify the Process ID(in decimal) of the Volume shadow copy service process</h1> <p>Search for <strong>Event ID <a href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4799">4799</a></strong> and filter for:</p> https://mikehorn-git.github.io/writeups/htb/sherlocks/crownjewel-2/ Sun, 22 Sep 2024 00:00:00 +0200 https://mikehorn-git.github.io/writeups/htb/sherlocks/crownjewel-2/ <h1 id="q1-when-utilizing-ntdsutilexe-to-dump-ntds-on-disk-it-simultaneously-employs-the-microsoft-shadow-copy-service-what-is-the-most-recent-timestamp-at-which-this-service-entered-the-running-state-signifying-the-possible-initiation-of-the-ntds-dumping-process">Q1: When utilizing ntdsutil.exe to dump NTDS on disk, it simultaneously employs the Microsoft Shadow Copy Service. What is the most recent timestamp at which this service entered the running state, signifying the possible initiation of the NTDS dumping process?</h1> <p>Open the <strong>SYSTEM.evtx</strong> log and search for <strong>Event ID 7036</strong>.</p> <p>Use a search (Ctrl+F) for <strong>Volume Shadow Copy</strong> service events.</p> <p>Identify the most recent entry where the service entered the running state and note the timestamp from the:</p>