Sherlocks on Mike.Horn

nuts

Fri, 18 Oct 2024 00:00:00 +0200

Q1: What action did Alex take to integrate the purported time-saving package into the deployment process? (provide the full command)

Review the PowerShell history file:

ConsoleHost_history.txt

Look for commands related to NuGet package installation.

Identify the full command used to install the package.

Q2: Identify the URL from which the package was downloaded ?

Examine the web browsing history on the system.

Locate the URL used to download the NuGet package.

heartbreaker-continuum

Mon, 23 Sep 2024 00:00:00 +0200

Q1: To accurately reference and identify the suspicious binary, please provide its SHA256 hash.

Identify the SHA256 hash of the suspicious binary file.

File Name: Superstar_MemberCard.tiff.exe SHA256: 12daa34111bb54b3dcbad42305663e44e7e6c3842f015cccbbe6564d9dfd3ea3

Q2: When was the binary file originally created, according to its metadata (UTC)?

Upload the file hash to VirusTotal to retrieve metadata information.

Locate the first seen / creation timestamp and convert it to UTC.

Q3: Examining the code size in a binary file can give indications about its functionality. Could you specify the byte size of the code in this binary?

Use a tool such as readpe to inspect the binary structure.

campfire-1

Sun, 22 Sep 2024 00:00:00 +0200

Q1: Analyzing Domain Controller Security Logs

Can you confirm the date and time when the Kerberoasting activity occurred?

Open Event Viewer on the Windows VM and search for Event ID 4769.

🕒 Remember to convert your local time to UTC.

Q2: Targeted Service Name

What is the Service Name that was targeted?

Check the “Service Information” section of the same event:

Q3: Workstation Identification

Identify the Workstation IP Address from which the activity originated.

campfire-2

Sun, 22 Sep 2024 00:00:00 +0200

Q1: When did the AS-REP Roasting attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user?

Open Event Viewer on the Windows VM and search for Event ID 4768.

Look for anomalies in the logs — specifically events where:

Pre-Authentication Type: 0

This indicates that the account does not require Kerberos pre-authentication, making it vulnerable to AS-REP Roasting.

🕒 Remember to convert the timestamp to UTC when documenting your findings.

crownjewel-1

Sun, 22 Sep 2024 00:00:00 +0200

Q1: Attackers can abuse the vssadmin utility to create volume shadow snapshots and then extract sensitive files like NTDS.dit to bypass security mechanisms. Identify the time when the Volume Shadow Copy service entered a running state.

Open the SYSTEM.evtx log and search for Event ID 7036.

Look for events indicating the Volume Shadow Copy service entering a running state:

🕒 Convert the timestamp to UTC.

Q2: When a volume shadow snapshot is created, the Volume shadow copy service validates the privileges using the Machine account and enumerates User groups. Find the User groups it enumerates, the Subject Account name, and also identify the Process ID(in decimal) of the Volume shadow copy service process

Search for Event ID 4799 and filter for:

crownjewel-2

Sun, 22 Sep 2024 00:00:00 +0200

Q1: When utilizing ntdsutil.exe to dump NTDS on disk, it simultaneously employs the Microsoft Shadow Copy Service. What is the most recent timestamp at which this service entered the running state, signifying the possible initiation of the NTDS dumping process?

Open the SYSTEM.evtx log and search for Event ID 7036.

Use a search (Ctrl+F) for Volume Shadow Copy service events.

Identify the most recent entry where the service entered the running state and note the timestamp from the:

reaper

Sat, 21 Sep 2024 00:00:00 +0200

Q1: IP Address of Forela-Wkstn001

What is the IP address of Forela-Wkstn001?

🔎 See Q2 for the analysis steps.

Q2: IP Address of Forela-Wkstn002

What is the IP address of Forela-Wkstn002?

Note: NetworkMiner requires .pcap format. Convert the file if needed:

tshark -F pcap -r ntlmrelay.pcapng -w ntlmrelay.pcap

Open the capture in NetworkMiner to get an overview of network activity. Both workstation IP addresses can be identified here: