banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

hackthebox sherlocks Campfire-1 Record

#DFIR#sherlocks48
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
Alonzo discovered strange files on his computer and alerted the newly formed SOC team, suspecting a Kerberoasting attack. The investigation involved analyzing security logs from the domain controller, PowerShell operation logs from the affected workstation, and prefetch files. 1. **Task 1**: The exact date and time of the Kerberoasting activity were confirmed using event IDs 4768 and 4769, with the relevant timestamp being 2024-05-21 03:18:09. 2. **Task 2**: The targeted service identified was MSSQLService. 3. **Task 3**: The IP address of the affected workstation was found to be 172.17.79.129. 4. **Task 4**: The file used to enumerate Active Directory objects and potentially discover accounts for Kerberoasting was named `powerview.ps1`. 5. **Task 5**: This script was executed at 2024-05-21 03:16:32. 6. **Task 6**: The full path of the tool used for the actual Kerberoasting attack was `C:\Users\alonzo.spire\Downloads\Rubeus.exe`. 7. **Task 7**: The tool was executed to dump credentials at 2024-05-21 03:18:08.

image

Scene Description
Alonzo discovered some strange files on his computer and notified the newly formed SOC team. After assessing the situation, it was believed that a Kerberoasting attack might have occurred in the network. Your task is to confirm these findings by analyzing the provided evidence. The information you have includes: 1. Security logs from the domain controller 2. PowerShell operation logs from the affected workstation 3. Prefetch files from the affected workstation

The attached content includes the domain controller's logs, PowerShell logs, and prefetch files.

image

Task1 Analyze the security logs of the domain controller. Can you confirm the exact date and time of the Kerberoasting activity?

The event IDs for Kerberoasting are 4768 and 4769, where 4769 indicates a requested Kerberos ticket, and 4768 indicates a Kerberos TGS request.

The following image searches for 4769, with Ticket Encryption Type as 0x17, while others are 0x12.

image

Note the time zone: 2024-05-21 03:18:09

Task2 What is the name of the targeted service?

By using EvtxECmd to extract the evtx logs, and then filtering with jq for EventID 4769, as follows:

cat 20240814082222_EvtxECmd_Output.json | jq . -c | jq '. | select( .EventId==4769) | "\(.MapDescription) \(.TimeCreated) \(.PayloadData2)"'

It can be determined that there is a service called MSSQLService.

image

Task3 It is very important to determine which workstation this activity occurred on. What is the IP address of this workstation?

cat 20240814082222_EvtxECmd_Output.json | jq . -c | jq '. | select( .EventId==4769) | "\(.MapDescription) \(.TimeCreated) \(.PayloadData2) \(.RemoteHost)"'

172.17.79.129

image

Task4 Now that we have identified the workstation, to gain a deeper understanding of how this activity occurred on the device, we provide you with preliminary analysis including PowerShell logs and prefetch files. What is the name of the file used to enumerate Active Directory objects and possibly discover accounts in the network that could be targeted for Kerberoasting attacks?

powerview.ps1

Task5 When was this script executed?

2024-05-21 03:16:32

image

Task6 What is the full path of the tool used to perform the actual Kerberoasting attack?

Analyze the RUBEUS.EXE-5873E24B.pf file.

image

C:\Users\alonzo.spire\Downloads\Rubeus.exe

Task7 When was the tool executed to dump the credentials?

Check the runtime of the RUBEUS.EXE-5873E24B.pf file.

2024-05-21 03:18:08

image

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.