banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

hackthebox sherlocks Logjammer Record

#sherlocks#DFIR37
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
You have been given a task as a junior DFIR consultant at Forela-Security to analyze Windows event logs related to a user named Cyberjunkie. 1. **Login Time**: Cyberjunkie first logged in on 27/03/2023 at 14:37:09 UTC. 2. **Firewall Rule Change**: The new firewall rule added is named "Metasploit C2 Bypass." 3. **Traffic Direction**: The firewall rule defines outbound traffic. 4. **Audit Policy Change**: The adjustment falls under "Other Object Access Events." 5. **Scheduled Task Name**: The task created by Cyberjunkie is called "HTB-AUTOMATION." 6. **File Path for Task**: The file used for the task is located at `C:\Users\CyberJunkie\Desktop\Automation-HTB.ps1`. 7. **Command Parameters**: The parameters include `-A [email protected]`. 8. **Malicious Tool Detected**: The antivirus identified the SharpHound file as malicious. 9. **Malware Path**: The full path of the malware triggering the alert is `C:\Users\CyberJunkie\Downloads\SharpHound-v1.1.0.zip`. 10. **Antivirus Action**: The antivirus quarantined the detected file. 11. **Executed PowerShell Command**: The command executed was `Get-FileHash -Algorithm md5 .\Desktop\Automation-HTB.ps1`. 12. **Cleared Event Log**: The system log for "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" was cleared.

image

[!hint]+ Scenario
You have been given an opportunity to work as a junior Digital Forensics and Incident Response (DFIR) consultant at a large consulting firm. However, they have provided a technical assessment task that you need to complete. Forela-Security Consulting wants to test your mastery of Windows event log analysis. We suspect that the Cyberjunkie user logged into his computer and may have performed malicious actions. Please analyze the provided event logs and report the results back to us.

Tools: event log explorer

Task1 When did cyberjunkie successfully log into the computer for the first time? (UTC time)

The event ID for the login is: 4624, filter this ID.

image

event log explorer log analysis

image

27/03/2023 22:37:09, with a time zone, needs to subtract 8 (UTC+8), which is 27/03/2023 14:37:09.

Task2 The user unauthorizedly modified the firewall configuration in the system. By reviewing the firewall event logs, we can determine what the name of the newly added firewall rule is.

Open the firewall logs to see.

Metasploit C2 Bypass

image

Task3 How is the traffic direction defined for the firewall rule?

Filter 2004 only.

image

image

Outbound

Task4 The user adjusted the audit policy of the computer. What subcategory does this adjustment belong to?

image

Filter 4719, which is Other Object Access Events.

Task5 cyberjunkie created a scheduled task. What is the name of this task?

The event ID for creating a task in security events is 4698.

image

HTB-AUTOMATION

Task6 What is the full path of the file that was scheduled for the task?

Same as above.

C:\Users\CyberJunkie\Desktop\Automation-HTB.ps1

image

Task7 What parameters are included in the command?

Same as above.

-A [email protected]

Task8 The antivirus software in the system detected potential threats and took corresponding actions. Which tool was identified as malicious by the antivirus software?

The Windows Defender detection log, open to view the detection records, event ID is 1117.

You can find the SharpHound file.

image

Task9 What is the full path of the malware that triggered the alert?

Same as above.

C:\Users\CyberJunkie\Downloads\SharpHound-v1.1.0.zip

Task10 What actions did the antivirus software take?

Same as above.

Quarantine

image

Task11 The user executed commands via PowerShell. What specific command was executed?

PowerShell log, the event ID for executing the command is 4104.

Get-FileHash -Algorithm md5 .\Desktop\Automation-HTB.ps1

image

Task12 We suspect that the user deleted certain event logs. Which event log file was cleared?

Check the system logs.

image

Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.