banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

hackthebox sherlocks' TickTock Record

#DFIR#sherlocks86
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
Gladys, a new employee at a company, receives an email from the IT department regarding remote access to her computer. However, the IT team is actually a group of hackers targeting the company. The document outlines several tasks related to investigating the security breach: 1. Identify the executable file used as a C2 agent. 2. Find the session ID for initial access through TeamViewer. 3. Determine the BitLocker password set by the attacker. 4. Discover the name used by the attacker. 5. Identify the IP address the C2 connected back to. 6. Check the category assigned by Windows Defender to the C2 binary. 7. Find the filename of the PowerShell script used to manipulate time. 8. Note the start time of the initial access connection. 9. Calculate the SHA1 and SHA2 sums of the malicious binary. 10. Count how many times the PowerShell script changed the machine's time. 11. Identify the SID of the victim user. The document provides specific log file paths and methods for retrieving the necessary information for each task.

Gladys is a new employee at the company. She received an email notifying her that the IT department would be performing some work on her personal computer. She was instructed to call the IT team, who would tell her how to allow them remote access. However, this IT team is actually a group of hackers attempting to attack Forela.

image

Task1 What is the name of the executable uploaded as a C2 agent?

Open the Microsoft-Windows-Sysmon%4Operational.evtx log file.

Microsoft-Windows-Sysmon operational.evtx is an event log file generated by Windows Sysmon (System Monitor), which records various activities and events on the system. Sysmon is part of the Sysinternals Suite and enhances Windows logging capabilities by providing detailed event monitoring to assist with security analysis and incident response.

Sysmon can monitor and log the following types of events:

  1. Process Creation: Monitors the creation of new processes, including command line arguments.
  2. Network Connections: Records information about outbound and inbound network connections.
  3. File Creation Time: Logs events related to file creation, modification, and deletion.
  4. Driver Loading: Monitors drivers loaded in the system.
  5. File Hash: Records the hash values of files for later analysis.
  6. Registry Operations: Monitors the creation, modification, and deletion of registry keys.
  7. Raw Event Logging: Records other significant system events.

image

Alternatively, check the MFT records, and you can see this file on the desktop.

image

Task2 What is the session ID at the time of initial access?

The attacker accessed remotely via TeamViewer software, check the TeamViewer logs.

The log path is as follows:

image

At the very beginning, you can see the session ID.

image

Task3 What is the password that the attacker tried to set for BitLocker on the C: drive?

Check the Windows PowerShell.evtx log.

image

Base64 decode to get the password.

image

Task4 What name did the attacker use?

Check the TeamViewer logs.

image

Task5 Which IP address did the C2 connect back to?

Check the Microsoft-Windows-Sysmon%4Operational.evtx log file.

image

52.56.142.81

Task6 What category did Windows Defender assign to the C2 binary?

Check the Windows Defender logs.

image

VirTool/Myrddin.D

Task7 What is the filename of the PowerShell script the attacker used to manipulate time?

Check the Microsoft-Windows-Sysmon%4Operational.evtx log file, filter for PS1 suffix.

image

You can see the script related to time.

image

Alternatively, analyze the MFT file, and you can also find the PS1 script on the desktop.

image

Invoke-TimeWizard.ps1

Task8 When did the initial access connection start?

image

2023/05/04 11:35:27

Task9 What is the sum of the SHA1 and SHA2 of the malicious binary file?

Analyze the log files under the Windows Defender directory.

image

Search for SHA1.

image

Task10 How many times did the PowerShell script change the time on the machine?

image

image

2371

Task11 What is the SID of the victim user?

Check the security logs to find out.

image

S-1-5-21-3720869868-2926106253-3446724670-1003

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.