logjammer
 | Released | 2023-11-13 |
| Retired | 2024-05-16 | |
| Author | CyberJunkie |
Scenario
Task 01
Question: When did user cyberjunkie successfully log into his computer? (UTC)
The available event logs can be scanned using hayabusa. This provides a quick overview of potentially malicious activities. In addition to outputting as a json-timeline, the options -w (or --no-wizard) for default configuration without prompts and -U for UTC timestamps are used.
hayabusa.exe json-timeline -w -U -d . -o hayabusa.json
As a result, a large JSON file is generated that consolidates all relevant events based on the applied rules. A login generates a Windows event with the ID 4624 in the Security log. Searching for these events reveals the targeted user.
{
"Timestamp": "2023-03-27 14:37:09.879 +00:00",
"RuleTitle": "Logon (Interactive) *Creds in memory*",
"Level": "info",
"Computer": "DESKTOP-887GK2L",
"Channel": "Sec",
"EventID": 4624,
"RecordID": 13058,
"Details": {
"Type": "2 - INTERACTIVE",
"TgtUser": "CyberJunkie",
"SrcComp": "DESKTOP-887GK2L",
"SrcIP": "127.0.0.1",
"LID": "0x25f28"
}
}
Answer: 27/03/2023 14:37:09
Task 02
Question: The user tampered with firewall settings on the system. Analyze the firewall event logs to find out the Name of the firewall rule added?
In addition to the Security Event Log used in Task 01, the collection also includes the Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log with 929 events. This log contains entries related to firewall activities. When a rule is added, it is recorded with Event ID 2004 in this log. This allows the suspicious new rule to be identified:
{
"Timestamp": "2023-03-27 14:44:43.415 +00:00",
"RuleTitle": "Uncommon New Firewall Rule Added In Windows Firewall Exception List",
"Level": "med",
"Computer": "DESKTOP-887GK2L",
"Channel": "Firewall",
"EventID": 2004,
"RecordID": 1120,
"Details": {
"RuleName": "Metasploit C2 Bypass",
"App": "",
"ModifyingApp": "C:\\Windows\\System32\\mmc.exe",
"User": "S-1-5-21-3393683511-3463148672-371912004-1001",
"Svc": "",
"Protocol": 6,
"LocalAddr": "*",
"LocalPort": "*",
"RemoteAddr": "*",
"RemotePort": 4444,
"Action": 3
}
}
Answer: Metasploit C2 Bypass
Task 03
Question: Whats the direction of the firewall rule?
The presence of RemotePort: 4444 in the result of the search from Task 02 indicates an outbound rule. For clear identification, EvtxECmd can be used to convert all available events into JSON format, rather than relying solely on the analysis results from hayabusa.
EvtxECmd.exe -d . --json .
Afterward, all events appear in the same format as they do in the Microsoft Windows Event Viewer. The event in question can be quickly matched using the known RecordId, and the required information is located in PayloadData3.
{
"PayloadData1": ": Metasploit C2 Bypass",
"PayloadData2": "",
"PayloadData3": "Direction: Outbound",
"PayloadData4": "Action: Allow",
"PayloadData5": "Protocol: TCP",
"RemoteHost": "*: 4444",
"MapDescription": "A rule has been added to the Windows Defender Firewall exception list",
"Provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
"EventId": 2004,
"EventRecordId": "1120",
"TimeCreated": "2023-03-27T14:44:43.4157021+00:00",
"RecordNumber": 929
}
Answer: Outbound
Task 04
Question: The user changed audit policy of the computer. Whats the Subcategory of this changed policy?
Changes to the Audit Policy are recorded in the Security Log with Event ID 4719. These events can be retrieved using the Get-WinEvent cmdlet to identify the specific subcategory being modified:
Get-WinEvent -Path .\Security.evtx | Where-Object { $_.id -eq 4719 } | Format-List
TimeCreated : 27/03/2023 16:50:03
ProviderName : Microsoft-Windows-Security-Auditing
Id : 4719
Message : System audit policy was changed.
Subject:
Security ID: S-1-5-18
Account Name: DESKTOP-887GK2L$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Audit Policy Change:
Category: Object Access
Subcategory: Other Object Access Events
Subcategory GUID: {0cce9227-69ae-11d9-bed3-505054503030}
Changes: Success Added
Answer: Other Object Access Events
Task 05
Question: The user “cyberjunkie” created a scheduled task. Whats the name of this task?
New scheduled tasks are also recorded in the Security Event Log with Event ID 4698. The same cmdlet used in Task 04 can be utilized to retrieve the task definition. The name of the task can be found within the RegistrationInfo block:
<RegistrationInfo>
<Date>2023-03-27T07:51:21.4599985</Date>
<Author>DESKTOP-887GK2L\CyberJunkie</Author>
<Description>practice</Description>
<URI>\HTB-AUTOMATION</URI>
</RegistrationInfo>
Answer: HTB-AUTOMATION
Task 06
Question: Whats the full path of the file which was scheduled for the task?
Thanks to the XML definition of the task from the previous output, the required path can be extracted from the Actions block.
<Actions Context="Author">
<Exec>
<Command>C:\Users\CyberJunkie\Desktop\Automation-HTB.ps1</Command>
<Arguments>-A cyberjunkie@hackthebox.eu</Arguments>
</Exec>
</Actions>
Answer: C:\Users\CyberJunkie\Desktop\Automation-HTB.ps1
Task 07
Question: What are the arguments of the command?
In the same block as the answer for Task 06, there is also a list of the arguments.
Answer: -A cyberjunkie@hackthebox.eu
Task 08
Question: The antivirus running on the system identified a threat and performed actions on it. Which tool was identified as malware by antivirus?
In the Windows Defender-Operational.evtx log, all malware detections are recorded under EventID 1116. In this case, there were 139 detections, so further filtering is necessary to answer the question.
Get-WinEvent -Path '.\Windows Defender-Operational.evtx' | Where-Object { $_.id -eq 1116 } `
| Select-Object @{Name="Threat Name"; Expression={$_.Properties[7].Value }} `
| Group-Object -Property "Threat Name" | Select-Object Name, Count
Name Count
---- -----
HackTool:MSIL/SharpHound!MSR 1
HackTool:PowerShell/SharpHound.B 1
Trojan:Win64/Meterpreter.B 137
Get-WinEventreads the event log from the specified-Pathand allows searching for eventsWhere-Objectfilters only the events with EventId-eq 1116Select-Objectaccesses the seventh data point of the event, theThreat NameGroup-Objectgroups the identical entriesSelect-Objectoutputs only theNameandCount
Answer: SharpHound
Task 09
Question: Whats the full path of the malware which raised the alert?
The event identified in Task 08 for detecting SharpHound by Defender has the RecordId 440. For a detailed output of the information related to this event, the XML format can also be used:
(Get-WinEvent -Path '.\Windows Defender-Operational.evtx' | Where-Object { $_.RecordId -eq 440 }).ToXml()
Teil dieses XML Dokuments ist auch der Path Block:
<Data Name='Path'>
containerfile:_C:\Users\CyberJunkie\Downloads\SharpHound-v1.1.0.zip;
file:_C:\Users\CyberJunkie\Downloads\SharpHound-v1.1.0.zip->SharpHound.ps1;
webfile:_C:\Users\CyberJunkie\Downloads\SharpHound-v1.1.0.zip|https://objects.githubusercontent.com/github-production-release-asset-2e65be/385323486/70d776cc-8f83-44d5-b226-2dccc4f7c1e3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230327%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230327T144228Z&X-Amz-Expires=300&X-Amz-Signature=f969ef5ca3eec150dc1e23623434adc1e4a444ba026423c32edf5e85d881a771&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=385323486&response-content-disposition=attachment%3B%20filename%3DSharpHound-v1.1.0.zip&response-content-type=application%2Foctet-stream|pid:3532,ProcessStart:133244017530289775
</Data>
Answer: C:\Users\CyberJunkie\Downloads\SharpHound-v1.1.0.zip
Task 10
Question: What action was taken by the antivirus?
In addition to the previously used Event 1116, Defender also logs the actions taken with EventID 1117 in the same log. To find the action corresponding to the event identified in Task 09, the <Data Name='Detection ID'>{0EBC4BEA-5532-4EFB-8A34-64F91CC8702E}</Data> can be used. The related event for the action has the RecordId 443:
<Data Name='Action ID'>2</Data>
<Data Name='Action Name'>Quarantine</Data>
Answer: Quarantine
Task 11
Question: The user used Powershell to execute commands. What command was executed by the user?
Executed PowerShell commands are, depending on the configuration, also recorded in the Powershell-Operational event log under EventID 4104. In the hayabusa overview, these events and their contents are captured thanks to the PwSh Scriptblock rule.
{
"Timestamp": "2023-03-27 14:58:33.364 +00:00",
"RuleTitle": "PwSh Scriptblock",
"Level": "info",
"Computer": "DESKTOP-887GK2L",
"Channel": "PwSh",
"EventID": 4104,
"RecordID": 571,
"Details": {
"ScriptBlock": "Get-FileHash -Algorithm md5 .\\Desktop\\Automation-HTB.ps1"
},
"ExtraFieldInfo": {
"MessageNumber": 1,
"MessageTotal": 1,
"Path": "",
"ScriptBlockId": "b4fcf72f-abdc-4a84-923f-8e06a758000b"
}
}
Answer: Get-FileHash -Algorithm md5 .\Desktop\Automation-HTB.ps1
Task 12
Question: We suspect the user deleted some event logs. Which Event log file was cleared?
In the Microsoft-Windows-Eventlog recorded in the System.evtx file, the clearing of an event log is logged with EventID 104.
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-Eventlog' Guid='{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}' />
<EventID>104</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime='2023-03-27T15:01:56.5158362Z' />
<EventRecordID>2186</EventRecordID>
<Correlation />
<Execution ProcessID='1332' ThreadID='5332' />
<Channel>System</Channel>
<Computer>DESKTOP-887GK2L</Computer>
<Security UserID='S-1-5-21-3393683511-3463148672-371912004-1001' />
</System>
<UserData>
<LogFileCleared xmlns='http://manifests.microsoft.com/win/2004/08/windows/eventlog'>
<SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
</UserData>
</Event>
Answer: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall