
HackTheBox Sherlocks: Campfire-1 Write-up

image

Scene Description
Alonzo discovered some strange files on his computer and notified the newly formed SOC team. After assessing the situation, it was believed that a Kerberoasting attack might have occurred on the network. Your task is to confirm these findings by analyzing the provided evidence. The information you have includes:
1. Security logs from the domain controller
2. PowerShell operation logs from the affected workstation
3. Prefetch files from the affected workstation

The attached content includes the domain controller's logs, PowerShell logs, and prefetch files.

image

Task 1 Analyze the domain controller security logs. Can you confirm the exact date and time of the Kerberoasting activity?

The event IDs for Kerberoasting are 4768 and 4769, where 4769 indicates a requested Kerberos ticket, and 4768 indicates a Kerberos TGS request.

The following screenshot filters on Event ID 4769; the entry of interest has a Ticket Encryption Type of 0x17, while all the others are 0x12.

image

Note the time zone: 2024-05-21 03:18:09

Task 2 What is the name of the targeted service?

Parse the evtx logs with EvtxECmd, then filter the JSON output for EventID 4769 with jq as follows:

cat 20240814082222_EvtxECmd_Output.json | jq . -c | jq '. | select( .EventId==4769) | "\(.MapDescription) \(.TimeCreated) \(.PayloadData2)"'

This shows that the targeted service is MSSQLService.

image

Task 3 It is very important to determine which workstation this activity occurred on. What is the IP address of this workstation?

cat 20240814082222_EvtxECmd_Output.json | jq . -c | jq '. | select( .EventId==4769) | "\(.MapDescription) \(.TimeCreated) \(.PayloadData2) \(.RemoteHost)"'

172.17.79.129

image
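The two jq pipelines above can be folded into one filter that answers Tasks 1 to 3 together: keep only 4769 service-ticket requests, flag those that fell back to RC4 (encryption type 0x17), and report the time, service name and requesting host. This is an added example, not code from the original write-up; the sample records are constructed to mimic EvtxECmd's JSON-lines output, and the nested Payload layout is an assumption to be checked against real EvtxECmd output.

```python
import json
from typing import Dict, List, Optional

# Constructed sample of EvtxECmd JSON-lines output (not the real case data).
# Top-level keys follow the page's jq pipeline (EventId, TimeCreated,
# PayloadData2, RemoteHost); the nested Payload layout is an assumption and
# should be checked against real EvtxECmd output before relying on it.
def _rec(event_id: int, when: str, etype: str, service: str, client: str) -> str:
    data = [{"@Name": "TargetUserName", "#text": "alonzo.spire"},
            {"@Name": "ServiceName", "#text": service},
            {"@Name": "TicketEncryptionType", "#text": etype}]
    return json.dumps({"EventId": event_id, "TimeCreated": when,
                       "PayloadData2": f"Service: {service}",
                       "RemoteHost": client,
                       "Payload": json.dumps({"EventData": {"Data": data}})})

SAMPLE_LINES = [
    _rec(4768, "2024-05-21 03:15:01", "0x12", "krbtgt", "172.17.79.129"),
    _rec(4769, "2024-05-21 03:15:02", "0x12", "DC01$", "172.17.79.129"),
    _rec(4769, "2024-05-21 03:18:09", "0x17", "MSSQLService", "172.17.79.129"),
    _rec(4769, "2024-05-21 03:20:40", "0x12", "cifs/DC01", "172.17.79.4"),
]

RC4_HMAC = "0x17"  # RC4 etype: the hallmark of a classic Kerberoast request

def payload_field(record: Dict, name: str) -> Optional[str]:
    """Return one named EventData value from the record's Payload JSON."""
    payload = json.loads(record.get("Payload", "{}"))
    for item in payload.get("EventData", {}).get("Data", []):
        if item.get("@Name") == name:
            return item.get("#text")
    return None

def kerberoast_candidates(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """4769 service-ticket requests that used RC4 (etype 0x17)."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        # 4769 = service ticket (TGS) request; 4768 (TGT request) is skipped
        if rec.get("EventId") != 4769:
            continue
        if payload_field(rec, "TicketEncryptionType") != RC4_HMAC:
            continue
        hits.append({"time": rec.get("TimeCreated"),
                     "service": payload_field(rec, "ServiceName"),
                     "client": rec.get("RemoteHost"),
                     "requester": payload_field(rec, "TargetUserName")})
    return hits

if __name__ == "__main__":
    for hit in kerberoast_candidates(SAMPLE_LINES):
        print(hit)
```

On the constructed sample this yields a single hit at 2024-05-21 03:18:09 for MSSQLService from 172.17.79.129, matching the three answers above.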

Task 4 Now that we have identified the workstation, to gain deeper insight into how this activity occurred on the device, we provide you with preliminary analysis including PowerShell logs and prefetch files. What is the name of the file used to enumerate Active Directory objects, which may have been used to discover accounts vulnerable to Kerberoasting attacks on the network?

powerview.ps1

Task 5 When was this script executed?

2024-05-21 03:16:32

image

Task 6 What is the full path of the tool used to execute the actual Kerberoasting attack?

Analyze the RUBEUS.EXE-5873E24B.pf file.

image

C:\Users\alonzo.spire\Downloads\Rubeus.exe

Task 7 When was the tool executed to dump the credentials?

Check the last run time recorded in the RUBEUS.EXE-5873E24B.pf file.

2024-05-21 03:18:08

image
