lca

True unfreedom is the cage you build inside your own heart.

HackTheBox Sherlocks: Logjammer writeup


[!hint]+ Scenario
You have been given an opportunity to work as a junior Digital Forensics and Incident Response (DFIR) consultant at a large consulting firm. However, they have assigned you a technical assessment task that you need to complete. Forela-Security Consulting wants to test your mastery of Windows event log analysis. We suspect that the user Cyberjunkie logged into his computer and may have performed malicious actions. Please analyze the provided event logs and report the results to us.

Tools: Event Log Explorer

Task1 When did cyberjunkie successfully log into the computer for the first time? (UTC time)

Successful logons are Event ID 4624 in the Security log. Filter on that ID, then narrow to TargetUserName = cyberjunkie and take the earliest record: other accounts (SYSTEM, DWM, UMFD and so on) also generate 4624 events, and only the first hit for this user answers the question.


Event Log Explorer displays the timestamp in the analyst's local time zone, here UTC+8, so the displayed 27/03/2023 22:37:09 is 27/03/2023 14:37:09 UTC. The .evtx file itself stores times in UTC; convert the displayed value or set the viewer to show UTC directly rather than subtracting the offset by hand.
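The same query done from PowerShell, as an added example that is not part of the original post. It assumes the Sherlock's Security.evtx was unpacked to `C:\Cases\Logjammer\` (an assumed path) and reads the 4624 fields by position, which is how Get-WinEvent exposes them; the UTC conversion is done by the DateTime object instead of by hand.

```powershell
# Added example (not from the original post). Assumed path; point it at your copy of the
# Sherlock's Security.evtx. The username comparison is case-insensitive, as -eq is in PowerShell.
$SecurityLog = 'C:\Cases\Logjammer\Security.evtx'
$User        = 'CyberJunkie'

# Event ID 4624 = "An account was successfully logged on". -Oldest makes Get-WinEvent return
# records in chronological order, so the first survivor of the filter is the first logon.
# For 4624, Properties[5] is TargetUserName, [8] LogonType, [11] WorkstationName, [18] IpAddress.
$logons = Get-WinEvent -FilterHashtable @{ Path = $SecurityLog; Id = 4624 } -Oldest |
    Where-Object { $_.Properties[5].Value -eq $User } |
    ForEach-Object {
        [pscustomobject]@{
            # TimeCreated is a DateTime in the analyst's local zone; the stored value is UTC,
            # so convert explicitly instead of subtracting a zone offset by hand.
            TimeUTC     = $_.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
            LogonType   = $_.Properties[8].Value      # 2 interactive, 3 network, 10 RDP, ...
            Workstation = $_.Properties[11].Value
            SourceIP    = $_.Properties[18].Value
        }
    }

# All of the user's successful logons, oldest first, then the one the task asks for.
$logons | Format-Table -AutoSize
'First successful logon (UTC): ' + @($logons)[0].TimeUTC
```

Keeping the logon type in the output matters: a 4624 with type 3 (network) or 5 (service) is still a "successful logon" by the event's definition, so if the question were about an interactive session you would additionally filter on type 2, 10 or 11.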

Task2 The user modified the firewall configuration without authorization. By reviewing the firewall event log, determine the name of the newly added firewall rule.

Open the Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log. A rule being added is Event ID 2004; its RuleName field holds the answer:

Metasploit C2 Bypass


Task3 How is the traffic direction defined for the firewall rule?

Filter on Event ID 2004 only; the Direction field of the same rule-added event gives the traffic direction.


Outbound
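Pulling Tasks 2 and 3 out of the firewall log with PowerShell, as an added example (not from the original post). The exported file name and directory are assumptions: when a channel is exported to .evtx, the `/` in its name is written as `%4`. The raw event stores Direction as a number and the viewer renders it as a word, so the script maps it itself.

```powershell
# Added example (not from the original post). Exported .evtx files encode the "/" in a channel
# name as "%4"; the directory is an assumption for where the Sherlock files were unpacked.
$FirewallLog = 'C:\Cases\Logjammer\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx'

# Event ID 2004 = a rule was added to the Windows Firewall exception list.
# The Direction field is numeric in the raw EventData (1 = Inbound, 2 = Outbound); Event Viewer's
# rendered message shows the word. Cross-check the mapping against the rendered message if in doubt.
$DirectionName = @{ 1 = 'Inbound'; 2 = 'Outbound' }

Get-WinEvent -FilterHashtable @{ Path = $FirewallLog; Id = 2004 } -Oldest | ForEach-Object {
    # Read EventData by field name rather than by position, so the script survives schema changes.
    $data = @{}
    foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

    [pscustomobject]@{
        TimeUTC       = $_.TimeCreated.ToUniversalTime()
        RuleName      = $data['RuleName']
        Direction     = $DirectionName[[int]$data['Direction']]
        Application   = $data['ApplicationPath']
        RemotePorts   = $data['RemotePorts']
        ModifyingUser = $data['ModifyingUser']          # SID of the account that added the rule
        ModifyingApp  = $data['ModifyingApplication']   # e.g. netsh.exe, mmc.exe, powershell.exe
    }
} | Format-List
```

ModifyingUser and ModifyingApplication are the fields that turn "a rule was added" into attribution: the SID ties the change to the account from Task 1, and the application tells you whether it was done through the GUI, netsh or a script.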

Task4 The user adjusted the audit policy of the computer. What subcategory does this adjustment belong to?

</gre_replace>
<gr_replace lines="51" cat="clarify" orig="Filter 4719">
Filter on Event ID 4719 (system audit policy was changed); its Subcategory field reads Other Object Access Events.

Filter 4719, which is Other Object Access Events

Task5 Cyberjunkie created a scheduled task. What is the name of this task?

Creation of a scheduled task is Event ID 4698 in the Security log (it requires the Other Object Access Events subcategory to be audited, which is exactly what the change in Task 4 touched).


HTB-AUTOMATION

Task6 What is the full path of the file that was scheduled for the task?

From the same 4698 event: the TaskContent XML's Actions/Exec/Command element holds the path.

C:\Users\CyberJunkie\Desktop\Automation-HTB.ps1


Task7 What parameters does the command include?

From the same event, the Actions/Exec/Arguments element:

-A [email protected]
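Tasks 4 to 7 scripted against the Security log, as an added example that is not from the original post (the file path is an assumption). It shows the two things the GUI hides: that the 4719 subcategory name only exists in the rendered message, and that the 4698 answer is inside an XML blob that has to be parsed.

```powershell
# Added example (not from the original post); the Security.evtx path is an assumption.
$SecurityLog = 'C:\Cases\Logjammer\Security.evtx'

# --- Task 4: 4719 = "System audit policy was changed" -------------------------------------
# The raw SubCategoryId is a message-table placeholder such as %%12804; the readable name only
# appears in the rendered message, which needs the provider's message DLL (present on any Windows
# analysis box). Properties[6] (SubCategoryGuid) is the stable identifier; if rendering is
# unavailable, `auditpol /list /subcategory:* /r` prints the GUID-to-name table.
Get-WinEvent -FilterHashtable @{ Path = $SecurityLog; Id = 4719 } -Oldest | ForEach-Object {
    $sub = if ($_.Message -match 'Subcategory:\s+(.+?)\r?\n') { $Matches[1].Trim() } else { $null }
    [pscustomobject]@{
        TimeUTC         = $_.TimeCreated.ToUniversalTime()
        User            = $_.Properties[1].Value         # SubjectUserName
        Subcategory     = $sub
        SubcategoryGuid = $_.Properties[6].Value
        Changes         = $_.Properties[7].Value         # AuditPolicyChanges placeholder, e.g. %%8449
    }
} | Format-List

# --- Tasks 5-7: 4698 = "A scheduled task was created" -------------------------------------
# Properties[4] is TaskName; Properties[5] is the full task XML, which is where the executable
# and its arguments live. PowerShell's XML adapter lets dot-notation ignore the task namespace.
Get-WinEvent -FilterHashtable @{ Path = $SecurityLog; Id = 4698 } -Oldest | ForEach-Object {
    $task = [xml]$_.Properties[5].Value
    [pscustomobject]@{
        TimeUTC   = $_.TimeCreated.ToUniversalTime()
        CreatedBy = $_.Properties[1].Value               # SubjectUserName
        TaskName  = $_.Properties[4].Value
        RunAs     = $task.Task.Principals.Principal.UserId
        Command   = $task.Task.Actions.Exec.Command
        Arguments = $task.Task.Actions.Exec.Arguments
        Triggers  = ($task.Task.Triggers.ChildNodes | ForEach-Object { $_.LocalName }) -join ','
    }
} | Format-List
```

Reading Command and Arguments from the XML rather than from the rendered message is deliberate: the message wraps long argument strings, and a copy-pasted value from the GUI easily loses a character, whereas the XML element is the exact string the Task Scheduler will execute.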

Task8 The antivirus software on the system detected a potential threat and took action. Which tool did the antivirus identify as malicious?

Open the Microsoft-Windows-Windows Defender/Operational log. Event ID 1117 records the action Defender took on a detected threat (1116 records the detection itself), and its Threat Name and Path fields identify the file:

SharpHound


Task9 What is the full path of the malware that triggered the alert?

From the same 1117 event, the Path field:

C:\Users\CyberJunkie\Downloads\SharpHound-v1.1.0.zip

Task10 What measures did the antivirus software take?

From the same event, the Action Name field:

Quarantine

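Tasks 8 to 10 from the Defender log in PowerShell, as an added example that is not from the original post (the exported file path is an assumption). The point it adds to the GUI walk-through is the shape of the Path field: Defender prefixes every resource with its type and can list several resources in one event, so the value needs normalising before it is reported as "the full path".

```powershell
# Added example (not from the original post); the exported log path is an assumption.
$DefenderLog = 'C:\Cases\Logjammer\Microsoft-Windows-Windows Defender%4Operational.evtx'

# 1116 = malware or PUA detected; 1117 = the action Defender took on it. Both carry the same
# named EventData fields ("Threat Name", "Path", "Action Name", ...).
Get-WinEvent -FilterHashtable @{ Path = $DefenderLog; Id = 1116, 1117 } -Oldest | ForEach-Object {
    $data = @{}
    foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

    # Defender prefixes each resource with its type ("file:_", "containerfile:_", "process:_")
    # and separates several resources with ";". Strip the prefixes to get plain paths.
    $paths = ($data['Path'] -split ';') | ForEach-Object { ($_ -replace '^\s*\w+:_', '').Trim() }

    [pscustomobject]@{
        TimeUTC  = $_.TimeCreated.ToUniversalTime()
        EventId  = $_.Id
        Threat   = $data['Threat Name']
        Severity = $data['Severity Name']
        Paths    = $paths -join ' | '
        User     = $data['Detection User']
        Process  = $data['Process Name']
        Action   = $data['Action Name']        # e.g. Quarantine, Remove, Allow
    }
} | Format-List
```

Pairing 1116 with 1117 is worth the extra filter: a 1116 with no matching 1117, or a 1117 whose Action Name is not Quarantine or Remove, means the file is still on disk and the story is not "Defender handled it".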

Task11 The user executed commands via PowerShell. What specific command was executed?

In the Microsoft-Windows-PowerShell/Operational log, Event ID 4104 (script block logging) records the code that was executed:

Get-FileHash -Algorithm md5 .\Desktop\Automation-HTB.ps1

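Extracting the 4104 script blocks with PowerShell, as an added example (not from the original post; the log path is an assumption). The one-liner in this Sherlock fits in a single record, but the example handles the general case in which a long script is chunked across several 4104 events sharing one ScriptBlockId and has to be reassembled before you can read it.

```powershell
# Added example (not from the original post); the exported log path is an assumption.
$PsLog = 'C:\Cases\Logjammer\Microsoft-Windows-PowerShell%4Operational.evtx'

# 4104 = Script Block Logging. Properties: [0] MessageNumber, [1] MessageTotal,
# [2] ScriptBlockText, [3] ScriptBlockId, [4] Path. Blocks longer than the logger's chunk size
# are split over several 4104 records sharing one ScriptBlockId, so reassemble before reading.
$blocks = Get-WinEvent -FilterHashtable @{ Path = $PsLog; Id = 4104 } -Oldest | ForEach-Object {
    [pscustomobject]@{
        TimeUTC = $_.TimeCreated.ToUniversalTime()
        Number  = [int]$_.Properties[0].Value
        Total   = [int]$_.Properties[1].Value
        Text    = $_.Properties[2].Value
        Id      = $_.Properties[3].Value
        Path    = $_.Properties[4].Value         # empty for commands typed at the console
    }
}

$blocks | Group-Object Id | ForEach-Object {
    $parts = @($_.Group | Sort-Object Number)
    [pscustomobject]@{
        TimeUTC = $parts[0].TimeUTC
        Path    = $parts[0].Path
        Chunks  = "$($parts.Count)/$($parts[0].Total)"      # flags incomplete reassembly
        Script  = ($parts | ForEach-Object { $_.Text }) -join ''
    }
} |
    # Drop the boilerplate every console session logs (the prompt function) and show the rest.
    Where-Object { $_.Script.Trim() -ne 'prompt' } |
    Sort-Object TimeUTC |
    Format-List
```

An empty Path with a non-trivial script body is the signature of something typed or pasted interactively, which is what the Get-FileHash line here is; a populated Path points at a script file, and a Chunks value like 3/5 tells you the log is missing pieces (rotated or cleared) before you draw conclusions from a partial block.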

Task12 We suspect that the user deleted certain event logs. Which event log file was cleared?

Check the System log: Event ID 104 (source Microsoft-Windows-Eventlog) records a log being cleared and names the cleared channel. Clearing the Security log itself is not recorded there; that leaves Event ID 1102 in the Security log instead.


Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
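Both places a cleared log can show up, checked in one pass, as an added example that is not from the original post (paths are assumptions). Unlike the events above, 104 and 1102 keep their fields under UserData rather than EventData, so the script reads them from the XML.

```powershell
# Added example (not from the original post); paths are assumptions.
$SystemLog   = 'C:\Cases\Logjammer\System.evtx'
$SecurityLog = 'C:\Cases\Logjammer\Security.evtx'

# Clearing a log leaves two different traces: Event ID 104 (Microsoft-Windows-Eventlog) in the
# System log names any cleared channel except Security; clearing Security itself is recorded as
# Event ID 1102 in the Security log. Both store their fields under UserData/LogFileCleared,
# not EventData, so read them from the XML. -ErrorAction hides the "no events found" error
# that Get-WinEvent raises when a filter matches nothing.
$cleared = @()

$cleared += Get-WinEvent -FilterHashtable @{ Path = $SystemLog; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 } -Oldest -ErrorAction SilentlyContinue |
    ForEach-Object {
        $u = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
        [pscustomobject]@{
            TimeUTC = $_.TimeCreated.ToUniversalTime()
            Channel = $u.Channel
            User    = "$($u.SubjectDomainName)\$($u.SubjectUserName)"
            Backup  = $u.BackupPath          # non-empty when the log was saved before clearing
        }
    }

$cleared += Get-WinEvent -FilterHashtable @{ Path = $SecurityLog; Id = 1102 } -Oldest -ErrorAction SilentlyContinue |
    ForEach-Object {
        $u = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
        [pscustomobject]@{
            TimeUTC = $_.TimeCreated.ToUniversalTime()
            Channel = 'Security'
            User    = "$($u.SubjectDomainName)\$($u.SubjectUserName)"
            Backup  = $null
        }
    }

$cleared | Sort-Object TimeUTC | Format-Table -AutoSize
```

Two follow-ups a practitioner would make from the output: a Backup path means a copy of the cleared log may still exist on disk, and the clear time should be compared with the firewall rule from Task 2, since wiping the Firewall channel after adding a rule is what makes the clear itself part of the malicious activity rather than housekeeping.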
