True unfreedom is a cage built inside one's own heart.

TickTock Record of HackTheBox Sherlocks

Gladys is a new employee at the company. She received an email notifying her that the IT department would be performing some work on her personal computer. She was instructed to call the IT team, who would tell her how to allow them remote access. However, this IT team is actually a group of hackers trying to attack Forela.

Task1 What is the name of the executable uploaded as a C2 agent?

Open the Microsoft-Windows-Sysmon%4Operational.evtx log file.

Microsoft-Windows-Sysmon%4Operational.evtx is the event log written by Windows Sysmon (System Monitor), which records system activity in detail. Sysmon is part of the Sysinternals Suite and is designed to extend Windows logging with fine-grained event monitoring to support security analysis and incident response.

Sysmon can monitor and log the following types of events:

  1. Process Creation: Monitors the creation of new processes, including command line arguments.
  2. Network Connections: Records information about outbound and inbound network connections.
  3. File Creation Time: Logs events related to file creation, modification, and deletion.
  4. Driver Loading: Monitors drivers loaded into the system.
  5. File Hash: Records the hash values of files for later analysis.
  6. Registry Operations: Monitors the creation, modification, and deletion of registry entries.
  7. Raw Event Logging: Records other significant system events.

Alternatively, check the MFT records, and you can see this file on the desktop.

Task2 What is the session ID at the time of initial access?

The attacker gained remote access through TeamViewer, so check the TeamViewer logs.

Open the TeamViewer log file.

At the very beginning, you can see the session ID.

Task3 What is the password that the attacker tried to set for Bitlocker on the C: drive?

Check the Windows PowerShell.evtx log.

Base64-decode the logged string to recover the password.

Task4 What is the name used by the attacker?

Check the TeamViewer logs.

Task5 Which IP address does the C2 connect back to?

Check the Microsoft-Windows-Sysmon%4Operational.evtx log file.

52.56.142.81

Task6 What category did Windows Defender assign to the C2 binary?

Check the Windows Defender logs.

VirTool/Myrddin.D

Task7 What is the filename of the PowerShell script used by the attacker to manipulate time?

Check the Microsoft-Windows-Sysmon%4Operational.evtx log file and filter for the .ps1 extension.

The time-manipulation script shows up in the filtered results.

Alternatively, parse the MFT; the .ps1 script also appears on the desktop.

Invoke-TimeWizard.ps1
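As an added example (not part of the original writeup), the two Sysmon pivots used in Task 5 and Task 7 written in Python over a constructed XML export of the Sysmon Operational log: filter process-creation events (ID 1) for .ps1 scripts, and count network-connection events (ID 3) per image and destination. The user profile path, the agent name agent_PLACEHOLDER.exe and the event layout are assumptions; the destination IP and the script name are the values from this page.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample of three Sysmon events in the XML layout produced by an
# EVTX-to-XML export. Paths and "agent_PLACEHOLDER.exe" are assumptions; the
# destination IP and script name are the ones recovered in the writeup.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System>
 <EventData><Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
 <Data Name="CommandLine">powershell -ep bypass -f C:\\Users\\gladys\\Desktop\\Invoke-TimeWizard.ps1</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>3</EventID></System>
 <EventData><Data Name="Image">C:\\Users\\gladys\\Desktop\\agent_PLACEHOLDER.exe</Data>
 <Data Name="DestinationIp">52.56.142.81</Data><Data Name="DestinationPort">443</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>3</EventID></System>
 <EventData><Data Name="Image">C:\\Users\\gladys\\Desktop\\agent_PLACEHOLDER.exe</Data>
 <Data Name="DestinationIp">52.56.142.81</Data><Data Name="DestinationPort">443</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into a dict: {'id': EventID, <EventData Name>: value, ...}."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {"id": int(ev.findtext("e:System/e:EventID", namespaces=NS))}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        out.append(rec)
    return out


def scripts_launched(events, ext=".ps1"):
    """Task 7 pivot: script file names with the given extension seen in ID 1 command lines."""
    pat = re.compile(r"[\w.\-]+" + re.escape(ext) + r"\b", re.IGNORECASE)
    return sorted({m for e in events if e["id"] == 1 for m in pat.findall(e.get("CommandLine", ""))})


def outbound_by_image(events):
    """Task 5 pivot: number of ID 3 network connections per (Image, DestinationIp)."""
    return Counter((e["Image"], e["DestinationIp"]) for e in events if e["id"] == 3)


EVENTS = parse_events(SAMPLE_XML)
```

On real evidence, point `parse_events` at the XML produced by exporting the .evtx file, then read the most frequent (Image, DestinationIp) pair to identify the beaconing binary.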

Task8 When did the initial access connection start?

2023/05/04 11:35:27

Task9 What are the SHA1 and SHA2 sums of the malicious binary?

Analyze the log files in the Windows Defender directory.

Search for SHA1.

Task10 How many times did the PowerShell script change the time on the machine?

2371

Task11 What is the SID of the victim user?

Check the security logs to find out.

S-1-5-21-3720869868-2926106253-3446724670-1003
