Our CEO's computer was compromised in a phishing attack. The attackers took care to clear the PowerShell logs, so we don't know what they executed. Can you help us?
Information
Challenge: Event Horizon
Category: Forensics
Difficulty: Easy
Files : ‘Event Horizon.zip’ 3.2 MB
– Logs 72 MB
– TraceFormat 4 KB
Environment: Remnux VM
My Recommendations
Download it from hackthebox and verify it with:
sha256sum /path/to/'Event Horizon.zip'SHA256SUM: 33644954d4431194f492e7d8dd825e2e47de006080aba7b0d79c3e9a78d8f618
Walkthrough
1. Event Log Analysis
Although the description specifies PowerShell, we can simply parse all of the evtx files at once with this Python script.
import subprocess
import os
path = 'Logs/'
for filename in os.listdir(path):
f = os.path.join(path, filename)
if os.path.isfile(f):
output_name = filename + ".txt"
output_dir = "output/"
output_file = output_dir + output_name
with open(output_file, 'wb') as out:
parser = subprocess.Popen(["evtxtract", f], shell=False, stdout=out,
stderr=subprocess.PIPE)
out.close()
Next, we can check the PowerShell log file for the string ‘bypass’. This is often used in attacks so that PowerShell bypasses the standard security checks. Three commands are worth noting:
Which decodes to:
"Is Elevated: $(([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator')) - $(Get-Date)" | Out-File C:\UACBypassTest.txt -Append
Then, these three files being downloaded into the machine:
We can download them locally through curl:
curl -O https://gist.githubusercontent.com/phwRi7EUp/146c73e8d28eab5c8b546861e06226e7/raw/881106760796a219711035fba797bafe76f22368/SFRCezhMdTNfNzM0bV9GMHIzdjNSfSAg.ps1
curl -O https://gist.githubusercontent.com/blueteampathway/c5735d8a38a02e1cb903a53c6ba860e7/raw/e5caae5b0e2537a5891d71d127866733a367add4/gistfile1.txt
curl -O https://gist.githubusercontent.com/hiddenblueteamer/b1dab4113e5d0b2ed4dfa02d7853aef0/raw/ac9327b6603a911057fed868e725f7cf5a52bca4/SFRCezhMdTNfNzM0bV9GMHIzdjNSfSAg.ps1
#Only the first link contains a valid file
The first file is actually PowerSploit’s Invoke MimiKatz script. Looking over the rest of the logs nothing sparks much interest. So I go the easy way and grep for ‘HTB{‘:
Kind of feels like cheating, but there must have not been another way to find this flag!
Flag: HTB{8Lu3_734m_F0r3v3R}
TLDR
– Windows EventLogs are one of the best sources for DFIR.
– Evtxtract parses the log file into text format.
