When did user cyberjunkie successfully log into his computer? (UTC)
27/03/2023 14:37:09
There are two Event IDs to consider for logons: 4624 (an account was successfully logged on) and 4648 (a logon was attempted using explicit credentials). The question asks for a successful logon, so 4624 is the one to filter on: check that TargetUserName is cyberjunkie and the Logon Type (2 = interactive), and convert the timestamp to UTC, since Event Viewer displays local time.
![[Pasted image 20240117155123.png]]
The user tampered with firewall settings on the system. Analyze the firewall event logs to find out the Name of the firewall rule added?
Metasploit C2 Bypass
The most recent event when I filtered the firewall event log was a suspicious rule called Metasploit C2 Bypass.
- Event ID 2004 (a rule has been added to the Windows Defender Firewall exception list) in the Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log; 2005 and 2006 are rule modified and rule deleted.
What’s the direction of the firewall rule?
Outbound
- In the raw event the Direction field is a numeric code (1 = Inbound, 2 = Outbound); the rendered message shows the word.
The user changed audit policy of the computer. What’s the Subcategory of this changed policy?
Other Object Access Events
![[Pasted image 20240117143852.png]]
The audit policy determines which events the system records in the Security log. A change to it is logged as Event ID 4719 (System audit policy was changed), which identifies the affected subcategory only by its GUID, not by name.
To find the subcategory, I looked up the Subcategory GUID.
- `auditpol /list /subcategory:* /v` prints every subcategory name with its GUID, so the mapping can be done on any Windows host without an internet search.
![[Pasted image 20240117144407.png]]
The user “cyberjunkie” created a scheduled task. What's the name of this task?
HTB-AUTOMATION
Event ID: 4698
- A scheduled task was created
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
What’s the full path of the file which was scheduled for the task?
C:\Users\CyberJunkie\Desktop\Automation-HTB.ps1
![[Pasted image 20240117145509.png]]
(Note to self: the output had double backslashes (`\\`), probably for formatting)
What are the arguments of the command?
-A cyberjunkie@hackthebox.eu
![[Pasted image 20240117145537.png]]
The antivirus running on the system identified a threat and performed actions on it. Which tool was identified as malware by antivirus?
SharpHound
![[Pasted image 20240117150901.png]]
- Event ID 1117: the antivirus has taken action to protect the system from malware (1116 is the detection itself, before any action): https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
What’s the full path of the malware which raised the alert?
C:\Users\CyberJunkie\Downloads\SharpHound-v1.1.0.zip
- Paste the event payload from the log into a JSON formatter to read the fields; the Path value carries a `file:_` prefix in front of the real path. ![[Pasted image 20240117151116.png]]
What action was taken by the antivirus?
Quarantine
![[Pasted image 20240117151324.png]]
The user used Powershell to execute commands. What command was executed by the user?
Get-FileHash -Algorithm md5 .\Desktop\Automation-HTB.ps1
- Event ID 4104 (script block logging) in Microsoft-Windows-PowerShell/Operational holds the executed script text in its ScriptBlockText field.
![[Pasted image 20240117151612.png]]
We suspect the user deleted some event logs. Which Event log file was cleared?
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
- Log clearing shows up as Event ID 1102 in the Security log (the Security log itself was cleared; 1100 only marks the event logging service shutting down) and as Event ID 104 in the System log for any other channel, whose Channel field names the log that was wiped.
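To make the lookups above repeatable, here is an added PowerShell walk-through of every question against the exported .evtx files. It is not part of the original notes: the directory C:\Logjammer and the .evtx file names are assumptions to adjust to your copy. It goes a step beyond the manual filtering in the notes by pulling the relevant fields by name, including the TaskContent XML of 4698 and the UserData block that the log-clear events 104/1102 use instead of EventData.

```powershell
# Added example, not part of the original notes. Assumes the Sherlock's .evtx exports
# sit in $LogDir under the file names below (directory and names are assumptions;
# adjust them to your copy). Run on Windows, PowerShell 5.1 or later.
$LogDir   = 'C:\Logjammer'
$Security = Join-Path $LogDir 'Security.evtx'
$System   = Join-Path $LogDir 'System.evtx'
$Firewall = Join-Path $LogDir 'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx'
$Defender = Join-Path $LogDir 'Microsoft-Windows-Windows Defender%4Operational.evtx'
$PoSh     = Join-Path $LogDir 'Microsoft-Windows-PowerShell%4Operational.evtx'

# Return an event's fields as a name->value hashtable. Most events carry
# <EventData><Data Name="...">; the log-clear events 104/1102 use <UserData> instead.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $h[$d.Name] = $d.'#text' }
    }
    foreach ($n in $xml.Event.UserData.FirstChild.ChildNodes) {
        $h[$n.LocalName] = $n.InnerText
    }
    $h
}

# Q1: successful logons (4624) for cyberjunkie, reported in UTC (TimeCreated is local).
# LogonType 2 = interactive. 4648 is only an attempt with explicit credentials.
Get-WinEvent -FilterHashtable @{ Path = $Security; Id = 4624 } | ForEach-Object {
    $d = Get-EventData $_
    if ($d.TargetUserName -ieq 'cyberjunkie') {
        [pscustomobject]@{ TimeUtc = $_.TimeCreated.ToUniversalTime(); LogonType = $d.LogonType }
    }
}

# Q2/Q3: rules added to the firewall (2004 = added; 2005 = modified, 2006 = deleted).
# Direction is stored as a code: 1 = Inbound, 2 = Outbound.
Get-WinEvent -FilterHashtable @{ Path = $Firewall; Id = 2004 } | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Rule = $d.RuleName
                       Direction = @{ '1' = 'Inbound'; '2' = 'Outbound' }[$d.Direction] }
}

# Q4: 4719 carries only the subcategory GUID. auditpol prints "<name>  {GUID}" for
# every subcategory (run from an elevated prompt), giving the GUID -> name mapping.
$guidToName = @{}
auditpol /list /subcategory:* /v | ForEach-Object {
    if ($_ -match '^\s+(.+?)\s+(\{[0-9A-Fa-f-]+\})\s*$') { $guidToName[$matches[2].ToUpper()] = $matches[1] }
}
Get-WinEvent -FilterHashtable @{ Path = $Security; Id = 4719 } | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Guid = $d.SubcategoryGuid
                       Subcategory = $guidToName[$d.SubcategoryGuid.ToUpper()]
                       Changes = $d.AuditPolicyChanges }
}

# Q5-Q7: scheduled task creation (4698). TaskContent is the task definition XML, so
# the scheduled program and its arguments are read from <Actions><Exec>.
Get-WinEvent -FilterHashtable @{ Path = $Security; Id = 4698 } | ForEach-Object {
    $d = Get-EventData $_
    $task = [xml]$d.TaskContent
    [pscustomobject]@{ Time = $_.TimeCreated; Creator = $d.SubjectUserName; Task = $d.TaskName
                       Command = $task.Task.Actions.Exec.Command
                       Arguments = $task.Task.Actions.Exec.Arguments }
}

# Q8-Q10: Defender detections (1116 = detected, 1117 = action taken). Field names
# contain spaces. Path is prefixed "file:_"; Action Name may appear as a "%%nnn"
# resource reference in the raw XML, so the rendered Message is kept alongside it.
Get-WinEvent -FilterHashtable @{ Path = $Defender; Id = 1116, 1117 } | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Threat = $d['Threat Name']
                       Path = ($d['Path'] -replace '^file:_', ''); ActionId = $d['Action ID']
                       Action = $d['Action Name']; Message = $_.Message }
}

# Q11: script block logging (4104) records the text of each executed script block.
Get-WinEvent -FilterHashtable @{ Path = $PoSh; Id = 4104 } | ForEach-Object {
    (Get-EventData $_).ScriptBlockText
}

# Q12: clearing the Security log is 1102 in Security; clearing any other channel is
# 104 in System, whose Channel field names the log that was wiped.
Get-WinEvent -FilterHashtable @{ Path = $Security; Id = 1102 } | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Cleared = 'Security'; By = $d.SubjectUserName }
}
Get-WinEvent -FilterHashtable @{ Path = $System; Id = 104 } | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Cleared = $d.Channel; By = $d.SubjectUserName }
}
```

Get-WinEvent reports a non-terminating "No events were found" error for any file with no matching IDs, which is expected for channels the user did not touch. The Defender Message column only resolves the %%nnn placeholders when the Defender event provider is registered on the analysis host; otherwise rely on the Action ID field.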