Pre5 Forensics (CyberHackathon 23 Online Qualifiers)

CyberJunnkie
4 min readNov 11, 2023

--

We are provided with event logs and registry hives as artifacts

I started with using evtxecmd for parsing event logs and REcmd for registry. This will create provide us the data in timeline format.

Lets Start analysing

Question 1: What was the name of the script that ran on the machine?

To find the script name lets open the csv containing event logs timeline. The first event shows a powershell script

To further confirm lets view powershell operational event logs in event viewer.

We can further confirm this by viewing recent docs registry artifact result

Also note down the timestamp when the script was executed as this may help us further in the investigation.

Answer : Freemoney.ps1

Question 2: Which service was used to connect the machine to other devices? [Note: Captial Letters]

To see this lets view other surrounding events from when script was executed.

We see that an RDP connection was made to a server with address 192.168.1.4. To further prove this theory we can analyse Terminal Server Client registry key from user’s NTUSER.dat hive to see whether this server was connected to.

The location of this key is
NTUSER.DAT\SOFTWARE\MICROSOFT\TERMINAL SERVER CLIENT

We see that the host 192.168.1.4 was connected using the username Work.

Ans RDP

Question 3: What IP address did the machine try to connect to?

As we already established this in previous question

Answer 192.168.1.4

Question 4: We think the script hidden a command to be executed later. Can you find that command? [Note: Keep Spaces]

This question was the one with which everyone struggled. Our Team T3M4n6 was the first team to solve this question and this challenge. Unfortunately rest of the teams also completed this a bit after and shared the flags to other teams, But we still remained on top.

Anyways lets start analysis of this. Lets open registry timeline.

This was the point and context we had so far. The question was which command was hidden by the script, meaning we have to find persistence mechanism installed by the script. SO logicly it would have occured after the execution of the script. Lets scroll and see the events.

This specific event catched my eye

What this specific event means is that regedit was used to edit the above registry key. This is definitely suspicious because if we see a key being edited some time after a malicious script being executed on the system, it definitely is a red flag.

Then I visited that registry key to see whether i hit the jackpot or no. I opened the SOFTWARE hive in registry explorer and navigated to the location.

The last entry seemed SUS to me

We see that this command was added which executes a c2 beacon/Reverse shell residing in Temp dir. basically how this persistence works is that whenever the system is booted this command would get executed

Answer netsh add helper C:\Users\Work\AppData\Local\Temp\h1dd3nshell.exe

--

--

CyberJunnkie
CyberJunnkie

Written by CyberJunnkie

Senior Defensive Content Engineer @HackTheBox 🖥️ 🐱‍💻 DFIR Analyst @ ProvenData

No responses yet