Hack The Box: Event Horizon

Nate
3 min read · Dec 29, 2022


Challenge 2 of the Intro to Blue Team Track

Description: Our CEO’s computer was compromised in a phishing attack. The attackers took care to clear the PowerShell logs, so we don’t know what they executed. Can you help us?

ALL THE LOGS!

As suspected by the name, you are about to download a large number of event logs.

Start digging!

We weren’t provided much info on the phishing email, so let’s go straight to the PowerShell logs.

Looks like the first PowerShell script was initiated on the 22nd.

This is PowerUp, a script available in PowerSploit. Check it out here if you’d like to learn more about it: https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

It appears that the attacker used PowerSploit to gain persistence, enumerate access, elevate privileges, etc.

After they gained RCE, they attempted to download and run Mimikatz.

The good news is, Windows Defender seemed to have caught this:

This is also reflected in the Windows Defender logs:

If we hop over to the Firewall events, we see event 2004 — “A rule has been added to the Windows Defender exception list.”

I’m going to assume this is how they were able to successfully download Mimikatz.
Windows Defender caught it again, but did not block it from running this time.

If you follow the Gist link, you’ll notice that the script is written to run Mimikatz entirely in memory without installing it.

This explains why it wasn’t blocked.
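The correlation described in the last few paragraphs (Defender catching the first Mimikatz download, an exception being added, and the second attempt running anyway) is easier to see when the relevant events are placed on one timeline. The script below is an added example, not part of the original write-up; it assumes the challenge's exported logs were copied into a placeholder directory `C:\case` under their standard export names, and it reads the Firewall log for event 2004 and the Defender Operational log for 1116 (threat detected), 1117 (action taken) and 5007 (configuration changed). The `Data Name` fields it looks up are the ones those providers normally emit; a field that is absent simply prints blank.

```powershell
# Added example (not from the original write-up): put Defender detections and
# Firewall/Defender configuration changes on a single timeline.
# Assumption: the exported .evtx files live in C:\case (placeholder directory).
$CaseDir = 'C:\case'

# Flatten <EventData><Data Name="..."> into a hashtable so the script does not
# depend on positional Properties indices, which differ between providers.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $name = $d.GetAttribute('Name')
        if ($name) { $data[$name] = $d.'#text' }
    }
    return $data
}

# Windows Defender Operational log: 1116 = malware detected, 1117 = action taken,
# 5007 = configuration changed (this is where exclusion changes are recorded).
$defender = Get-WinEvent -Path (Join-Path $CaseDir 'Microsoft-Windows-Windows Defender%4Operational.evtx') `
    -FilterXPath '*[System[(EventID=1116 or EventID=1117 or EventID=5007)]]' -ErrorAction SilentlyContinue

# Firewall log: 2004 = a rule has been added to the exception list.
$firewall = Get-WinEvent -Path (Join-Path $CaseDir 'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx') `
    -FilterXPath '*[System[EventID=2004]]' -ErrorAction SilentlyContinue

# @($null) is a one-element array, so drop nulls if either query returned nothing.
$events = @($defender) + @($firewall) | Where-Object { $null -ne $_ }

$timeline = foreach ($e in $events) {
    $d = Get-EventData $e
    $summary = switch ($e.Id) {
        1116    { 'DETECTED  {0}  path={1}'        -f $d['Threat Name'], $d['Path'] }
        1117    { 'ACTION    {0}  action={1}'      -f $d['Threat Name'], $d['Action Name'] }
        5007    { 'CONFIG    {0} -> {1}'           -f $d['Old Value'],   $d['New Value'] }
        2004    { 'FW RULE   {0}  app={1}  by={2}' -f $d['RuleName'], $d['ApplicationPath'], $d['ModifyingApplication'] }
        default { ($e.Message -split "`n")[0] }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Log     = $e.LogName
        Summary = $summary
    }
}

# Reading the sorted output top to bottom shows whether a configuration change
# (5007 / 2004) sits between the blocked detection and the one that was allowed to run.
$timeline | Sort-Object Time | Format-Table Time, Id, Summary -AutoSize -Wrap
```

Because the events are read from files rather than the live channel, the `Message` fallback only renders on a machine that has the Defender and Firewall provider manifests installed (any Windows host with Defender does); the `Data Name` lookups work regardless.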

Here is an overview:

But where is the flag?

That is the easy part. Simply open the PowerShell logs and search “HTB” — you will find the flag in the comments section of the PowerUp script.
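Both the initial triage of the PowerShell logs (finding the first script and what it was) and the final search for the flag come down to the same operation: reassembling Script Block Logging events and searching the result. The script below is an added example, not code from the original write-up; it assumes the exported `Microsoft-Windows-PowerShell%4Operational.evtx` was copied to a placeholder path under `C:\case`, and relies on the documented layout of event 4104, whose properties are MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId and Path. The indicator list is a constructed starting point, not something taken from the challenge.

```powershell
# Added example (not from the original write-up): rebuild and search script blocks
# from an exported PowerShell Operational log.
# Assumption: the log was copied to this placeholder path.
$LogPath = 'C:\case\Microsoft-Windows-PowerShell%4Operational.evtx'

# Event 4104 = Script Block Logging. Long scripts are split across several 4104
# events that share a ScriptBlockId; Properties[0..4] are MessageNumber,
# MessageTotal, ScriptBlockText, ScriptBlockId, Path.
$fragments = Get-WinEvent -Path $LogPath -FilterXPath '*[System[EventID=4104]]' -ErrorAction Stop |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Number = [int]$_.Properties[0].Value
            Total  = [int]$_.Properties[1].Value
            Text   = [string]$_.Properties[2].Value
            Id     = [string]$_.Properties[3].Value
            Path   = [string]$_.Properties[4].Value
        }
    }

# 1. Reassemble each script in fragment order and record when it first appeared.
#    The earliest FirstSeen is the "first PowerShell script" of the investigation.
$scripts = $fragments | Group-Object Id | ForEach-Object {
    $parts = @($_.Group | Sort-Object Number)
    [pscustomobject]@{
        FirstSeen = $parts[0].Time
        Id        = $_.Name
        Fragments = $parts.Count
        Expected  = $parts[0].Total          # lets you spot incomplete captures
        Path      = $parts[0].Path
        Text      = ($parts.Text -join '')
    }
} | Sort-Object FirstSeen

# Timeline view: one row per script, with a short preview of how it starts.
$scripts | Select-Object FirstSeen, Fragments, Expected, Path,
    @{ n = 'Preview'; e = { ($_.Text.Substring(0, [Math]::Min(80, $_.Text.Length))) -replace '\s+', ' ' } } |
    Format-Table -AutoSize

# Scripts per day, to confirm on which date activity began.
$scripts | Group-Object { $_.FirstSeen.ToString('yyyy-MM-dd') } |
    Select-Object Name, Count | Format-Table -AutoSize

# 2. Indicator search across the reassembled text. Each hit is reported with its
#    line so surrounding context (for example a comment block) is visible.
#    Constructed indicator list; extend it with whatever the investigation turns up.
$patterns = 'PowerUp', 'Invoke-AllChecks', 'Mimikatz', 'DownloadString', 'Add-MpPreference', 'HTB'
foreach ($s in $scripts) {
    $lineNo = 0
    foreach ($line in ($s.Text -split "`r?`n")) {
        $lineNo++
        foreach ($p in $patterns) {
            if ($line -match $p) {
                '{0:u}  {1}  line {2,5}  [{3}]  {4}' -f $s.FirstSeen, $s.Id.Substring(0, 8), $lineNo, $p, $line.Trim()
            }
        }
    }
}
```

Comparing `Fragments` against `Expected` is worth a glance before trusting any search result: if a script was only partially captured, a keyword that sits in a missing fragment will never match, which is exactly the kind of gap an attacker clearing logs hopes to leave behind.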

What is the fun in that though? You may find more than I did. Take your time and search through the logs before grabbing the flag!


Dad | Information Security Analyst | Financial Sector | Hacker