HCSC 2024 - Forensic 6.

Description

Which service/protocol was used by the attacker to run commands remotely on the DC? Through which port? What is the IP of the attacker machine?

(example: hcsc{serviceShortName_port_remoteIPv4}) – case insensitive

Metadata

Tags: event log, 4104, winrm, powershell, powershell remoting
Points: 400
Number of solvers: 8
Filename: -

Solution

By analyzing the PowerShell Event Log, we can find events with ID 4104, which refer to the PowerShell Remoting technique. This allows you to run PowerShell commands on a remote machine. The communication between the machines is done through the WinRM TCP port, which is port 5985. So the first half of the solution is winrm and 5985.

GamingMonitor.exe PowerShell Event Log

init.dll PowerShell Event Log

The IP address can be taken from the TGT request event in the previous challenge, for example. The solution is 192.168.238.132. If you look for login events before running PowerShell, we can also find the IP address.

IP address

Flag: hcsc{winrm_5985_192.168.238.132}

tkh4ck.github.io

Personal website and blog of tkh4ck

HCSC 2024 - Forensic 6.

Description

Metadata

Solution