Spoiler

This article is a Sherlock GhostTrace article from Hack The Box.

Foreword

Sherlock challenges on Hack The Box are investigative Blue Team scenarios designed to assess defensive security skills. They place the analyst in the aftermath of a targeted cyber attack, where the objective is to analyze the provided forensic artifacts and reconstruct the attack chain based on the available evidence.

Sherlock Scenario | SOC

You are a blue team analyst tasked with investigating a suspected breach in an Active Directory environment named Main.local. The network includes a Domain Controller (DC01) and two client machines (Client02 and Client03). A user on Client03 received a phishing email, leading to a series of attacks that compromised the domain. Your job is to analyze the provided Windows Event Logs and Sysmon logs from Client02, Client03, and DC01 to reconstruct the attack chain, identify the attacker's actions, and uncover critical artifacts such as credentials, hashes, and persistence mechanisms.

Provided Artifacts

The provided files are:

├── Logs-Client02
│   ├── Application.evtx
│   ├── C
│   │   └── $MFT
│   ├── Powershell.evtx
│   ├── Security.evtx
│   └── Sysmon.evtx
├── Logs-Client03
│   ├── Application.evtx
│   ├── C
│   │   └── $MFT
│   ├── Powershell.evtx
│   ├── Security.evtx
│   └── Sysmon.evtx
└── Logs-DC
    ├── Application.evtx
    ├── C
    │   └── $MFT
    ├── Powershell.evtx
    ├── Security.evtx
    └── Sysmon.evtx

Question 1: What is the name of the malicious phishing attachment downloaded by the user on Client02?

To identify the initial payload, I reviewed Sysmon Event ID 15, which records file stream creation events typically associated with browser downloads. I applied the following filter: Event.System.EventID.#text.keyword:15 and source_file.keyword:Client02 and source_filename.keyword:Sysmon.evtx

Among the matching events, one entry shows chrome.exe writing a macro-enabled Word document to the user's Downloads folder:

C:\Users\jody\Downloads\Profits.docm

The download occurred at 2025-05-25 03:27:50, making this the phishing attachment referenced in the question.

Downloaded phishing attachment on Client02

Therefore, the answer is: Profits.docm.

Question 2: What is the IP address from which the malicious attachment was downloaded?

To recover the original download source, I searched the $MFT for Profits.docm and extracted the corresponding record metadata.

MFT entry for Profits.docm

Using the Entry Number and Sequence Number of that record, I queried the file directly with MFTECmd:

./MFTECmd/bin/Release/net9.0/MFTECmd -f ../GhostTrace/Logs-Client02/C/\$MFT --de 105294-13
    ASCII:   [ZoneTransfer]
             ZoneId=3
             HostUrl=http://192.168.204.152/Profits.docm

The Zone Identifier data reveals the HostUrl from which the document was downloaded.

This could also have been confirmed by correlating nearby Sysmon download activity from Question 1.

Host URL associated with the downloaded attachment

Therefore, the answer is: 192.168.204.152.

Question 3: After the victim opened the file, the malware initiated a network connection to a remote IP address. What is the IP address and the port number?

To identify the first outbound connection triggered by the malicious document, I reviewed Sysmon Event ID 3, which records network connections, on Client02: Event.System.EventID.#text.keyword:"3" and source_file.keyword:Client02 and source_filename.keyword:Sysmon.evtx

Shortly after the document download, at 2025-05-25 03:29:04, WINWORD.EXE initiates a network connection to 192.168.204.152 on port 4444. Given the timing, this is consistent with malicious macro execution.

Initial network connection from WINWORD.EXE

Therefore, the answer is: 192.168.204.152:4444.

Question 4: What is the name of the second-stage payload uploaded to Client02?

To identify the follow-up payload, I pivoted on the attacker IP address 192.168.204.152 within the Sysmon logs for Client02.

At 2025-05-25 03:32:23, a new network connection is recorded from the executable:

C:\Users\jody\Downloads\UpdatePolicy.exe

This suggests that UpdatePolicy.exe is the second-stage payload dropped and executed on the victim host.

Second-stage payload communicating with the attacker

Therefore, the answer is: UpdatePolicy.exe.

Question 5: What port was used for the reverse shell connection from the second-stage payload on Client02?

From the same Sysmon Event ID 3 associated with UpdatePolicy.exe, the remote communication is established over port 1337.

Therefore, the answer is: 1337.
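As an added example (not part of the original writeup), the following Python reproduces the pivot from Questions 1 to 5 over constructed Sysmon records: it parses the Zone.Identifier text that MFTECmd and Sysmon Event ID 15 expose, recovers the download host, and lists later Event ID 3 connections back to that host. The event shapes, the paths and the svchost.exe control record are assumptions built to mirror the writeup's field names.

```python
import re
# Constructed Sysmon records for Client02 (not the challenge's real events); field paths follow
# the writeup's filters (Event.System.EventID.#text, EventData.*).
SAMPLE_EVENTS = [
    {"Event": {"System": {"EventID": {"#text": "15"}}, "EventData": {
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "TargetFilename": r"C:\Users\jody\Downloads\Profits.docm:Zone.Identifier",
        "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=http://192.168.204.152/Profits.docm\r\n"}}},
    {"Event": {"System": {"EventID": {"#text": "3"}}, "EventData": {
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "DestinationIp": "192.168.204.152", "DestinationPort": "4444"}}},
    {"Event": {"System": {"EventID": {"#text": "3"}}, "EventData": {
        "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "10.0.0.5", "DestinationPort": "443"}}},
]

def parse_zone_identifier(contents):
    """Parse Zone.Identifier text (MFTECmd --de output or Sysmon EID 15 'Contents');
    only keys inside [ZoneTransfer] count, {} if that section is absent."""
    result, in_section = {}, False
    for raw in contents.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            result[key.strip()] = value.strip()
    return result

def download_host(contents):
    """Host the file came from: HostUrl preferred, ReferrerUrl as fallback, None if neither."""
    zone = parse_zone_identifier(contents)
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", zone.get("HostUrl") or zone.get("ReferrerUrl") or "", re.I)
    return m.group(1) if m else None

def correlate_downloads(events):
    """Pair each Zone.Identifier stream (EID 15) with later EID 3 connections back to the
    download source: the Question 1 to 5 pivot the writeup performs by hand."""
    eid = lambda e: e["Event"]["System"]["EventID"]["#text"]
    findings = []
    for ev in events:
        data = ev["Event"]["EventData"]
        if eid(ev) != "15" or not data["TargetFilename"].endswith(":Zone.Identifier"):
            continue
        host = download_host(data.get("Contents", ""))
        if host is None:
            continue  # no [ZoneTransfer] section or no URL: nothing to pivot on
        callbacks = [(e["Event"]["EventData"]["Image"].rsplit("\\", 1)[-1], int(e["Event"]["EventData"]["DestinationPort"]))
                     for e in events if eid(e) == "3" and e["Event"]["EventData"]["DestinationIp"] == host]
        findings.append({"file": data["TargetFilename"][:-len(":Zone.Identifier")], "source": host, "callbacks": callbacks})
    return findings
```

Run against real logs, every EID 3 record whose DestinationIp matches a recovered download host is a candidate callback, and the process name and port in each tuple are the values Questions 3 to 5 ask for.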

Question 6: The attacker subsequently downloaded a tool to enumerate the Active Directory environment. What is the name of this tool?

Later in the timeline, at 2025-05-25 03:37:05, the attacker downloads and uses PowerView, a well-known PowerShell-based Active Directory enumeration tool. I found this in Sysmon Event ID 11 (FileCreate) events, which record the script being written to disk.

PowerView downloaded for AD enumeration

Therefore, the answer is: powerview.ps1.

Question 7: What is the username of the targeted service account?

Because PowerView is commonly used to enumerate Active Directory and prepare for Kerberoasting, I pivoted to Kerberos service ticket activity on the domain controller. To isolate suspicious ticket requests, I filtered on Event ID 4769 and selected RC4-encrypted tickets (0x17): Event.System.EventID.#text.keyword:4769 and Event.EventData.Data.TicketEncryptionType.keyword:0x00000017 and source_file.keyword:DC

At 2025-05-25 03:42:33, a relevant ticket request reveals the targeted service account as sqlsvc.

Kerberos service ticket request for the targeted account

Therefore, the answer is: sqlsvc.

Question 8: After acquiring the account credentials, the attacker was able to crack the ticket. When did the attacker first use them to log in? (UTC)

To identify the first use of the compromised service account, I reviewed successful logon events for sqlsvc on the domain controller: Event.System.EventID.#text.keyword:"4624" and Event.EventData.Data.TargetUserName.keyword:"sqlsvc"

The first successful login for this account appears at 2025-05-25 04:03:47 UTC.

First successful login using the compromised sqlsvc account

Therefore, the answer is: 2025-05-25 04:03:47.

Question 9: What is the executable associated with the first service created by a Sysinternals tool on the target system following the attacker's initial login attempt?

To identify the first service-related payload dropped after the attacker's initial login, I filtered for Sysmon Event ID 11 file creation events after the first successful sqlsvc logon: Event.System.EventID.#text:11 and @timestamp > "2025-05-25T04:03:47"

This reveals a suspicious executable created in C:\Windows at 2025-05-25 04:05:12: C:\Windows\VgYTbFEK.exe

This naming pattern is consistent with a PsExec-style service binary deployed by a Sysinternals tool during lateral movement.

Suspicious service executable created in C:\Windows

Therefore, the answer is: VgYTbFEK.exe.

Question 10: On Client03, what was the file name of the executable used to dump cleartext credentials from memory?

To identify the credential-dumping tool on Client03, I reviewed Sysmon Event ID 1 process creation events after the attacker's lateral movement: Event.System.EventID.#text:1 and source_file.keyword:*Logs-Client03* and @timestamp >= "2025-05-25T04:05:47"

At 2025-05-25 04:10:43 UTC, there is a suspicious executable named C:\Users\sqlsvc\Downloads\netdiag.exe. Its embedded metadata identifies it as Mimikatz, with fields such as Description: mimikatz for Windows, Product: mimikatz, and OriginalFileName: mimikatz.exe.

Because Mimikatz is commonly used to dump cleartext credentials from LSASS, the executable used for credential dumping is netdiag.exe.

Therefore, the answer is: netdiag.exe.

Question 11: What is the username of the account whose cleartext password was found on Client03?

Using the same investigation window, I identified a runas.exe execution at 2025-05-25 04:12:21 with the argument /user:Main\lucas.

runas.exe execution using the recovered credentials

This is further supported by successful logon activity for the same account on Client03.

Logon activity associated with the lucas account

Therefore, the answer is: lucas.

Question 12: After obtaining the cleartext password of this account, the attacker carried out a domain-level credential extraction attack. At what time did the compromised account perform this attack on the domain? (UTC)

To identify the domain-level credential theft activity, I filtered on Event ID 4662 on the domain controller: Event.System.EventID.#text.keyword:"4662" and source_file.keyword:*DC*

This reveals a DCSync-style access pattern, where the lucas account performs directory replication operations against the domain controller.

Directory replication activity associated with the compromised account

Therefore, the answer is: 2025-05-25 04:26:36.
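The two domain-controller filters from Questions 7 and 12, as an added Python example that is not from the writeup: Kerberoast candidates are successful RC4 (0x17) 4769 tickets for non-machine SPNs, and DCSync candidates are 4662 events granting a replication extended right to a non-machine account. The events below are constructed; the replication GUIDs are the standard Active Directory extended-rights identifiers, not values from the challenge logs.

```python
# Constructed Security-log records from DC01 (not the challenge's real events); field paths follow
# the writeup's filters (Event.System.EventID.#text, Event.EventData.Data.*).
DC_EVENTS = [
    {"Event": {"System": {"EventID": {"#text": "4769"}}, "EventData": {"Data": {
        "TargetUserName": "jody@MAIN.LOCAL", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x00000017", "Status": "0x0"}}}},
    {"Event": {"System": {"EventID": {"#text": "4769"}}, "EventData": {"Data": {
        "TargetUserName": "jody@MAIN.LOCAL", "ServiceName": "CLIENT03$", "TicketEncryptionType": "0x00000012", "Status": "0x0"}}}},
    {"Event": {"System": {"EventID": {"#text": "4769"}}, "EventData": {"Data": {
        "TargetUserName": "jody@MAIN.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x00000017", "Status": "0x0"}}}},
    {"Event": {"System": {"EventID": {"#text": "4662"}}, "EventData": {"Data": {
        "SubjectUserName": "lucas", "AccessMask": "0x100",
        "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}}}},
    {"Event": {"System": {"EventID": {"#text": "4662"}}, "EventData": {"Data": {
        "SubjectUserName": "DC01$", "AccessMask": "0x100", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}}}},
]
# Extended rights that directory replication requires; a DCSync request asks for these.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

def _fields(ev):
    return ev["Event"]["System"]["EventID"]["#text"], ev["Event"]["EventData"]["Data"]

def kerberoast_candidates(events):
    """Successful EID 4769 requests for RC4 (0x17) service tickets to user-backed SPNs.
    Machine accounts ($) and krbtgt are skipped: their keys are not crackable targets."""
    hits = []
    for ev in events:
        eid, d = _fields(ev)
        if eid != "4769" or int(d["TicketEncryptionType"], 16) != 0x17 or d.get("Status", "0x0") != "0x0":
            continue
        svc = d["ServiceName"]
        if not svc.endswith("$") and not svc.lower().startswith("krbtgt"):
            hits.append((d["TargetUserName"], svc))
    return hits

def dcsync_candidates(events):
    """EID 4662 granting Control Access (0x100) on a replication right to a non-machine
    account: a user principal pulling directory changes the way a DC would."""
    hits = []
    for ev in events:
        eid, d = _fields(ev)
        if eid != "4662" or not int(d["AccessMask"], 16) & 0x100:
            continue
        matched = sorted(g for g in REPLICATION_GUIDS if g in d["Properties"].lower())
        if matched and not d["SubjectUserName"].endswith("$"):
            hits.append((d["SubjectUserName"], matched))
    return hits
```

On a real DC the machine-account exclusion matters in both functions: domain controllers legitimately request replication rights from each other, and those records are the noise the `$` check removes.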

Question 13: At what time did the attacker initially authenticate using the administrator account? (UTC)

To determine when the attacker first authenticated as Administrator, I reviewed successful logon events after the DCSync activity: Event.System.EventID.#text.keyword:"4624" and administrator and @timestamp >= "2025-05-25T04:26:36"

The first successful authentication using the Administrator account appears at 2025-05-25 04:34:01 UTC.

First successful authentication using the Administrator account

Therefore, the answer is: 2025-05-25 04:34:01.

Question 14: What is the name of the service created by the attacker on DC01 for persistence?

To identify persistence established after the domain compromise, I reviewed relevant events on DC01 after the first Administrator logon with the following filter: Event.System.EventID.#text.keyword:"1" and source_file.keyword:*Logs-DC* and @timestamp > "2025-05-25T04:34:01"

At 2025-05-25 04:43:01, the attacker creates a service named WindowsUpdateSvc, which is consistent with a persistence mechanism designed to blend in with legitimate Windows activity.

Persistence service created on DC01

Therefore, the answer is: WindowsUpdateSvc.

Question 15: What is the name of the scheduled task created by the attacker on DC01 for persistence?

To identify scheduled-task persistence, I filtered on Event ID 4698, which records task creation events, on the domain controller: Event.System.EventID.#text.keyword:"4698" and source_file.keyword:*Logs-DC* and @timestamp > "2025-05-25T04:34:01"

At 2025-05-25 04:38:53, a new scheduled task named WindowsUpdateCheck is created.

Scheduled task created for persistence on DC01

Therefore, the answer is: WindowsUpdateCheck.

Question 16: What is the registry key name created by the attacker on DC01 for persistence?

To identify registry-based persistence, I reviewed Sysmon Event ID 13, which records registry value modifications, on DC01 after the scheduled task creation: Event.System.EventID.#text.keyword:"13" and source_file.keyword:*Logs-DC* and @timestamp > "2025-05-25T04:38:53"

At 2025-05-25 04:40:09, the attacker creates a suspicious registry key/value for persistence named xcvafctr.

Registry-based persistence created on DC01

Therefore, the answer is: xcvafctr.
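An added example (not the writeup's own code) that applies the three persistence checks from Questions 14 to 16 to constructed DC01 records: sc.exe create in Sysmon Event ID 1 command lines, task creation in Security 4698, and Sysmon Event ID 13 writes under a Run key. The binary paths, the flattened event shape and the assumption that xcvafctr is a value name under a Run key are mine.

```python
import re

# Constructed DC01 events (not the challenge's real records), flattened to the fields each check
# needs; the persistence names are the ones the writeup reports, the binaries are invented.
DC01_EVENTS = [
    {"EventID": "1", "CommandLine": r'sc.exe create WindowsUpdateSvc binPath= "C:\Windows\Temp\svc.exe" start= auto'},
    {"EventID": "1", "CommandLine": "sc.exe query wuauserv"},
    {"EventID": "4698", "SubjectUserName": "Administrator", "TaskName": r"\WindowsUpdateCheck"},
    {"EventID": "13", "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcvafctr",
     "Details": r"C:\Windows\Temp\upd.exe"},
    {"EventID": "13", "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type",
     "Details": "NT5DS"},
]

# Value written directly under a Run or RunOnce key (assumed shape of the xcvafctr artifact).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
# "sc create <name> ..." in a process command line; the service name is the first argument.
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)", re.I)

def persistence_findings(events):
    """(mechanism, name, detail) for every event matching one of the three patterns from
    Questions 14 to 16; order follows the input so the result doubles as a mini timeline."""
    out = []
    for ev in events:
        eid = ev["EventID"]
        if eid == "1":
            m = SC_CREATE.search(ev.get("CommandLine", ""))
            if m:
                out.append(("service", m.group(1), ev["CommandLine"]))
        elif eid == "4698":
            out.append(("scheduled_task", ev["TaskName"].lstrip("\\"), ev.get("SubjectUserName", "")))
        elif eid == "13":
            m = RUN_KEY.search(ev.get("TargetObject", ""))
            if m:
                out.append(("run_key", m.group(2), ev.get("Details", "")))
    return out
```

The W32Time and `sc query` records are there as negatives: a Sysmon 13 write outside a Run key and an sc.exe invocation that creates nothing should both fall through.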

Conclusion

This investigation reconstructs a full Active Directory compromise starting from a phishing document and ending with domain persistence on the controller. The attacker used a staged payload, Active Directory enumeration, Kerberoasting, lateral movement, credential dumping, DCSync, and multiple persistence mechanisms to maintain long-term access.

Timeline

  • 2025-05-25 03:27:50: Profits.docm is downloaded on Client02.
  • 2025-05-25 03:29:04: WINWORD.EXE connects to 192.168.204.152:4444.
  • 2025-05-25 03:32:23: UpdatePolicy.exe appears as the second-stage payload.
  • 2025-05-25 03:37:05: powerview.ps1 is downloaded for AD enumeration.
  • 2025-05-25 03:42:33: the sqlsvc service account is targeted via Kerberoasting activity.
  • 2025-05-25 04:03:47: the cracked sqlsvc credentials are first used to log in.
  • 2025-05-25 04:05:12: VgYTbFEK.exe is created during Sysinternals-style lateral movement.
  • 2025-05-25 04:10:43: netdiag.exe (Mimikatz) is executed on Client03.
  • 2025-05-25 04:12:21: the attacker uses runas.exe with the lucas account.
  • 2025-05-25 04:26:36: the lucas account performs DCSync activity on the domain controller.
  • 2025-05-25 04:34:01: the attacker authenticates as Administrator.
  • 2025-05-25 04:38:53: a scheduled task named WindowsUpdateCheck is created on DC01.
  • 2025-05-25 04:40:09: the registry key/value xcvafctr is created for persistence.
  • 2025-05-25 04:43:01: the service WindowsUpdateSvc is created on DC01.