Day 15
Be it ever so heinous, there's no place like Domain Controller.

Ahead of SOC-mas, the team decided to do a routine security check of one of their Active Directory domain controllers. Upon some quick auditing, the team noticed something was off. Could it be? The domain controller has been breached? With sweat on their brows, the SOC team smashed the glass and hit the panic alarm. There's only one person who can save us...
Welcome to Day 15 of Advent of Cyber
Today we are dealing with Windows AD (Active Directory).
Start the machine and wait for the Windows machine to deploy.
Active Directory (AD) is a critical component of enterprise networks, managing and organizing information about network objects such as users, computers, and resources. It ensures secure access and centralized management through Directory Services, built on the Lightweight Directory Access Protocol (LDAP).
Key AD Components
Users, Groups, and Resources
Users: Individual accounts for people or services.
Groups: Collections of users for role-based access.
Resources: Devices like printers or file shares.
Building Blocks of AD
Domains: Logical groupings governed by shared policies.
Organizational Units (OUs): Containers for structured management.
Forest: A collection of domains sharing a schema.
Trust Relationships: Allow cross-domain or cross-forest access.
The Event Viewer is critical for tracking system and security events; logon activity lands in the Security log. Relevant event IDs for this task:
4624: Successful login.
4625: Failed login attempt.
4672: Privileged actions.
4768: TGT request (Kerberos).
Let's begin:
First we need to find the day Glitch_Malware last logged in.
For this, open Event Viewer -> Windows Logs -> Security, search for Glitch_Malware, and note the login date and the event ID:

Next, we need to read the PowerShell history of the Administrator account.
For that, go to %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine (for the Administrator account this expands to C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine)
and open ConsoleHost_history.txt

Here we can see the history.
Next, find the password that was set for Glitch_Malware:
Go to Event Viewer -> Application and Services Logs -> Windows PowerShell and read through the logged commands.

Finally, to find the name of the installed GPO, use this command to list all GPOs via PowerShell:
PS C:\Users\Administrator> Get-GPO -All
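The four checks above, collected into one PowerShell triage script as an added example (this is not part of the original room write-up). It assumes it is run on the domain controller as Administrator, that the GroupPolicy module (Get-GPO) is available there as it is on a DC, and that the account name Glitch_Malware is exact; the output still has to be read by hand.

```powershell
# Added example: automates the Day 15 checks on the domain controller.
# Assumption: run as Administrator on the DC, GroupPolicy module present.
$Suspect = 'Glitch_Malware'

# 1. Last successful logon (event 4624) for the suspect account, from the Security log.
#    The XPath filter matches the TargetUserName field of the event data.
$XPath  = "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='$Suspect']]"
$Logons = Get-WinEvent -LogName 'Security' -FilterXPath $XPath -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending
if ($Logons) {
    "Last 4624 logon for ${Suspect}: $($Logons[0].TimeCreated)"
} else {
    "No 4624 events found for $Suspect"
}

# 2. PowerShell command history of the Administrator account (PSReadLine keeps it per user).
$History = 'C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
if (Test-Path $History) {
    # Flag lines that enumerate or modify AD users, groups or GPOs.
    Get-Content $History |
        Select-String -Pattern 'Get-ADUser|New-ADUser|Add-ADGroupMember|Set-ADAccountPassword|New-GPO|Set-GPRegistryValue'
} else {
    "No PSReadLine history found at $History"
}

# 3. Password-setting activity recorded in the Windows PowerShell log
#    (Application and Services Logs -> Windows PowerShell); the message text carries the command.
Get-WinEvent -LogName 'Windows PowerShell' -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'password|SecureString' } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 4. All GPOs in the domain, newest first; an unfamiliar name or a recent creation time stands out.
Get-GPO -All |
    Sort-Object CreationTime -Descending |
    Select-Object DisplayName, CreationTime, ModificationTime, Owner |
    Format-Table -AutoSize
```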

Questions:
1. On what day was Glitch_Malware last logged in?
A: 07/11/2024
2. What event ID shows the login of the Glitch_Malware user?
A: 4624
3. Read the PowerShell history of the Administrator account. What was the command that was used to enumerate Active Directory users?
A: Get-ADUser -Filter * -Properties MemberOf | Select-Object Name
4. Look in the PowerShell log file located in Application and Services Logs -> Windows PowerShell. What was Glitch_Malware's set password?
A: SuperSecretP@ssw0rd!
5. Review the Group Policy Objects present on the machine. What is the name of the installed GPO?
A: Malicious GPO - Glitch_Malware Persistence
Stay tuned for Day 16, and happy hacking! 🎄
Thank you!