# Crown Jewel I

- PLATFORM: HTB
- CTF NAME: Crown Jewel I
- DIFFICULTY: Very Easy
- CTF LINK: https://app.hackthebox.com/sherlocks/CrownJewel-1
## SCENARIO

Forela’s domain controller is under attack. The Domain Administrator account is believed to be compromised, and it is suspected that the threat actor dumped the NTDS.dit database on the DC. We just received an alert of vssadmin being used on the DC; since this is not part of the routine schedule, we have good reason to believe that the attacker abused this LOLBIN utility to get the Domain environment’s crown jewel. Perform some analysis on the provided artifacts for a quick triage and, if possible, kick the attacker out as early as possible.
## Attackers can abuse the vssadmin utility to create volume shadow snapshots and then extract sensitive files like NTDS.dit to bypass security mechanisms. Identify the time when the Volume Shadow Copy service entered a running state.

- First, I wanted to analyze the format of the logs and see what properties are available. I was looking for logs related to the execution of services.
```powershell
PS C:\Users\user\Desktop\HTB Sherlocks\Very Easy\CrownJewel-1\Artifacts> Get-WinEvent -Path '*.evtx' | Select-Object -Property *
```

```text
...
Message : The Windows Modules Installer service entered the running state.
Id      : 7036
...
```
- Here’s part of the output for a random service. We see that the Event ID for a service that entered the running state is 7036. Based on this, we can filter for the string “Volume Shadow Copy” AND Event ID 7036.
```powershell
Get-WinEvent -Path '*.evtx' | Where-Object {$_.Id -eq 7036} | findstr "Volume*" | Format-List
```

```text
5/13/2024 8:42:16 PM 7036 Information The Volume Shadow Copy service entered the running state.
```
- Using a site like https://dateful.com/convert/utc, convert the date found to UTC to have the correct answer.
- Another method of finding this could be:

```powershell
Get-WinEvent -Path '*.evtx' | Where-Object {$_.Message -like "*volume shadow copy*" } | Select-Object -Property *
```
## When a volume shadow snapshot is created, the Volume Shadow Copy service validates the privileges using the Machine account and enumerates User groups. Find the two user groups the volume shadow copy process queries and the machine account that did it.

- After some googling, I came across this vssadmin documentation and noticed that the Volume Shadow Copy service runs as VSSVC.exe.
- Based on that, I filtered using the following query:

```powershell
Get-WinEvent -Path '*.evtx' | Where-Object {$_.Message -like "*vssvc*" } | Where-Object {$_.Message -like "*account name*" } | Format-List
```
- Looking through the results, there is exactly one account and two groups used for all the logs.
NOTE: PAY ATTENTION TO THE SPACES AFTER COMMA IN THE ANSWER, IT WON’T WORK IF YOU FORGET THE SPACES.
## Identify the Process ID (in Decimal) of the volume shadow copy service process.

- Using the command above, we are also returned a Process ID in hexadecimal for each log. Convert this to decimal.
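The first three questions can be triaged in one PowerShell pass instead of three separate queries plus a website for the time zone. This is an added example, not code from the original writeup; it assumes the exported .evtx files sit in `.\Artifacts` and that the VSSVC events carry `Account Name:`, `Group Name:` and `Process ID:` lines in their message body, as the Format-List output above shows.

```powershell
# Added example (not from the original writeup). Answers Q1-Q3 in one pass.
# Assumptions: .evtx files are in .\Artifacts, and the VSSVC events contain
# "Account Name:", "Group Name:" and "Process ID:" lines in the message body.
$events = Get-WinEvent -Path '.\Artifacts\*.evtx' -ErrorAction SilentlyContinue

# Q1: Service Control Manager 7036 for the VSS service. TimeCreated is local
# time, so also print UTC; the answer needs the UTC value.
$vssStart = $events |
    Where-Object { $_.Id -eq 7036 -and $_.Message -like '*Volume Shadow Copy*running state*' } |
    Sort-Object TimeCreated | Select-Object -First 1
"Q1 VSS running (local): {0}" -f $vssStart.TimeCreated
"Q1 VSS running (UTC)  : {0:yyyy-MM-dd HH:mm:ss}" -f $vssStart.TimeCreated.ToUniversalTime()

# Q2/Q3: events mentioning VSSVC together with an account name hold the
# machine account, the enumerated group and the hex process ID. [^\r\n]+
# keeps each regex match on its own line of the multi-line message.
$vssvcEvents = $events | Where-Object { $_.Message -match 'VSSVC' -and $_.Message -match 'Account Name' }
$rows = foreach ($e in $vssvcEvents) {
    $m = $e.Message
    $account = if ($m -match 'Account Name:\s+([^\r\n]+)')    { $Matches[1].Trim() } else { $null }
    $group   = if ($m -match 'Group Name:\s+([^\r\n]+)')      { $Matches[1].Trim() } else { $null }
    $pidHex  = if ($m -match 'Process ID:\s+(0x[0-9A-Fa-f]+)') { $Matches[1] }        else { $null }
    $pidDec  = if ($pidHex) { [Convert]::ToInt32($pidHex, 16) } else { $null }
    [pscustomobject]@{
        TimeUtc = $e.TimeCreated.ToUniversalTime()
        Id      = $e.Id
        Account = $account
        Group   = $group
        PidHex  = $pidHex
        PidDec  = $pidDec
    }
}
$rows | Format-Table -AutoSize

# Unique values across all matching events: one account, two groups, one PID.
"Q2 account: " + (($rows.Account | Select-Object -Unique) -join ', ')
"Q2 groups : " + (($rows.Group   | Select-Object -Unique) -join ', ')
"Q3 PID    : " + (($rows.PidDec  | Select-Object -Unique) -join ', ')
```

The Q2 line is joined with ", " on purpose, matching the answer format the note above warns about.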
## Find the assigned Volume ID/GUID value to the Shadow copy snapshot when it was mounted.

- I searched for “GUID”, but the right way would have been to look through event IDs 4, 9, 10, 300 and 303.

```powershell
Get-WinEvent -Path '*.evtx' | Where-Object {$_.Message -like "*GUID*" } | Where-Object {$_.Message -like "*mounted*" } | Format-List
```

```text
Volume correlation Id: {06c4a997-cca8-11ed-a90f-000c295644f9}
Volume name:
Volume label:
Device name: \Device\HarddiskVolumeShadowCopy1
```
## Identify the full path of the dumped NTDS database on disk.

- Dump the MFT file to CSV using MFTECmd:

```powershell
.\MFTECmd.exe -f '..\Very Easy\CrownJewel-1\Artifacts\C\$MFT' --csv . --csvf output.csv
```

- Then, import the CSV in Timeline Explorer for a better view.
- Search for `NTDS.dit`.
- Then take a look at the only entry from the day of the event (timestamp found in Q1):

```text
C:\Users\{REDACTED}\ntds.dit
```
## When was newly dumped ntds.dit created on disk?

- Answered in the question above; check the `Created` column.
## A registry hive was also dumped alongside the NTDS database. Which registry hive was dumped and what is its file size in bytes?

- Can be found by filtering by the same `Parent Path` location the ntds.dit file was found in.
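The last three questions can also be answered from the MFTECmd CSV in PowerShell rather than Timeline Explorer. This is an added example, not part of the original writeup; it assumes the column names MFTECmd writes (`FileName`, `ParentPath`, `FileSize`, `Created0x10`, `IsDirectory`, `InUse`), that `ParentPath` is volume-relative in the `.\Users\...` form, and that the attack day is 2024-05-13 as found in Q1.

```powershell
# Added example (not from the original writeup). Answers Q5-Q7 from the
# MFTECmd CSV. Assumed columns: FileName, ParentPath, FileSize, Created0x10,
# IsDirectory, InUse. Assumed ParentPath form: ".\Users\<name>".
$mft = Import-Csv -Path '.\output.csv'

# Q5/Q6: list every ntds.dit record, then keep the one created on the attack
# day (2024-05-13 from Q1). Created0x10 is the $STANDARD_INFORMATION creation
# time, i.e. the "Created" column in Timeline Explorer.
$ntdsAll = $mft | Where-Object { $_.FileName -ieq 'ntds.dit' }
$ntdsAll | Select-Object ParentPath, FileName, Created0x10, InUse | Format-Table -AutoSize

$dumped = $ntdsAll | Where-Object { $_.Created0x10 -like '2024-05-13*' } | Select-Object -First 1
if (-not $dumped) { throw 'No ntds.dit created on 2024-05-13 found in the MFT' }

# Rebuild the full on-disk path: strip the leading "." and prefix the drive.
$fullPath = 'C:' + $dumped.ParentPath.TrimStart('.') + '\' + $dumped.FileName
"Q5 path   : $fullPath"
"Q6 created: $($dumped.Created0x10)"

# Q7: other non-directory files in the same parent directory. The registry
# hive dumped alongside ntds.dit shows up here with its size in bytes.
$mft |
    Where-Object { $_.ParentPath -eq $dumped.ParentPath -and $_.IsDirectory -ne 'True' -and $_.FileName -ine 'ntds.dit' } |
    Select-Object FileName, @{ n = 'SizeBytes'; e = { [int64]$_.FileSize } }, Created0x10 |
    Format-Table -AutoSize
```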