DeeDee hears the screams,
In the logs, a chilling trace —
Freddy’s waiting near.
Nightmare on Hunt Street was a Forensics challenge released on Day #3 of the Huntress Labs Capture the Flag (CTF) competition. It comprised five parts derived from three provided files: Application.evtx, Security.evtx, and System.evtx.
Upon opening the files in Event Log Explorer, we found Application.evtx to be empty, leaving us just to investigate the Security and System logs.
(1) What is the IP address of the host that the attacker used?
In the Security logs, we observed a large number of Event ID (EID) 4776 and 4625 events within a short timeframe, which indicated a bruteforce attack. The target user was consistently identified as Jsmith.
From EID 4625, we noted that the remote hostname was KALI, while EID 4776 events attributed the IP address 10.1.1.42 to this system:
10.1.1.42
(2) How many times was the compromised account brute-forced?
There were three major spikes in events between 2024–09–24 12:06:30 to 2024–09–24 12:07:10 resulting in a total of 65 events across both EID 4776 and EID 4625.
Filtering specifically for EID 4625, which corresponds to “An account failed to log on”, we get 32 attempts to bruteforce the Jsmith account. A successful logon occurred at 2024–09–24 21:07:10, as recorded by a EID 4624 event.
32
(3) What is the name of the offensive security tool that was used to gain initial access?
Pivoting to the System logs, we noticed two EID 7045 events, indicating a service installation on the system. Both events were linked to the Security Identifier (SID) S-1–5–21–3792037069–2078677046–3387239386–1000 which belongs to Jsmith .
These events also occurred after the successful logon by the attacker at 2024–09–24 21:08:18 and 2024–09–24 21:11:18 and were treated with suspicion, as the Jsmith user was known to be compromised.
Examining the service creation events, we found that the executable names were randomised 8-character strings: MrEQbpfX[.]exe and wgWMRHln[.]exe. This service names were similarly randomised, with 4-characters names: WREx and fdpa.
Research into these patterns confirmed the attack tool used was Impacket, specifically PSEXEC which creates and subsequently deletes a Windows service with a random 4-character mixed-case name referencing an 8-character mixed-case name within %SystemRoot% [1].
impacket-psexec
(4) How many unique enumeration commands were run with net.exe?
Returning to the Security logs, we filtered for “net.exe” starting from the logon time of Jsmith . Several EID 4688 events aligned to process creation revealed the following enumeration commands:
net user
net localgroup
net shareThese commands enumerated local useres, local groups, and available shares on the system, confirming further malicious activity after Jsmith was compromised.
3
(5) What password was successfully given to the user created?
Further investigation of EID 4688 events following the enumeration activity revealed the creation of a new user at 2024–09–24 21:09:49:
The new user was named susan_admin, with the password SusanIsStrong123.
SusanIsStrong123
Summary
In this challenge, we used Event Log Explorer to identify a remote attacker who had brute-forced the Jsmith user’s credentials. The attacker leveraged Impacket’s PSEXEC module to gain initial access into the environment and performed further reconnaissance using net.exe commands to enumerate local users, groups, and shares. Finally, the attacker added a high-privileged user, susan_admin, for persistence.
Below are some resources that were helpful during the invesigation:
[1] Impacket Exec Commands Cheat Sheet — 13Cubed. https://13cubed.s3.amazonaws.com/downloads/impacket_exec_commands_cheat_sheet.pdf
[2] Ultimate Windows Security — Windows Event IDs. https://www.ultimatewindowssecurity.com/
[3] Security Identifiers (SIDs) — Microsoft Documentation. https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
