Hack The Box – Sherlock – CrownJewel-2

https://app.hackthebox.com/sherlocks/CrownJewel-2/

In this challenge we will be working with some more event logs. I tried going through this with Chainsaw again but it seemed less effective. I think I need some more practice with hunting for things I do not know using Chainsaw.

Task 1

When utilizing ntdsutil.exe to dump NTDS on disk, it simultaneously employs the Microsoft Shadow Copy Service. What is the most recent timestamp at which this service entered the running state, signifying the possible initiation of the NTDS dumping process?

For this, we look for the most recent (latest) Service Control Manager event in the System log reporting that the Volume Shadow Copy service entered the running state (Event ID 7036).

Once we find it, we open the Details tab and read the SystemTime attribute of TimeCreated under the System section; this value is recorded in UTC, independent of the display timezone.

There does not seem to be a way (that I can find) to change the Date and Time view to UTC or a different timezone. I have no idea why this isn’t a thing…

2024-05-15 05:39:55

Task 2

Identify the full path of the dumped NTDS file.

Searching the Application log for ntds.dit, we find ESENT Event ID 325, "The database engine created a new database." Its event data gives the name and full path of the new database.

C:\Windows\Temp\dump_tmp\Active Directory\ntds.dit

Task 3

When was the database dump created on the disk?

As before, we open the Details tab of that ESENT 325 event and expand the System section to read the TimeCreated SystemTime.

2024-05-15 05:39:56

Task 4

When was the newly dumped database considered complete and ready for use?

Looking at the ESENT events surrounding the database creation, we find Event ID 327, "The database engine detached a database." The detach is the point at which the dumped copy is consistent and ready for use.

Looking at the system details of this log, we get our timestamp.

2024-05-15 05:39:58

I do not know if the 2 second timeframe is relevant. That is something I will look into.

Task 5

Event logs use event sources to track events coming from different sources. Which event source provides database status data like creation and detachment?

We already touched on this before: all of these database events come from the ESENT source (the Extensible Storage Engine that backs ntds.dit).

ESENT

Task 6

When ntdsutil.exe is used to dump the database, it enumerates certain user groups to validate the privileges of the account being used. Which two groups are enumerated by the ntdsutil.exe process? Also, find the Logon ID so we can easily track the malicious session in our hunt.

We already know this answer from the first challenge, but we can find it again by looking in the Security log for group-membership enumeration events (Event ID 4799) whose caller process is ntdsutil.exe. The same events carry the Subject Logon ID of the session that ran the tool.

For some reason this answer is very picky and you need to have Administrators first, probably because that’s the order they show up in the logs?

Administrators, Backup Operators, 0x8DE3D

Task 7

Now you are tasked to find the Login Time for the malicious Session. Using the Logon ID, find the Time when the user logon session started.

Alright, so we know the Logon ID is 0x8DE3D. A Logon ID identifies a session rather than a set of credentials, so we look through the Security log for the logon event (Event ID 4624) whose Target Logon ID matches; that event marks the start of the session.

Same as before, once we find the log, we will dig into the system details and find the time created.

2024-05-15 05:36:31
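The whole hunt above (Tasks 1 through 7) is a correlation over a handful of event IDs, so here it is as a small Python script. This is an added example and not part of the original write-up or of Hack The Box material: it parses event records in the XML layout Event Viewer shows under Details > XML View, and the records it is run against are constructed to mirror the timeline in this post, with their Data fields simplified (a real ESENT 325 record carries more fields than the two shown). The event IDs it keys on are the real ones: Service Control Manager 7036, ESENT 325 and 327, Security 4799 and 4624.

```python
"""Correlate the CrownJewel-2 artefacts (Tasks 1-7) from Event Viewer XML records.
Added example, not from the original write-up. Record layout is Event Viewer's
Details > XML View; the sample records built at the bottom are constructed and
their Data fields simplified (a real ESENT 325 carries more fields)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/events/event"}
SEC = "Microsoft-Windows-Security-Auditing"
SCM = "Service Control Manager"

def parse_systemtime(ts):
    """TimeCreated/@SystemTime is UTC with up to 7 fractional digits; %f takes only 6."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)

def parse_event(xml_text):
    """Flatten one <Event> into provider, id, UTC time, named and positional Data."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    named, positional = {}, []
    for d in root.iterfind("e:EventData/e:Data", NS):
        if d.get("Name"):
            named[d.get("Name")] = d.text or ""
        else:
            positional.append(d.text or "")
    return {"provider": sysnode.find("e:Provider", NS).get("Name"),
            "id": int(sysnode.find("e:EventID", NS).text),
            "time": parse_systemtime(sysnode.find("e:TimeCreated", NS).get("SystemTime")),
            "named": named, "positional": positional}

def latest_vss_running(events):
    """Task 1: newest SCM 7036 in which Volume Shadow Copy entered the running state."""
    return max((e["time"] for e in events
                if e["provider"] == SCM and e["id"] == 7036
                and e["named"].get("param1") == "Volume Shadow Copy"
                and e["named"].get("param2") == "running"), default=None)

def ntds_dump_window(events):
    """Tasks 2-4: (path, created, detached) from the ESENT 325/327 pair naming ntds.dit."""
    def mentions_ntds(e):
        return any("ntds.dit" in v.lower() for v in e["positional"])
    ordered = sorted(events, key=lambda e: e["time"])
    created = next((e for e in ordered
                    if e["provider"] == "ESENT" and e["id"] == 325 and mentions_ntds(e)), None)
    if created is None:
        return None
    detached = next((e for e in ordered if e["provider"] == "ESENT" and e["id"] == 327
                     and e["time"] >= created["time"] and mentions_ntds(e)), None)
    path = next(v for v in created["positional"] if "ntds.dit" in v.lower())
    return path, created["time"], detached["time"] if detached else None

def ntdsutil_group_enumeration(events):
    """Task 6: groups enumerated by ntdsutil.exe (Security 4799) in log order, plus LogonIds."""
    hits = [e for e in sorted(events, key=lambda e: e["time"])
            if e["provider"] == SEC and e["id"] == 4799
            and e["named"].get("CallerProcessName", "").lower().endswith("\\ntdsutil.exe")]
    return ([e["named"]["TargetUserName"] for e in hits],
            {e["named"]["SubjectLogonId"] for e in hits})

def logon_start(events, logon_id):
    """Task 7: time of the Security 4624 that created the session carrying logon_id."""
    return next((e["time"] for e in events
                 if e["provider"] == SEC and e["id"] == 4624
                 and e["named"].get("TargetLogonId", "").lower() == logon_id.lower()), None)

def _rec(provider, event_id, when, *positional, **named):
    """Build one constructed <Event> in the XML View layout (sample data only)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in named.items())
    data += "".join(f"<Data>{v}</Data>" for v in positional)
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/></System>'
            f"<EventData>{data}</EventData></Event>")

NTDS = r"C:\Windows\Temp\dump_tmp\Active Directory\ntds.dit"
NTDSUTIL = r"C:\Windows\System32\ntdsutil.exe"
EVENTS = [parse_event(x) for x in [  # constructed timeline; every SystemTime is UTC
    _rec(SEC, 4624, "2024-05-15T05:36:31.0000000Z", TargetUserName="Administrator",
         TargetLogonId="0x8DE3D", LogonType="3"),
    _rec(SCM, 7036, "2024-05-14T22:10:02.0000000Z",  # an earlier, unrelated VSS start
         param1="Volume Shadow Copy", param2="running"),
    _rec(SEC, 4799, "2024-05-15T05:39:54.0000000Z", TargetUserName="Administrators",
         SubjectLogonId="0x8DE3D", CallerProcessName=NTDSUTIL),
    _rec(SEC, 4799, "2024-05-15T05:39:54.1000000Z", TargetUserName="Backup Operators",
         SubjectLogonId="0x8DE3D", CallerProcessName=NTDSUTIL),
    _rec(SCM, 7036, "2024-05-15T05:39:55.0000000Z", param1="Volume Shadow Copy", param2="running"),
    _rec("ESENT", 325, "2024-05-15T05:39:56.0000000Z", "ntdsutil", NTDS),
    _rec("ESENT", 327, "2024-05-15T05:39:58.0000000Z", "ntdsutil", NTDS),
]]
```

On a live host the same records come straight out of PowerShell: Get-WinEvent with a FilterHashtable of LogName, ProviderName and Id (for example the System log, Service Control Manager, 7036, or the Application log, ESENT, 325 and 327) returns EventLogRecord objects whose ToXml() output is exactly what parse_event accepts. Note that the group order Task 6 wants falls out of sorting the 4799 events by SystemTime, and that the 4624 lookup matches on TargetLogonId rather than on the account name, because the account can have several concurrent sessions.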
