[Day 23] Blue Teaming PowershELlF Magic | Advent of Cyber 3 (2021)

Febi Mudiyanto
3 min read · Jan 4, 2022

It’s like a super power shell.
But today we will not be interacting with PowerShell itself. We will be learning how to look for PowerShell logging.

Let’s find out what the attacker did with PowerShell.

# What command was executed as Elf McNealy to add a new user to the machine?

Invoke-Nightmare

The best way to find a needle in a haystack is to use your “magnet”. So, in the Event Log we must narrow down to a specific time range and then search with the Advanced Options.

Then, search for a command that creates a new user.

# What user executed the PowerShell file to send the password.txt file from the administrator’s desktop to a remote server?

adm1n

# What was the IP address of the remote server? What was the port used for the remote connection? (format: IP,Port)

10.10.148.96,4321

# What was the encryption key used to encrypt the contents of the text file sent to the remote server?

j3pn50vkw21hhurbqmxjlpmo9doiukyb

# What application was used to delete the password.txt file?

sdelete.exe

# What is the date and timestamp the logs show that password.txt was deleted? (format: MM/DD/YYYY H:MM:SS PM)

11/11/2021 7:29:27 PM

# What were the contents of the deleted password.txt file?

Mission Control: letitsnowletitsnowletitsnow

We know the “keyword”, so we use the Advanced Options to filter again.

We get the encrypted value and use the encryption key from the earlier question together with the decryptor to decrypt the value.

Just run decryptor.ps1 in PowerShell.
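The same filtering the post does by hand in Event Viewer (narrow the time window, then search for a keyword such as a user-creation command, the file name or the deletion tool) can be scripted. The block below is an added example written for this walkthrough, not code from the original post or from the room; the `Find-ScriptBlock` function name, the time window and the search patterns are assumptions constructed for illustration.

```powershell
# Added example (not from the original post): filter PowerShell script-block logs
# (event ID 4104 in Microsoft-Windows-PowerShell/Operational) by a time window and
# a keyword, the "magnet" the post applies through Event Viewer's Advanced Options.
# Requires Script Block Logging to be enabled on the host being examined.

function Find-ScriptBlock {
    param(
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        [Parameter(Mandatory)] [string]   $Pattern   # regex matched against the logged script text
    )

    # Script Block Logging writes the full script text into event 4104.
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Start
        EndTime   = $End
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        ForEach-Object {
            # Properties[2] of a 4104 event holds the ScriptBlockText; show its first lines
            $text = [string]$_.Properties[2].Value
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $_.UserId          # SID of the account that ran the script
                Script = (($text -split "`n")[0..4]) -join "`n"
            }
        }
}

# Constructed window around the timestamp the post found for the deletion (11/11/2021 7:29:27 PM)
$window = @{ Start = [datetime]'2021-11-11 19:00:00'; End = [datetime]'2021-11-11 20:00:00' }

# 1) First question: a command that adds a new user
Find-ScriptBlock @window -Pattern 'New-LocalUser|net\s+user\s+\S+\s+\S+\s+/add|Add-LocalGroupMember'

# 2) Later questions: the file that was sent and the tool that deleted it
Find-ScriptBlock @window -Pattern 'password\.txt|sdelete'

# Cross-check in the Security log: event 4720 is written when an account is created,
# and its Message names both the new account and the account that created it.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $window.Start; EndTime = $window.End } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Reading the Security log needs an elevated prompt; the PowerShell Operational log is readable by a standard user on most systems. The regex patterns are only a starting point: once the first hit reveals the attacker's naming (the account name, the script path, the remote IP), feed those values back in as the next keyword, which is exactly the iterative filtering the post describes.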

# Conclusion

Diving into Event Viewer is hard if you are not using the Advanced Options (filters). Learn more about this tool and get better at reading the event logs.
