
HTB Sherlock: Logjammer


🏷 ctf sherlock-logjammer sherlock-cat-dfir forensics dfir hackthebox evtxecmd windows event-logs win-event-4624 jq win-event-2004 win-event-2005 win-event-2006 win-event-2010 win-event-2033 win-event-2051 win-event-4719 win-event-4698 win-event-1116 win-event-1117 win-event-4103 win-event-4104 win-event-1102 win-event-104
May 16, 2024

HTB Sherlock: Logjammer is a neat look at some Windows event log analysis. I’ll start with five event logs, security, system, Defender, firewall, and PowerShell, and use EvtxECmd.exe to convert them to JSON. Then I’ll slice them using JQ and some Bash to answer 12 questions about a malicious user on the box, showing their logon, uploading Sharphound, modifying the firewall, creating a scheduled task, running a PowerShell script, and clearing some event logs.

Challenge Info

Name: Logjammer (Play on HackTheBox)
Release Date: 13 November 2023
Retire Date: 16 May 2024
Difficulty: Easy
Category: DFIR
Creator:

Background
Scenario

You have been presented with the opportunity to work as a junior DFIR consultant for a big consultancy. However, they have provided a technical assessment for you to complete. The consultancy Forela-Security would like to gauge your knowledge of Windows Event Log Analysis. Please analyse and report back on the questions they have asked.

Notes from the scenario:

I’ll expect Event Logs.


Not much background here; it’s more of a follow-the-questions task.

Questions
To solve this challenge, I’ll need to answer the following 12 questions:

1. When did user cyberjunkie successfully log into his computer? (UTC)
2. The user tampered with firewall settings on the system. Analyze the firewall event logs to find out the Name of the firewall rule added?
3. What’s the direction of the firewall rule?
4. The user changed audit policy of the computer. What’s the Subcategory of this changed policy?
5. The user “cyberjunkie” created a scheduled task. What’s the name of this task?
6. What’s the full path of the file which was scheduled for the task?
7. What are the arguments of the command?
8. The antivirus running on the system identified a threat and performed actions on it. Which tool was identified as malware by antivirus?
9. What’s the full path of the malware which raised the alert?
10. What action was taken by the antivirus?
11. The user used Powershell to execute commands. What command was executed by the user?
12. We suspect the user deleted some event logs. Which Event log file was cleared?

Artifact Background
I’m given five different event logs:

- Powershell-Operational - Records of PowerShell activity on the system, and can include commands executed, scripts run, and any errors or warnings generated during their execution.
- Security - Records related to security events on the system, including user authentication, privilege changes, account management, and security policy changes.
- System - Captures system-level events such as startup and shutdown processes, driver and service failures, hardware configuration changes, and system resource utilization.
- Windows Defender-Operational.evtx - Documents the activities and status of Windows Defender, including malware detections, scans, updates, and any other security-related events managed by Windows Defender.
- Windows Firewall-Firewall - Logs firewall-related events such as allowed and blocked network connections, rule changes, and firewall service startup and shutdown events.

Each of these will have many event ids within them.

Tools
These Windows Event Log files are a binary format that I’ll need to
either convert to something useful to work with, or log into the
Windows Event Log Viewer. I much prefer working from the Linux
command line, so I’ll use EvtxECmd.exe (a Zimmerman tool) to convert
the logs from this binary format to JSON. Then I can work with jq ,
along with grep and other Bash utilities.

Data
The given data has the five log files:

oxdf@hacky$ unzip -l logjammer.zip
Archive: logjammer.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2023-07-21 11:33   Event-Logs/
 12652544  2023-03-27 15:00   Event-Logs/Powershell-Operation
  1118208  2023-03-27 14:53   Event-Logs/Security.evtx
  2166784  2023-03-27 15:02   Event-Logs/System.evtx
  1118208  2023-03-27 14:53   Event-Logs/Windows Defender-Ope
  1118208  2023-03-27 14:53   Event-Logs/Windows Firewall-Fir
---------                     -------
 18173952                     6 files
I’ll parse these to JSON with EvtxECmd.exe:

PS Z:\hackthebox-sherlocks\logjammer > C:\Tools\ZimmermanTool
EvtxECmd version 1.5.0.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/evtx

Command line: -d .\Event-Logs\ --json .

json output will be saved to .\20240511121627_EvtxECmd_Output

Maps loaded: 438

Looking for event log files in .\Event-Logs\

This leaves a single file with 4251 logs:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | jq -c .
4251

Results
Login (Task 1)

When did the cyberjunkie user first successfully log into his computer? (UTC)

Filter 4624 Events

Successful logon events (or “An account was successfully logged on”)
are event id 4624. I’ll look at the first log and see that the event id is
stored in a field named EventId :

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | jq -s
{
  "PayloadData1": ": @{Windows.CBSPreview_10.0.19041.1023_neu
  "PayloadData2": "",
  "PayloadData3": "Direction: Outbound",
  "PayloadData4": "Action: Block",
  "PayloadData5": "Protocol: All",
  "RemoteHost": "*: ",
  "MapDescription": "A rule has been added to the Windows Def
  "ChunkNumber": 0,
  "Computer": "DESKTOP-887GK2L",
  "Payload": "{\"EventData\":{\"Data\":[{\"@Name\":\"RuleId\"
  "UserId": "S-1-5-19",
  "Channel": "Microsoft-Windows-Windows Firewall With Advance
  "Provider": "Microsoft-Windows-Windows Firewall With Advanc
  "EventId": 2004,
  "EventRecordId": "192",
  "ProcessId": 2836,
  "ThreadId": 4100,
  "Level": "Info",
  "Keywords": "0x8000020000000000",
  "SourceFile": ".\\Event-Logs\\Windows Firewall-Firewall.evt
  "ExtraDataOffset": 0,
  "HiddenRecord": false,
  "TimeCreated": "2023-02-01T00:59:07.7193859+00:00",
  "RecordNumber": 1
}

The records are stored as JSON lines. That means each line holds one event, starting with { and ending with } . To read just one of these, I’m using -s with jq , which slurps the lines into a list of events, and then I can select the first one with .[0] .

Given that I want EventId to be 4624, I’ll use a jq keyword select :

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | jq -c
67

This filters down to 67 logs (using -c to output one log per line so that
wc -l will count logs).

Filter For CyberJunkie

I’ll check out the first log:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | jq -c
{
  "PayloadData1": "Target: NT AUTHORITY\\SYSTEM",
  "PayloadData2": "LogonType 0",
  "PayloadData3": "LogonId: 0x3E7",
  "PayloadData4": "AuthenticationPackageName: -",
  "PayloadData5": "LogonProcessName: -",
  "UserName": "-\\-",
  "RemoteHost": "- (-)",
  "ExecutableInfo": "",
  "MapDescription": "Successful logon",
  "ChunkNumber": 0,
  "Computer": "DESKTOP-887GK2L",
  "Payload": "{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectU
  "Channel": "Security",
  "Provider": "Microsoft-Windows-Security-Auditing",
  "EventId": 4624,
  "EventRecordId": "13036",
  "ProcessId": 780,
  "ThreadId": 784,
  "Level": "LogAlways",
  "Keywords": "Audit success",
  "SourceFile": ".\\Event-Logs\\Security.evtx",
  "ExtraDataOffset": 0,
  "HiddenRecord": false,
  "TimeCreated": "2023-03-27T14:37:08.6008290+00:00",
  "RecordNumber": 17
}

The user logging in is a part of the Payload field. I’ll filter more to get
logs where CyberJunkie is in that field with the test function, which
applies a regex and returns True or False:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | jq -c
4

Awesome, it’s down to four logs. There are two different timestamps if I
drop the fractional seconds:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | jq '.
"2023-03-27T14:37:09.8798913+00:00"
"2023-03-27T14:37:09.8799405+00:00"
"2023-03-27T14:38:32.9374236+00:00"
"2023-03-27T14:38:32.9374588+00:00"

The first time CyberJunkie logged in was 27/03/2023 14:37:09.
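The same 4624 filter in Python, as an added example that is not from the original post or from EvtxECmd: it reads the JSON-lines output, and instead of a regex over the whole Payload string it parses Payload and matches on the 4624 TargetUserName field, so a hit on SubjectUserName alone does not count as the user’s own logon. The sample records are constructed; the layout (EventId, TimeCreated, Payload holding EventData.Data as @Name/#text pairs) follows the EvtxECmd output shown above.

```python
import json
import re
from datetime import datetime


def _event(event_id, time_created, target_user):
    """Build one constructed EvtxECmd-style record (Payload is a JSON string)."""
    payload = {"EventData": {"Data": [
        {"@Name": "SubjectUserName", "#text": "DESKTOP-887GK2L$"},
        {"@Name": "TargetUserName", "#text": target_user},
    ]}}
    return json.dumps({"EventId": event_id, "Channel": "Security",
                       "TimeCreated": time_created, "Payload": json.dumps(payload)})


# Constructed sample of the JSON-lines file (not the challenge data): a SYSTEM
# logon, a failed logon (4625) for CyberJunkie, and two real CyberJunkie logons.
SAMPLE_JSONL = "\n".join([
    _event(4624, "2023-03-27T14:37:08.6008290+00:00", "SYSTEM"),
    _event(4625, "2023-03-27T14:37:09.1000000+00:00", "CyberJunkie"),
    _event(4624, "2023-03-27T14:37:09.8798913+00:00", "CyberJunkie"),
    _event(4624, "2023-03-27T14:38:32.9374236+00:00", "cyberjunkie"),
])


def load_events(jsonl_text):
    """Each non-empty line of EvtxECmd --json output is one event object."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def payload_fields(event):
    """Flatten Payload.EventData.Data ([{'@Name': .., '#text': ..}, ...]) to a dict."""
    data = json.loads(event.get("Payload") or "{}").get("EventData", {}).get("Data", [])
    if isinstance(data, dict):  # guard: a single Data element may arrive unwrapped
        data = [data]
    return {d.get("@Name"): d.get("#text") for d in data if isinstance(d, dict)}


def successful_logons(events, user):
    """4624 events whose TargetUserName is `user` (case-insensitive), oldest first."""
    hits = [e for e in events if e.get("EventId") == 4624
            and (payload_fields(e).get("TargetUserName") or "").lower() == user.lower()]
    return sorted(hits, key=lambda e: e["TimeCreated"])


def first_logon_utc(events, user):
    """First logon as 'DD/MM/YYYY HH:MM:SS' (the format the task wants), or None."""
    hits = successful_logons(events, user)
    if not hits:
        return None
    # EvtxECmd writes 7 fractional digits; datetime.fromisoformat on Python < 3.11
    # accepts at most 6, so trim the fraction before parsing
    ts = re.sub(r"(\.\d{6})\d+", r"\1", hits[0]["TimeCreated"])
    return datetime.fromisoformat(ts).strftime("%d/%m/%Y %H:%M:%S")


if __name__ == "__main__":
    evts = load_events(SAMPLE_JSONL)
    print(len(successful_logons(evts, "cyberjunkie")), "logons; first at",
          first_logon_utc(evts, "cyberjunkie"))
```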

Firewall Manipulation (Tasks 2 - 3)

The user tampered with firewall settings on the system. Analyze the firewall event logs to find out the Name of the firewall rule added?

What’s the direction of the firewall rule?

Find Correct Event Id

I’ll grep the log lines for “firewall” (case insensitive) and look at the first log:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep -i
{
  "PayloadData1": ": @{Windows.CBSPreview_10.0.19041.1023_neu
  "PayloadData2": "",
  "PayloadData3": "Direction: Outbound",
  "PayloadData4": "Action: Block",
  "PayloadData5": "Protocol: All",
  "RemoteHost": "*: ",
  "MapDescription": "A rule has been added to the Windows Def
  "ChunkNumber": 0,
  "Computer": "DESKTOP-887GK2L",
  "Payload": "{\"EventData\":{\"Data\":[{\"@Name\":\"RuleId\"
  "UserId": "S-1-5-19",
  "Channel": "Microsoft-Windows-Windows Firewall With Advance
  "Provider": "Microsoft-Windows-Windows Firewall With Advanc
  "EventId": 2004,
  "EventRecordId": "192",
  "ProcessId": 2836,
  "ThreadId": 4100,
  "Level": "Info",
  "Keywords": "0x8000020000000000",
  "SourceFile": ".\\Event-Logs\\Windows Firewall-Firewall.evt
  "ExtraDataOffset": 0,
  "HiddenRecord": false,
  "TimeCreated": "2023-02-01T00:59:07.7193859+00:00",
  "RecordNumber": 1
}

The SourceFile attribute seems like a good one to filter on. I’ll just use
grep:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep "W
    490 2004
     76 2005
    315 2006
     32 2010
      8 2033
      8 2051

I’ve got a handful of event ids to look up:

- 2004: A rule has been added to the Windows Firewall exception list.
- 2005: A rule has been modified in the Windows Firewall exception list.
- 2006: A rule has been deleted in the Windows Firewall exception list.
- 2010: Network profile changed on an interface.
- 2033: All rules have been deleted from the Windows Firewall configuration on this computer.
- 2051: Couldn’t find documentation on this one, but this forum post suggests they come in pairs with the 2033.

Find Addition

Given that the user logged on and added a rule, I’m looking for a 2004
after 2023-03-27T14:37:09. I can filter both of those with jq :

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep "W
"2023-03-27T14:37:35.4692787+00:00"
"2023-03-27T14:37:35.4701846+00:00"
"2023-03-27T14:44:43.4157021+00:00"

There’s only three logs left. A quick inspection of the format of the logs
shows the data to pull:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep "W
[": Microsoft Edge","Direction: Inbound","Action: Block","Pro
[": Microsoft Edge","Direction: Outbound","Action: Block","Pr
[": Metasploit C2 Bypass","Direction: Outbound","Action: Allo

Task 2 is “Metasploit C2 Bypass”, and Task 3 is “Outbound”.

Audit Policy (Task 4)

The user changed audit policy of the computer. What’s the Subcategory of this changed policy?

The event log for System audit policy was changed is event id 4719. There’s only one of these:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | jq -c
1
oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | jq 'sel
{
  "PayloadData1": "CategoryId: %%8274 SubcategoryId: %%12804"
  "PayloadData2": "SubcategoryGuid: 0cce9227-69ae-11d9-bed3-5
  "PayloadData3": "AuditPolicyChanges: %%8449",
  "UserName": "WORKGROUP\\DESKTOP-887GK2L$",
  "MapDescription": "System audit policy was changed",
  "ChunkNumber": 0,
  "Computer": "DESKTOP-887GK2L",
  "Payload": "{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectU
  "Channel": "Security",
  "Provider": "Microsoft-Windows-Security-Auditing",
  "EventId": 4719,
  "EventRecordId": "13102",
  "ProcessId": 780,
  "ThreadId": 1488,
  "Level": "LogAlways",
  "Keywords": "Audit success",
  "SourceFile": ".\\Event-Logs\\Security.evtx",
  "ExtraDataOffset": 0,
  "HiddenRecord": false,
  "TimeCreated": "2023-03-27T14:50:03.7218352+00:00",
  "RecordNumber": 83
}

PayloadData2 gives “SubcategoryGuid: 0cce9227-69ae-11d9-bed3-505054503030”. Searching for that GUID returns this Microsoft page, which shows it as “Other Object Access Events”.

I originally tried just Other Object Access, but the placeholder showed I needed one more word.

Scheduled Task (Tasks 5 - 7)

The user “cyberjunkie” created a scheduled task. What’s the name of this task?

What’s the full path of the file which was scheduled for the task?

What are the arguments of the command?

The event code for A scheduled task was created is 4698. There’s only
one of these in the dataset:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | jq -c
1

The task name is available in PayloadData1 , the answer to Task 5:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | jq 'sel
"TaskName: \\HTB-AUTOMATION"

I can go further and get the XML for the scheduled task, including the script that’s run, from Payload . That then needs to be converted from JSON, pull out the TaskContent , then get the #text , HTML decode, remove the stray characters, and lint with XML:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | jq -r
<?xml version="1.0" encoding="UTF-16"?>
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit
  <RegistrationInfo>
    <Date>2023-03-27T07:51:21.4599985</Date>
    <Author>DESKTOP-887GK2L\CyberJunkie</Author>
    <Description>practice</Description>
    <URI>\HTB-AUTOMATION</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-03-27T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>LeastPrivilege</RunLevel>
      <UserId>DESKTOP-887GK2L\CyberJunkie</UserId>
      <LogonType>InteractiveToken</LogonType>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPoli
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatter
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailab
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\CyberJunkie\Desktop\Automation-HTB.ps
      <Arguments>-A cyberjunkie@hackthebox.eu</Arguments>
    </Exec>
  </Actions>
</Task>

The command is C:\Users\CyberJunkie\Desktop\Automation-HTB.ps1 (Task 6), and the arguments are -A cyberjunkie@hackthebox.eu (Task 7).

Defender (Tasks 8 - 10)

Isolate Defender Logs

One of the file names was Windows Defender-Operational.evtx . I’ll grep for that to just get those logs:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep "W
444

There are many different EventId values in these logs:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep "W
      5 1000
      5 1001
      1 1013
    139 1116
     71 1117
     13 1150
     18 1151
     18 2000
      2 2002
     11 2010
      3 2014
      3 5000
      3 5001
    152 5007

Filter By Time

There’s a lot of different log types there, so before I figure out what
each of these are, I’m going to assume I’m still looking at events that
happen after that first login. That reduces the logs to look at from 444
to 11:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep "W
11
oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep "W
      2 1116
      2 1117
      7 5007

This page documents all the event id values for Defender logs:

- 1116 - MALWAREPROTECTION_STATE_MALWARE_DETECTED
- 1117 - MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN
- 5007 - MALWAREPROTECTION_CONFIG_CHANGED

1116

Starting with the 1116 logs, I’ll pull the interesting parts out of each:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep "W
{
  "Name": "Malware name: HackTool:PowerShell/SharpHound.B",
  "User": "Detection User: DESKTOP-887GK2L\\CyberJunkie",
  "ExeInfo": "containerfile:_C:\\Users\\CyberJunkie\\Download
  "CreationTime": "2023-03-27T14:42:34.2909353+00:00"
}
{
  "Name": "Malware name: HackTool:MSIL/SharpHound!MSR",
  "User": "Detection User: DESKTOP-887GK2L\\CyberJunkie",
  "ExeInfo": "containerfile:_C:\\Users\\CyberJunkie\\Download
  "CreationTime": "2023-03-27T14:42:34.2927169+00:00"
}

It’s two detections for the same binary, which is SharpHound (Task 8),
detected as a Zip file at
C:\Users\CyberJunkie\Downloads\SharpHound-v1.1.0.zip (Task 9).

1117

Event Id 1117 is very similar to 1116, but this one has the action in the
.Payload . To get to it, I’ll need to select it and then convert that
fromjson , and process it more in a rather annoying way. The cheat is
to just grep :

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep "W
{
  "@Name": "Action Name",
  "#text": "Quarantine"
--
{
  "@Name": "Action Name",
  "#text": "Quarantine"

The action taken was quarantine (Task 10). A pretty jq way to do it is:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep "W
"Quarantine"
"Quarantine"

Or I can put it all together with:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep "W
{
  "Name": "Malware name: HackTool:MSIL/SharpHound!MSR",
  "User": "Detection User: DESKTOP-887GK2L\\CyberJunkie",
  "ExeInfo": "containerfile:_C:\\Users\\CyberJunkie\\Download
  "Action": "Quarantine",
  "CreationTime": "2023-03-27T14:42:48.3526591+00:00"
}
{
  "Name": "Malware name: HackTool:MSIL/SharpHound!MSR",
  "User": "Detection User: DESKTOP-887GK2L\\CyberJunkie",
  "ExeInfo": "containerfile:_C:\\Users\\CyberJunkie\\Download
  "Action": "Quarantine",
  "CreationTime": "2023-03-27T14:42:48.3536643+00:00"
}
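Both of the nested-Payload extractions above, the 4698 TaskContent XML (Tasks 5 - 7) and the Defender 1117 “Action Name” (Task 10), in Python as an added example that is not from the original post or from EvtxECmd. It walks Payload.EventData.Data by @Name, HTML-decodes TaskContent, strips the UTF-16 BOM and XML declaration (the “��” at the top of the jq output) so ElementTree will accept the text, and reads Command and Arguments through the task-scheduler XML namespace. The records are constructed samples shaped like the EvtxECmd output on this page.

```python
import html
import json
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def payload_fields(event):
    """Flatten Payload.EventData.Data ([{'@Name': .., '#text': ..}, ...]) to a dict."""
    data = json.loads(event.get("Payload") or "{}").get("EventData", {}).get("Data", [])
    if isinstance(data, dict):  # guard: a single Data element may arrive unwrapped
        data = [data]
    return {d.get("@Name"): d.get("#text") for d in data if isinstance(d, dict)}


def task_exec(event):
    """For a 4698 event, decode TaskContent and return (task name, command, arguments)."""
    fields = payload_fields(event)
    xml_text = html.unescape(fields.get("TaskContent") or "").lstrip("\ufeff")
    # The content keeps its UTF-16 XML declaration; ElementTree refuses a str that
    # declares a non-UTF-8 encoding, so drop the declaration before parsing.
    if xml_text.startswith("<?xml"):
        xml_text = xml_text.split("?>", 1)[1]
    root = ET.fromstring(xml_text.strip())
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    args = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    return fields.get("TaskName", ""), command, args


def defender_action(event):
    """For a Defender 1117 event, return the 'Action Name' value, or None."""
    return payload_fields(event).get("Action Name")


# Constructed sample records (not the challenge data), shaped like EvtxECmd output.
TASK_XML = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    '<RegistrationInfo><URI>\\HTB-AUTOMATION</URI></RegistrationInfo>'
    '<Actions Context="Author"><Exec>'
    '<Command>C:\\Users\\CyberJunkie\\Desktop\\Automation-HTB.ps1</Command>'
    '<Arguments>-A cyberjunkie@hackthebox.eu</Arguments>'
    '</Exec></Actions></Task>'
)
SAMPLE_4698 = {"EventId": 4698, "Payload": json.dumps({"EventData": {"Data": [
    {"@Name": "SubjectUserName", "#text": "CyberJunkie"},
    {"@Name": "TaskName", "#text": "\\HTB-AUTOMATION"},
    {"@Name": "TaskContent", "#text": "\ufeff" + html.escape(TASK_XML)},
]}})}
SAMPLE_1117 = {"EventId": 1117, "Payload": json.dumps({"EventData": {"Data": [
    {"@Name": "Action Name", "#text": "Quarantine"},
]}})}

if __name__ == "__main__":
    print(task_exec(SAMPLE_4698))
    print(defender_action(SAMPLE_1117))
```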

PowerShell (Task 11)

The user used Powershell to execute commands. What command was executed by the user?

Powershell Overview

There are 578 logs in the Powershell-Operational.evtx file with six different event ids:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep Po
578
oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep Po
     60 40961
     60 40962
      2 4100
     11 4103
    381 4104
     64 53504

20 of those happen after the first login:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep Po
20
oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep Po
      2 40961
      2 40962
     11 4103
      3 4104
      2 53504

4103 / 4104

Event id 4103 logs the start of a PowerShell session, where 4104 logs the commands run. The 4103 events show the start of sessions:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep Po
{
  "Script": "Script Name: C:\\Program Files\\WindowsPowerShel
  "Payload": "Payload: CommandInvocation(Set-StrictMode): \"S
}
{
  "Script": "Script Name: ",
  "Payload": "Payload: CommandInvocation(Get-Variable): \"Get
}
{
  "Script": "Script Name: ",
  "Payload": "Payload: CommandInvocation(Resolve-Path): \"Res
}
{
  "Script": "Script Name: ",
  "Payload": "Payload: CommandInvocation(Resolve-Path): \"Res
}
{
  "Script": "Script Name: ",
  "Payload": "Payload: CommandInvocation(PSConsoleHostReadLin
}
{
  "Script": "Script Name: C:\\Windows\\system32\\WindowsPower
  "Payload": "Payload: CommandInvocation(Resolve-Path): \"Res
}
{
  "Script": "Script Name: C:\\Windows\\system32\\WindowsPower
  "Payload": "Payload: CommandInvocation(Test-Path): \"Test-P
}
{
  "Script": "Script Name: C:\\Windows\\system32\\WindowsPower
  "Payload": "Payload: CommandInvocation(GetStreamHash): \"Ge
}
{
  "Script": "Script Name: ",
  "Payload": "Payload: CommandInvocation(Get-FileHash): \"Get
}
{
  "Script": "Script Name: ",
  "Payload": "Payload: CommandInvocation(Out-Default): \"Out-
}
{
  "Script": "Script Name: C:\\Program Files\\WindowsPowerShel
  "Payload": "Payload: CommandInvocation(Set-StrictMode): \"S
}

The second to last one, that runs Automation-HTB.ps1, is the most interesting.

I can pull the commands run from the 4104 logs:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep Po
"prompt"
"Get-FileHash -Algorithm md5 .\\Desktop\\Automation-HTB.ps1"
"prompt"

The middle one is the interesting one (Task 11). I’ll get the full log for it:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep Po
{
  "PayloadData1": "Path: ",
  "PayloadData2": "ScriptBlockText: Get-FileHash -Algorithm m
  "MapDescription": "Contains contents of scripts run",
  "ChunkNumber": 180,
  "Computer": "DESKTOP-887GK2L",
  "Payload": "{\"EventData\":{\"Data\":[{\"@Name\":\"MessageN
  "UserId": "S-1-5-21-3393683511-3463148672-371912004-1001",
  "Channel": "Microsoft-Windows-PowerShell/Operational",
  "Provider": "Microsoft-Windows-PowerShell",
  "EventId": 4104,
  "EventRecordId": "571",
  "ProcessId": 7152,
  "ThreadId": 2000,
  "Level": "Verbose",
  "Keywords": "0x0",
  "SourceFile": ".\\Event-Logs\\Powershell-Operational.evtx",
  "ExtraDataOffset": 0,
  "HiddenRecord": false,
  "TimeCreated": "2023-03-27T14:58:33.3647699+00:00",
  "RecordNumber": 571
}

Log Clearing (Task 12)

We suspect the user deleted some event logs. Which Event log file was cleared?

One common event for the security event log being cleared is 1102. There is one of those here:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | jq 'sel
{
  "PayloadData1": "SID: (S-1-5-21-3393683511-3463148672-37191
  "UserName": "DESKTOP-887GK2L\\CyberJunkie",
  "MapDescription": "Event log cleared",
  "ChunkNumber": 0,
  "Computer": "DESKTOP-887GK2L",
  "Payload": "{\"UserData\":{\"LogFileCleared\":{\"SubjectUse
  "Channel": "Security",
  "Provider": "Microsoft-Windows-Eventlog",
  "EventId": 1102,
  "EventRecordId": "13020",
  "ProcessId": 1320,
  "ThreadId": 9512,
  "Level": "Info",
  "Keywords": "0x4020000000000000",
  "SourceFile": ".\\Event-Logs\\Security.evtx",
  "ExtraDataOffset": 0,
  "HiddenRecord": false,
  "TimeCreated": "2023-03-27T14:36:45.3077318+00:00",
  "RecordNumber": 1
}

It’s before the first login, and thus I think not of interest (at least it’s not the accepted answer).

The other log with the word “Cleared” in it is 104:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep -i
     15 104
      1 1102

If I add the filter for after the first login, there’s only one:

oxdf@hacky$ cat 20240511121627_EvtxECmd_Output.json | grep -i
{
  "PayloadData1": "The Microsoft-Windows-Windows Firewall Wit
  "UserName": "DESKTOP-887GK2L\\CyberJunkie",
  "MapDescription": "Event log cleared",
  "ChunkNumber": 18,
  "Computer": "DESKTOP-887GK2L",
  "Payload": "{\"UserData\":{\"LogFileCleared\":{\"SubjectUse
  "UserId": "S-1-5-21-3393683511-3463148672-371912004-1001",
  "Channel": "System",
  "Provider": "Microsoft-Windows-Eventlog",
  "EventId": 104,
  "EventRecordId": "2186",
  "ProcessId": 1332,
  "ThreadId": 5332,
  "Level": "Info",
  "Keywords": "Classic",
  "SourceFile": ".\\Event-Logs\\System.evtx",
  "ExtraDataOffset": 0,
  "HiddenRecord": false,
  "TimeCreated": "2023-03-27T15:01:56.5158362+00:00",
  "RecordNumber": 2186
}

The log cleared in this event is “Microsoft-Windows-Windows Firewall
With Advanced Security/Firewall” (Task 12).

Timeline
Putting all that together makes the following timeline:

Time (UTC)            Description                                 Reference
2023-03-27T14:37:09   CyberJunkie first login                     Security 4624
2023-03-27T14:38:32   CyberJunkie second login                    Security 4624
2023-03-27T14:42:34   SharpHound zip detected                     Defender 1116
2023-03-27T14:42:48   SharpHound quarantined                      Defender 1117
2023-03-27T14:44:43   Firewall modified to allow Metasploit out   Firewall 2004
2023-03-27T14:50:03   System audit policy changed                 Audit 4719
2023-03-27T14:51:21   Scheduled task created                      Security 4698
2023-03-27T14:58:33   Runs Automation-HTB.ps1                     PowerShell 4104
2023-03-27T15:01:56   Firewall event logs cleared                 System 104

Question Answers

1. When did the cyberjunkie user first successfully log into his computer? (UTC)

27/03/2023 14:37:09

2. The user tampered with firewall settings on the system. Analyze the firewall event logs to find out the Name of the firewall rule added?

Metasploit C2 Bypass

3. What’s the direction of the firewall rule?

Outbound

4. The user changed audit policy of the computer. What’s the Subcategory of this changed policy?

Other Object Access Events

5. The user “cyberjunkie” created a scheduled task. What’s the name of this task?

HTB-AUTOMATION

6. What’s the full path of the file which was scheduled for the task?

C:\Users\CyberJunkie\Desktop\Automation-HTB.ps1

7. What are the arguments of the command?

-A cyberjunkie@hackthebox.eu

8. The antivirus running on the system identified a threat and performed actions on it. Which tool was identified as malware by antivirus?

SharpHound

9. What’s the full path of the malware which raised the alert?

C:\Users\CyberJunkie\Downloads\SharpHound-v1.1.0.zip

10. What action was taken by the antivirus?

Quarantine

11. The user used Powershell to execute commands. What command was executed by the user?

Get-FileHash -Algorithm md5 .\Desktop\Automation-HTB.ps1

12. We suspect the user deleted some event logs. Which Event log file was cleared?

Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
