Windows Log Analysis - Evaluate Attack Outcome
Find the sprayer!
Instructions from the badge:
We’re seeing attacks against the Elf U domain! Using the event log data, identify the user account that the attacker compromised using a password spray attack. Bushy Evergreen is hanging out in the train station and may be able to help you out.
Link to Event logs: https://downloads.elfu.org/Security.evtx.zip (this file is binary, so a preview is not possible).
Technical Challenge
If you need further help before solving this objective, head down to the Train Station and talk with Bushy Evergreen. He will be glad to help you, as long as you help him out with an issue with his terminal:

Hi, I’m Bushy Evergreen. Welcome to Elf U! I’m glad you’re here. I’m the target of a terrible trick. Pepper Minstix is at it again, sticking me in a text editor. Pepper is forcing me to learn ed. Even the hint is ugly. Why can’t I just use Gedit? Please help me just quit the grinchy thing.
Click on the TERMINAL next to him, and solve the presented problem:
Oh, many UNIX tools grow old, but this one's showing gray.
That Pepper LOLs and rolls her eyes, sends mocking looks my way.
I need to exit, run - get out! - and celebrate the yule.
Your challenge is to help this elf escape this blasted tool.
-Bushy Evergreen
Exit ed.
1100
q <<< type q to exit
Loading, please wait......
You did it! Congratulations!
Okay, it was a rather simple issue… However, it was good practice, as you will be encountering similar technical challenges down the road. Once you go back and click on Bushy, you will finally get your hints for solving this challenge:
Wow, that was much easier than I’d thought. Maybe I don’t need a clunky GUI after all! Have you taken a look at the password spray attack artifacts? I’ll bet that DeepBlueCLI tool is helpful. You can check it out on GitHub. It was written by that Eric Conrad. He lives in Maine - not too far from here!
What he is essentially telling you is to use this tool to solve Objective 3. For this purpose you will most likely need a Windows-based machine (physical or virtual does not matter). First clone the DeepBlueCLI repository from GitHub, then download the Security.evtx file provided in the Objective description. Then execute the DeepBlue.ps1 script with this file as its first argument. Be sure to start a new PowerShell session as ADMIN!
# command #1: set the execution policy to Unrestricted so the DeepBlueCLI script is allowed to run (requires an elevated session)
PS> Set-ExecutionPolicy Unrestricted
# command #2: run DeepBlueCLI against the downloaded event log
PS> .\DeepBlue.ps1 .\Security.evtx
...
Date : 2019. 08. 24. 2:00:20
Log : Security
EventID : 4672
Message : High number of logon failures for one account
Results : Username: supatree
Total logon failures: 76
...
Date : 2019. 08. 24. 2:00:20
Log : Security
EventID : 4672
Message : Multiple admin logons for one account
Results : Username: pminstix
User SID Access Count: 2
The full output can be seen in this Pastebin document: https://pastebin.com/X5LBNVCy
After the DeepBlueCLI tool finishes processing the file, it produces a ton of output. Your task is to find the account name and submit it through your personal badge to see if it is the right solution. When I was trying to solve this challenge, I just scrolled until I found the pminstix and supatree account names. I first tried the former, which did not work, and then tried to submit the latter, which did work, so objective #3 is now solved!
One could probably write a more sophisticated script to parse and search for the same answer, but simple ways can sometimes lead to quicker solutions… :)
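As an added example (not part of the original write-up and not DeepBlueCLI's code), here is the core of such a script: the password-spray heuristic that DeepBlueCLI's "logon failures" finding hints at, run over constructed Security-log records rather than the real Security.evtx. A spray shows up as one source address failing logons (event 4625) against many distinct accounts with few failures each, and the compromised account is the one that then logs on successfully (event 4624) from that same source; the IP addresses and usernames below are constructed, and the record shape is the handful of fields you would pull out of Get-WinEvent or an evtx parser.

```python
"""Password-spray detection over Windows Security logon events (constructed sample data)."""
from collections import defaultdict

# Constructed sample records (not from the challenge's Security.evtx). Only the fields
# the heuristic needs are kept: 4625 = failed logon, 4624 = successful logon.
SPRAY_SOURCE = "10.0.0.50"  # constructed attacker address
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": user, "IpAddress": SPRAY_SOURCE}
    for user in ["aelf", "belf", "celf", "delf", "eelf", "felf", "gelf", "supatree"]
]
# The sprayed password works for one account: a success from the same source.
SAMPLE_EVENTS.append({"EventID": 4624, "TargetUserName": "supatree", "IpAddress": SPRAY_SOURCE})
# Benign noise: one user mistyping their own password twice from another host.
SAMPLE_EVENTS += [
    {"EventID": 4625, "TargetUserName": "pminstix", "IpAddress": "10.0.0.7"} for _ in range(2)
]


def detect_password_spray(events, min_accounts=5):
    """Return {source_ip: finding} for every source that failed logons against at least
    `min_accounts` distinct accounts. Each finding lists the targeted accounts, the highest
    failure count seen on any single account (a spray keeps this low, unlike brute force),
    and the accounts that later logged on successfully from the same source."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failure count
    successes = defaultdict(set)                       # ip -> users with a successful logon
    for event in events:
        if event["EventID"] == 4625:
            failures[event["IpAddress"]][event["TargetUserName"]] += 1
        elif event["EventID"] == 4624:
            successes[event["IpAddress"]].add(event["TargetUserName"])

    findings = {}
    for ip, per_user in failures.items():
        if len(per_user) >= min_accounts:
            targets = set(per_user)
            findings[ip] = {
                "targets": targets,
                "max_failures_per_account": max(per_user.values()),
                "compromised": successes.get(ip, set()) & targets,
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"spray from {ip}: {len(finding['targets'])} accounts targeted, "
              f"compromised: {sorted(finding['compromised'])}")
```

On a real log the same function works once the records come from Get-WinEvent (or python-evtx) with the TargetUserName and IpAddress values taken from each event's data fields.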