CrownJewel-1
Last updated
Forela's domain controller is under attack. The Domain Administrator account is believed to be compromised, and it is suspected that the threat actor dumped the NTDS.dit database on the DC. We just received an alert that vssadmin was used on the DC; since this is not part of the routine schedule, we have good reason to believe that the attacker abused this LOLBIN utility to get the domain environment's crown jewel. Perform some analysis on the provided artifacts for a quick triage and, if possible, kick the attacker out as early as possible.
Q1) Attackers can abuse the vssadmin utility to create volume shadow snapshots and then extract sensitive files like NTDS.dit to bypass security mechanisms. Identify the time when the Volume Shadow Copy service entered a running state.
We should focus on the System log, which captures Service Control Manager events such as when services are started or stopped. Specifically, we need to look for entries related to the VSS (Volume Shadow Copy Service); Event ID 7036 is commonly used to indicate changes in service state on Windows systems.
Event Viewer displays the timestamp in the machine's local time zone, so we need to convert it to Coordinated Universal Time (UTC).
Alternatively, the same event can be retrieved using PowerShell.
Answer: 2024-05-14 03:42:16
Q2) When a volume shadow snapshot is created, the Volume shadow copy service validates the privileges using the Machine account and enumerates User groups. Find the two user groups the volume shadow copy process queries and the machine account that did it.
Alternatively, the same events can be retrieved using PowerShell.
Answer: Administrators, Backup Operators, DC01$
Q3) Identify the Process ID (in Decimal) of the volume shadow copy service process.
The event records the process ID as a hexadecimal value, so we need to convert it to its decimal equivalent.
Answer: 4496
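A small triage script covering Q1 to Q3, added here as an example and not part of the original writeup. It parses constructed EVTX-style XML records (values chosen to mirror this writeup's answers; real records would be exported from System.evtx and Security.evtx) and assumes that Security event 4799 (local group membership enumerated) is the event behind Q2 and Q3.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed EVTX-style records (not real exported logs); values mirror this writeup's answers.
SVC_7036 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Service Control Manager"/><EventID>7036</EventID>
<TimeCreated SystemTime="2024-05-14T03:42:16.1234567Z"/><Channel>System</Channel></System>
<EventData><Data Name="param1">Volume Shadow Copy</Data><Data Name="param2">running</Data>
</EventData></Event>"""
# Assumed: Security event 4799 (local group membership enumerated) is the event behind Q2/Q3.
GRP_4799 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4799</EventID>
<TimeCreated SystemTime="2024-05-14T03:42:17.0000000Z"/><Channel>Security</Channel></System>
<EventData><Data Name="TargetUserName">{group}</Data><Data Name="SubjectUserName">DC01$</Data>
<Data Name="CallerProcessId">0x1190</Data><Data Name="CallerProcessName">C:\\Windows\\System32\\VSSVC.exe</Data>
</EventData></Event>"""
def parse_event(xml_text):
    """Return {id, time (aware UTC datetime), data {name: value}} for one exported record."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    stamp = sysnode.find("e:TimeCreated", NS).get("SystemTime")
    # SystemTime in the EVTX is already UTC ('Z'); Event Viewer merely displays it in local time.
    when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {"id": int(sysnode.find("e:EventID", NS).text), "time": when, "data": data}

def vss_started_at(events):
    """Q1: earliest SCM 7036 where the Volume Shadow Copy service entered the 'running' state."""
    for ev in sorted(events, key=lambda e: e["time"]):
        d = ev["data"]
        if ev["id"] == 7036 and d.get("param1") == "Volume Shadow Copy" and d.get("param2") == "running":
            return ev["time"].strftime("%Y-%m-%d %H:%M:%S")
    return None

def vss_group_enumeration(events):
    """Q2/Q3: groups enumerated by VSSVC.exe, the account that did it, and the caller PID in decimal."""
    groups, subjects, pids = set(), set(), set()
    for ev in events:
        d = ev["data"]
        if ev["id"] != 4799 or not d.get("CallerProcessName", "").lower().endswith("vssvc.exe"):
            continue
        groups.add(d["TargetUserName"])
        subjects.add(d["SubjectUserName"])
        pids.add(int(d["CallerProcessId"], 16))  # 4799 records the PID in hex: 0x1190 -> 4496
    return sorted(groups), subjects, pids

def triage(records=None):
    """Run Q1-Q3 over the constructed records (or any list of exported <Event> XML strings)."""
    records = records or [SVC_7036] + [GRP_4799.format(group=g) for g in ("Backup Operators", "Administrators")]
    events = [parse_event(r) for r in records]
    groups, subjects, pids = vss_group_enumeration(events)
    return {"vss_running_utc": vss_started_at(events), "groups": groups, "subject": subjects, "pids": pids}
```

To run it against real data, export the relevant records as XML from Event Viewer or PowerShell and pass the list of `<Event>` strings to `triage()`.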
Q4) Find the assigned Volume ID/GUID value to the Shadow copy snapshot when it was mounted.
When a shadow copy is created (using the command vssadmin create shadow /for=C:), the Volume Shadow Copy Service (VSS) generates a snapshot of the specified volume. This snapshot is assigned a unique volume GUID and is exposed under a device path of the form \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX, where X is a numerical identifier such as 1, 2, etc. Once mounted, the shadow copy becomes accessible as a volume, and its GUID is used to reference it, for example when copying files such as NTDS.dit out of the snapshot.
Answer: {06c4a997-cca8-11ed-a90f-000c295644f9}
Q5) Identify the full path of the dumped NTDS database on disk.
The $MFT file contains metadata for all files on the NTFS filesystem, including the path and creation time of the dumped NTDS.dit file. This information is crucial for distinguishing the new NTDS.dit file from the original located at C:\Windows\NTDS\NTDS.dit.
Let's open the parsed $MFT output file using Timeline Explorer.
Answer: C:\Users\Administrator\Documents\backup_sync_Dc\Ntds.dit
Q6) When was the newly dumped ntds.dit created on disk?
Answer: 2024-05-14 03:44:22
Q7) A registry hive was also dumped alongside the NTDS database. Which registry hive was dumped and what is its file size in bytes?
Answer: SYSTEM, 17563648