靶场介绍

A junior SOC analyst on duty has reported multiple alerts indicating the presence of PsExec on a workstation. They verified the alerts and escalated the alerts to tier II. As an Incident responder you triaged the endpoint for artefacts of interest. Now please answer the questions regarding this security event so you can report it to your incident manager.

一名初级SOC值班分析师报告了多个警报，表明工作站上存在PsExec。他们验证了警报，并将警报升级到第二级。作为事件响应者，您对端点进行了感兴趣的人工制品的分类。现在，请回答有关此安全事件的问题，以便向事件经理报告。

Task 1

The SOC Team suspects that an adversary is lurking in their environment and are using PsExec to move laterally. A junior SOC Analyst specifically reported the usage of PsExec on a WorkStation. How many times was PsExec executed by the attacker on the system?

SOC团队怀疑对手潜伏在他们的环境中，并使用PsExec进行横向移动。一位初级SOC分析师专门报告了工作站上PsExec的使用情况。攻击者在系统上执行了多少次PsExec？

查看system.evtx日志文件，按照给定的要求搜索

一共出现了9次

Task 1：9

Task 2

What is the name of the service binary dropped by PsExec tool allowing attacker to execute remote commands?

允许攻击者执行远程命令的PsExec工具丢弃的服务二进制文件的名称是什么？

查看详细的数据包

执行的文件名为PSEXESVC.exe

Task 2：PSEXESVC.exe

Task 3

Now we have confirmed that PsExec ran multiple times, we are particularly interested in the 5th Last instance of the PsExec. What is the timestamp when the PsExec Service binary ran?

现在我们已经确认PsExec运行了多次，我们对PsExec的第五个Last实例特别感兴趣。PsExec服务二进制文件运行时的时间戳是多少？

由题目可知我们看的是第五次运行的exe文件从下往上数第五个，将其时间转化为UTC+0

Task 3：07/09/2023 12:06:54

Task 4

Can you confirm the hostname of the workstation from which attacker moved laterally?

您能确认攻击者横向移动的工作站的主机名吗？

查看Security.evtx文件，搜索administrator用户，查看该用户登录了哪些工作组

发现一个登录失败的记录

Task 4：FORELA-WKSTN001

Task 5

What is full name of the Key File dropped by 5th last instance of the Psexec?

Psexec的第五个最后一个实例丢弃的密钥文件的全名是什么？

使用MFTECmd工具将$J文件转化为csv文件打开查看

MFTECmd.exe -f "C:\Desktop\C\$Extend\$J" --csv "./" --csvf "$J.csv"

查找key文件

结果即为答案

Task 5：PSEXEC-FORELA-WKSTN001-95F03CFE.key

Task 6

Can you confirm the timestamp when this key file was created on disk?

你能确认这个密钥文件在磁盘上创建的时间戳吗？

直接能够看出创建的时间

Task 6：07/09/2023 12:06:55

Task 7

What is the full name of the Named Pipe ending with the “stderr” keyword for the 5th last instance of the PsExec?

PsExec最后第五个实例的以“stderr”关键字结尾的命名管道的全名是什么？

查看Microsoft-Windows-Sysmon%4Operational.evtx日志，设置条件

从下往上数，第五个创建的管道即为答案：\PSEXESVC-FORELA-WKSTN001-3056-stderr

Task 7：\PSEXESVC-FORELA-WKSTN001-3056-stderr