
CrownJewel-1

Sherlock Scenario

Forela's domain controller is under attack. The Domain Administrator account is believed to be compromised, and it is suspected that the threat actor dumped the NTDS.dit database on the DC. We just received an alert of vssadmin being used on the DC, since this is not part of the routine schedule we have good reason to believe that the attacker abused this LOLBIN utility to get the Domain environment's crown jewel. Perform some analysis on provided artifacts for a quick triage and if possible kick the attacker as early as possible.


Challenge data

CrownJewel1.zip

Task 1

An attacker can abuse the vssadmin utility to create a volume shadow copy and then extract sensitive files such as NTDS.dit from it, bypassing security mechanisms. Determine the time at which the Volume Shadow Copy service entered the running state.

TODO: not yet completed
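One way to answer this question from the DC's System event log, as an added example that is not part of this writeup or of the challenge's official solution: the Service Control Manager logs every service state change as Event ID 7036, with the service display name in the `param1` field and the new state in `param2`. The Python below parses event records exported to XML (for instance from Event Viewer or an EVTX-to-XML dump) and returns the timestamps at which a named service entered a given state. The sample records, hostname and timestamps are constructed placeholders, not data from the challenge artifacts.

```python
from xml.etree import ElementTree as ET

# Default namespace used by Windows event XML.
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Constructed sample: four Service Control Manager 7036 records wrapped in
# an <Events> root, the shape an EVTX-to-XML export typically produces.
# Hostname and timestamps are placeholders, not values from the challenge.
SAMPLE_EVENTS = f"""<Events>
<Event xmlns="{EVT_NS}">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID Qualifiers="16384">7036</EventID>
    <TimeCreated SystemTime="2024-05-14T03:40:02.1112223Z"/>
    <Computer>dc.example.local</Computer>
  </System>
  <EventData>
    <Data Name="param1">Windows Update</Data>
    <Data Name="param2">running</Data>
  </EventData>
</Event>
<Event xmlns="{EVT_NS}">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID Qualifiers="16384">7036</EventID>
    <TimeCreated SystemTime="2024-05-14T03:42:19.1234567Z"/>
    <Computer>dc.example.local</Computer>
  </System>
  <EventData>
    <Data Name="param1">Volume Shadow Copy</Data>
    <Data Name="param2">running</Data>
  </EventData>
</Event>
<Event xmlns="{EVT_NS}">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID Qualifiers="16384">7036</EventID>
    <TimeCreated SystemTime="2024-05-14T03:45:00.0000000Z"/>
    <Computer>dc.example.local</Computer>
  </System>
  <EventData>
    <Data Name="param1">Volume Shadow Copy</Data>
    <Data Name="param2">stopped</Data>
  </EventData>
</Event>
<Event xmlns="{EVT_NS}">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID Qualifiers="16384">7036</EventID>
    <TimeCreated SystemTime="2024-05-14T05:10:00.0000000Z"/>
    <Computer>dc.example.local</Computer>
  </System>
  <EventData>
    <Data Name="param1">Volume Shadow Copy</Data>
    <Data Name="param2">running</Data>
  </EventData>
</Event>
</Events>"""


def service_state_changes(xml_text, service, state):
    """Return SystemTime strings (UTC, document order) of every Event ID 7036
    record in which `service` transitioned to `state`."""
    root = ET.fromstring(xml_text)
    hits = []
    for ev in root.iter(f"{{{EVT_NS}}}Event"):
        system = ev.find("e:System", NS)
        if system is None or system.findtext("e:EventID", namespaces=NS) != "7036":
            continue
        # 7036 carries the display name as param1 and the new state as param2.
        params = {d.get("Name"): (d.text or "").strip()
                  for d in ev.findall("e:EventData/e:Data", NS)}
        if params.get("param1") == service and params.get("param2") == state:
            hits.append(system.find("e:TimeCreated", NS).get("SystemTime"))
    return hits


def first_service_start(xml_text, service="Volume Shadow Copy"):
    """Earliest time the service entered the running state, or None.
    ISO-8601 UTC strings sort chronologically, so min() is safe here."""
    starts = service_state_changes(xml_text, service, "running")
    return min(starts) if starts else None


if __name__ == "__main__":
    print("VSS first entered running state at:", first_service_start(SAMPLE_EVENTS))
    print("All VSS running transitions:",
          service_state_changes(SAMPLE_EVENTS, "Volume Shadow Copy", "running"))
```

On a real triage you would export the System log (or the `Microsoft-Windows-*` provider channels of interest) from the DC and feed that XML in unchanged; the earliest VSS start that is not explained by a scheduled backup is the one to line up against the vssadmin alert.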

Task 2

Task 3

Task 4

Task 5

Task 6

Task 7

Task 8

Task 9

Task 10

Task 11

Task 12

Task 13

Task 14

Task 15