Description:

With help from D.I. Lestrade, Holmes acquires logs from a compromised MSP connected to the city’s financial core. The MSP’s AI servicedesk bot looks to have been manipulated into leaking remote access keys - an old trick of Moriarty’s.

Scenario Files

The_Watchman’s_Residue.zip - Kape Output - SHA256:1ef8e6a1109c9611a7a805b8f0f8c4392e7d85b88191ef440a88b21efbe4b74d

We are going to use EvtxECmd.exe to combine all the .evtx (Windows event log) files from the triage image into a single CSV:

.\EvtxECmd.exe -d "C:\Users\p4n4\Downloads\the_watchman's_residue\TRIAGE_IMAGE_COGWORK-CENTRAL\C\Windows\System32\winevt\logs" --csv "C:\Users\p4n4\Downloads\the_watchman's_residue\" --csvf evtx.csv

The archive also includes acquired file (critical).kdbx, a KeePass database file (SHA256: 47cd8abdd44cfd8a58112680481636fcd5ae3fd62ce535f6e966a7f08b27cda2), and msp-helpdesk-ai day 5982 section 5 traffic.pcapng (SHA256: 4eaccef0012142429b147711d7fa9d1d73a2726f136d30f4fac1f440d16528ba).

Flags

1. What was the IP address of the decommissioned machine used by the attacker to start a chat session with MSP-HELPDESK-AI? (IPv4 address)

Show solution
10.0.69.45

We open the PCAP file in Wireshark. Looking through it, the suspicious chat traffic is in tcp.stream 39, and the source address of that stream gives us the IP.

2. What was the hostname of the decommissioned machine? (string)

Show solution
WATSON-ALPHA-2

Having the IP, we apply the filter ip.src == 10.0.69.45 and find BROWSER protocol traffic, which carries the hostname.

3. What was the first message the attacker sent to the AI chatbot? (string)

Show solution
Hello Old Friend

We check the conversation from the PCAP

4. When did the attacker’s prompt injection attack make MSP-HELPDESK-AI leak remote management tool info? (YYYY-MM-DD HH:MM:SS)

Show solution
2025-08-19 12:00:31

We check the conversation from the PCAP

5. What is the Remote management tool Device ID and password? (IDwithoutspace:Password)

Show solution
565963039:CogWork_Central_97&65

We check the conversation from the PCAP

6. What was the last message the attacker sent to MSP-HELPDESK-AI? (string)

Show solution
JM WILL BE BACK

We check the conversation from the PCAP

7. When did the attacker remotely access Cogwork Central Workstation? (YYYY-MM-DD HH:MM:SS)

Show solution
2025-08-20 09:58:25

We stop analyzing the PCAP and move to the KAPE output. Looking through it we can spot the RMM application used, which is TeamViewer; its log files are located under Program Files\TeamViewer\. The handy file Connections_incoming.txt gives the start of the attack as a timestamp.

8. What was the RMM Account name used by the attacker? (string)

Show solution
James Moriarty

From the same file Connections_incoming.txt

9. What was the machine’s internal IP address from which the attacker connected? (IPv4 address)

Show solution
192.168.69.213

For that question we need to take a look at the TeamViewer15_logfile.log. After a bit of research about the TeamViewer logs we find that the internal IP appears as a UDP punch entry in the log. We can also correlate the timestamps with the session start to confirm the IP.

10. The attacker brought some tools to the compromised workstation to achieve its objectives. Under which path were these tools staged? (C:\FOLDER\PATH)

Show solution
C:\Windows\Temp\safe\

Knowing the login time of the attacker, we start our investigation from there and, by exploring the logs, we find all sorts of different tools, all in the same directory.

11. Among the tools that the attacker staged was a browser credential harvesting tool. Find out how long it ran before it was closed? (Answer in milliseconds) (number)

Show solution
8000

For that we open Registry Explorer and load the user hive C:\Users\Cogwork_Admin\NTUSER.DAT. The relevant key is Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist; one way to find the right value is to search for the name of the tool.

For context, UserAssist (Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist) is a Windows Registry key that tracks user interaction with programs and shortcuts launched through the Windows Explorer shell, including the run count, the focus time and the last execution time of each entry.
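To show where the millisecond answer above actually comes from, here is an added example (not part of the original writeup, and not Registry Explorer's code) that decodes a UserAssist entry the way the tool does: the value name is ROT13-encoded, and on Windows 7 and later the 72-byte value holds the run count at offset 4, the focus count at offset 8, the focus time in milliseconds at offset 12 and the last-executed FILETIME at offset 60. The value name, path and counts below are constructed sample data, not values from the case hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: a ROT13-encoded value name, as Windows stores it.
SAMPLE_NAME = codecs.encode(r"C:\Windows\Temp\safe\browser-tool.exe", "rot13")


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def build_sample_value(run_count, focus_count, focus_ms, last_run):
    """Build a constructed 72-byte UserAssist value (test data, not from the case image)."""
    ft = int((last_run - WINDOWS_EPOCH).total_seconds()) * 10_000_000
    buf = bytearray(72)
    struct.pack_into("<I", buf, 4, run_count)      # number of executions
    struct.pack_into("<I", buf, 8, focus_count)    # times the window got focus
    struct.pack_into("<I", buf, 12, focus_ms)      # total focus time in milliseconds
    struct.pack_into("<Q", buf, 60, ft)            # last execution time (FILETIME)
    return bytes(buf)


def parse_userassist(name, data):
    """Decode one UserAssist value (Windows 7+ layout) into a readable dict."""
    if len(data) != 72:
        raise ValueError("unexpected UserAssist value length %d" % len(data))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "path": codecs.decode(name, "rot13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_executed": filetime_to_datetime(ft) if ft else None,
    }


def sample_userassist():
    """Parse the constructed sample value; an 8000 ms focus time mirrors the answer above."""
    value = build_sample_value(run_count=3, focus_count=1, focus_ms=8000,
                               last_run=datetime(2025, 8, 20, 10, 5, 0, tzinfo=timezone.utc))
    return parse_userassist(SAMPLE_NAME, value)


if __name__ == "__main__":
    for key, val in sample_userassist().items():
        print(f"{key}: {val}")
```

On a real hive the value bytes come from the key's values under the GUID subkeys of UserAssist (for example via a hive parser), and the focus time is the field the question is asking for: it measures how long the program's window was in the foreground, not CPU time.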

12. The attacker executed a OS Credential dumping tool on the system. When was the tool executed? (YYYY-MM-DD HH:MM:SS)

Show solution
2025-08-20 10:07:08

As an OS credential-dumping tool, the question refers to Mimikatz. The registry didn't show promising results, so we need to focus on the $MFT or any prefetch files, but our output doesn't include any prefetch files. It does include the $UsnJrnl, which is the $J file in the $Extend directory. We parse it with MFTECmd and review it in Timeline Explorer. There we search for Mimikatz and can see the creation date of its prefetch file. Note: prefetch files record how and when an application was executed.

13. The attacker exfiltrated multiple sensitive files. When did the exfiltration start? (YYYY-MM-DD HH:MM:SS)

Show solution
2025-08-20 10:12:07

For this question we look again at the TeamViewer logs. Just remember to subtract 1 from the hours, since the log file timestamps are in local time.

14. Before exfiltration, several files were moved to the staged folder. When was the Heisen-9 facility backup database moved to the staged folder for exfiltration? (YYYY-MM-DD HH:MM:SS)

Show solution
2025-08-20 10:11:09

We open Timeline Explorer again with the parsed $J and search for the file name from the question.

15. When did the attacker access and read a txt file, which was probably the output of one of the tools they brought, due to the naming convention of the file? (YYYY-MM-DD HH:MM:SS)

Show solution
2025-08-20 10:08:06

Again Timeline Explorer and the parsed $J: search for the .txt file with the tool-like name.
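Questions 12, 14 and 15 all come down to reading USN journal records and sorting them by time, which is what MFTECmd and Timeline Explorer do for us. The following added example (mine, not the writeup's and not MFTECmd's code) parses raw USN_RECORD_V2 structures from a $J buffer and builds a small timeline for a keyword. The records are constructed in the block itself: the timestamps echo the three answers above, while the file names, reference numbers and the "PLACEHOLDER" prefetch hash are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UTC = timezone.utc

# USN reason flags (subset) as defined for USN_RECORD_V2.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}


def filetime_to_dt(ft):
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return int((dt - WINDOWS_EPOCH).total_seconds()) * 10_000_000


def build_record(name, when, reason, file_ref=1, parent_ref=5):
    """Construct one USN_RECORD_V2 (test data only; layout follows the Windows structure)."""
    fname = name.encode("utf-16-le")
    length = 60 + len(fname)
    length += (-length) % 8  # records are padded to 8-byte alignment
    header = struct.pack("<IHHQQQQIIIIHH",
                         length, 2, 0,          # RecordLength, MajorVersion, MinorVersion
                         file_ref, parent_ref,  # file and parent MFT reference numbers
                         0,                     # Usn (offset within the journal)
                         dt_to_filetime(when),  # TimeStamp
                         reason, 0, 0, 0x20,    # Reason, SourceInfo, SecurityId, FileAttributes
                         len(fname), 60)        # FileNameLength, FileNameOffset
    return header + fname + b"\0" * (length - 60 - len(fname))


def parse_usn_journal(data):
    """Yield a dict per USN_RECORD_V2 in a raw $J buffer, skipping zero-filled gaps."""
    off = 0
    while off + 60 <= len(data):
        (length,) = struct.unpack_from("<I", data, off)
        if length == 0:          # sparse/zero fill between records
            off += 8
            continue
        (major,) = struct.unpack_from("<H", data, off + 4)
        if major != 2:
            raise ValueError("unsupported USN record version %d" % major)
        ts, reason = struct.unpack_from("<QI", data, off + 32)
        name_len, name_off = struct.unpack_from("<HH", data, off + 56)
        name = data[off + name_off: off + name_off + name_len].decode("utf-16-le")
        yield {"name": name, "timestamp": filetime_to_dt(ts),
               "reasons": [v for k, v in USN_REASONS.items() if reason & k]}
        off += length


def timeline_for(data, keyword):
    """Records whose file name contains keyword (case-insensitive), oldest first."""
    hits = [r for r in parse_usn_journal(data) if keyword.lower() in r["name"].lower()]
    return sorted(hits, key=lambda r: r["timestamp"])


# Constructed journal: three records plus a zero gap, mirroring the three answers above.
SAMPLE_J = b"".join([
    build_record("MIMIKATZ.EXE-PLACEHOLDER.pf", datetime(2025, 8, 20, 10, 7, 8, tzinfo=UTC),
                 0x100 | 0x80000000),                       # prefetch created on first run
    b"\0" * 16,
    build_record("tool-output.txt", datetime(2025, 8, 20, 10, 8, 6, tzinfo=UTC),
                 0x1 | 0x80000000),                         # output file written/closed
    build_record("heisen-9-backup.db", datetime(2025, 8, 20, 10, 11, 9, tzinfo=UTC),
                 0x2000 | 0x80000000),                      # renamed into the staging folder
])


def sample_timeline(keyword):
    return timeline_for(SAMPLE_J, keyword)


if __name__ == "__main__":
    for rec in parse_usn_journal(SAMPLE_J):
        print(rec["timestamp"].isoformat(), rec["name"], ",".join(rec["reasons"]))
```

A move into the staging folder shows up as a RENAME_NEW_NAME record whose parent reference is the staging directory, which is why searching $J for the file name finds the move time even though the file content never changed.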

16. The attacker created a persistence mechanism on the workstation. When was the persistence setup? (YYYY-MM-DD HH:MM:SS)

Show solution
2025-08-20 10:13:57

Here we need to think about which tool/malware file was used for that. We had already seen it in the registry: JM.exe. The registry path is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and we need the last write timestamp of that key.

17. What is the MITRE ID of the persistence subtechnique? (Txxxx.xxx)

Show solution
T1547.004
Found with a web search for the Winlogon persistence technique in MITRE ATT&CK.
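The persistence in questions 16 and 17 lives in the Winlogon key, so a defender's check is to compare its Shell and Userinit values against a known-good baseline. The block below is an added example, not the writeup's own tooling; the baseline values are the usual Windows defaults (an assumption, best replaced by values from a clean host of the same build), and the sample dictionary is constructed to show what an appended executable looks like, so the path in it is illustrative only.

```python
# Expected Winlogon values on a default Windows install (assumed baseline).
WINLOGON_BASELINE = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}


def _parts(value):
    """Split a comma-separated Winlogon value into normalized, lower-cased entries."""
    return [p.strip().strip('"').lower() for p in value.split(",") if p.strip()]


def check_winlogon(values):
    """Return (value_name, [unexpected entries]) for each deviation from the baseline.

    `values` is the Winlogon key's values as a dict, e.g. as read from an offline
    SOFTWARE hive with a registry parser.
    """
    findings = []
    for name, baseline in WINLOGON_BASELINE.items():
        if name not in values:
            continue
        expected = _parts(baseline)
        unexpected = [p for p in _parts(values[name]) if p not in expected]
        if unexpected:
            findings.append((name, unexpected))
    return findings


# Constructed sample: Shell has been extended with a second executable.
SAMPLE_WINLOGON = {
    "Shell": r"explorer.exe,C:\Windows\Temp\safe\JM.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}


if __name__ == "__main__":
    for name, extra in check_winlogon(SAMPLE_WINLOGON):
        print(f"Winlogon\\{name} contains unexpected entries: {extra}")
```

The key's last write time (the answer to question 16) is metadata on the key itself, so the check above tells you what changed and the hive parser tells you when.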

18. When did the malicious RMM session end? (YYYY-MM-DD HH:MM:SS)

Show solution
2025-08-20 10:14:27

This is trivial. Remember where we found the start of the RMM session (Connections_incoming.txt): the same line holds the end time.
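Questions 7, 8, 13 and 18 all rely on the two TeamViewer artifacts: Connections_incoming.txt, whose one line per session gives the start and end time and the remote account name, and TeamViewer15_logfile.log, whose timestamps need the one-hour adjustment mentioned above. The following added example (not from the writeup, and not TeamViewer's own code) parses a constructed Connections_incoming.txt line and normalizes a log file timestamp onto the same clock. The tab-separated field order and the log timestamp format are assumptions about the file layouts; the sample line reuses the ID, name and times given in the answers above, and the connection GUID is a placeholder.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample line in the assumed Connections_incoming.txt layout:
# ID, display name, start, end, local user, connection type, connection GUID.
SAMPLE_CONNECTIONS = (
    "565963039\tJames Moriarty\t20-08-2025 09:58:25\t20-08-2025 10:14:27\t"
    "Cogwork_Admin\tRemoteControl\t{00000000-0000-0000-0000-000000000000}\n"
)
FIELDS = ("teamviewer_id", "display_name", "start", "end",
          "local_user", "connection_type", "connection_id")


def parse_connections_incoming(text):
    """Parse Connections_incoming.txt into session dicts with aware UTC datetimes."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError("unexpected field count in line: %r" % line)
        rec = dict(zip(FIELDS, parts))
        for key in ("start", "end"):
            rec[key] = datetime.strptime(rec[key], "%d-%m-%Y %H:%M:%S").replace(tzinfo=timezone.utc)
        rec["duration"] = rec["end"] - rec["start"]
        sessions.append(rec)
    return sessions


def logfile_time_to_utc(stamp, utc_offset_hours):
    """Normalize a TeamViewer15_logfile.log timestamp (local time, assumed
    'YYYY/MM/DD HH:MM:SS.mmm') to UTC by subtracting the host's UTC offset."""
    local = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S.%f")
    return (local - timedelta(hours=utc_offset_hours)).replace(tzinfo=timezone.utc)


def events_within_session(session, utc_stamps):
    """Keep only the log events that fall inside the session window."""
    return [t for t in utc_stamps if session["start"] <= t <= session["end"]]


def sample_sessions():
    return parse_connections_incoming(SAMPLE_CONNECTIONS)


if __name__ == "__main__":
    for s in sample_sessions():
        print(s["display_name"], s["start"].isoformat(), s["end"].isoformat(), s["duration"])
    # Constructed log stamp, one hour ahead of UTC as on the case host.
    print(logfile_time_to_utc("2025/08/20 11:12:07.000", 1).isoformat())
```

Correlating the two files this way is what turns the log file's local-time entries into the UTC answers the questions expect, and lets you confirm that an event such as the exfiltration start actually falls inside the attacker's session window.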

19. The attacker found a password from exfiltrated files, allowing him to move laterally further into CogWork-1 infrastructure. What are the credentials for Heisen-9-WS-6? (user:password)

Show solution
Werni:Quantum1!

For this we need to crack the KeePass database. First we extract the hash:

keepass2john acquired\ file\ \(critical\).kdbx > db.hash

Then we run John against it with rockyou:

john --wordlist=wordlist/rockyou.txt db.hash
.....
cutiepie14       (acquired file (critical))

So the password is cutiepie14. We use it to open the KeePass database with a client (keepass2) and read the stored credentials.