HackTheBox — CrownJewel-2 Sherlock Walkthrough
Investigating a Compromised Domain Controller Using Windows Event Logs
Introduction:
Imagine this: You’re on the front lines of an organization’s security team, trying to catch your breath and recover from an attack against your domain controller just yesterday. Suddenly, another alert fires from the domain controller about a new exfiltration attempt of the NTDS.dit database which holds the domain’s secrets. Springing back to action, you must determine how the attacker got in this time by investigating the Windows Event Logs to establish a timeline, understand how the attack unfolded, and evict the attacker…again.
If this sounds exciting to you, welcome to my weekly walkthrough, you’ve stumbled on the right blog!
This week, we’re tackling the CrownJewel-2 challenge from Hack The Box, a direct follow-up to CrownJewel-1. The scenario assumes that we’re the same incident responder that investigated the first attack, so you’ll get the most out of this challenge if you complete CrownJewel-1 first. I’ll leave a link to my walkthrough for part 1 below.
CrownJewel-2 is another digital forensics and incident response (DFIR) challenge. This time, we’ll leverage the Windows Event Logs to understand how the attacker exfiltrated the NTDS.dit database. Using the Event Viewer, we’ll establish a timeline of the attack and track what activities occurred before the exfiltration.
While this challenge is geared toward beginners, it’s a fantastic lab for all skill levels to get some hands-on practice with Windows Event Log analysis. So, let’s grab our magnifying glasses again, take a deep breath, and get ready to dive back into the investigation!
And hey, if you find this walkthrough helpful — whether it levels up your skills, gets you through a stumbling block, or serves as a handy reference — please give it a clap!
Thanks for reading and joining me on this investigation!
Challenge Link: https://app.hackthebox.com/sherlocks/CrownJewel-2
Challenge Scenario:
Forela’s Domain environment is pure chaos. Just got another alert from the Domain controller of NTDS.dit database being exfiltrated. Just one day prior you responded to an alert on the same domain controller where an attacker dumped NTDS.dit via vssadmin utility. However, you managed to delete the dumped files, kick the attacker out of the DC, and restore a clean snapshot. Now they again managed to access the DC with a domain admin account with their persistent access in the environment. This time they are abusing ntdsutil to dump the database. Help Forela in these chaotic times!!
Setup the Analysis Environment & Extract the challenge file:
Safety first! It’s always important when working with lab/challenge files from Hack the Box (or any educational lab/challenge/range) to keep yourself protected by performing these tasks in a dedicated, isolated virtual machine environment. For example, since this is a Windows-based lab, I’m using FLARE-VM for this challenge and walkthrough.
To keep this write-up focused, I’m going to skip the step-by-step setup of FLARE-VM, but if you’d like to set up your own environment, please follow the directions provided directly by FLARE-VM on GitHub.
Okay! Once we have our virtual environment created, updated, isolated, and snapshotted, we can extract the challenge file and start the investigation!
Question 1: When utilizing ntdsutil.exe to dump NTDS on disk, it simultaneously employs the Microsoft Shadow Copy Service. What is the most recent timestamp at which this service entered the running state, signifying the possible initiation of the NTDS dumping process?
Time to kick off this investigation and see what the attackers are doing this time! After unzipping the challenge file, we’ll find three Windows Event Log (.evtx) files that we’ll use to investigate the attacker’s activities.
- Application: Contains application related log events.
- System: Contains events related to Windows and its components like services, drivers, and hardware.
- Security: Contains security-related events, including user logins, access attempts, and account enumeration.
Each of these logs will have a role to play during our investigation, but to answer Question 1, we’re searching for when the Volume Shadow Copy service (VSSVC.exe) last entered the running state, which may correlate with suspicious ntdsutil.exe database dumping activity.
If you joined me for the CrownJewel-1 investigation, you might remember that we learned the SYSTEM log contains the start and stop events for services, logged as Event ID 7036. Let’s try it out.
Open the SYSTEM log and filter it for the relevant Event ID by pressing Filter Current Log, then entering 7036 into the Event ID field.
Once we’ve filtered the events, press Find and enter the keywords “volume shadow copy” — to find any instances of Volume Shadow Copy service events. Since the events are listed in descending order, the newest ones will be at the top of the log — so the first hit should be the one we need to find the most recent entry.
Now, with the event selected, we can obtain the precise system time when the service was started by clicking Details tab > XML View > TimeCreated SystemTime.
Question 2: Identify the full path of the dumped NTDS file.
To answer Question 2, let’s jump over to the APPLICATION logs. Without any further filtering, let’s try simply searching for NTDS and review the hits. It may take a few tries to find a meaningful event, but then we’ll stumble on the entry below:
Here we’ll observe that the ESENT database engine created a new NTDS.dit database which is the file for which we received the exfiltration alert. Recalling what we discovered in CrownJewel-1, dumping the NTDS.dit file is a method an attacker can use to create a copy of the “Active Directory domain database in order to steal credential information.”
Notice the suspicious file path of the dump, and that the event’s timestamp is one second after the Volume Shadow Copy service entered the running state? Both are clues that we are on the right path.
Question 3: When was the database dump created on the disk?
Fortunately, we already noticed the event timestamp correlation in the last question. In the same event from Question 2, let’s capture the system time by navigating to the Details tab, copying the System Time for the event, and then submitting the answer to continue building our timeline.
Question 4: When was the newly dumped database considered complete and ready for use?
Since we’ve already found the database events in the APPLICATION log, let’s manually review the entries that follow the database’s creation, starting with the event from Questions 2 & 3.
Scrolling through the logs, we’ll quickly come across the following event reporting that the database engine detached the dumped NTDS.dit database, indicating that the creation is completed.
Following the same process that we used in Questions 1 & 3, copy the System Time from the detailed view and submit the answer.
Question 5: Event logs use event sources to track events coming from different sources. Which event source provides database status data like creation and detachment?
Throughout the investigation of the APPLICATION logs, you may have noticed that both database events from Questions 3 & 4 were provided by the same event source: ESENT, a database engine that’s part of Windows. This is all we need to answer Question 5.
Question 6: When ntdsutil.exe is used to dump the database, it enumerates certain user groups to validate the privileges of the account being used. Which two groups are enumerated by the ntdsutil.exe process? Give the groups in alphabetical order joined by comma space.
The key word to answering this question is “enumerate.” To find the answer, we’ll pivot to the SECURITY log. Once again, if you followed along during the CrownJewel-1 investigation, this next part will look very familiar.
First, filter the SECURITY log for Event ID 4799 — “A security-enabled local group membership was enumerated.” This event indicates that a local group membership was queried to check the account privileges.
Now that we’re only filtering the group membership enumeration events, we can narrow it down to the entries within the timeline we found in Question 2. During this time period, we’ll notice some events with the source process name of ntdsutil.exe where two distinct groups are enumerated.
Putting the two groups in the correct alphabetized format, we can submit the answer and continue.
Question 7: Now you are tasked to find the Login Time for the malicious Session. Using the Logon ID, find the Time when the user logon session started.
We’ve made it to the last question! To tackle Question 7, copy the Logon ID field (0x8DE3D) from the events that we found in the previous question. We’ll use this to correlate other events that share this ID.
For more granular searching than the built-in Event Viewer filter options allow, we can write a custom XPath query in the XML tab of the Filter Current Log dialog (tick “Edit query manually” and place the expression inside the <Select Path="Security"> element of the generated QueryList). Because this replaces the Event ID filter we set earlier, it returns every Security event whose SubjectLogonId matches, not just the 4799 enumerations:
*[EventData[Data[@Name='SubjectLogonId']='0x8de3d']]
With our custom filter in place, scroll to the bottom of the list (if it’s still sorted in descending order) to find the oldest events. Here, we’ll find a few events that are not 4799 enumerations but share the same timestamp, marking the start of the logon session.
For one last time, switch to the XML View for any of these events, copy the System Time value, and submit the answer. Now let’s wrap up this investigation!
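As an added example that is not part of the original walkthrough, the script below replays the same pivots from Questions 1 through 7 with Get-WinEvent against the three extracted .evtx files, so the whole timeline can be rebuilt in one pass. The $CaseDir path and the two helper function names are assumptions, and the Question 7 filter also matches TargetLogonId (which is how the 4624 logon event records the session), going one step beyond the SubjectLogonId-only XPath above.

```powershell
# Added example (not from the original walkthrough): replays the Event Viewer pivots
# from Questions 1-7 as a repeatable Get-WinEvent script over the exported .evtx files.
# Assumption: the three files sit in $CaseDir with their default names.
$CaseDir = 'C:\Cases\CrownJewel-2'

# Pull one named <Data> field out of an event's XML (works even when the analysis
# box has no message template installed for the provider).
function Get-EventField($Event, $Name) {
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } | Select-Object -ExpandProperty '#text'
}
function Format-Utc($Event) { $Event.TimeCreated.ToUniversalTime().ToString('o') }

# Q1: latest System 7036 where param1 is the service display name and param2 the new state.
$vss = Get-WinEvent -FilterHashtable @{ Path = "$CaseDir\System.evtx"; Id = 7036 } |
    Where-Object { (Get-EventField $_ 'param1') -eq 'Volume Shadow Copy' -and
                   (Get-EventField $_ 'param2') -eq 'running' } |
    Sort-Object TimeCreated -Descending | Select-Object -First 1
"Q1  VSS entered running state: $(Format-Utc $vss)"

# Q2-Q5: ESENT events in the Application log that mention ntds.dit, oldest first.
# ESENT 325 = database created, 327 = database detached; the dump path is in the message.
Get-WinEvent -FilterHashtable @{ Path = "$CaseDir\Application.evtx"; ProviderName = 'ESENT' } |
    Where-Object { $_.Message -match 'ntds\.dit' } | Sort-Object TimeCreated |
    ForEach-Object { "Q2-5 {0} ESENT {1}: {2}" -f (Format-Utc $_), $_.Id, ($_.Message -split "`r?`n")[0] }

# Q6: Security 4799 enumerations whose calling process is ntdsutil.exe.
$enum = Get-WinEvent -FilterHashtable @{ Path = "$CaseDir\Security.evtx"; Id = 4799 } |
    Where-Object { (Get-EventField $_ 'CallerProcessName') -like '*\ntdsutil.exe' }
$groups   = $enum | ForEach-Object { Get-EventField $_ 'TargetUserName' } | Sort-Object -Unique
$logonIds = $enum | ForEach-Object { Get-EventField $_ 'SubjectLogonId' } | Sort-Object -Unique
"Q6  groups enumerated by ntdsutil.exe: $($groups -join ', ')"

# Q7: earliest Security event carrying that Logon ID. The walkthrough's XPath matches
# SubjectLogonId only; adding TargetLogonId also catches the 4624 logon event itself.
foreach ($id in $logonIds) {
    $xpath = "*[EventData[Data[@Name='SubjectLogonId']='$id' or Data[@Name='TargetLogonId']='$id']]"
    $first = Get-WinEvent -Path "$CaseDir\Security.evtx" -FilterXPath $xpath |
        Sort-Object TimeCreated | Select-Object -First 1
    "Q7  Logon ID $id first seen: $(Format-Utc $first) (Event ID $($first.Id))"
}
```

Run it from an elevated PowerShell on the analysis VM; reading the Security.evtx file needs no live Security log access, only the file itself.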
Conclusion:
Let’s wrap up this investigation of CrownJewel-2 with a quick recap: Using the Windows Event logs, we discovered details about how and when ntdsutil was abused on the domain controller, including the start time, dumped file path, enumerated groups, and Logon ID. This helps us identify the attacker’s activities and create a detailed timeline to document the incident. Great job with the triage!
A big thank you to Hack The Box for the fun and realistic challenge! This is the first series of Sherlocks that I’ve done with the platform, and it was an excellent experience both times. Remember, while this challenge is geared toward beginners, the narrative and triage processes are very realistic and valuable practice for all skill levels. Continuous, hands-on practice is key to staying sharp for incident response in the real world — very cool stuff!
Thanks for the support and going through this investigation with me. Remember, if you found this walkthrough helpful don’t forget to give it a clap! Your feedback really is invaluable and helps fuel my commitment to support your journey in the security community. Cybersecurity is a team sport and we’re in this together!
Until next week’s challenge — stay curious and be safe out there!
Tools & References:
FLARE-VM: https://github.com/mandiant/flare-vm
MITRE ATT&CK — OS Credential Dumping: NTDS (T1003.003): https://attack.mitre.org/techniques/T1003/003/
Microsoft Learn — Extensible Storage Engine Managed Reference: https://learn.microsoft.com/en-us/windows/win32/extensible-storage-engine/extensible-storage-engine-managed-reference
Microsoft Learn — 4799(S): A security-enabled local group membership was enumerated: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4799?source=post_page-----2efb81522f2c--------------------------------
Microsoft Learn — Ntdsutil: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753343(v=ws.11)