Introduction to HackTheBox Event Horizon

Phishing attack against the CEO
The challenge, named “Event Horizon”, comes from Hack The Box’s Blue Team training. Its background: the company’s CEO fell victim to a phishing attack. The email either impersonated someone the CEO knew or used stolen credentials to appear legitimate, and the CEO was tricked into downloading a file, most likely an executable or a document with embedded code. Opening it gave the attacker access to the machine.

Walkthrough

PowerShell log deletion hides malicious activity
After gaining access, the attacker cleared PowerShell logs, a standard post-exploitation move to cover their tracks and hinder forensic investigation. The aim is to erase the record of commands executed so that investigators cannot reconstruct what was done once the attacker was inside. As the following sections show, the clearing was incomplete: the Microsoft-Windows-PowerShell/Operational log still held the script block records that solve the challenge.

Navigating Windows event logs
The walkthrough shows how to examine the compromised system’s log files. The exported event logs are first sorted by size, which quickly separates the logs that actually hold events from the empty or near-empty ones. Attention then turns to the Microsoft-Windows-PowerShell/Operational log, which records PowerShell module loads (Event ID 4103) and the script blocks that were executed (Event ID 4104), the key clues for uncovering attacker behaviour.

Antivirus blocks Mimikatz execution attempts
Analysis revealed multiple Event ID 4100 entries showing that attempts to run Mimikatz (a credential-dumping tool) had been blocked by the antivirus; this is the AMSI “blocked by your antivirus software” error that PowerShell logs under 4100. Specifically, Invoke-Mimikatz was flagged and stopped, which suggests the attacker either underestimated the endpoint protection or was probing it.

Filtering logs to expose executed commands
The analyst then filtered on Event ID 4104, which records the script blocks PowerShell actually executed. This revealed many entries that were chunks of one large, structured script: script block logging splits long scripts into numbered parts, each labelled like “script block 35 of 37”, so ordering the parts by that number reconstructs the complete script.

Discovery of PowerUp privilege escalation tool
Reassembling the script blocks confirmed the use of PowerUp, a well-known PowerShell privilege-escalation tool that enumerates Windows misconfigurations (weak service permissions, unquoted service paths, writable binaries and similar) that can be abused to elevate privileges. This shows the attacker’s objective extended beyond initial access: they were preparing to escalate privileges for broader control of the host.
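The triage described above (sort the exported logs by size, check Event ID 4100 for antivirus blocks, reassemble the Event ID 4104 script blocks and look for PowerUp) can be scripted. The following PowerShell is an added example written for this page; it is not code from the video or from Hack The Box. The export directory, the assumption that the exported file kept its on-disk name Microsoft-Windows-PowerShell%4Operational.evtx, and the PowerUp indicator strings are all assumptions.

```powershell
# Added example (not from the walkthrough): triage exported .evtx files and
# reconstruct PowerShell script blocks from Event ID 4104 records.
# $LogDir is an assumed location; point it at the real export.
param(
    [string]$LogDir = 'C:\evidence\logs'
)

# 1. Sort the exported logs by size: empty or near-empty logs can be skipped.
Get-ChildItem -Path $LogDir -Filter '*.evtx' |
    Sort-Object Length -Descending |
    Select-Object Name, @{ Name = 'KB'; Expression = { [math]::Round($_.Length / 1KB) } } |
    Format-Table -AutoSize

# Assumed file name (the on-disk name of the Operational log).
$psLog = Join-Path $LogDir 'Microsoft-Windows-PowerShell%4Operational.evtx'

# 2. Event ID 4100 records pipeline errors. An AMSI block is logged here with the
#    text "blocked by your antivirus software", and the message names the function.
Get-WinEvent -FilterHashtable @{ Path = $psLog; Id = 4100 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'blocked by your antivirus software' } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Blocked = [regex]::Match($_.Message, 'Invoke-\w+').Value
        }
    } | Format-Table -AutoSize

# 3. Event ID 4104 is script block logging. Long scripts are split into chunks
#    ("MessageNumber of MessageTotal") that share one ScriptBlockId.
#    Property order for 4104: [0] MessageNumber, [1] MessageTotal,
#    [2] ScriptBlockText, [3] ScriptBlockId, [4] Path.
$blocks = Get-WinEvent -FilterHashtable @{ Path = $psLog; Id = 4104 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Number = [int]$_.Properties[0].Value
            Total  = [int]$_.Properties[1].Value
            Text   = [string]$_.Properties[2].Value
            Id     = [string]$_.Properties[3].Value
        }
    }

# Group the chunks by ScriptBlockId and join them in MessageNumber order.
$scripts = $blocks | Group-Object Id | ForEach-Object {
    $chunks = @($_.Group | Sort-Object Number)
    [pscustomobject]@{
        Id       = $_.Name
        Start    = $chunks[0].Time
        Chunks   = $chunks.Count
        Expected = $chunks[0].Total
        Complete = ($chunks.Count -eq $chunks[0].Total)   # false if the log was partially cleared
        Script   = ($chunks.Text -join '')
    }
}

# 4. Flag reassembled scripts that look like PowerUp and write them out for review.
#    Indicator strings are assumptions chosen for this example.
$indicators = 'PowerUp', 'Invoke-AllChecks', 'Invoke-PrivescAudit', 'Get-UnquotedService'
$scripts |
    Where-Object { $s = $_.Script; ($indicators | Where-Object { $s -match $_ }).Count -gt 0 } |
    ForEach-Object {
        '[{0}] ScriptBlockId {1}: {2}/{3} chunks (complete={4})' -f `
            $_.Start, $_.Id, $_.Chunks, $_.Expected, $_.Complete
        $out = Join-Path $LogDir ("scriptblock_{0}.ps1" -f $_.Id)
        Set-Content -Path $out -Value $_.Script
        "  reconstructed script written to $out"
    }
```

The Complete column is the check worth keeping an eye on: when an attacker has cleared part of the log, a ScriptBlockId will have fewer chunks than its MessageTotal, and the reconstructed script is then only a fragment.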

Piecing together evidence to solve the CTF
Once PowerUp was identified, the analyst traced it through the reconstructed script and found the flag, concluding the challenge. This demonstrated not only the technical process of identifying executed commands but also how attacker behaviour can be reverse-engineered even after an attempt to erase the evidence.

Insights Based on Numbers

  • 149 filtered events indicated extensive use of PowerShell, underlining the need for event filtering techniques.
  • Event IDs 4100 and 4104 became the critical identifiers: 4100 for pipeline errors, including scripts blocked by the antivirus, and 4104 for the script blocks that were actually executed.
  • Numbered script block entries (e.g., 1 of 35) allowed reconstruction of a sophisticated attack framework, confirming the use of PowerUp.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.