CrownJewel-2
Forela's domain environment is in complete chaos. Another alert has just come in from the domain controller, indicating that the NTDS.dit database is being exfiltrated. Just a day ago, you responded to an alert on the same domain controller, where the attacker dumped NTDS.dit using the vssadmin utility. However, you managed to delete the dumped file, kick the attacker out of the DC, and restore a clean snapshot. Now they have once again gained access to the DC using a domain administrator account and have persistent access in the environment. This time, they abused ntdsutil to dump the database. Help Forela in these chaotic times!!
Task 1
When utilizing ntdsutil.exe to dump NTDS on disk, it simultaneously employs the Microsoft Shadow Copy Service. What is the most recent timestamp at which this service entered the running state, signifying the possible initiation of the NTDS dumping process?
2024-05-15 05:39:55
Task 2
Identify the full path of the dumped NTDS file.
C:\Windows\Temp\dump_tmp\Active Directory\ntds.dit
Task 3
When was the database dump created on the disk?
2024-05-15 05:39:56
Task 4
When was the newly dumped database considered complete and ready for use?
2024-05-15 05:39:58
Task 5
Event logs use event sources to track events coming from different sources. Which event source provides database status data like creation and detachment?
ESENT
Task 6
When ntdsutil.exe is used to dump the database, it enumerates certain user groups to validate the privileges of the account being used. Which two groups are enumerated by the ntdsutil.exe process? Give the groups in alphabetical order joined by comma space.
Administrators, Backup Operators
Task 7
Now your task is to find the logon time of the malicious session. Using the Logon ID, find the time when the user logon session started.
2024-05-15 05:36:31
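As an added example (not part of the writeup), the correlation the tasks above walk through, expressed as a small triage script over constructed event records: it assumes the standard Windows event IDs for these sources (Service Control Manager 7036 for a service state change, ESENT 325 created / 327 detached, Security 4799 group enumeration and 4624 logon) and uses a made-up Logon ID and PID.

```python
import re
# Constructed sample records (not the Sherlock's real logs); timestamps, path and
# groups are the values the tasks above resolve to. Logon ID/PID are placeholders.
EVENTS = [
    {"src": "Service Control Manager", "id": 7036, "time": "2024-05-15 04:10:02",
     "msg": "The Volume Shadow Copy service entered the running state."},
    {"src": "Service Control Manager", "id": 7036, "time": "2024-05-15 05:39:55",
     "msg": "The Volume Shadow Copy service entered the running state."},
    {"src": "Security", "id": 4624, "time": "2024-05-15 05:36:31", "logon_id": "0x1A2B3C"},
    {"src": "Security", "id": 4799, "time": "2024-05-15 05:39:50", "logon_id": "0x1A2B3C",
     "group": "Backup Operators", "process": "C:\\Windows\\System32\\ntdsutil.exe"},
    {"src": "Security", "id": 4799, "time": "2024-05-15 05:39:50", "logon_id": "0x1A2B3C",
     "group": "Administrators", "process": "C:\\Windows\\System32\\ntdsutil.exe"},
    {"src": "ESENT", "id": 325, "time": "2024-05-15 05:39:56",
     "msg": "ntdsutil (4120,D,0) The database engine created a new database "
            "located at C:\\Windows\\Temp\\dump_tmp\\Active Directory\\ntds.dit."},
    {"src": "ESENT", "id": 327, "time": "2024-05-15 05:39:58",
     "msg": "ntdsutil (4120,D,0) The database engine detached a database "
            "located at C:\\Windows\\Temp\\dump_tmp\\Active Directory\\ntds.dit."},
]
PATH_RE = re.compile(r"located at (.+?)\.?$")

def latest_vss_running(events):
    # Task 1: newest SCM 7036 for the VSS service entering the running state.
    hits = [e["time"] for e in events if e["id"] == 7036
            and "Volume Shadow Copy" in e["msg"] and "running state" in e["msg"]]
    return max(hits) if hits else None  # "YYYY-MM-DD HH:MM:SS" sorts lexically

def ntdsutil_dump(events):
    # Tasks 2-4: ESENT 325 (created) / 327 (detached) whose source process is ntdsutil.
    info = {}
    for e in events:
        if e["src"] != "ESENT" or not e["msg"].startswith("ntdsutil "):
            continue
        m = PATH_RE.search(e["msg"])
        if e["id"] == 325 and m:
            info["path"], info["created"] = m.group(1), e["time"]
        elif e["id"] == 327 and m:
            info["detached"] = e["time"]
    return info

def groups_enumerated_by(events, exe="ntdsutil.exe"):
    # Task 6: groups from 4799 events whose Process Name is the given binary.
    return sorted({e["group"] for e in events
                   if e["id"] == 4799 and e["process"].lower().endswith(exe)})

def logon_start(events, logon_id):
    # Task 7: the 4624 that opened the session carrying the 4799 events' Logon ID.
    return next((e["time"] for e in events
                 if e["id"] == 4624 and e.get("logon_id") == logon_id), None)
```

On a real DC the same filters apply to System, Application and Security log exports (for example via Get-WinEvent), with the Logon ID taken from the 4799 events rather than hard-coded.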