Byte Doctor Reyes is investigating a stealthy post-breach attack where several expected security logs and Windows Defender alerts appear to be missing. He suspects the attacker employed defense evasion techniques to disable or manipulate security controls, significantly complicating detection efforts. Using the exported event logs, your objective is to uncover how the attacker compromised the system's defenses to remain undetected.
https://app.hackthebox.com/sherlocks/Operation Blackout 2025: Smoke & Mirrors

I will use Splunk for this challenge.

I filtered for the LSA registry path and found it was modified. The logs show a reg add command was used to change the RunAsPPL value to 0, which disables LSA protection and allows LSASS to be dumped more easily.
LSA (Local Security Authority) Protection, also known as LSA Protection Mode or LSA RunAsPPL (Run as Protected Process Light), is a Windows security feature that hardens the Local Security Authority Subsystem Service (LSASS) by running it as a protected process, so that only other protected, specially signed code can open it with the access needed to read its memory. LSASS is the component that enforces the local security policy, handles password changes, creates access tokens, and manages user logons, which is why its memory holds credential material that attackers try to dump.
https://medium.com/h7w/lsa-protection-bypass-detection-16e8db3ab66c
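As an added example (my own code, not part of this writeup and not the challenge's exported logs), a small Python detector that applies the check above to constructed Sysmon-style events: it flags a reg.exe command line that writes RunAsPPL to 0 or deletes the value, and a registry value-set event whose data is 0, while leaving the legitimate values 1 and 2 alone. The event shapes, field names, host and user names are assumptions modelled on Sysmon Event IDs 1, 12 and 13 after field extraction.

```python
import re

# Constructed sample events (not the challenge's exported logs), shaped like
# Sysmon Event ID 1 (process create), 12 (registry delete) and 13 (value set).
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "WS01\\jdoe", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": 'reg  add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v RunAsPPL /t REG_DWORD /d 0 /f'},
    {"EventID": 13, "User": "WS01\\jdoe", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RunAsPPL", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RunAsPPL", "Details": "DWORD (0x00000002)"},
]
RUNASPPL_VALUE = re.compile(r"\\control\\lsa\\runasppl$", re.I)
DWORD_DETAILS = re.compile(r"DWORD \(0x([0-9a-f]+)\)", re.I)


def cmdline_downgrade(cmd):
    """Flag a reg.exe command line that zeroes or deletes the RunAsPPL value."""
    t = cmd.lower().replace('"', "").split()
    if len(t) < 2 or t[0].rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return None
    if "runasppl" not in t or not any("\\control\\lsa" in x for x in t):
        return None
    if t[1] == "delete":
        return "reg delete removes RunAsPPL (LSA protection off unless UEFI-locked)"
    if t[1] == "add" and "/d" in t[:-1]:
        try:  # data may be decimal or hex, e.g. "0" or "0x0"
            if int(t[t.index("/d") + 1], 0) == 0:
                return "reg add sets RunAsPPL to 0 (LSA protection disabled)"
        except ValueError:
            pass
    return None


def lsa_ppl_finding(event):
    """Return a finding if this event weakens LSA protection, else None."""
    eid, target = event.get("EventID"), event.get("TargetObject", "")
    if eid == 1:
        return cmdline_downgrade(event.get("CommandLine", ""))
    if eid == 13 and RUNASPPL_VALUE.search(target):
        m = DWORD_DETAILS.search(event.get("Details", ""))
        if m and int(m.group(1), 16) == 0:  # 1 and 2 enable PPL; only 0 disables it
            return "registry value RunAsPPL written as 0"
    if eid == 12 and RUNASPPL_VALUE.search(target):
        return "registry value RunAsPPL deleted"
    return None


def triage(events):
    """(User, Image, finding) for every event that downgrades LSA protection."""
    return [(e.get("User", "?"), e.get("Image", "?"), f) for e in events if (f := lsa_ppl_finding(e))]
```

Run `triage(SAMPLE_EVENTS)` to see both the process-creation and the registry-set event for the same user flagged, while the SYSTEM write of value 2 is ignored.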
