Operation Blackout 2025: Smoke & Mirrors
CHALLENGE DESCRIPTION
Byte Doctor Reyes is investigating a stealthy post-breach attack where several expected security logs and Windows Defender alerts appear to be missing. He suspects the attacker employed defense evasion techniques to disable or manipulate security controls, significantly complicating detection efforts. Using the exported event logs, your objective is to uncover how the attacker compromised the system’s defenses to remain undetected.
SET UP
# 1. Create a Python virtual environment
python3 -m venv myenv
# 2. Activate the virtual environment
source myenv/bin/activate # For Linux/macOS
# 3. Install the python-evtx library
pip install python-evtx
# 4. Download the evtx_dump.py script
wget https://raw.githubusercontent.com/williballenthin/python-evtx/master/scripts/evtx_dump.py
# 5. Run the script on your .evtx file
python3 evtx_dump.py some.evtx > log.xml
SOLUTION
After unzipping the archive, we see lots of evtx files.
The attacker disabled LSA protection on the compromised host by modifying a registry key. What is the full path of that registry key?
grep -i lsa *
Answer
HKLM\SYSTEM\CurrentControlSet\Control\LSA
Which PowerShell command did the attacker first execute to disable Windows Defender?
grep 'Set-MpPreference' *
Answer
Set-MpPreference -DisableIOAVProtection $true -DisableEmailScanning $true -DisableBlockAtFirstSeen $true
The attacker loaded an AMSI patch written in PowerShell. Which function in the DLL is being patched by the script to effectively disable AMSI?
Hunt for the API names typically seen in AMSI bypasses in the PowerShell logs:
egrep -i 'AmsiScanBuffer|VirtualProtect|LoadLibrary|GetProcAddress' *
Answer
AmsiScanBuffer
Which command did the attacker use to restart the machine in Safe Mode?
A Google search for the command used to restart a machine in Safe Mode gives the string to grep for:
grep -i '/set safeboot' *
Answer
bcdedit.exe /set safeboot network
Which PowerShell command did the attacker use to disable PowerShell command history logging?
grep -i 'history' *
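The greps above work, but each one has to be re-run per indicator and gives no timeline. The script below is an added example, not part of the original write-up or of the python-evtx project: it parses the XML that evtx_dump.py writes (one namespaced Event element per record), flattens each event's EventData/UserData fields and runs the four indicators hunted in this challenge (LSA registry key tampering, Set-MpPreference with -Disable switches, AmsiScanBuffer/amsi.dll references, and bcdedit safeboot) as regex rules over every event, sorted by time. It generalises the individual greps into one rule set. The embedded SAMPLE_XML is constructed to mimic evtx_dump.py's layout and is not the challenge's real log data; the ATT&CK sub-technique labels and the RunAsPPL value name in the sample are my own annotations, not something the write-up states.

```python
"""Triage evtx_dump.py XML output for the defense-evasion indicators hunted above."""
import re
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Namespace carried by every <Event> element that evtx_dump.py writes out.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str        # ATT&CK sub-technique, for the analyst's notes
    pattern: re.Pattern


# Each rule is searched against the concatenated EventData/UserData text of one
# event, so the same rule set covers Sysmon registry events, PowerShell 4104
# script blocks and Security 4688 process-creation events.
RULES: List[Rule] = [
    Rule("lsa_protection_tamper", "T1562.001",
         re.compile(r"CurrentControlSet\\Control\\Lsa\b", re.I)),
    Rule("defender_tamper", "T1562.001",
         re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.I)),
    Rule("amsi_patch", "T1562.001",
         re.compile(r"AmsiScanBuffer|amsi\.dll", re.I)),
    Rule("safe_mode_boot", "T1562.009",
         re.compile(r"bcdedit(\.exe)?\s+/set\s+safeboot", re.I)),
]

# Constructed sample in the layout evtx_dump.py produces (not the challenge's
# real logs). One benign script block is included to show that it is ignored.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>13</EventID><TimeCreated SystemTime="2025-04-01T09:58:10Z"/><Computer>WS01</Computer></System><EventData><Data Name="Image">C:\Windows\regedit.exe</Data><Data Name="TargetObject">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</Data><Data Name="Details">DWORD (0x00000000)</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID><TimeCreated SystemTime="2025-04-01T10:00:00Z"/><Computer>WS01</Computer></System><EventData><Data Name="ScriptBlockText">Set-MpPreference -DisableIOAVProtection $true -DisableEmailScanning $true -DisableBlockAtFirstSeen $true</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID><TimeCreated SystemTime="2025-04-01T10:01:30Z"/><Computer>WS01</Computer></System><EventData><Data Name="ScriptBlockText">$h = [Win32]::LoadLibrary('amsi.dll'); $p = [Win32]::GetProcAddress($h, 'AmsiScanBuffer'); [Win32]::VirtualProtect($p, 5, 0x40, [ref]$old)</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID><TimeCreated SystemTime="2025-04-01T10:02:00Z"/><Computer>WS01</Computer></System><EventData><Data Name="ScriptBlockText">Get-Process | Sort-Object CPU -Descending | Select-Object -First 5</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID><TimeCreated SystemTime="2025-04-01T10:05:00Z"/><Computer>WS01</Computer></System><EventData><Data Name="NewProcessName">C:\Windows\System32\bcdedit.exe</Data><Data Name="CommandLine">bcdedit.exe /set safeboot network</Data></EventData></Event>
</Events>
"""

META_FIELDS = ("EventID", "Provider", "Time")


def iter_events(xml_text: str) -> Iterator[ET.Element]:
    """Yield every <Event> element; bytes input lets ET accept an XML declaration."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    yield from root.iter("{%s}Event" % NS["e"])


def event_payload(event: ET.Element) -> Dict[str, str]:
    """Flatten System metadata plus every EventData/UserData child into one dict."""
    system = event.find("e:System", NS)
    provider = system.find("e:Provider", NS) if system is not None else None
    created = system.find("e:TimeCreated", NS) if system is not None else None
    fields = {
        "EventID": (system.findtext("e:EventID", default="", namespaces=NS) if system is not None else "").strip(),
        "Provider": provider.get("Name", "") if provider is not None else "",
        "Time": created.get("SystemTime", "") if created is not None else "",
    }
    for container in ("e:EventData", "e:UserData"):
        node = event.find(container, NS)
        if node is None:
            continue
        for child in node:
            # Sysmon/PowerShell use <Data Name="...">; UserData uses tag names.
            name = child.get("Name") or child.tag.split("}")[-1]
            fields[name] = "".join(child.itertext()).strip()
    return fields


def hunt(xml_text: str, rules: List[Rule] = RULES) -> List[Dict[str, str]]:
    """Run every rule over every event's payload; return findings sorted by time."""
    findings = []
    for event in iter_events(xml_text):
        fields = event_payload(event)
        text = "\n".join(v for k, v in fields.items() if k not in META_FIELDS)
        for rule in rules:
            m = rule.pattern.search(text)
            if m:
                findings.append({
                    "time": fields["Time"],
                    "event_id": fields["EventID"],
                    "provider": fields["Provider"],
                    "rule": rule.name,
                    "technique": rule.technique,
                    # Short context window around the match, for the report.
                    "evidence": text[max(0, m.start() - 40):m.end() + 60].replace("\n", " "),
                })
    findings.sort(key=lambda f: f["time"])
    return findings


if __name__ == "__main__":
    # Usage: python3 hunt_evasion.py log.xml   (falls back to the built-in sample)
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for f in hunt(source):
        print(f"{f['time']}  EID {f['event_id']:>5}  {f['rule']:<22} {f['technique']}  {f['evidence']}")
```

Run it against the `log.xml` produced in the set-up step and the output is a time-ordered list of the tampering events, which is also the order in which the challenge questions are answered. Adding a rule is one line; for instance, the history-logging question above only needs a pattern over the same ScriptBlockText field.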