Windows Forensics Challenge Walkthrough (LETSDEFEND)

Ahmed Belhadjadji
4 min readMar 25


This is a writeup for the “Windows Forensics” letsdefend challenge

The organization has been the target of a phishing campaign, and as a result, the phishing email has been opened on three systems within our network. To identify the Tactics, Techniques, and Procedures (TTPs) employed by the attackers, a rapid triage image was taken from one of the compromised systems and submitted to you for analysis. We need your expertise to help our incident response team respond quickly and take steps to prevent any further breaches across the network.

1/ Initial Access was made through a Malicious Document delivered through email. What Was the full path where the document was downloaded?

Extract the relevant artifacts file

Open AccessData FTK Imager

File > Add Evidence File > Image File > Browse to the relevant file > Finish

Right click on the [root] folder > Export Files > Select destination file > Ok

Open ShellBagsExplorer.exe >

File > Load offline hive > Browse to “LETSDEFEND\Users\CyberJunkie\AppData\Local\Microsoft\Windows”

Select “UsrClass.dat” file > Hold Shift key and open the file

from absolute path:


2/ What’s the document name? (The document which was delivered via phishing)

Since the file was downloaded we can check the downloads folder, if it’s not there we can check the recycler bin

Using RBCmd.exe from Eric Zimmerman tools, open the cmd as administrator

Insert the following command and change the appropriate fields:

RBCmd.exe -f “Path to the file”

> .\RBCmd.exe -f "LETSDEFEND\$Recycle.Bin\S-1–5–21–1187034906–4050784041–186213912–1001\$IWKWHDC.docx"

Security Awareness.docx

3/ What’s the stager name which connected to the attacker C2 server

The file was deleted on 2022–08–21 14:03:33

Let’s investigate if any program has been executed that time

Move to preftech directory

.\PECmd.exe -d “LETSDEFEND\Windows\Prefetch” — csv “LETSDEFEND”

Open the csv result file


4/ The attacker manipulated MACB Timestamps of the stager executable to confuse Analysts. Analyze the timestamps of the stager and verify the original timestamp and tampered one.

$STANDARD_INFO (SI) can be modified by user level processes $FILE_NAME (FN) can only be modified by the system kernel

Check system timezone

Open MFTExplorer > Load the $MFT file > Browse to the stager executable path “C:\users\cyberjunkie\desktop\”

2022–08–21 13:02:23.66 : 2021–12–25 15:34:32

5/ The attacker set up persistence by manipulating registry keys. All we know is that GlobalFlags image file technique was used to set up persistence. When exiting a certain process, the attacker persistence executable is executed. What’s the name of that process?

Check HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ for activity after the execution of the stager

Check HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\ for any suspicious information


6/ What’s the full path alongside name of the executable which is setup for persistence?

From the previous screenshot


7/ The attacker logged in via RDP and then performed lateral Movement. Attacker accessed an Internal network-connected Device via RDP. What command was run on cmd after successful RDP into Other Windows machine?

Each time we use Remote Desktop Protocol (RDP) to connect to a computer, small bitmap images are cached on the source machine. These images are stored in Cache files within the Windows Terminal Services directory. By extracting the bitmap images from the cache file, we can view small, literal pictures of the cached images.

for more reading: See this

Cache for RDP is saved here:

LETSDEFEND\Users\CyberJunkie\AppData\Local\Microsoft\Terminal Server Client\Cache

.\ -s "LETSDEFEND\Users\CyberJunkie\AppData\Local\Microsoft\Terminal Server Client\Cache" -d [destination folder]

Take a close look, because there is no order in seeing those files

net localgroup

8/ The attacker tried to download a tool from the user’s browser in that second machine. What’s the tool name?

Same way


9/ What command was executed which resulted in privilege escalation?

I answered this question using the CyberJunnkie writeup

we can use a tool called DeepBlueCLI used for Threat Hunting via Windows Event Logs

.\DeepBlue.ps1 System.evtx

cmd.exe /c echo kyvckn > \\.\pipe\kyvckn

10/ What framework was used by the attacker?

I don’t know how we can be sure of this answer but it’s the most probable one


Happy Learning !!