How Fired Employees Hacked Their Old Accounts: TryHackMe Block Room Walkthrough
Medium
In today’s post, we’re diving into a real-world security incident where two recently fired employees used their old credentials to access private files from a company server. As a cybersecurity professional, my job was to investigate the breach and find concrete evidence of their actions. Here’s how I tackled the challenge using powerful tools and techniques.
The Incident
The junior system administrator forgot to deactivate the accounts of two employees who were recently fired. Suspicious activities were detected on the company’s server, leading to an investigation. The only available data was a network capture of the incident and a memory dump of the Local Security Authority Subsystem Service (LSASS) process. These two pieces of evidence would prove crucial in piecing together what happened.
Analyzing the Memory Dump with PyPykatz
To begin the investigation, I used PyPykatz, a Python tool that extracts credentials from LSASS memory dumps. By analyzing the memory dump, I was able to recover usernames, passwords, and other sensitive data that helped confirm the unauthorized access. PyPykatz is invaluable in these situations as it streamlines the credential extraction process, providing quick and accurate results.
Decrypting SMB2 Traffic with Python
Next, I turned my attention to the network capture, which contained SMB2 traffic — an essential component of the communication between the compromised accounts and the server. Using ChatGPT, I developed a Python script to decrypt SMB2 traffic, allowing me to view the contents of the data being transferred. This step was crucial in understanding the scope of the breach and identifying the specific files that were accessed.
Conclusion
By combining PyPykatz for memory analysis and a custom Python script for SMB2 traffic decryption, I was able to gather the evidence needed to prove the unauthorized access. These tools and techniques are essential for any cybersecurity professional dealing with similar incidents.
If you’re interested in seeing the full process in action, check out my latest YouTube video where I walk you through every step of the investigation. Don’t forget to subscribe for more cybersecurity walkthroughs and tutorials!