Challenge: Last Ascent

Category: ICS/SCADA Forensics | Incident Response | Privilege Escalation | Red Team Operations
Difficulty: Insane ⚡

The Incident: Critical Infrastructure Under Siege

Megacorp One's Wind Farm SCADA infrastructure-the backbone of the Codex Circuit's protective perimeter-has been weaponized. Four autonomous wind turbines stand dormant, locked into a 24-hour protective shutdown. What begins as simple infrastructure failure reveals itself as a sophisticated, multi-stage cyberattack orchestrated by a threat actor who understood not just Windows exploitation, but the intricacies of industrial control systems, Modbus protocols, and network architecture.

This writeup walks through the forensic reconstruction of that attack, from the initial phishing click to the final Modbus commands that silenced the turbines.

Part 1: Understanding the Battlefield

The Systems Involved

The attack spans multiple attack surfaces:

  • CLIENT8 - User workstation where the compromise begins

  • RESOURCES - SCADA-adjacent monitoring server

  • Router2 (192.168.1.253) - Network pivot point

  • PLCs 1-4 (192.168.2.1-4) - Wind turbine controllers on Modbus TCP

  • ICS Network - Isolated SCADA network running wind farm operations

The Critical Question

Before diving into forensics, one fundamental question must be answered: How do we prove a privilege escalation vulnerability was exploited when the exploit tool itself might have been cleaned up?

The answer lies in forensic causality-if exploit execution requires admin privileges to place artifacts that can only be placed by admin, and those artifacts appear after the exploit tool, then the exploit must have succeeded.

Part 2: The Phishing Entry Point

Question: Where Did This Attack Start?

Investigation Entry Point: Browser history and fake login domains

# Chrome version extraction
Get-Content "CLIENT8\amara.okafor\AppData\Local\Google\Chrome\User Data\Last Version"
# Returns: 137.0.7151.56

# Domain enumeration in history
Select-String -Path "CLIENT8\amara.okafor\AppData\Local\Google\Chrome\User Data\Default\History" `
    -Pattern "microsoft-login" -AllMatches | Measure-Object
# Indicates: microsoft-login.com accessed multiple times

The Phishing Attack Chain

Component          Value                          Significance
────────────────────────────────────────────────────────────────────────────────────────────
Phishing Domain    microsoft-login.com            Typosquat of the legitimate Microsoft login domain
Browser Targeted   Google Chrome 137.0.7151.56    Specific version suggests targeted reconnaissance
Delivery Method    Phishing email                 Social engineering precursor
Artifact           Browser history entries        Proof of user interaction with malicious site

Key Insight: The attacker didn't necessarily exploit Chrome itself-they exploited Amara Okafor's trust in Microsoft branding. Once credentials were entered on the fake site, the attacker possessed legitimate login credentials that would pass through any MFA designed for common password managers.

Part 3: The Privilege Escalation Gateway

The Hidden Vulnerability

Question: How did the attacker transition from user privileges to SYSTEM-level access?

This is where the investigation becomes truly forensic. No running exploit process is available-only temporal evidence.

Discovering the Exploit Binary

# File enumeration - looking for suspicious System32 entries
Get-ChildItem "CLIENT8\System32" -Filter "*BitLocker*" | Select-Object Name, LastWriteTime

# Output:
# BitLockerDeviceEncryption.exe    5/7/2022 12:39:28 PM     (Legitimate)
# BitLockerDeviceEncrypton.exe     10/30/2025 4:43:50 AM    (MALICIOUS - TYPO!)

The Masquerading Technique: The malicious binary has a subtle typo-"Encrypton" instead of "Encryption". This is brilliant obfuscation: the filename is so close to a legitimate Windows component that casual inspection might miss it, yet it's different enough to avoid hash collisions with the real BitLocker binary.

Analyzing the CVE-2024-35250 Connection

<!-- From Sysmon Event ID 6 (Driver Load) -->
<EventData>
  <Data Name='ImageLoaded'>C:\Windows\System32\drivers\mskssrv.sys</Data>
  <Data Name='Hashes'>SHA256=6B712ADDF7C6B583F23F518BF35F7ECBBFA632F14E29EBE2A8E38043B1269E74</Data>
  <Data Name='Signed'>true</Data>
  <Data Name='Signature'>Microsoft Windows</Data>
</EventData>

<!-- Multiple references to mskssrv.sys (Kernel Streaming Service) -->
<!-- This is the exact target of CVE-2024-35250 -->

The Proof of Success: The Timeline

Timeline Evidence:
04:43:50 AM - BitLockerDeviceEncrypton.exe created in System32
04:43-04:49 AM - 6-minute window (exploitation window)
04:49:20 AM - ssp.dll created in System32 ← REQUIRES ADMIN/SYSTEM

Forensic Logic: Writing to System32 is blocked for user-level processes. The fact that ssp.dll appears in System32 after the exploit window proves the privilege escalation succeeded. This is causality-based forensics-not detecting the exploit itself, but proving its effects by observing the consequences of privilege elevation.

CVE-2024-35250 Technical Breakdown

Aspect             Detail
────────────────────────────────────────────────────────────────────
Vulnerability      Improper IOCTL handling in kernel driver
Target Component   ks.sys (Kernel Streaming) / mskssrv.sys
Attack Vector      Malformed I/O control code passed to kernel driver
Result             Arbitrary code execution with SYSTEM privileges
CVSS               7.8 (High)

The vulnerability exists in how the kernel driver processes I/O control codes without proper validation. An unprivileged user can craft a specially formatted IOCTL request that causes the kernel driver to execute attacker-controlled code in kernel context-effectively elevating privileges.

Part 4: The Credential Harvesting Framework

Question: How Did the Attacker Capture Plaintext Credentials?

Investigation Entry Point: Suspicious DLL in System32

# File discovery
Get-ChildItem "CLIENT8\System32\ssp.dll" | Select-Object Name, LastWriteTime
# Output: ssp.dll, 10/30/2025 4:49:20 AM

# Hash verification
(Get-FileHash "CLIENT8\System32\ssp.dll" -Algorithm SHA256).Hash
# 566DEE9A89CE772E640CDB1126480F83EE048CEA4B7661A9427AF42A9FAB8B46

Understanding Security Support Provider (SSP) Injection

SSP is a Windows authentication mechanism. The LSASS (Local Security Authority Subsystem Service) process loads SSP DLLs during system startup and uses them to handle authentication protocols like Kerberos, NTLM, and Negotiate.

An attacker can place a malicious SSP DLL in System32, register it in the registry, and LSASS will automatically load it on next authentication. Once loaded, the malicious SSP intercepts all authentication attempts and can capture credentials in plaintext.

The Captured Credentials

Intercepted During:    Normal Windows Authentication
Username:              carmen.santos
Password:              Qwerty09!
Source:                Compromised workstation (via ssp.dll injection)
Time:                  Between 04:49 AM and subsequent login
Impact:                Enables lateral movement to other systems

Why This Works: When Windows authenticates a user (even domain authentication), the SSP gets the plaintext credentials briefly during the authentication process. A malicious SSP simply copies them to a log file or network location before passing control to the legitimate SSP.

Part 5: The Lateral Movement Pivot

Question: How Did the Attacker Jump to the SCADA Network?

Investigation Entry Point: SSH artifacts on CLIENT8

# Private key discovery
Get-ChildItem "CLIENT8\amara.okafor\.ssh\" -Recurse
# Output: router2.privkey

# Key analysis
Get-Content "CLIENT8\amara.okafor\.ssh\router2.privkey" | Select-Object -First 3
# -----BEGIN OPENSSH PRIVATE KEY-----
# nukingdragons@blackarch

The SSH Pivot Architecture

CLIENT8          ←─ SSH with private key ─→   Router2 (192.168.1.253)    ──→   SCADA Network
(Compromised)                                 (VyOS network equipment)         (PLCs 1-4)

Pivot Component    Value                         Purpose
───────────────────────────────────────────────────────────────────────────────
SSH Username       vyos                          Network device management credential
SSH Private Key    router2.privkey               Passwordless authentication to Router2
Target IP          192.168.1.253                 Network edge device managing SCADA
Significance       Direct access to OT network   Enables SCADA compromise

Attacker Attribution Clue: The key metadata contains "nukingdragons@blackarch"-likely the attacker's workstation identifier. This suggests the key was generated on the attacker's machine (Arch Linux distribution) and then planted on the compromised workstation.

The RESOURCES Server Stepping Stone

Before pivoting directly to Router2, the attacker compromised the RESOURCES server-a natural stepping stone between IT and OT networks.

# Scheduled task exploitation
Get-Content "RESOURCES\Shares\Monitoring\MonitorTool.xml"
# Reveals: MonitorTool.exe runs every 10 minutes

# Attack mechanism discovered:
# - Attacker placed malicious CheckHealth.exe in monitoring share
# - MonitorTool.exe (running with elevated privileges) loads and executes it
# - Malicious file hash: E6E4D51009F5EFE2FA1FA112C3FDEEA381AB06C4609945B056763B401C4F3333

This is binary planting via DLL search order hijacking-exploiting the trust that legitimate executables have for files in their own directory.

Part 6: The Industrial Control System Compromise

Question: How Did the Attacker Know How to Manipulate the Turbines?

Investigation Entry Point: Documentation in SCADA shares

# File discovery
Get-ChildItem "RESOURCES\Shares\SCADA\docs\*" -Recurse

# Critical artifact found
Get-ChildItem "RESOURCES\Shares\SCADA\docs\WT-PLC_Turbine_Control_Manual.pdf"

# Hash verification
certutil -hashfile "RESOURCES\Shares\SCADA\docs\WT-PLC_Turbine_Control_Manual.pdf" SHA256
# 635598615d4a9823b36163796fdc3c45702280097bad8df23fc1b8c39c9d7101

The Knowledge Transfer

The PDF manual contains everything needed to attack the turbine system:

Information          Extracted From Manual             Attack Application
──────────────────────────────────────────────────────────────────────────────────────
Modbus Port Range    1502-1505                         Directs attacker to correct ports
Register Map         Complete I/O mapping              Explains which registers control what
Lockout Conditions   >20% speed change in <2 minutes   Trigger for 24-hour protective shutdown
Speed Register       Holding Register 0                Target for manipulation
Lockout Bit          Discrete Input 3                  Status indication
Run Status           Coil configuration                Boolean control signals

The Modbus Attack Mechanism

Modbus TCP is a simple, human-readable protocol. The attacker didn't need a sophisticated exploit-just knowledge of the protocol and device configuration.

Attack Sequence:
1. Connect to PLC on port 1502-1505
2. Read current speed register (e.g., 50%)
3. Send command: Set speed to 75% (>20% change)
4. Wait 2 minutes
5. Send command: Set speed to 15% (another >20% change)
6. System triggers automatic 24-hour lockout
7. Turbine enters protected state: run=0, speed=0, lockout=1

The Final Status: Turbines Offline

Technical State After Attack:
├─ run = 0 (Turbine motor disabled)
├─ speed_register = 0 (No rotation velocity)
├─ lockout_bit = 1 (24-hour protection active)
└─ recovery_time = 24 hours

Network Origin: 192.168.1.253 (Router2 - Attacker Pivot Point)
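The lockout condition documented in the manual, turned into detection logic that a monitoring tap on the SCADA segment could run over Modbus/TCP traffic. This is an added example, not code from the original writeup or the challenge environment: the PLC addresses, ports, speed register and 20%/2-minute rule come from the page; the HMI address, the use of transaction IDs to pair reads with replies, and treating FC 16 writes the same as FC 6 are assumptions.

```python
"""Detect the turbine lockout pattern in Modbus/TCP traffic (all frames constructed).

Tracks each PLC's speed setpoint (holding register 0, per the manual) from read
responses and FC 6 / FC 16 writes, flagging any write that moves it by more than
20 points within 2 minutes, the manual's 24-hour lockout trigger."""
import struct
from dataclasses import dataclass

SPEED_REGISTER = 0                 # holding register 0 = speed setpoint
LOCKOUT_DELTA = 20                 # >20% change ...
LOCKOUT_WINDOW_S = 120             # ... within 2 minutes trips the lockout
MODBUS_PORTS = range(1502, 1506)   # PLC ports 1502-1505 from the manual


@dataclass
class Alert:
    plc: str            # "ip:port" of the PLC
    source: str         # IP that sent the offending write
    old_speed: int
    new_speed: int
    seconds_apart: int


def parse_pdu(payload: bytes):
    """Split an MBAP-framed packet into (transaction_id, function_code, data)."""
    if len(payload) < 8:
        return None
    tid, proto, length, _unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0 or length != len(payload) - 6:   # not Modbus, or truncated
        return None
    return tid, fc, payload[8:]


def speed_from_write(fc: int, data: bytes):
    """Value that a FC 6 (single) or FC 16 (multiple) write assigns to the speed register."""
    if fc == 0x06 and len(data) >= 4:
        reg, value = struct.unpack(">HH", data[:4])
        return value if reg == SPEED_REGISTER else None
    if fc == 0x10 and len(data) >= 5:
        start, qty, nbytes = struct.unpack(">HHB", data[:5])
        if len(data) >= 5 + nbytes and start <= SPEED_REGISTER < start + qty:
            return struct.unpack(f">{qty}H", data[5:5 + nbytes])[SPEED_REGISTER - start]
    return None


def find_lockout_triggers(packets):
    """packets: (ts_seconds, src_ip, src_port, dst_ip, dst_port, payload) tuples."""
    last, pending, alerts = {}, {}, []   # last[plc] = (ts, speed); pending[(plc, tid)] = read start
    for ts, src, sport, dst, dport, payload in sorted(packets):
        parsed = parse_pdu(payload)
        if parsed is None:
            continue
        tid, fc, data = parsed
        if dport in MODBUS_PORTS:                             # request sent to a PLC
            plc = f"{dst}:{dport}"
            if fc == 0x03 and len(data) >= 2:                  # remember what is being read
                pending[(plc, tid)] = struct.unpack(">H", data[:2])[0]
                continue
            speed = speed_from_write(fc, data)
            if speed is None:
                continue
            prev = last.get(plc)
            if prev and ts - prev[0] <= LOCKOUT_WINDOW_S and abs(speed - prev[1]) > LOCKOUT_DELTA:
                alerts.append(Alert(plc, src, prev[1], speed, ts - prev[0]))
            last[plc] = (ts, speed)
        elif sport in MODBUS_PORTS and fc == 0x03 and data:   # read response: learn the baseline
            plc = f"{src}:{sport}"
            start, nbytes = pending.pop((plc, tid), None), data[0]
            values = struct.unpack(f">{nbytes // 2}H", data[1:1 + nbytes])
            if start is not None and start <= SPEED_REGISTER < start + len(values):
                last[plc] = (ts, values[SPEED_REGISTER - start])
    return alerts


def sample_packets():
    """Constructed capture: Router2 (192.168.1.253) reads PLC 1's speed, then drives it."""
    atk, plc1, plc2, hmi = "192.168.1.253", "192.168.2.1", "192.168.2.2", "192.168.1.10"
    return [
        (0, atk, 40001, plc1, 1502, bytes.fromhex("0001 0000 0006 01 03 0000 0001")),   # read reg 0
        (1, plc1, 1502, atk, 40001, bytes.fromhex("0001 0000 0005 01 03 02 0032")),      # reply: 50%
        (3, atk, 40001, plc1, 1502, bytes.fromhex("0002 0000 0006 01 06 0000 004B")),   # write 75%
        (123, atk, 40001, plc1, 1502, bytes.fromhex("0003 0000 0006 01 06 0000 000F")),  # write 15%
        # benign HMI trims on PLC 2: 55% via FC 6, then 58% via FC 16 (two registers at once)
        (60, hmi, 50000, plc2, 1503, bytes.fromhex("0004 0000 0006 01 06 0000 0037")),
        (200, hmi, 50000, plc2, 1503, bytes.fromhex("0005 0000 000B 01 10 0000 0002 04 003A 0001")),
    ]


if __name__ == "__main__":
    for a in find_lockout_triggers(sample_packets()):
        print(f"lockout trigger on {a.plc} from {a.source}: {a.old_speed}% -> {a.new_speed}% after {a.seconds_apart}s")
```

Both writes from Router2 trip the rule (50% to 75% two seconds after the read, then 75% to 15% two minutes later), while the small HMI adjustments on PLC 2 do not.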

Part 7: Network Forensics - Following the Packets

Sysmon Network Reconstruction

<!-- Sysmon Event ID 3: Network Connection -->
<Event>
  <System>
    <TimeCreated SystemTime="2025-10-30 08:59:58.343"/>
    <Computer>RESOURCES.scada.megacorpone.com</Computer>
  </System>
  <EventData>
    <Data Name="Protocol">tcp</Data>
    <Data Name="SourceIp">192.168.1.2</Data>
    <Data Name="DestinationIp">192.168.1.253</Data>
    <Data Name="DestinationPort">22</Data>
    <Data Name="User">MEGACORPONE\carmen.santos</Data>
    <Data Name="ProcessId">4352</Data>
  </EventData>
</Event>

Forensic Reconstruction:

  • Source: RESOURCES (192.168.1.2) with captured credentials

  • Destination: Router2 (192.168.1.253) port 22 (SSH)

  • Purpose: Pivot to network equipment managing SCADA

Timeline Convergence

Time          System      Event                              Significance
────────────────────────────────────────────────────────────────────────────────────────
04:43:50      CLIENT8     CVE-2024-35250 exploit deployed    Privilege escalation begins
04:49:20      CLIENT8     ssp.dll placed                     Admin privileges confirmed
~05:00        CLIENT8     Credentials intercepted            carmen.santos:Qwerty09! obtained
~05:15        RESOURCES   SSH connection from CLIENT8        Lateral movement initiates
~05:30-08:59  Router2     SSH session established            Network pivot achieved
08:59:58      RESOURCES   Connection to Router2:22           SCADA network access
~09:15        PLCs        Modbus commands received           Turbines attacked

Part 8: The Evidence Chain - Proving Causality

Linking All Artifacts Together

Challenge: We have individual artifacts (files, hashes, timestamps) but need to prove they're part of a coordinated attack.

Causality Evidence Chain

Prerequisite Chain (each step enables the next):

1. Phishing Credentials Obtained
   └─→ Credentials used to authenticate to CLIENT8
       └─→ Enables compromise of CLIENT8
           └─→ Enables deployment of CVE-2024-35250 exploit
               └─→ Exploit requires SYSTEM to write to System32
                   └─→ ssp.dll appears in System32 (proof of success)
                       └─→ SYSTEM privileges enable registry modification
                           └─→ ssp.dll registered with LSASS
                               └─→ All subsequent authentications captured
                                   └─→ carmen.santos credentials obtained
                                       └─→ SSH pivot to RESOURCES enabled
                                           └─→ Router2 (192.168.1.253) access obtained
                                               └─→ SCADA network reachable
                                                   └─→ PLCs accessible
                                                       └─→ Modbus commands executed
                                                           └─→ Turbines shutdown

Hash Verification Chain

Primary Artifacts (SHA-256):
├── BitLockerDeviceEncrypton.exe
│   └─ 20DA751A1B158693C04A392FD499898B055E059EC273841E5026C15E691B6AEA
│       └─ Exploits CVE-2024-35250
│           └─ Enables SYSTEM-level execution
│
├── ssp.dll
│   └─ 566DEE9A89CE772E640CDB1126480F83EE048CEA4B7661A9427AF42A9FAB8B46
│       └─ Only deployable after SYSTEM elevation
│           └─ Intercepts credentials
│
├── MonitorTool.exe (legitimate binary exploited)
│   └─ Exploited through CheckHealth.exe injection
│       └─ E6E4D51009F5EFE2FA1FA112C3FDEEA381AB06C4609945B056763B401C4F3333
│           └─ Enables RESOURCES compromise
│
└── WT-PLC_Turbine_Control_Manual.pdf
    └─ 635598615d4a9823b36163796fdc3c45702280097bad8df23fc1b8c39c9d7101
        └─ Contains Modbus register knowledge
            └─ Enables ICS manipulation

Part 9: MITRE ATT&CK Framework Mapping

The attack aligns precisely with adversary TTPs:

Phase                  MITRE Technique   Description                               Artifact
────────────────────────────────────────────────────────────────────────────────────────────────────────────
Initial Access         T1566.002         Phishing: Spearphishing Link              microsoft-login.com in browser history
Execution              T1059.001         Command Line Interface                    PowerShell exploitation
Persistence            T1547.005         Boot or Logon Autostart (SSP)             ssp.dll registration
Privilege Escalation   T1068             Exploitation for Privilege Escalation     CVE-2024-35250
Defense Evasion        T1036.005         Masquerading: Match Legitimate Name       BitLockerDeviceEncrypton (typo)
Credential Access      T1003.001         OS Credential Dumping                     SSP DLL injection into LSASS
Lateral Movement       T1021.004         Remote Services: SSH                      router2.privkey pivot
Lateral Movement       T1574.001         Hijack Execution Flow: DLL Search Order   MonitorTool.exe exploitation
Impact                 T1531             Account Access Removal                    Turbine operational shutdown

Part 10: Indicators of Compromise (IOCs) - The Forensic Signature

File Hashes (Primary IOCs)

SHA-256 Hash                             File Name                    Classification
────────────────────────────────────────────────────────────────────────────────────────
566DEE9A89CE772E640CDB1126480F83EE048CEA4B7661A9427AF42A9FAB8B46  ssp.dll                    Credential Harvester
20DA751A1B158693C04A392FD499898B055E059EC273841E5026C15E691B6AEA  BitLockerDeviceEncrypton   CVE-2024-35250 Exploit
635598615d4a9823b36163796fdc3c45702280097bad8df23fc1b8c39c9d7101  WT-PLC_Turbine_Control    Knowledge Source
E6E4D51009F5EFE2FA1FA112C3FDEEA381AB06C4609945B056763B401C4F3333  (Malicious) CheckHealth    Binary Planting

Network IOCs

IP Address        Role                        Protocol        Significance
──────────────────────────────────────────────────────────────────────────
192.168.1.253     Attacker Pivot Point        SSH/Modbus      Router2 compromised
192.168.2.1-2.4   Target PLCs                 Modbus TCP      Wind turbines
microsoft-login   Phishing Domain             HTTP/HTTPS      Credential theft vector

Registry IOCs

Registry Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
Value: ssp.dll (malicious)
Detection: Unauthorized SSP DLL registered

Process IOCs

Process Name: BitLockerDeviceEncrypton.exe  (note typo)
Parent: explorer.exe or cmd.exe
Destination: System32
Detection: Non-standard BitLocker binary name

Q&A Section: Deepening the Understanding

Q1: Why Is the Typo in "BitLockerDeviceEncrypton" Significant?

A: The typo ("Encrypton" vs "Encryption") is intentional obfuscation. It allows the malicious binary to:

  • Avoid exact name collision detection

  • Blend in visually with legitimate Windows components during casual filesystem browsing

  • Pass simple filename-based security rules

  • Exploit security tools that only look for exact matches

This demonstrates an attacker's understanding of Windows filesystem conventions and human cognitive patterns-we expect "BitLockerDeviceEncrypton" to be legitimate because it's close enough to the real thing.

Q2: How Can We Detect SSP Injection Attacks?

A: Several detection methods exist:

  1. Registry Monitoring: Watch HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages for unauthorized DLLs

  2. DLL Integrity: Verify LSASS-loaded DLLs against Microsoft signatures

  3. Behavioral Detection: Monitor for authentication traffic followed by file writes to System32

  4. EDR Telemetry: Track DLL loads into LSASS process with non-standard paths

  5. Timeline Analysis: Look for legitimate authentication events followed by suspicious files appearing in system directories

Q3: Why Was the SSH Private Key Located on the User Workstation?

A: This represents a security misconfiguration rather than an attack technique. The router2.privkey should have been:

  • Stored on the network device (Router2), not on user workstations

  • Protected by hardware security modules (HSMs)

  • Never stored in plaintext directories

  • Restricted with ACLs preventing user access

The attack surface here is created by improper key management practices—a common problem in IT/OT convergence scenarios where network administrators repurpose workstations for network administration.

Q4: Could the Attacker Have Accomplished This Without the Turbine Manual?

A: Theoretically yes, but with significantly increased difficulty:

Without Manual:

  • Requires reverse-engineering Modbus traffic

  • Needs trial-and-error with register addresses

  • Risk of detection increases with each failed command

  • No knowledge of lockout trigger conditions

  • Attack success probability drops dramatically

With Manual:

  • Exact register mapping provided

  • Lockout trigger conditions explicitly documented

  • Attack becomes reproducible and reliable

  • Success probability near 100%

This illustrates why protecting operational documentation is as critical as protecting source code. The manual isn't just "nice to have"-it's equivalent to providing the attacker with a complete exploit guide.

Q5: Why Did the Attacker Use Modbus Instead of Exploiting Firmware Directly?

A: The Modbus approach was operationally superior because:

  1. No Firmware Modification: Less detectable and more reversible

  2. Protocol Standard: Works across different turbine models

  3. Plausible Deniability: Modbus commands look like legitimate operational commands

  4. Faster Execution: Seconds vs. hours for firmware exploitation

  5. No Persistence Needed: Doesn't require maintaining access after shutdown

  6. Automatic Recovery: The 24-hour lockout appears as a safety feature, not sabotage

The attacker chose the attack path optimized for operational speed and stealth rather than technical sophistication.

Q6: How Would This Attack Look Different If Network Segmentation Existed?

A: With proper IT/OT network segmentation:

Current Attack Flow:

CLIENT8 → SSH → Router2 → Modbus TCP → PLCs

With Segmentation (Air-Gapped SCADA):

CLIENT8 → ❌ Cannot reach Router2 (network blocked)
→ Alternative: Attacker needs second access point within SCADA network
→ Requires supply chain compromise or insider threat
→ Attack complexity increases exponentially

Network segmentation would have contained the breach at the network boundary, preventing pivot to SCADA systems.

Q7: What's the Significance of the Timestamp Gap Between Exploit and ssp.dll?

A: The 6-minute gap (04:43:50 to 04:49:20) represents:

  1. Exploitation Window: Time needed for CVE-2024-35250 exploitation

  2. Privilege Escalation Latency: Time for kernel exploit to complete

  3. System Stabilization: Time to prevent detection/crash

  4. Payload Staging: Time to stage ssp.dll before deployment

The key forensic insight: Any artifact that requires SYSTEM privileges appearing after this window proves exploitation succeeded. It's impossible to write to System32 without elevation, so ssp.dll's presence = confirmed privilege escalation.

Q8: Why Didn't the Attacker Clean Up the Artifacts?

A: Several possibilities:

  1. Time Constraint: Attack had to move quickly before detection

  2. Operational Simplicity: Cleanup tools might be detected by EDR

  3. Deliberate Provocation: Leaving evidence might be intentional (demonstrating capability)

  4. Incomplete Attack Plan: Original goal was achieved; cleanup wasn't prioritized

  5. Detection Evasion Trade-off: Cleanup process might trigger more alerts than leaving artifacts

In sophisticated APT operations, attackers often intentionally leave minimal cleanup evidence to preserve the attack footprint for later stages of the campaign.

Part 11: Defensive Recommendations & Future Prevention

Immediate Containment Actions

Priority 1 (Within 1 hour):

  • Isolate CLIENT8 from network

  • Revoke all credentials for compromised users (amara.okafor, carmen.santos)

  • Block microsoft-login.com at perimeter

Priority 2 (Within 4 hours):

  • Scan all Windows systems for CVE-2024-35250 vulnerable drivers

  • Review all System32 entries for unauthorized DLLs

  • Audit network device SSH access logs

Priority 3 (Within 24 hours):

  • Manual turbine reset after lockout expires

  • Implement system recovery procedures

  • Deploy forensic images for investigation

Long-Term Architectural Defenses

1. Defense-in-Depth for IT/OT Boundary

Corporate Network
│
├─ Endpoint Detection & Response (EDR)
├─ Multi-Factor Authentication (MFA)
├─ Application Whitelisting
└─ Network Intrusion Detection (IDS)
    │
    ▼ (Firewall / DMZ)
    │
    ├─ Egress Filtering (Block unexpected outbound)
    ├─ Protocol Validation (Only allow known good)
    ├─ Rate Limiting (Modbus command throttling)
    └─ Anomaly Detection
        │
        ▼ (Air Gap / Network Segmentation)
        │
        SCADA Network (Read-only or no corporate access)

2. Vulnerability Management

  • Mandatory patching of CVE-2024-35250 across all Windows systems

  • Implement kernel-level monitoring (WMI, ETW)

  • Regular supply chain security audits

3. Credential Protection

  • Enable Windows Credential Guard (isolates LSASS credentials)

  • Deploy Hardware Security Modules (HSMs) for key storage

  • Implement FIDO2/WebAuthn for phishing resistance

  • SSH key management: Central repository with proper RBAC

4. ICS/SCADA Hardening

  • Modbus protocol filtering (only authorized commands)

  • ICS-specific monitoring for protocol anomalies

  • Temporary lockout mechanism improvements (safer trigger conditions)

  • Documentation security: Remove sensitive technical docs from accessible shares

5. Network Segmentation Standards

  • Zero-trust network architecture

  • Mandatory data loss prevention (DLP) between network segments

  • Encrypted tunnels for all remote access

  • Regular penetration testing of segment boundaries

Forensic Monitoring Enhancements

Sysmon Rules to Deploy (written in Sysmon's configuration schema; the exclusion list is a placeholder to extend with your own servicing and patching processes):

<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- Rule: CVE-2024-35250 lead. Event ID 6 (Driver Load) records the driver image,
         hashes and signature only; Sysmon does not see IOCTL calls or the calling user,
         so a mskssrv.sys load is a point to correlate with the rule below, not proof. -->
    <RuleGroup name="cve-2024-35250-driver" groupRelation="or">
      <DriverLoad onmatch="include">
        <ImageLoaded condition="contains">mskssrv</ImageLoaded>
      </DriverLoad>
    </RuleGroup>
    <!-- Rule: SSP DLL planting. Event ID 11 (File Created): any .dll written into System32. -->
    <RuleGroup name="system32-dll-created" groupRelation="or">
      <FileCreate onmatch="include">
        <Rule groupRelation="and">
          <TargetFilename condition="contains">\System32\</TargetFilename>
          <TargetFilename condition="end with">.dll</TargetFilename>
        </Rule>
      </FileCreate>
    </RuleGroup>
    <!-- Processes that legitimately write System32 (extend with your own allowlist). -->
    <RuleGroup name="system32-dll-allowlist" groupRelation="or">
      <FileCreate onmatch="exclude">
        <Image condition="is">C:\Windows\servicing\TrustedInstaller.exe</Image>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
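The causality argument from Part 3 and Q7, and the two Sysmon rules above, implemented as one check over exported Sysmon events. This is an added example, not part of the original writeup: the sample events are constructed (the timestamps and file names follow the page, the writing process and user for each file are assumed), and the baseline of legitimate System32 names and the TrustedInstaller allowlist are placeholders for a real baseline.

```python
"""Causality check over Sysmon FileCreate events (the sample log is constructed).

Turns the Part 3 reasoning into detection logic: flag System32 executables whose
name is a near-miss of a legitimate Windows binary, flag DLLs written into
System32 by processes outside an allowlist, and treat such a protected write
shortly after a flagged binary appears as evidence that the elevation succeeded.
"""
import difflib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Assumed baselines: legitimate System32 names and processes allowed to write there.
KNOWN_BINARIES = {"BitLockerDeviceEncryption.exe", "lsass.exe", "svchost.exe"}
SYSTEM32_WRITERS = {r"C:\Windows\servicing\TrustedInstaller.exe"}
ESCALATION_WINDOW = timedelta(minutes=10)   # exploit-to-effect gap worth correlating
SYSTEM32 = "c:\\windows\\system32\\"

SAMPLE_EVENTS = r"""<Events>
<Event><System><EventID>11</EventID><TimeCreated SystemTime="2025-10-30 03:10:00.000"/><Computer>CLIENT8</Computer></System>
<EventData><Data Name="Image">C:\Windows\servicing\TrustedInstaller.exe</Data><Data Name="User">NT AUTHORITY\SYSTEM</Data>
<Data Name="TargetFilename">C:\Windows\System32\update-stage.dll</Data></EventData></Event>
<Event><System><EventID>11</EventID><TimeCreated SystemTime="2025-10-30 04:43:50.000"/><Computer>CLIENT8</Computer></System>
<EventData><Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name="User">MEGACORPONE\amara.okafor</Data>
<Data Name="TargetFilename">C:\Windows\System32\BitLockerDeviceEncrypton.exe</Data></EventData></Event>
<Event><System><EventID>11</EventID><TimeCreated SystemTime="2025-10-30 04:49:20.000"/><Computer>CLIENT8</Computer></System>
<EventData><Data Name="Image">C:\Windows\System32\BitLockerDeviceEncrypton.exe</Data><Data Name="User">NT AUTHORITY\SYSTEM</Data>
<Data Name="TargetFilename">C:\Windows\System32\ssp.dll</Data></EventData></Event>
</Events>"""


def load_events(xml_text):
    """Return (time, event_id, computer, {data name: value}) per event, oldest first."""
    out = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        sysnode = ev.find("System")
        ts = datetime.strptime(sysnode.find("TimeCreated").get("SystemTime"), "%Y-%m-%d %H:%M:%S.%f")
        out.append((ts, int(sysnode.findtext("EventID")), sysnode.findtext("Computer"),
                    {d.get("Name"): d.text for d in ev.find("EventData")}))
    return sorted(out, key=lambda e: e[0])


def lookalike_of(name, known=KNOWN_BINARIES):
    """Legitimate name that `name` nearly matches (e.g. a one-letter typo), else None."""
    if name in known:
        return None
    close = difflib.get_close_matches(name, known, n=1, cutoff=0.9)
    return close[0] if close else None


def analyze(xml_text):
    """Return (kind, time, detail) findings; kind is masquerade, system32_write or escalation."""
    findings, flagged = [], []     # flagged: (time, file name) of lookalike binaries created
    for ts, eid, host, d in load_events(xml_text):
        if eid != 11 or not d["TargetFilename"].lower().startswith(SYSTEM32):
            continue               # only File Created events under System32 matter here
        target, image, user = d["TargetFilename"], d["Image"], d.get("User", "?")
        name = target.rsplit("\\", 1)[-1]
        legit = lookalike_of(name)
        if legit:
            findings.append(("masquerade", ts, f"{host}: {name} mimics {legit} (T1036.005)"))
            flagged.append((ts, name))
        if name.lower().endswith(".dll") and image not in SYSTEM32_WRITERS:
            findings.append(("system32_write", ts, f"{host}: {image} as {user} wrote {name}"))
            for t0, binary in flagged:   # a protected write soon after a flagged binary
                if timedelta(0) <= ts - t0 <= ESCALATION_WINDOW:
                    findings.append(("escalation", ts,
                                     f"{name} landed {ts - t0} after {binary} appeared: elevation inferred"))
    return findings


if __name__ == "__main__":
    for kind, ts, detail in analyze(SAMPLE_EVENTS):
        print(f"{ts:%H:%M:%S} [{kind}] {detail}")
```

The TrustedInstaller write is ignored, the typo'd BitLocker name is flagged on creation, and the ssp.dll write 5m30s later produces the escalation finding; the 10-minute window and the name baseline are the knobs to tune against real telemetry.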

Part 12: Post-Incident Forensic Summary

Attack Attribution Indicators

The attacker left breadcrumbs:

  1. SSH Key Metadata: "nukingdragons@blackarch" suggests Arch Linux attacker

  2. Attack Sophistication: Multi-stage, coordinated approach suggests organized threat group

  3. Target Knowledge: Deep understanding of both Windows and SCADA suggests insider familiarity or extensive OSINT

  4. Timing: Coordinated multi-system compromise in ~5 hour window suggests experienced team

  5. TTPs: Aligned with industrial espionage playbooks rather than amateur operations

Root Cause Analysis

Root Cause                     Layer                  Mitigation
──────────────────────────────────────────────────────────────────────────────────
Phishing Vulnerability         Social Engineering     Security awareness training + MFA
CVE-2024-35250 Unpatched       System                 Patch management process
SSP Protection Gap             Security               Credential Guard implementation
SSH Key Exposure               Operational            Key management centralization
Documentation Accessibility    Information Security   Document access controls
Network Segmentation Absence   Architecture           Zero-trust design

Metrics & Impact Assessment

Metric                 Value                                      Severity
──────────────────────────────────────────────────────────────────────────────────
Systems Compromised    3 (CLIENT8, RESOURCES, Router2)            High
Operational Impact     4 wind turbines offline                    Critical
Downtime               24 hours (by design)                       High
Data at Risk           SCADA documentation, credentials           Critical
Recovery Time          Manual restart + verification              30-60 minutes
Financial Impact       Power generation loss, incident response   High

Key Takeaways

  1. Phishing Remains the Gateway: Despite all technical defenses, social engineering via typosquatting domains remains highly effective.

  2. Privilege Escalation is Multiplicative: A single unpatched kernel vulnerability can cascade privileges across an entire system and network.

  3. Credential Harvesting Scales Attacks: Once legitimate credentials are captured, the attacker has direct operational legitimacy on other systems.

  4. IT/OT Convergence Creates Attack Paths: The blurred boundary between information technology and operational technology provided the pivot path from desktop to SCADA.

  5. Documentation Can Be Weaponized: Operational manuals that empower legitimate operators can equally empower attackers with attack knowledge.

  6. Timeline Forensics Proves Causality: When direct evidence is unavailable, forensic timelines can prove exploitation through consequence analysis.

  7. Defense-in-Depth Needed: No single control would have stopped this attack; only layered, complementary defenses would have contained it.

  8. Monitoring is Detection: Without Sysmon logging, this attack chain would have remained invisible; logging infrastructure was the differentiator.

Challenge Answers Summary

Q1 (Turbine Status & Attacker IP): Turbines forced into STOP; run=0, speed register=0, lockout bit=1; Attacker IP: 192.168.1.253.

Q2 (Knowledge Source): WT-PLC_Turbine_Control_Manual.pdf; SHA-256: 635598615d4a9823b36163796fdc3c45702280097bad8df23fc1b8c39c9d7101.

Q3 (RESOURCES Compromise): Exploited program: MonitorTool.exe; Malicious file SHA-256: E6E4D51009F5EFE2FA1FA112C3FDEEA381AB06C4609945B056763B401C4F3333.

Q4 (Pivot Information): SSH username: vyos; SSH private key: router2.privkey (for host 192.168.1.253).

Q5 (Credential Harvesting): Username: carmen.santos; Password: Qwerty09!; Capturing program ssp.dll SHA-256: 566DEE9A89CE772E640CDB1126480F83EE048CEA4B7661A9427AF42A9FAB8B46.

Q6 (Phishing Vector): Phishing Domain: microsoft-login.com; Browser: Google Chrome; Version: 137.0.7151.56.

Q7 (Privilege Escalation): Program: BitLockerDeviceEncrypton.exe; SHA-256: 20DA751A1B158693C04A392FD499898B055E059EC273841E5026C15E691B6AEA; CVE: CVE-2024-35250.

Date Completed: November 28, 2025
Challenge Difficulty: Insane ⚡ | Status: Completed
Total Investigation Time: Multi-stage forensic analysis across 7 challenge questions

"In the silence between the wind turbine blades, we find the attacker's intent. Every timestamp, every hash, every displaced file tells a story of methodical compromise. This is not chaos-this is orchestration."

References & Resources

CVE Reference

  • CVE-2024-35250: Windows Kernel-Mode Driver Elevation of Privilege

  • Component: ks.sys (Kernel Streaming) / mskssrv.sys

MITRE ATT&CK Framework

  • T1566.002: Phishing: Spearphishing Link

  • T1068: Exploitation for Privilege Escalation

  • T1003.001: OS Credential Dumping: LSASS Memory

  • T1547.005: Boot or Logon Autostart: Security Support Provider

  • T1021.004: Remote Services: SSH

  • T1036.005: Masquerading: Match Legitimate Name

  • T1574.001: Hijack Execution Flow: DLL Search Order

Forensic Tools & Techniques

  • Sysmon (System Monitoring)

  • python-evtx (Event Log parsing)

  • certutil (Hash verification)

  • PowerShell (Filesystem forensics)

  • Modbus Protocol Analysis

  • SSH private key metadata analysis

Defense Resources

  • Windows Credential Guard Implementation

  • Network Segmentation Best Practices

  • ICS/SCADA Security Framework

  • Zero-Trust Architecture Design

  • EDR Deployment Strategies
