Investigation Report#

Week 8 - Last Ascent: ICS/SCADA Incident Response Investigation#

Wind Turbine SCADA Infrastructure Forensic Analysis#

Challenge: Last Ascent (Week 8)
Investigator: MR. Umair
Date: November 26, 2025
Target: Megacorp One Energy Systems Division - Wind Farm SCADA Infrastructure
Impact: Power stabilization layer compromised, Codex Circuit protective perimeter vulnerable

Executive Summary#

This report documents the comprehensive forensic analysis of a sophisticated multi-stage cyberattack against Megacorp One’s Wind Farm SCADA infrastructure. The threat actor employed a coordinated attack chain spanning:

Initial Access - Phishing attack via fake Microsoft login domain
Privilege Escalation - CVE-2024-35250 kernel vulnerability exploitation
Credential Harvesting - SSP DLL injection to capture plaintext credentials
Lateral Movement - SSH pivot using stolen credentials and private keys
ICS/SCADA Manipulation - Modbus commands to shutdown wind turbines

The attack resulted in autonomous wind turbines being forced into a 24-hour lockout state, compromising the power stabilization layer and exposing the Codex Circuit protective perimeter.

Challenge Overview#

Incident: Autonomous wind turbines manipulated and taken out of MegaCorp One’s control
Affected Systems: CLIENT8 workstation, RESOURCES server, Router2, PLCs (4 turbines)
Attack Duration: Approximately 4-5 hours from initial access to turbine shutdown

Question 1: Powergrid Shutdown Analysis#

Question#

Identify how the Powergrid was shut down. State the technical status of the turbines after the attack (flags, control bits, output states) and provide the IP address of the system from which the attack was performed.

Answer#

Field	Value
Turbine Status	Turbines forced into STOP state, run=0, speed register=0, lockout bit=1
Attacker IP	`192.168.1.253`

Evidence Collection#

1.1 Identifying the Attacker IP Address#

Source File: RESOURCES\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx

Method: Parsed Sysmon Event ID 3 (Network Connection) logs using python-evtx

1
import Evtx.Evtx as evtx
2

3
evtx_path = r'RESOURCES\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx'
4

5
with evtx.Evtx(evtx_path) as log:
6
    for record in log.records():
7
        xml = record.xml()
8
        if '192.168.1.253' in xml:
9
            print(xml[:3000])

Key Evidence Found:

1
<Event>
2
  <System>
3
    <EventID>3</EventID>  <!-- Network Connection -->
4
    <TimeCreated SystemTime="2025-10-30 08:59:58.343"/>
5
    <Computer>RESOURCES.scada.megacorpone.com</Computer>
6
  </System>
7
  <EventData>
8
    <Data Name="Protocol">tcp</Data>
9
    <Data Name="SourceIp">192.168.1.2</Data>
10
    <Data Name="DestinationIp">192.168.1.253</Data>
11
    <Data Name="DestinationPort">22</Data>
12
  </EventData>
13
</Event>

1.2 Understanding Turbine Technical Status#

Source File: RESOURCES\Shares\SCADA\docs\WT-PLC_Turbine_Control_Manual.pdf

Modbus Register Map from Manual:

Register Type	Address	Description
Holding Register	0	Rotor speed setpoint (010000 = 0100%)
Discrete Input	2	Turbine stopped (speed = 0%)
Discrete Input	3	Lockout active (1 = 24-hour protection mode engaged)

Attack Mechanism: The attacker triggered the protective lockout by making rapid consecutive speed commands (>20% change within 2 minutes), which:

Automatically engages the 24-hour lockout
Forces speed to 0% (run=0, speed register=0)
Sets lockout bit to 1 (lockout bit=1)

Question 2: Attacker Knowledge Source#

Question#

From where did the attacker gain the knowledge necessary to perform this attack? If from a file, include the complete filename and its SHA-256 hash.

Answer#

Field	Value
Filename	`WT-PLC_Turbine_Control_Manual.pdf`
Location	`RESOURCES\Shares\SCADA\docs\`
SHA-256	`635598615d4a9823b36163796fdc3c45702280097bad8df23fc1b8c39c9d7101`

Evidence Collection#

Hash Verification:

1
certutil -hashfile "RESOURCES\Shares\SCADA\docs\WT-PLC_Turbine_Control_Manual.pdf" SHA256

Output:

1
SHA256 hash: 635598615d4a9823b36163796fdc3c45702280097bad8df23fc1b8c39c9d7101

Key Information in Manual:

Complete Modbus Register Map (coils, discrete inputs, holding registers)
Operating procedures with Python code examples
Lockout trigger conditions (>20% change in 2 minutes)
Modbus TCP ports (1502-1505 for turbines)

Question 3: RESOURCES Machine Compromise#

Question#

How was the attacker able to compromise the RESOURCES machine? Provide the name of the exploited program and the SHA-256 hash of the malicious file used in the compromise.

Answer#

Field	Value
Exploited Program	`MonitorTool.exe`
Malicious File SHA-256	`E6E4D51009F5EFE2FA1FA112C3FDEEA381AB06C4609945B056763B401C4F3333`

Evidence Collection#

Source Files:

RESOURCES\Shares\Monitoring\MonitorTool.xml (Scheduled Task)
RESOURCES\Shares\Monitoring\monitor.log (Execution Log)

Scheduled Task Analysis:

1
<Task>
2
  <Triggers>
3
    <TimeTrigger>
4
      <Repetition>
5
        <Interval>PT10M</Interval>  <!-- Runs every 10 minutes -->
6
      </Repetition>
7
    </TimeTrigger>
8
  </Triggers>
9
  <Actions>
10
    <Exec>
11
      <Command>C:\Shares\Monitoring\MonitorTool.exe</Command>
12
    </Exec>
13
  </Actions>
14
</Task>

Attack Timeline from Logs:

1
C:\Shares\Monitoring\CheckHealth.exe not found
2
Backing up PCAPs off of router2
3
...
4
Executing C:\Shares\Monitoring\CheckHealth.exe  <-- Malicious file executed!

Attack Mechanism: Binary Planting / DLL Search Order Hijacking

MonitorTool.exe runs as a scheduled task every 10 minutes
Attacker placed malicious CheckHealth.exe in the Monitoring share
MonitorTool.exe executed the malware with elevated privileges

Question 4: Pivot Information#

Question#

What two pieces of information did the attacker obtain on the RESOURCES system that enabled them to pivot to the next system in the attack path?

Answer#

Field	Value
SSH Username	`vyos`
SSH Private Key	`router2.privkey` (for host 192.168.1.253)

Evidence Collection#

Source File: CLIENT8\amara.okafor\.ssh\router2.privkey

1
Get-ChildItem "CLIENT8\amara.okafor\.ssh" -Recurse
2
# Output: router2.privkey

Key Metadata:

1
-----BEGIN OPENSSH PRIVATE KEY-----
2
nukingdragons@blackarch  <-- Attacker attribution
3
-----END OPENSSH PRIVATE KEY-----

Question 5: Credential Harvesting Analysis#

Question#

How did the attacker harvest credentials on CLIENT8? Enter the SHA-256 hash of the tool or technique responsible for the credential harvesting.

Answer#

Field	Value
Tool	`ssp.dll` (Security Support Provider)
Location	`CLIENT8\System32\ssp.dll`
SHA-256	`566DEE9A89CE772E640CDB1126480F83EE048CEA4B7661A9427AF42A9FAB8B46`

Investigation Process#

Understanding SSP Credential Harvesting#

Security Support Provider (SSP) is a Windows authentication mechanism. Attackers can register a malicious SSP DLL that gets loaded by LSASS (Local Security Authority Subsystem Service). Once loaded, the malicious SSP intercepts all authentication attempts and captures plaintext credentials.

File Timestamp Evidence#

1
Get-ChildItem "CLIENT8\System32" | Where-Object { $_.Name -eq "ssp.dll" }

Output:

1
Name     Length  LastWriteTime
2
----     ------  -------------
3
ssp.dll  14848   10/30/2025 4:49:20 AM  <-- Attack timestamp!

Hash Verification#

1
$hash = (Get-FileHash "CLIENT8\System32\ssp.dll" -Algorithm SHA256).Hash
2
# Output: 566DEE9A89CE772E640CDB1126480F83EE048CEA4B7661A9427AF42A9FAB8B46

Captured Credentials:

Username: carmen.santos
Password: Qwerty09!
These credentials were used to pivot to the RESOURCES server

Question 6: Phishing Domain & Browser Analysis#

Question#

What is the domain of the phishing website and the user’s browser name along with its version accessed by Amara on CLIENT8?

Answer#

Field	Value
Phishing Domain	`microsoft-login.com`
Browser	Google Chrome
Version	`137.0.7151.56`

Investigation Process#

Extracting Chrome Version#

1
$versionPath = "CLIENT8\amara.okafor\AppData\Local\Google\Chrome\User Data\Last Version"
2
Get-Content $versionPath
3
# Output: 137.0.7151.56

Analyzing Chrome History#

1
$historyPath = "CLIENT8\amara.okafor\AppData\Local\Google\Chrome\User Data\Default\History"
2
[System.Text.Encoding]::UTF8.GetString([System.IO.File]::ReadAllBytes($historyPath)) |
3
    Select-String -Pattern "microsoft-login" -AllMatches

Output: Multiple references to microsoft-login domain found

Phishing Attack Analysis#

Malicious Domain: microsoft-login.com - Typosquatting domain mimicking Microsoft
Legitimate Domain: login.microsoftonline.com or login.microsoft.com
Attack Flow: User received phishing email Clicked link Visited fake login Credentials harvested

Question 7: Privilege Escalation Analysis#

Question#

How did the attacker elevate their privileges on CLIENT8? Enter the name and SHA-256 hash of the program responsible for the elevation of privileges. What is the CVE related to the vulnerability that was used to escalate their privileges?

Answer#

Field	Value
Program Name	`BitLockerDeviceEncrypton.exe`
Location	`CLIENT8\System32\BitLockerDeviceEncrypton.exe`
SHA-256	`20DA751A1B158693C04A392FD499898B055E059EC273841E5026C15E691B6AEA`
CVE	`CVE-2024-35250`

Investigation Process#

File Discovery - Masquerading Technique#

1
Get-ChildItem "CLIENT8\System32" | Where-Object { $_.Name -like "*BitLocker*" }

Output:

1
Name                          Length  LastWriteTime
2
----                          ------  -------------
3
BitLockerDeviceEncryption.exe 184320  5/7/2022 12:39:28 PM   <-- Legitimate
4
BitLockerDeviceEncrypton.exe  29184   10/30/2025 4:43:50 AM  <-- MALICIOUS (typo!)

Key Observation: The malicious filename has a TYPO - “Encrypton” instead of “Encryption”! This is a classic masquerading technique to blend in with legitimate system files.

Timeline Evidence#

Timestamp	Event
04:43:50 AM	BitLockerDeviceEncrypton.exe placed in System32
04:43-04:49	CVE-2024-35250 exploitation occurs
04:49:20 AM	ssp.dll placed in System32 (requires SYSTEM privileges)

The 6-minute gap proves the privilege escalation succeeded - writing to System32 requires SYSTEM privileges!

CVE-2024-35250 Technical Details#

Field	Value
Vulnerability	Windows Kernel-Mode Driver Elevation of Privilege
Component	ks.sys (Kernel Streaming Service / MSKSSRV)
Attack Method	Improper IOCTL handling in kernel driver
CVSS Score	7.8 (High)
Result	Local privilege escalation from user to SYSTEM

Complete Attack Chain#

1
                         COMPLETE ATTACK TIMELINE
2

3

4
  PHASE 1: INITIAL ACCESS
5
  > Phishing email sent to amara.okafor@megacorpone.com
6
  > User visits microsoft-login.com (fake Microsoft portal)
7
  > Browser: Chrome 137.0.7151.56
8
  > Credentials harvested via fake login page
9

10
  PHASE 2: PRIVILEGE ESCALATION (10/30/2025 ~04:43 AM)
11
  > Attacker deploys BitLockerDeviceEncrypton.exe (note typo)
12
  > Exploits CVE-2024-35250 (ks.sys/MSKSSRV vulnerability)
13
  > Gains NT AUTHORITY\SYSTEM privileges
14

15
  PHASE 3: CREDENTIAL HARVESTING (10/30/2025 ~04:49 AM)
16
  > Deploys ssp.dll to System32
17
  > Registers malicious SSP with LSASS
18
  > Intercepts all authentication attempts
19
  > Captures carmen.santos:Qwerty09!
20

21
  PHASE 4: LATERAL MOVEMENT
22
  > SSH pivot using vyos credentials + router2.privkey
23
  > Access to RESOURCES server via MonitorTool.exe exploit
24
  > Pivot through router2 (192.168.1.253) to SCADA network
25

26
  PHASE 5: ICS/SCADA MANIPULATION
27
  > Obtained turbine control knowledge from PDF manual
28
  > Sent Modbus commands to PLCs (192.168.2.1-192.168.2.4)
29
  > Triggered 24-hour lockout on all wind turbines

Network Topology#

1
                    Corporate Network
2

3
     CLIENT8                          RESOURCES
4
   192.168.1.x                       192.168.1.2
5
   (Workstation)                    (SCADA Server)
6

7

8

9
                               SSH (port 22)
10

11

12
                       Router2
13
                    192.168.1.253
14
                       (VyOS)
15

16

17
                               Modbus TCP
18

19

20
                      SCADA Network
21

22
   PLC 1     PLC 2     PLC 3     PLC 4
23
  .2.1:1502  .2.2:1503  .2.3:1504  .2.4:1505
24

25

26

27
   Turbine 1   Turbine 2   Turbine 3   Turbine 4

Evidence Chain - Linking CVE-2024-35250#

How Do We Know BitLockerDeviceEncrypton.exe and CVE-2024-35250 Are Connected?#

1. Sysmon Evidence - MSKSSRV Driver (CVE-2024-35250 Target)#

From the 78MB Sysmon Operational logs:

1
<EventData>
2
  <Data Name='ImageLoaded'>C:\Windows\System32\drivers\mskssrv.sys</Data>
3
  <Data Name='Hashes'>SHA256=6B712ADDF7C6B583F23F518BF35F7ECBBFA632F14E29EBE2A8E38043B1269E74</Data>
4
  <Data Name='Signed'>true</Data>
5
  <Data Name='Signature'>Microsoft Windows</Data>
6
</EventData>

10 references to mskssrv.sys found - This is the exact driver targeted by CVE-2024-35250!

2. Registry Evidence - Kernel Streaming Driver Stack#

1
STACKID: \driver\ksthunk,\driver\mskssrv,\driver\swenum
2
Service: mskssrv
3
DriverName: mskssrv.sys

3. Binary Analysis - Kernel Exploitation APIs#

Strings extracted from BitLockerDeviceEncrypton.exe:

K32EnumDeviceDrivers - Driver enumeration API
NtQuerySystemInformation - System information query
GetSystemTimeAsFileTime - Timing for exploitation
KERNEL32.dll - Kernel operations

4. Timeline Correlation - Proof of Success#

Time	Event	Significance
04:43:50	BitLockerDeviceEncrypton.exe created	Exploit tool deployed
04:43-04:49	6-minute window	Exploitation occurs
04:49:20	ssp.dll created in System32	REQUIRES SYSTEM privileges

The fact that ssp.dll was written to System32 PROVES the privilege escalation succeeded!

Indicators of Compromise (IOCs)#

File Hashes (SHA-256)#

Hash	Filename	Description
`566DEE9A89CE772E640CDB1126480F83EE048CEA4B7661A9427AF42A9FAB8B46`	ssp.dll	SSP Credential Harvester
`20DA751A1B158693C04A392FD499898B055E059EC273841E5026C15E691B6AEA`	BitLockerDeviceEncrypton.exe	CVE-2024-35250 Exploit
`635598615d4a9823b36163796fdc3c45702280097bad8df23fc1b8c39c9d7101`	WT-PLC_Turbine_Control_Manual.pdf	Knowledge Source
`E6E4D51009F5EFE2FA1FA112C3FDEEA381AB06C4609945B056763B401C4F3333`	MonitorTool.exe	Exploited Binary

Malicious Domains#

Domain	Type	Purpose
`microsoft-login.com`	Phishing	Credential harvesting via fake Microsoft login

Network Indicators#

IP Address	Role	Protocol
`192.168.1.253`	Attacker Pivot (Router2)	SSH/Modbus
`192.168.2.1-192.168.2.4`	Target PLCs	Modbus TCP

File Paths (Attacker Artifacts)#

1
C:\Windows\System32\ssp.dll
2
C:\Windows\System32\BitLockerDeviceEncrypton.exe
3
CLIENT8\amara.okafor\.ssh\router2.privkey

CVE References#

CVE ID	Description	Severity
CVE-2024-35250	Windows Kernel-Mode Driver EoP (ks.sys)	High (7.8)

MITRE ATT&CK Mapping#

Technique ID	Technique Name	Description
T1566.002	Phishing: Spearphishing Link	Fake Microsoft login page
T1003.001	OS Credential Dumping: LSASS Memory	SSP credential harvesting
T1547.005	Boot or Logon Autostart: SSP	Malicious SSP DLL registration
T1068	Exploitation for Privilege Escalation	CVE-2024-35250 exploit
T1036.005	Masquerading: Match Legitimate Name	BitLockerDeviceEncrypton.exe (typo)
T1021.004	Remote Services: SSH	Pivot via router2.privkey
T1574.001	Hijack Execution Flow: DLL Search Order	MonitorTool.exe exploitation
T1485	Data Destruction	Turbine lockout (ICS impact)

Recommendations#

Immediate Actions#

Isolate CLIENT8 from the network
Reset all credentials for amara.okafor and carmen.santos
Block domain microsoft-login.com at network perimeter
Deploy IOC signatures to EDR/SIEM
Manual turbine restart after 24-hour lockout expires

Long-term Mitigations#

Patch CVE-2024-35250 on all Windows systems
Enable Credential Guard to protect LSASS
Implement phishing-resistant MFA (FIDO2/WebAuthn)
Network segmentation between IT and OT networks
Monitor SSP registry keys for unauthorized modifications
ICS-specific monitoring for Modbus protocol anomalies
Remove unnecessary documentation from SCADA shares

Tools Used#

Tool	Purpose
`python-evtx`	Parse Windows Event Logs (.evtx)
`PyMuPDF (fitz)`	Extract text from PDF documents
`certutil`	Calculate SHA-256 file hashes
`PowerShell`	File system enumeration and analysis
`Sysmon`	Process and network monitoring analysis
`SQLite`	Chrome History database analysis

Conclusion#

The attacker employed a sophisticated multi-stage attack leveraging:

Social Engineering via typosquatting phishing domain
Zero-Day Exploitation using CVE-2024-35250 for kernel-level access
Credential Theft through SSP injection into LSASS
Operational Technology Manipulation via Modbus protocol abuse

This attack chain demonstrates the critical importance of defense-in-depth strategies, particularly in ICS/SCADA environments where IT-OT convergence creates expanded attack surfaces. The attacker’s ability to pivot from a single phished workstation to complete turbine control highlights the need for robust network segmentation and protocol-aware monitoring.

Date: November 26, 2025
Investigator: MR. Umair
Case: OffSec Echo Response - Week 8: Last Ascent

“The wind cannot be caught, but it can be understood. In cybersecurity, as in nature, knowledge of the system’s flow reveals both its power and its vulnerabilities.”