Baldi's Basics Answer Key
Forensics
Forensics 1
For forensics 1, you had to decrypt the packets in the given pcap file using the ssl keys on the desktop. Through
that, you would notice a mdns poisoning (2nd answer) attack that began with the url [Link] (1st answer).
Searching through the packets for YouTube video links, you would come across [Link]
v=IFERaX0EwDU and [Link] (3rd answer).
Forensics 2
Searching the system for common auto-run areas, you would find a visual basic script at C:
\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9 \MACHINE\Scripts\Startup\[Link] (1st
answer), which added the Administrator user with the password Sup3rS3cu4eP@ssw0rd! (2nd answer).
Forensics 3
This question could have multiple solutions. Some options would be to analyze the image’s certificates with a
fresh install, check recently installed certificates, or analyze the malware installed by the attacker. Analyzing the
dll at C:\Windows\System32\cbdhsvc_57ffe2.dll would reveal it was signed by Microsoft Root Certificate Authority
2012 (1st answer). Checking this certificate would reveal the expiration date to be 12/31/2029 [Link] PM (2nd
answer).
Forensics 4
The trickery described in the forensics is that there are two different reset password options when you right-
click a user. One of these would work normally, while the other would run a PowerShell script adding back the
Null user. This is done through display-name specifiers in the active directory located at CN=user-
Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=baldi,DC=local (1st answer). The specific attribute in
this object that was modified is adminContextMenu (2nd answer), and the script it is calling is located at C:
\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\reset_password.ps1 (3rd answer).
Vulnerabilites
User Auditing
Administrator account is not enabled - e
Removed unauthorized user Null - e
User Arts and Crafters is not a Domain Admin - e
User Bully no longer uses DES encryption for kerberos - e
User Beans no longer has a SID History - h
You can read more about SID history here: [Link]
Account Policy
Passwords must meet complexity requirements - e
Local Policy
Domain Users can no longer backup files and directories - e
LDAP server requires signing to be negotiated with clients - e
�Storage of credentials is no longer allowed for network authentication - e
Strengthened default permissions of internal system objects - e
UAC switches to secure desktop when prompting for elevation - e
Defensive Countermeasures
Windows Defender blocks process creations originating from PSExec and WMI commands - e
Windows Defender examines DNS queries for exfiltration attempts - m
Windows Defender runs in a sandboxed environment - h
IPsec forces Diffie-Hellman for key exchange - m
IPsec no longer uses MD5 for hashing - m
Blocking process creations from PSExec and WMI is the attack surface reduction rule d1e49aac-8f56-4280-
b9ba-993a6d77406c.
Examining DNS queries for exfiltration is EnableDnsSinkhole in MpPreference options.
Sandboxing Windows Defender is the environment variable MP_FORCE_USE_SANDBOX.
The IPsec vulnerabilities are just located in the advanced Windows Defender firewall properties.
Uncategorized Operating System Settings
IPv6 component disabled - e
Disk quotas disabled for C: - e
PATH environment variable does not contain C:\temp - m
Your SSL keys are no longer logged - m
Everyone no longer has write permissions to the Security event log - m
Non-administrator account are not allowed to make root installations into their own HKCU certificate store - sh
Windows Platform Binary Table (WPBT) functionality disabled - sh
IPv6 isn’t required and only adds to the system’s attack surface.
Disk quotas were set to deny any storage to users, not allowing them to conduct their daily tasks.
The C:\temp directory was writeable by everyone while being in the PATH variable, making it vulnerable.
The student’s SSL keys are being dumped with the SSLKEYLOGFILE environment variable, allowing anyone to
record network traffic and later decrypt it.
Everyone could write to the event log, which means they could implant fake logs, clear their tracks, etc.
By default, non-administrator users can make certificate installations into their own HKCU store. This can be
leveraged by hackers to install their own malicious certificates, even with non-privileged accounts. There is an
undocumented registry key modification outlined by MITRE to mitigate this vulnerability by setting
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots\Flags to 1. ([Link]
techniques/T1553/004/)
There are many persistence mechanisms in Windows; however, not all need to be stored in Windows. During
the Windows boot, [Link] calls the NtQuerySystemInformation() function with the deprecated parameter 0x85.
This scans UEFI tables for WPBT (Windows Platform Binary Table) and passes them back to [Link]. [Link]
then stores this piece of UEFI memory into [Link], takes a command line from the same parameter, checks
[Link] integrity with IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY, and [Link] is executed. While extremely
complicated, this means that attackers could execute code (written using only [Link] and no Win32Api calls)
on boot. With this, attackers can obtain UEFI-level persistence and inject executables into Bitlocker-encrypted
drives. The WPBT functionality can be completely disabled, thus mitigating any attack vectors, by setting the
undocumented registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DisableWpbtExecution to 1.
Service Auditing
Windows Defender Firewall startup type is automatic and running - e
Everyone no longer has full control over Windows Event Log service - sh
�Windows Defender Service runs in Protected Process Light (PPL) mode - sh
Permission doesn’t only apply to basic file structures. Services have their own set of permissions stored in their
SDDL string. The Event Log Service’s SDDL has been modified to allow everyone to have full control over the
service. This means that anyone could start or stop the service, as well as a lot more malicious actions.
Many services in Windows run in PPL (Protected Process Light) mode, protecting them from undue
modifications. The most commonly remembered one is LSASS; however, Windows Defender is also one such
service. On the image, Windows Defender is no longer running in PPL mode.
Operating System Updates
Windows automatic updates configured - e
Application Updates
Prohibited Files
Removed startup script with plaintext administrator password - e
Removed unauthorized partition with prohibited files - m
Unwanted Software
Removed Powershell 2.0 - m
Removed DSInternals powershell module - h
Malware
Removed malicious Microsoft Root Certificate Authority 2012 certificate - m
Removed malicious display specifier imitating reset password option - m
Removed service running skeleton key persistence mechanism - m
Application Security Settings
LDAP no longer allows anonymous calls to the NSPI RPC bind method - m
Authenticated users can no longer edit the defualt domain policy GPO - h
Authenticated users may not join computers to the domain - h
DNS version query disabled - e
DNS server no longer performs recursive name resolution - e
[Link] zone only allows secure dynamic updates - e
DHCP server is authorized - e
DHCP audit logging enabled - e
DHCP IPv4 scope uses name protection - e
Enabled Restricted admin for RDP - e
RDP Shadowing blocked at firewall level - h
By default, authenticated users may join up to 10 computers in the domain, which provides full control to the
user. This has been previously used in CVE-2021-42287 to escalate privileges. Thus, it’s recommended to set the
ms-DS-MachineAccountQuota attribute to 0.
There was a firewall rule that specifically allowed RDP shadowing. It is best to block RDP shadowing at the
firewall level to provide an extra level of security.
