Austin Lai | August 1st, 2021
Room = TryHackMe(THM) - Investigating Windows 3.x
Difficulty: Medium
The room requires you to have completed the previous two Investigating Windows rooms; those rooms equip you with the basic knowledge and skills needed to continue here.
The room provides three files, saved-state snapshots captured while the malware ran:
- a Procmon capture named "Logfile"
- an Autoruns capture named "WIN-Q5JJRDM876J"
- a Sysmon event log named "Sysmon"
Those files will be your key to answer the questions in this room.
There are 30 questions in the room.
Note: You will also need at least basic knowledge of registry keys, PowerShell commands and Windows events, and you will need to pay close attention to event timestamps.
- Question 1 = What is the registry key with the encoded payload? (full path)
- Question 2 = What is the rule name for this run key generated by Sysmon?
- Question 3 = What tactics is classified with this MITRE ATT&CK ID?
- Question 4 = What was UTC time for the Sysmon event?
- Question 5 = What was the Sysmon Event ID? Event Type? (answer, answer)
I suggest starting with the Autoruns and Sysmon files, as they contain fewer events and hold the key information you need to understand the environment.
You will find the answers to these five questions in those two files.
Hint 1
Look for a PowerShell command.
Hint 2
Look at the details of the event in the Sysmon log.
Hint 3
Take the answer you found in Question 2 and look it up on the MITRE ATT&CK site.
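As an added example (not part of the original walkthrough and not the room's files), the following Python script does in code what you do by hand in Event Viewer for Questions 1 to 5: it parses Sysmon events in the XML form shown under Details > XML View, keeps the Event ID 13 (registry value set) events whose target is a Run key and whose value contains a PowerShell encoded command, and reports the rule name, UTC time, Event ID and event type. The two events, their rule name (written in the SwiftOnSecurity config style purely as an illustration), timestamps, PIDs, paths and the Base64 blob are all constructed placeholders, not data from the room.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon events (not the room's Sysmon log) in the XML shape Event Viewer shows
# under Details > XML View. Rule name, times, PIDs, paths and the Base64 blob are placeholders.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>13</EventID>
    <TimeCreated SystemTime="2021-01-21T05:07:00.000000Z"/></System>
  <EventData>
    <Data Name="RuleName">T1060,RunKey</Data>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2021-01-21 05:07:00.000</Data>
    <Data Name="ProcessId">1234</Data>
    <Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
    <Data Name="TargetObject">HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater</Data>
    <Data Name="Details">powershell.exe -NoP -W Hidden -enc SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuAA==</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>13</EventID>
    <TimeCreated SystemTime="2021-01-21T05:06:00.000000Z"/></System>
  <EventData>
    <Data Name="RuleName">T1060,RunKey</Data>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2021-01-21 05:06:00.000</Data>
    <Data Name="ProcessId">777</Data>
    <Data Name="Image">C:\\Program Files\\Example\\setup.exe</Data>
    <Data Name="TargetObject">HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleAgent</Data>
    <Data Name="Details">"C:\\Program Files\\Example\\agent.exe" /background</Data>
  </EventData>
</Event>
</Events>"""

# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec, -en, -enc, ...).
ENC_CMD_RE = re.compile(
    r"powershell(?:\.exe)?\b.*?-(?:encodedcommand|enc|en|ec|e)\s+[A-Za-z0-9+/=]{16,}", re.I
)
# Run and RunOnce keys under any hive (HKLM or HKU\<SID>).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(?:RunOnce|Run)\\", re.I)
FIELDS = ("RuleName", "EventID", "EventType", "UtcTime", "ProcessId", "Image", "TargetObject")


def parse_sysmon_events(xml_text: str) -> List[Dict[str, str]]:
    """Flatten each <Event> into a dict: EventID from <System>, plus every <Data Name=...> field."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {"EventID": ev.findtext("e:System/e:EventID", default="", namespaces=NS)}
        for data in ev.findall("e:EventData/e:Data", NS):
            rec[data.get("Name", "")] = data.text or ""
        events.append(rec)
    return events


def find_encoded_run_keys(xml_text: str) -> List[Dict[str, str]]:
    """Event ID 13 (registry value set) events that write a PowerShell encoded command to a Run key."""
    hits = []
    for rec in parse_sysmon_events(xml_text):
        if rec["EventID"] != "13":
            continue
        if not RUN_KEY_RE.search(rec.get("TargetObject", "")):
            continue
        if not ENC_CMD_RE.search(rec.get("Details", "")):
            continue
        hits.append({k: rec.get(k, "") for k in FIELDS})
    return hits


if __name__ == "__main__":
    for hit in find_encoded_run_keys(SAMPLE_EVENTS):
        for key in FIELDS:
            print(f"{key:>13}: {hit[key]}")
```

The second event is a benign Run key write and is dropped because its value is not a PowerShell encoded command; the UtcTime field of the surviving event is what Question 4 means by UTC time, as opposed to the local time Event Viewer shows in its Date and Time column.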
- Question 6 = Decode the payload. What service will the payload attempt to start?
- Question 7 = The payload attempts to open a local port. What is the port number?
- Question 8 = What process does the payload attempt to terminate?
Locate the event with the full command line and the encoded payload from the previous answers.
Decode it.
Hint
The payload is Base64; you can decode it with an online tool, on Linux or in PowerShell. Remember that a PowerShell -EncodedCommand argument is Base64 over UTF-16LE text, so a plain Base64 decode shows a NUL byte between characters until you convert the encoding.
Once you have decoded the payload from Question 6, the answers to Questions 7 and 8 are in the same script.
- Question 9 = What DLL file does the payload attempt to remove? (full path)
If you have decoded every layer of the payload correctly, the answer is there.
Hint
Decode all of the payload: there is a payload inside the payload, inside the payload.
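As an added example of the decoding step behind Questions 6 to 9 (my own illustration, not the room's payload or the author's code), the following Python script builds a constructed nested payload in the same shape, unwraps it layer by layer and pulls out the kind of artifacts these questions ask for. The service name, port, process name and DLL path are placeholders I made up. What is real is the encoding: PowerShell's -EncodedCommand takes Base64 over UTF-16LE, while an inner blob handed to [Convert]::FromBase64String may be UTF-8 or UTF-16LE, which is why the decoder tries both and rejects anything that does not come out as readable text.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed for this example: the innermost script, not the room's payload.
INNER_SCRIPT = (
    "Start-Service -Name ExampleSvc; "
    "$l = New-Object System.Net.Sockets.TcpListener 4444; $l.Start(); "
    "Stop-Process -Name ExampleProc -Force; "
    "Remove-Item C:\\Example\\example.dll"
)


def ps_encode(script: str) -> str:
    """Encode a script the way 'powershell -EncodedCommand' expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def build_sample_command() -> str:
    """Outer command line: -enc wraps a script that itself decodes and runs a second Base64 blob."""
    inner_b64 = base64.b64encode(INNER_SCRIPT.encode("utf-8")).decode("ascii")
    outer_script = (
        "$d = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("
        + '"' + inner_b64 + '")); Invoke-Expression $d'
    )
    return "powershell.exe -NoP -W Hidden -enc " + ps_encode(outer_script)


# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec, -en, -enc, ...).
ENC_FLAG_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# Any other long Base64-looking run, e.g. the argument to FromBase64String.
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_blob(blob: str) -> Optional[str]:
    """Decode a Base64 blob as UTF-8 first, then UTF-16LE; reject anything that is not readable text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-8", "utf-16le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        # UTF-16LE bytes decoded as UTF-8 come out with NULs between characters and fail this check.
        if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


def unwrap(command: str, max_depth: int = 10) -> List[str]:
    """Return every decoded layer, outermost first, until no further Base64 payload is found."""
    layers: List[str] = []
    current = command
    for _ in range(max_depth):
        m = ENC_FLAG_RE.search(current)
        if m:
            # A -enc argument is UTF-16LE by definition, whatever the bytes look like.
            try:
                decoded = base64.b64decode(m.group(1)).decode("utf-16le")
            except (binascii.Error, ValueError, UnicodeDecodeError):
                decoded = None
        else:
            decoded = next((d for d in map(decode_blob, B64_RE.findall(current)) if d), None)
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


# Patterns for the artifacts Questions 6 to 9 ask about; written for the placeholder script above.
ARTIFACT_RES = {
    "service": re.compile(r"Start-Service\s+(?:-Name\s+)?([^\s;]+)", re.I),
    "port": re.compile(r"TcpListener\s+(\d+)", re.I),
    "process": re.compile(r"Stop-Process\s+(?:-Name\s+)?([^\s;]+)", re.I),
    "dll": re.compile(r"Remove-Item\s+(?:-Path\s+)?([^\s;]+\.dll)", re.I),
}


def extract_artifacts(script: str) -> Dict[str, str]:
    """Pull the service, listening port, terminated process and removed DLL out of a decoded script."""
    found = {}
    for name, rx in ARTIFACT_RES.items():
        m = rx.search(script)
        if m:
            found[name] = m.group(1)
    return found


if __name__ == "__main__":
    layers = unwrap(build_sample_command())
    for depth, layer in enumerate(layers, 1):
        print(f"--- layer {depth} ---\n{layer}\n")
    print(extract_artifacts(layers[-1]))
```

Against a real capture you would paste the Details value from the Sysmon event, or the command line from Procmon, into unwrap() instead of build_sample_command(); the artifact regexes are tuned to this placeholder script and will need adjusting to whatever cmdlets the real payload uses.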
- Question 10 = What is the Windows Event ID associated with this service?
This question is tricky, as it needs an extra step of investigation that the room's files do not provide.
Once you have the answer to Question 9, look for the Sysmon event relevant to that DLL.
You will notice, however, that you cannot find any event or Event ID directly associated with it.
Pay attention to the Sysmon event you do find; you will need it for the next step.
The DLL is used by a specific executable. Google it to find out what that file represents, which is a certain service.
Then Google that service to learn which event log records it and where to look: it is under Event Viewer > Applications and Services > Microsoft > Windows > ... > Admin Log.
There you will find the event associated with the service, and its Event ID.
Hint
Hint given in the room: this DLL is associated with the Print Spooler or Fax services.
- Question 11 = What is listed as the New Default Printer?
You can find this answer in the Sysmon file: search for the service you identified in Question 10.
Hint
Check the event details for the friendly name.
- Question 12 = What process is associated with this event?
The answer is in the same event you used for Questions 10 and 11.
- Question 13 = What is the parent PID for the above process?
You can read the PID from the event you located in Question 10, but the parent PID is also available in the Procmon file.
In the Procmon file, search for the DLL from Question 9, or for the executable that uses it.
Then right-click the event, open "Event Properties" and check the "Process" tab.
You will find the parent PID there.
- Question 14 = Examine the other processes. What is the PID of the process running the encoded payload?
You already know, from Questions 1 to 5, which process runs the encoded payload.
Search for it in the Procmon file and you will get the answer.
- Question 15 = Decode the payload. What is a visible partial path?
The answer is right there in the decoded payload; if you have not finished decoding every layer in Question 9, go back and do so.
Try harder.
- Question 16 = This is the default communication profile the agent used to connect to the attack machine. What attack framework was used? What is the name of the variable? (answer, answer)
This question is also tricky: the expected answers are not in the order the question asks for them, so switch the order.
Hint
There is one specific, popular attack framework for PowerShell; Google it!
Check out the "Quick Start" page on their website and look closely at the screenshot provided on that page!
- Question 17 = What other file paths are you likely to find in the logs? (answer, answer)
The answer is mentioned on the "Quick Start" page of their website; look closely at the screenshot provided on that page!
Hint
The file extension in the answer is not the one shown in the screenshot.
It is the extension you saw in the decoded payload.
- Question 18 = What is the MITRE ATT&CK URI for the attack framework?
Google it !
- Question 19 = What was the FQDN of the attacker machine that the suspicious process connected to?
You can find the answer in the Procmon file.
Turn on only "Show Network Activity" in the toolbar and the answer is right there!
- Question 20 = What other process connected to the attacker machine?
In the same Procmon view you used for Question 19, you will see another process connecting to the same host!
- Question 21 = What is the PID for this process?
Once you locate the process, the answer is right there!
- Question 22 = What was the path for the first image loaded for the process identified in Q's 19 & 20?
You have already identified the process in the Procmon file.
With "Show Network Activity" turned on, filter to include only the PIDs of the two processes.
That gives you a cleaner event list; then turn on "Show Process and Thread Activity" as well.
Notice that the question asks for the first image loaded for these two processes.
Pay attention to the "Operation" column.
You will find that none of the Load Image operations appear after those two processes' events.
TIP: to find the answer quicker, use "Highlight" to highlight "Operation is Load Image".
You will find the answer!
Hint
If you still can't find the answer, here is a big hint: check the events with a timestamp of x:07:06.
- Question 23 = What Sysmon event was generated between these 2 processes? What is its associated Event ID #? (answer, answer)
- Question 24 = What is the UTC time for the first event between these 2 processes?
- Question 25 = What is the value under Date and Time? (MM/DD/YYYY H:MM:SS [AM/PM])
In the Sysmon file, search on the PIDs of the two processes together; you will see that several events were generated by them.
The event that involves both processes is the answer!
Note that Question 24 wants the UtcTime field from the event data, while Question 25 wants the local Date and Time column that Event Viewer shows, so the two values differ by the machine's time-zone offset.
- Question 26 = What is the first operation listed by the 2nd process starting with the Date and Time from Q25?
The answer is the event immediately after the one you found in Question 22 in the Procmon file.
- Question 27 = What is the full registry path that was queried by the attacker to get information about the victim?
This is the trickiest question!
We have no idea which information the question refers to.
But go back to basics: if we want to gather information about a machine, what can we collect?
Machine information? OS information?
If so, which registry key holds it?
Google it and you will find one particular registry key path that is relevant!
Hint 1
Hint given by the room: try searching for Procmon events beginning with '1/21/2021 5:07'.
Hint 2
To narrow it down, filter "Path" to include only the base registry key.
You will be left with only a handful of relevant registry key paths.
Hint 3
Last and biggest hint: "Windows NT". Google which registry path under it is the interesting one.
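As an added example for Question 27 (my own construction, not the room's Logfile capture), the following Python script applies the same three Procmon filters in code to a CSV export: Operation begins with RegQuery, Path begins with a base registry key, and Date & Time begins with a given prefix, optionally limited to the PIDs of the two processes from Question 22. The rows, PIDs, timestamps and queried values are made up; the column names match Procmon's CSV export with the Date & Time column enabled, which is an assumption about your column settings.

```python
import csv
import io
from typing import Dict, List, Optional, Set

# Constructed Procmon CSV export (File > Save > Comma-Separated Values), not the room's Logfile.
# Column names depend on which columns are enabled when you export; this assumes the
# "Date & Time" column is shown. PIDs, timestamps and the queried values are placeholders.
SAMPLE_CSV = """\
"Date & Time","Process Name","PID","Operation","Path","Result","Detail"
"1/21/2021 5:07:06.1000000 AM","powershell.exe","1234","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion","SUCCESS","Desired Access: Read"
"1/21/2021 5:07:06.1000100 AM","powershell.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ, Length: 40, Data: Windows 10 Pro"
"1/21/2021 5:07:06.1000200 AM","powershell.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuild","SUCCESS","Type: REG_SZ, Length: 12, Data: 19041"
"1/21/2021 5:07:06.1000300 AM","powershell.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NotThere","NAME NOT FOUND",""
"1/21/2021 5:07:06.2000000 AM","svchost.exe","888","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ, Length: 40, Data: Windows 10 Pro"
"1/21/2021 5:07:07.0000000 AM","powershell.exe","1234","Load Image","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Image Base: 0x7ff800000000, Image Size: 0xc0000"
"1/21/2021 5:08:12.0000000 AM","powershell.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Length: 100, Data: powershell.exe"
"""


def parse_procmon_csv(csv_text: str) -> List[Dict[str, str]]:
    """Parse a Procmon CSV export into one dict per event, keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def registry_reads(
    events: List[Dict[str, str]],
    base_key: str,
    time_prefix: str = "",
    pids: Optional[Set[int]] = None,
) -> List[Dict[str, str]]:
    """Registry query operations under base_key (case-insensitive, as Procmon's Path filter is),
    optionally limited to events whose Date & Time starts with time_prefix and to a set of PIDs."""
    hits = []
    for ev in events:
        if not ev["Operation"].startswith("RegQuery"):  # RegQueryValue, RegQueryKey
            continue
        if not ev["Path"].upper().startswith(base_key.upper()):
            continue
        if time_prefix and not ev["Date & Time"].startswith(time_prefix):
            continue
        if pids and int(ev["PID"]) not in pids:
            continue
        hits.append(ev)
    return hits


def successful_paths(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct queried paths that returned SUCCESS, in first-seen order (NAME NOT FOUND rows are dropped)."""
    seen: List[str] = []
    for ev in hits:
        if ev["Result"] == "SUCCESS" and ev["Path"] not in seen:
            seen.append(ev["Path"])
    return seen


if __name__ == "__main__":
    evts = parse_procmon_csv(SAMPLE_CSV)
    base = "HKLM\\SOFTWARE\\Microsoft\\Windows NT"
    for ev in registry_reads(evts, base, time_prefix="1/21/2021 5:07", pids={1234}):
        print(f'{ev["Date & Time"]}  {ev["Process Name"]:<15} {ev["Operation"]:<14} {ev["Result"]:<15} {ev["Path"]}')
    print(successful_paths(registry_reads(evts, base, time_prefix="1/21/2021 5:07", pids={1234})))
```

Restricting to the suspicious PIDs is what separates the attacker's read of the key from the routine reads every service does on the same machine (the svchost.exe row here), and dropping NAME NOT FOUND results is the same idea as Procmon's "Drop Filtered Events" plus a Result filter: only the values that actually came back told the attacker anything.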
- Question 28 = What is the name of the last module in the stack from this event which had a successful result?
Once you have the answer to Question 27, this one follows from the same event.
Remember to open "Event Properties" and check the "Stack" tab.
There is also a shortcut in Procmon.
Go to Tools > Stack Summary.
You will find one particular stack (remember the two processes you found in Question 22) with interesting modules in it.
- Question 29 = Most likely what module within the attack framework was used between the 2 processes?
For this question, do more research online on the attack framework.
What are the popular modules the framework provides?
Looking back at our investigation, do you notice how the attacker used the framework? Pay particular attention to the PowerShell command and the process it was used with.
There is a similar attack method with SQL!
- Question 30 = What is the MITRE ID for this technique?
Google it!
Credit to the post from haksthehax; you will find some detail in that reference. Although it may not directly give you the answer to every question, it is still a very good reference point. 😄
Questions 27 and 28 took me a lot of time to figure out. Initially I used a brute-force method, filtering and excluding irrelevant events one by one; once I had the answer and looked back at the rationale behind it, it was easier to understand the standpoint from which to investigate.
Do let me know if anything can be improved or if you have any questions; you can contact me via THM message, leave a comment below, or reach me via FB.