Refer to Boogeyman3 for the challenge room on TryHackMe
Scenario
The Boogeyman bypassed Quick Logistics LLC's security by compromising an employee and remained undetected, waiting to launch further attacks. From initial email access, the attackers targeted CEO Evan Hutchinson to escalate their efforts.
The email looked suspicious, yet Evan opened the attachment despite his doubts. After seeing that nothing visible happened, he reported the phishing email to the security team.
Initial Investigation
After receiving the phishing email report, the security team investigated the CEO's workstation. They found the email attachment in the downloads folder.
The security team also identified a file within the ISO payload, as shown in the image below. The security team determined that the incident likely occurred between August 29 and August 30, 2023. Based on these initial findings, we are tasked with analyzing and assessing the impact of the compromise.
Tools
- Kibana
- PowerShell
- Windows Event Logs
- Sysmon Logs
Task
The scenario indicates that the victim opened the attachment despite his doubts, which suggests the payload executed on his machine. We will investigate the logs in Kibana. In the Kibana Discover view under the Analytics section, we set the time range to the incident window, August 29 to August 30, 2023.
What is the PID of the process that executed the initial stage 1 payload?
First, we add the filters "user.name: evan.hutchinson" and "process.name: powershell.exe". Since the scenario gives us the victim's name, this narrows the results to his session. A stage 1 payload of this kind typically runs its commands through PowerShell, so the earliest matching event is the one whose command line includes the attachment the victim opened.
Note: The process that launched the payload appears in the parent process column of that event, so the answer to this question is the PPID (parent process ID) of the PowerShell event, not its PID (process ID).

Note: mshta.exe runs HTML Applications (HTA files). Script inside an HTA executes outside the browser sandbox, with the full privileges of the user who launched it, which is why attackers use it as a stage 1 loader.
The stage 1 payload attempted to implant a file to another location. What is the full command-line value of this execution?
Since we now know the process that initiated the stage 1 payload, we add it to the filter to narrow our scope. The screenshot shows a command that copies a file to another location.

Note: The command uses xcopy to copy review.dat from the D:\ drive (the mounted ISO) to a temporary location on C:\, with the switch that includes hidden and system files (/h). The /s, /i, and /e options concern subdirectories and treating the destination as a directory, so they have no real effect when a single file is copied.
The implanted file was eventually used and executed by the stage 1 payload. What is the full command-line value of this execution?
After identifying the implanted file name, I searched for "review.dat" with the filter "user.name: evan.hutchinson". The screenshot shows that rundll32.exe executed the file.

The stage 1 payload established a persistence mechanism. What is the name of the scheduled task created by the malicious script?
While reviewing the events from the previous question, I found a command that creates a scheduled task, which reveals the task name.

Note: The task runs rundll32.exe with the argument "review.dat,DllRegisterServer" daily at 06:00, under the current user's privileges, with additional settings that control how the task behaves. Calling a DLL's DllRegisterServer export through rundll32 is a common way to execute DLL code, so the task re-runs the implanted DLL every day without any user interaction.
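The four questions above follow the same pattern: find the earliest PowerShell event for the victim, take its parent (the PPID), then narrow to that parent's children and look for the copy, the execution and the persistence command. The script below is an added example, not code from the writeup or from TryHackMe, that reproduces this triage over a constructed set of Sysmon Event ID 1 records. The PIDs, the HTA name, the task name and the PowerShell command line are placeholders; only review.dat, the DllRegisterServer call and the xcopy/schtasks shapes follow the writeup.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of Sysmon Event ID 1 (process creation) records in a
# flattened, ECS-like shape. NOT the room's logs: PIDs, the HTA name, the task
# name and the PowerShell command line are placeholders.
EVENTS: List[dict] = [
    {"ts": "2023-08-29T23:50:01Z", "user": "evan.hutchinson", "pid": 1000, "ppid": 4,
     "name": "explorer.exe", "cmd": r"C:\Windows\explorer.exe"},
    {"ts": "2023-08-29T23:50:40Z", "user": "evan.hutchinson", "pid": 6392, "ppid": 1000,
     "name": "mshta.exe", "cmd": r'"C:\Windows\System32\mshta.exe" D:\attachment.hta'},
    {"ts": "2023-08-29T23:50:42Z", "user": "evan.hutchinson", "pid": 7120, "ppid": 6392,
     "name": "powershell.exe", "cmd": r"powershell.exe -w hidden -ep bypass -c <stage1 script>"},
    {"ts": "2023-08-29T23:50:43Z", "user": "evan.hutchinson", "pid": 7300, "ppid": 7120,
     "name": "xcopy.exe",
     "cmd": r"xcopy /s /i /e /h D:\review.dat C:\Users\evan.hutchinson\AppData\Local\Temp\review.dat"},
    {"ts": "2023-08-29T23:50:44Z", "user": "evan.hutchinson", "pid": 7400, "ppid": 7120,
     "name": "schtasks.exe",
     "cmd": r'schtasks /create /sc daily /st 06:00 /tn PlaceholderTask '
            r'/tr "rundll32 C:\Users\evan.hutchinson\AppData\Local\Temp\review.dat,DllRegisterServer"'},
    {"ts": "2023-08-29T23:51:16Z", "user": "evan.hutchinson", "pid": 7500, "ppid": 7120,
     "name": "rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\evan.hutchinson\AppData\Local\Temp\review.dat,DllRegisterServer"},
    # A later, benign interactive shell with a normal parent (explorer.exe).
    {"ts": "2023-08-29T23:58:00Z", "user": "evan.hutchinson", "pid": 8000, "ppid": 1000,
     "name": "powershell.exe", "cmd": r"powershell.exe"},
]

# Command-line shapes the stage 1 chain above produces.
RULES: List[Tuple[str, re.Pattern]] = [
    ("mshta launched from a non-C: drive", re.compile(r'mshta\.exe"?\s+[A-BD-Z]:\\', re.I)),
    ("xcopy into the user's Temp directory", re.compile(r"^xcopy\b.*\\AppData\\Local\\Temp\\", re.I)),
    ("schtasks /create persistence", re.compile(r"^schtasks\b.*\s/create\b", re.I)),
    ("rundll32 calling DllRegisterServer", re.compile(r"^rundll32(\.exe)?\b.*,DllRegisterServer\b", re.I)),
]


def index(events: List[dict]) -> Dict[int, dict]:
    return {e["pid"]: e for e in events}


def stage1_pid(events: List[dict], user: str, child: str = "powershell.exe") -> Optional[Tuple[int, str]]:
    """Mirror the Kibana step: take the earliest <child> process for <user> and
    return its parent's PID and name, i.e. the process that ran the payload."""
    byp = index(events)
    mine = sorted((e for e in events if e["user"] == user and e["name"].lower() == child),
                  key=lambda e: e["ts"])
    if not mine:
        return None
    parent = byp.get(mine[0]["ppid"])
    return mine[0]["ppid"], (parent["name"] if parent else "<unknown>")


def lineage(events: List[dict], pid: int) -> List[str]:
    """Walk parent pointers up to the root; returns process names root-first."""
    byp = index(events)
    names, seen = [], set()
    while pid in byp and pid not in seen:
        seen.add(pid)
        names.append(byp[pid]["name"])
        pid = byp[pid]["ppid"]
    return list(reversed(names))


def descendants(events: List[dict], pid: int) -> Set[int]:
    """All PIDs under <pid>: what 'filter on the parent process' exposes."""
    kids = defaultdict(list)
    for e in events:
        kids[e["ppid"]].append(e["pid"])
    out, stack = set(), [pid]
    while stack:
        for c in kids.pop(stack.pop(), []):
            out.add(c)
            stack.append(c)
    return out


def flag_commands(events: List[dict]) -> List[Tuple[str, int, str]]:
    """Apply RULES to every command line, in timestamp order."""
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        for label, rx in RULES:
            if rx.search(e["cmd"]):
                hits.append((label, e["pid"], e["cmd"]))
    return hits


if __name__ == "__main__":
    ppid, pname = stage1_pid(EVENTS, "evan.hutchinson")
    print(f"stage 1 process: {pname} (PID {ppid}), children: {sorted(descendants(EVENTS, ppid))}")
    for label, pid, cmd in flag_commands(EVENTS):
        print(f"[{label}] PID {pid}: {cmd}")
```

Filtering on the parent first matters: the benign interactive PowerShell later in the sample is never examined because it is not a descendant of the mshta.exe process.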
The execution of the implanted file inside the machine has initiated a potential C2 connection. What is the IP and port used by this connection?
The logs from the previous tasks show that the implanted file was executed on August 29, 2023, at 23:51:16.809. After adding the filter "event.code: 3" (Sysmon network connection), I found that the events after this timestamp primarily connect to a single destination over an HTTP port, which likely indicates a C2 server.
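The C2 step is a counting exercise: restrict Sysmon Event ID 3 records to those after the execution timestamp, group by destination, and look for the destination that is hit most often and at a regular interval. The script below is an added example, not code from the writeup or from TryHackMe, run over constructed connection records; the destination IP and port, the PIDs and the 60-second beacon period are placeholders, not the room's values.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median
from typing import Dict, List, Optional

# Constructed Sysmon Event ID 3 (network connection) records, NOT the room's
# logs. The destination IP/port, PIDs and timing are placeholders chosen to
# show a 60-second beacon starting right after rundll32 ran review.dat.
CONNS: List[dict] = [
    {"ts": "2023-08-29T23:40:00Z", "pid": 3100, "image": "chrome.exe", "dst_ip": "203.0.113.5", "dst_port": 443},
    {"ts": "2023-08-29T23:51:17Z", "pid": 7500, "image": "rundll32.exe", "dst_ip": "198.51.100.23", "dst_port": 80},
    {"ts": "2023-08-29T23:52:17Z", "pid": 7500, "image": "rundll32.exe", "dst_ip": "198.51.100.23", "dst_port": 80},
    {"ts": "2023-08-29T23:53:18Z", "pid": 7500, "image": "rundll32.exe", "dst_ip": "198.51.100.23", "dst_port": 80},
    {"ts": "2023-08-29T23:54:17Z", "pid": 7500, "image": "rundll32.exe", "dst_ip": "198.51.100.23", "dst_port": 80},
    {"ts": "2023-08-29T23:55:00Z", "pid": 3100, "image": "chrome.exe", "dst_ip": "203.0.113.9", "dst_port": 443},
    {"ts": "2023-08-29T23:55:17Z", "pid": 7500, "image": "rundll32.exe", "dst_ip": "198.51.100.23", "dst_port": 80},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def destination_profile(conns: List[dict], after: str) -> List[Dict]:
    """Group connections at/after <after> by (image, dst_ip, dst_port) and
    describe each group: hit count and median gap between hits (beacon period).
    Sorted busiest first, ties broken by the most regular interval."""
    cutoff = parse_ts(after)
    groups = defaultdict(list)
    for c in conns:
        t = parse_ts(c["ts"])
        if t >= cutoff:
            groups[(c["image"], c["dst_ip"], c["dst_port"])].append(t)
    profile = []
    for (image, ip, port), times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        profile.append({"image": image, "dst": f"{ip}:{port}", "count": len(times),
                        "median_interval_s": median(gaps) if gaps else None})
    profile.sort(key=lambda p: (-p["count"], p["median_interval_s"] or float("inf")))
    return profile


def candidate_c2(conns: List[dict], after: str) -> Optional[Dict]:
    """The single most likely C2 destination after <after>, or None."""
    profile = destination_profile(conns, after)
    return profile[0] if profile else None


if __name__ == "__main__":
    for p in destination_profile(CONNS, "2023-08-29T23:51:16Z"):
        print(p)
```

A regular median interval from an image like rundll32.exe, which has no business talking to the internet on its own, is the signal worth escalating; a browser hitting many hosts once each drops to the bottom of the list.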

The attacker has discovered that the current access is a local administrator. What is the name of the process used by the attacker to execute a UAC bypass?
While searching the logs for the scheduled task in the previous question, I found an executable that caught my attention because its parent process command line was "review.dat,DllRegisterServer", that is, the rundll32.exe instance running the implanted DLL. After researching the executable's functionality, I confirmed that it is commonly abused for UAC bypass.

Note: User Account Control (UAC) is a Windows security feature that prompts for consent or an administrator password before allowing changes that affect the system. A UAC bypass lets an account that is already a local administrator obtain a high-integrity process without that prompt.
Having a high privilege machine access, the attacker attempted to dump the credentials inside the machine. What is the GitHub link used by the attacker to download a tool for credential dumping?
By searching for the keyword "github.com", we can identify the URL from which the attacker downloaded the credential dumping tool (Mimikatz).

After successfully dumping the credentials inside the machine, the attacker used the credentials to gain access to another machine. What is the username and hash of the new credential pair?
By searching for "mimikatz.exe," I found the log documenting its execution.

Note: The command uses the sekurlsa::pth module to perform pass-the-hash (PtH), starting a process that authenticates as the user itadmin in the QUICKLOGISTICS domain with the supplied NTLM hash F84769D250EB95EB2D7D8B4A1C5613F2 instead of the password.
Using the new credentials, the attacker attempted to enumerate accessible file shares. What is the name of the file accessed by the attacker from a remote share?
I spent a long time reviewing logs for the newly compromised user, since the question notes that the attacker used the new credentials, but found no relevant events. By chance, I performed a wildcard search for *share*, and a single event appeared. After examining the command, I confirmed it is used to discover shared files.

Note: The command downloads and executes PowerView.ps1 in memory. Invoke-ShareFinder enumerates the shares on hosts across the domain and reports those the current user can access.
After noting the timestamp at which the attacker downloaded the enumeration tool, I searched for events recorded after that time. I found one showing a command that reads and displays the contents of a file on a network share.

After getting the contents of the remote file, the attacker used the new credentials to move laterally. What is the new set of credentials discovered by the attacker?
By investigating the events with event ID 4624 (successful logon), we can see that the stolen credentials very likely belong to Allan.Smith.

The attacker used Allan's credentials from the first compromised user's session, so the commands that reveal them were executed under that user. We filter on the first compromised username and search for the keyword "allan.smith".

Note: This command builds a PSCredential object for the user passed via -ArgumentList, with the password converted by ConvertTo-SecureString. It then uses the Invoke-Command cmdlet to authenticate to the remote computer WKSTN-1327 and run a script block containing the whoami command.
What is the hostname of the attacker's target machine for its lateral movement attempt?
Once we search for the logs related to the second compromised user (Allan), we can determine the hostname of the machine.

The attacker executed the malicious command from the first machine to move laterally. What is the parent process name of the malicious command executed on the second compromised machine?
After identifying the second compromised username, its password, and the execution time, we can narrow our scope by filtering for the second compromised machine, the username, and the process command.

The attacker then dumped the hashes in this second machine. What is the username and hash of the newly dumped credentials?
I searched for the keyword "ntlm", since the question asks for a hash value. Knowing that the second machine was targeted on August 30, 2023, at 01:33:34, I looked for any Mimikatz events after that time that used the sekurlsa::pth module to perform a pass-the-hash attack on the second machine.

After gaining access to the domain controller, the attacker attempted to dump the hashes via a DCSync attack. Aside from the administrator account, what account did the attacker dump?
While reviewing the PowerShell logs, I learned the hostname of the domain controller (DC01).

Note: The script executed a remote command on the computer DC01.quicklogistics.org. It uses the Invoke-Command cmdlet to run a script block containing the hostname command, which returns the name of the computer, so the attacker learns the hostname of the remote machine.
By searching for the keyword "mimikatz" with the filter (DC01), I found an event containing a command that uses DCSync to dump the hash value.
Note: In a DCSync attack, the attacker abuses the directory replication protocol that domain controllers use among themselves: by impersonating a domain controller, they request password data, such as account hashes, from a real DC. This requires replication rights in the domain, which is why the attacker first needed high-privilege access. Mimikatz can perform this attack.

Note: The command instructs Mimikatz to act as a domain controller and request the password hashes for the specified user from the Active Directory domain quicklogistics.org.
After dumping the hashes, the attacker attempted to download another remote file to execute ransomware. What is the link used by the attacker to download the ransomware binary?
While reviewing the logs for the compromised user, I discovered a binary whose name suggests it is related to ransomware.
