TryHackMe: Investigating Windows 3.x (Difficulty: Medium)

Find the artifacts resident on the endpoint and sift through captured data to determine what type of attack occurred on the endpoint.

The room is https://tryhackme.com/room/investigatingwindows3.

Task 1: Investigating Windows 3.x

Note: In order to answer the questions in this challenge you should have completed the following rooms:

Answer the questions below:

All logs can be listed with:
`Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/*' | Sort-Object TimeCreated`


There are many logs to examine, so they must be filtered down.

https://bit.ly/3xA05yj
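Filtering on `$_.Message -like "*enc*"` works, but it scans the whole rendered message text and can hit unrelated events. As an added example that is not part of the original post or the room, the function below reads the same `.\Sysmon.evtx`, lets the event log service do the filtering (`-FilterHashtable` is much faster than piping every record through `Where-Object`), and exposes each Sysmon EventData field (`RuleName`, `UtcTime`, `TargetObject`, `Details`, ...) as a named property so you can filter on the field that actually matters. The `Get-SysmonEvent` name is my own; the file path is the one the page uses.

```powershell
# Added example (not from the room or the original post): turn Sysmon EVTX records
# into objects with named EventData fields. Assumes .\Sysmon.evtx as on the page.

function Get-SysmonEvent {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int[]]$Id,
        [datetime]$Start,
        [datetime]$End
    )
    # FilterHashtable is evaluated by the event log service, which is far faster
    # than Where-Object over every record.
    $filter = @{ Path = $Path }
    if ($Id)    { $filter.Id        = $Id }
    if ($Start) { $filter.StartTime = $Start }
    if ($End)   { $filter.EndTime   = $End }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            # The XML view carries every EventData field under its Sysmon name,
            # unlike .Properties, whose index order differs per event type and
            # Sysmon version.
            $xml = [xml]$_.ToXml()
            $obj = [ordered]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
            }
            foreach ($d in $xml.Event.EventData.Data) {
                $obj[$d.GetAttribute('Name')] = $d.'#text'
            }
            [pscustomobject]$obj
        }
}

# Overview: how many records of each Sysmon event type the capture contains.
Get-SysmonEvent -Path .\Sysmon.evtx |
    Group-Object EventId | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# q1/q2/q4: registry value set (ID 13) whose data carries an encoded command.
# '-enc' also matches '-EncodedCommand' (the match is case-insensitive);
# matching on Details instead of Message avoids hits on unrelated text.
Get-SysmonEvent -Path .\Sysmon.evtx -Id 13 |
    Where-Object { $_.Details -match '-enc' } |
    Select-Object UtcTime, RuleName, TargetObject, Image, ProcessId |
    Format-List
```

The `UtcTime` field is Sysmon's own UTC timestamp, which is what q4 asks for; `TimeCreated` is rendered in the local time zone of the analysis machine.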

Review:

q1: What is the registry key with the encoded payload? (full path)

`Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=13' | Sort-Object TimeCreated | Where-Object {$_.Message -like "*enc*"} | fl`

Voila! You'll find the encoded payload.

Alternatively, open the "Autoruns Log File" named WIN-Q5JJRDM876J on the desktop:

"Updater" looks suspicious because it is not verified, whereas the other entries are verified by their publisher.

Go up one level in the registry path by removing "Run" from it:

Voila! You'll find the encoded payload.

Another alternative is Event Viewer:

q2: What is the rule name for this run key generated by Sysmon?

`Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=13' | Sort-Object TimeCreated | Where-Object {$_.Message -like "*\Software\Microsoft\Windows\CurrentVersion*"} | fl`

Alternatively, it can be found in Event Viewer:

q3: What tactics is classified with this MITRE ATT&CK ID?

Review:

https://attack.mitre.org/techniques/T1547/

https://attack.mitre.org/techniques/T1547/001/

q4: What was UTC time for the Sysmon event?

It has already been found in the results above.

q5: What was the Sysmon Event ID? Event Type? (answer, answer)

q6: Decode the payload. What service will the payload attempt start?

`regjump HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Debug`

In the same way:

In addition to the above, "Jump to Entry" in Autoruns can be used. That is enough; from here on, let's continue through screenshots.

Copy the encoded payload into CyberChef and decode it as shown below:

The decoded code looks like the following:

q7: The payload attempts to open a local port. What is the port number?

Review the above code.

q8: What process does the payload attempt to terminate?

Decode the base64 code:

The code is:

After the final base64 decoding step, the whole code is:
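The same multi-layer decoding can be done in PowerShell itself rather than in CyberChef, which is handy when you want to diff several payloads or pull the indicators out automatically. The block below is an added example and not the room's payload or the original post's code: a `-enc` argument is base64 over UTF-16LE text, and staged payloads often carry a second, plain-UTF-8 base64 blob inside, so `ConvertFrom-EncodedCommand` peels layers until no `FromBase64String(...)` blob remains, and `Get-PayloadIndicators` lists the service, process, DLL, port and URL artefacts the room asks about without executing anything. Both function names are mine, and the two-layer sample payload is constructed here (harmless, with a TEST-NET address) purely to imitate the shape of the room's data.

```powershell
# Added example (not from the room or the original post): decode a PowerShell
# "-enc"/"-EncodedCommand" argument and extract indicators from the result.

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    $layers  = @()
    # Outer layer: always UTF-16LE, which is what "powershell -enc" expects.
    $current = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
    $layers += $current
    # Inner layers: a quoted base64 blob handed to FromBase64String, decoded as UTF-8.
    $inner = 'FromBase64String\([''"]([A-Za-z0-9+/=]{16,})[''"]\)'
    while ($current -match $inner) {
        $current = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Matches[1]))
        $layers += $current
    }
    $layers
}

function Get-PayloadIndicators {
    # Pull the artefacts the room asks about out of decoded text, statically.
    param([Parameter(Mandatory)][string]$Script)
    $grab = { param($Pattern) [regex]::Matches($Script, $Pattern) | ForEach-Object { $_.Groups[1].Value } }
    [pscustomobject]@{
        Services  = @(& $grab '(?i)(?:Start|Stop)-Service\s+(?:-Name\s+)?[''"]?([\w.-]+)')
        Processes = @(& $grab '(?i)Stop-Process\s+(?:-Name\s+)?[''"]?([\w.-]+)')
        Dlls      = @(& $grab '(?i)([A-Z]:\\[^''"\s]+\.dll)')
        Ports     = @(& $grab '(?i)TcpListener\s*\(?[^)\d]*(\d{2,5})')
        Urls      = @(& $grab '(https?://[^''"\s]+)')
    }
}

# --- constructed sample, two layers deep (not the room's real payload) ---
$stage2 = 'Stop-Service -Name ''ExampleFaxSvc''; Stop-Process -Name ''example''; ' +
          'Remove-Item ''C:\Example\example.dll''; ' +
          '$l = New-Object System.Net.Sockets.TcpListener(4444); ' +
          '$u = ''http://203.0.113.10:9001/admin/get.php'''
$stage2B64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($stage2))
$stage1    = "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('$stage2B64')))"
$encoded   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stage1))

$layers = ConvertFrom-EncodedCommand -Base64 $encoded
"Decoded $($layers.Count) layer(s); final script:"
$layers[-1]
Get-PayloadIndicators -Script $layers[-1] | Format-List
```

For a real sample, paste the string that follows `-enc` from the Event ID 13 `Details` field (or the Event ID 1 `CommandLine`) into `ConvertFrom-EncodedCommand`; every decoded layer is returned so you can read the outer stager as well as the final stage.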

q9: What DLL file does the payload attempt to remove? (full path)

Everything is in the code above.

q10: What is the Windows Event ID associated with this service?

Review: https://www.file.net/process/fxssvc.exe.html

`Get-WinEvent -ListLog * | findstr "Print"`

`Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-PrintService/Admin"} | fl -property *`

It can also be searched in Event Viewer if there are not too many logs:

q11: What is listed as the New Default Printer?

The answer has already been found above.

q12: What process is associated with this event?

`Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=13' | Sort-Object TimeCreated | Where-Object {$_.Message -like "*ualapi.dll*"} | fl -property *`

Via Event Viewer:

Through Process Monitor:

q13: What is the parent PID for the above process?

q14: Examine the other processes. What is the PID of the process running the encoded payload?

Using PowerShell:

`Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=1' | Sort-Object TimeCreated | Where-Object {$_.Message -like "*enc*"} | fl`

The code above looks like Empire's PowerShell payload.

On Process Monitor:

q15: Decode the payload. What is the visible partial path?

Decode the highlighted part on CyberChef:

Then decode the bold part one more time using base64 decoding:

The whole code is:

Findings so far:

  • 2 encoded payloads were found and decoded,
  • the payload references the fax service (fxssvc.exe), ualapi.dll, PrintDemon, and the Antimalware Scan Interface (AMSI),
  • remote IP 34.245.128.161 and remote port 9001, found in both decoded payloads, along with the path '/admin/get.php',

`Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=3' | Sort-Object TimeCreated | fl`

First Payload
Second Payload

In the first payload, the attacker stops the fax service and removes ualapi.dll. Then, most likely, the attacker performs process injection to hide inside a legitimate process.

  • “The default printer was changed to PrintDemon.”

`Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-PrintService/Admin"} | fl -property *`

All of these actions are malicious, so let's research them with some Google-fu.

Review the links below, as I won't explain them here:

o https://github.com/BC-SECURITY/Invoke-PrintDemon

o https://github.com/ionescu007/faxhell

o https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/

o https://windows-internals.com/printdemon-cve-2020-1048/

o https://github.com/BC-SECURITY/Empire

o https://bc-security.gitbook.io/empire-wiki/quickstart

o https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal

o https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps

q16: This is the default communication profile the agent used to connect to the attack machine. What attack framework was used? What is the name of the variable? (answer, answer)

Answer in the reverse order of the question: the variable (2) goes first and the attack framework (1) second, i.e. (variable, attack framework).

Review:

https://github.com/BC-SECURITY/Empire

http://www.powershellempire.com/?page_id=110

q17: What other file paths are you likely to find in the logs? (answer, answer)

Review:

https://github.com/BC-SECURITY/Empire

http://www.powershellempire.com/?page_id=110

q18: What is the MITRE ATT&CK URI for the attack framework?

https://attack.mitre.org/software/S0363/

q19: What was the FQDN of the attacker machine that the suspicious process connected to?

`nslookup 34.245.128.161`

Alternatively,

`ping -a 34.245.128.161`

q20: What other process connected to the attacker machine?

`Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=3' | Sort-Object TimeCreated | fl`

q21: What is the PID for this process?

`Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=3' | Sort-Object TimeCreated | fl`

q22: What was the path for the first image loaded for the process identified in Q’s 19 & 20?

q23: What Sysmon event was generated between these 2 processes? What is its associated Event ID #? (answer, answer)

The logs of the 2 encoded payloads are below:

`Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=13' | Sort-Object TimeCreated`

`Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=13' | Sort-Object TimeCreated | Where-Object {$_.Message -like "*enc*"} | fl`

TimeCreated : 1/21/2021 5:08:13 PM

`Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=1' | Sort-Object TimeCreated`

`Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=1' | Sort-Object TimeCreated | Where-Object {$_.Message -like "*enc*"} | fl`

TimeCreated : 1/21/2021 5:05:45 PM

Investigate the interval between "1/21/2021 5:05:45 PM" and "1/21/2021 5:08:13 PM".

All logs:

`Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/*' | Sort-Object TimeCreated`

The Event ID that answers this question monitors processes injecting code into other processes. This capability is used by legitimate tasks and applications, but malware also uses it to hide malicious activity.

q24: What is the UTC time for the first event between these 2 processes?

`Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=8' | Sort-Object TimeCreated`

`$date = [datetime]"1/21/2021 5:07:06 PM"`

`Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=8' | Sort-Object TimeCreated | Where-Object {$_.TimeCreated -eq $date} | fl`
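Reading the Event ID 1, 3, 7 and 8 results one query at a time, as above, works but makes it easy to lose the thread between the two processes. As an added example that is not part of the original post or the room, the block below derives the two PIDs from the log itself (the process whose command line carries `-enc`, and every process with an Event ID 3 connection to the attacker IP found above) and prints a single timeline of process creation, network connections, image loads and CreateRemoteThread events involving them, which covers q20 through q24 in one pass. It assumes `.\Sysmon.evtx` and the remote IP 34.245.128.161 from the page; `ConvertTo-SysmonObject` is my own helper name.

```powershell
# Added example (not from the room or the original post): one timeline for the
# two processes that talk to the attacker host. Assumes .\Sysmon.evtx and the
# remote IP found on the page; the PIDs are derived from the log, not hard-coded.

function ConvertTo-SysmonObject {
    # Short helper: expose EventData fields (UtcTime, ProcessId, ...) by name.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $data = [ordered]@{ TimeCreated = $Record.TimeCreated; EventId = $Record.Id }
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.'#text'
        }
        [pscustomobject]$data
    }
}

$log      = '.\Sysmon.evtx'
$remoteIp = '34.245.128.161'   # from the decoded payloads on the page

# Process that ran the encoded payload (q14): ID 1 with -enc on the command line.
$payloadProc = Get-WinEvent -FilterHashtable @{ Path = $log; Id = 1 } |
    ConvertTo-SysmonObject |
    Where-Object { $_.CommandLine -match '-enc' } |
    Select-Object -First 1

# Every process that connected to the attacker host (q19-q21): ID 3 by DestinationIp.
$connections = Get-WinEvent -FilterHashtable @{ Path = $log; Id = 3 } |
    ConvertTo-SysmonObject |
    Where-Object { $_.DestinationIp -eq $remoteIp }

# Collect PIDs as an array; the pipeline keeps a single string from becoming
# string concatenation.
$pids = @($connections | ForEach-Object ProcessId) + @($payloadProc.ProcessId) |
    Sort-Object -Unique
"Processes talking to $remoteIp : $($pids -join ', ')"

# Timeline (q22-q24): creation (1), network (3), image loads (7) and
# CreateRemoteThread (8) involving any of those PIDs, in log order.
Get-WinEvent -FilterHashtable @{ Path = $log; Id = 1, 3, 7, 8 } |
    ConvertTo-SysmonObject |
    Where-Object {
        $_.ProcessId -in $pids -or $_.SourceProcessId -in $pids -or $_.TargetProcessId -in $pids
    } |
    Sort-Object TimeCreated |
    Select-Object UtcTime, EventId,
        @{ n = 'Pid'; e = {
            if ($_.EventId -eq 8) { "$($_.SourceProcessId)->$($_.TargetProcessId)" } else { $_.ProcessId }
        } },
        @{ n = 'Detail'; e = {
            switch ($_.EventId) {
                1 { $_.CommandLine }
                3 { "$($_.DestinationIp):$($_.DestinationPort)" }
                7 { $_.ImageLoaded }
                8 { "$($_.SourceImage) -> $($_.TargetImage)" }
            }
        } } |
    Format-Table -AutoSize -Wrap
```

The first Event ID 7 row for the second process is its first loaded image (q22), and the first Event ID 8 row between the two PIDs gives the UTC time of the injection (q24); Event ID 7 only appears if image loading was enabled in the Sysmon configuration that produced the capture.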

q25: What is the value under Date and Time? (MM/DD/YYYY H:MM:SS [AM/PM])

q26: What is the first operation listed by the 2nd process starting with the Date and Time from Q25?

q27: What is the full registry path that was queried by the attacker to get information about the victim?

Review:

q28: What is the name of the last module in the stack from this event which had a successful result?

q29: Most likely what module within the attack framework was used between the 2 processes?

q30: What is the MITRE ID for this technique?

Review: https://attack.mitre.org/techniques/T1055/

I got the "Investigating Windows" badge after completing this room.

Last but not least, taking notes, especially after rooms and machines that cover knowledge and descriptions, is crucial and handy for building your own methodology when you need it, and it makes things easier to recall.

#tryhackme #investigating-windows #sysinternals #sysmon #mitre #mitre-att&ck #event-logs #powershell #process-monitor #event-viewer #Faxhell #PrintDemon #ualapi.dll #powershell-empire #empire #c2 #command-and-control-server #psinject #process-inject #Invoke-PrintDemon #CVE-2020-1048 #autoruns #empireproject #/admin/get.php #fxssvc.exe #Antimalware Scan Interface (AMSI)

Thanks for reading and sharing. See you later, stay healthy and have a nice day.

You can find me on:

LinkedIn: bit.ly/34BKvtC

Github: bit.ly/3JNmXkK

linktr.ee: bit.ly/3DZiDN1

Hamdi Sevben


| Penetration Tester | AWS Cloud Practitioner | eWPTXv2 | eMAPT | CPTE | CEH | CPEH | HTB Practitioner | TryHackMe Top %1 |
