Investigating Windows 3 - mattit4o/TryHackMeWriteUps GitHub Wiki
https://tryhackme.com/room/investigatingwindows3
This is the 3rd room out of the Investigating Windows series, and I found it the most challenging. I learned more about Yara and MITRE. It took me the longest out of the rooms in the series and I had to ask for a little help from the forums/Discord.
Initial Recon
When I first connected to the desktop of the machine, you can see a couple of items on the desktop – a Process Monitor logfile and an Autoruns logfile.
I initially thought these were from another device, but checking the system information shows it is the same PC.
Some standard icons on the taskbar (Windows Explorer, cmd, PowerShell and Event Viewer).
THM leave a few clues on the tools they think you will need.
In the c:\tools folder I could see a sysint (Sysinternals) and a Sysmon-modular folder.
There is a sysmonconfig.xml which is used for the monitoring of the machine. Lots of technique IDs from MITRE to think about.
I initially launched Autoruns from the log file and could see a few interesting items highlighted in yellow advising “not found” (meaning they have been removed).
I also opened the process monitor log and found a few thousand events!
Looking at the Autoruns logs highlighted earlier, I looked at the HKLM\Software\Microsoft\Windows\CurrentVersion\Run entry.
This looked odd and I had not seen a .debug entry before. I opened RegEdit and found the last view was:
I tried a few variations of the key in THM to see if I could get these to match. Finally, one did. Normally registry keys are written out in full: [HKEY_CURRENT_USER*******]
THM use: HKCU*******************
So the answer format (not giving too much away?) is: HKCU**********
This question took me a little while to locate. I looked in Process Monitor, saw lots of Sysmon entries, then looked in Event Viewer, checked the Application and Services logs and found the Sysmon entries. You can then search for “powershell”, but there are quite a few entries. Search for the registry entry ***** instead and you should find Technique_id=Txxxx.xxx, Technique_name=Registry Run Keys / Start Folder.
If you Google the last answer you will get the Mitre.org technique page – the tactics are listed there.
Once you find the entry for #2 in the Event Log, it has the UTC time.
The Event ID and Type are also listed in the Event Log entry you found for #2.
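The same three answers (technique ID and name from the sysmon-modular rule tag, UTC time, Event ID) can be pulled with PowerShell instead of clicking through Event Viewer. This is an added example, not part of the original write-up; it assumes Sysmon is installed with a sysmon-modular config, which sets RuleName to `technique_id=Txxxx.xxx,technique_name=...`, and the search string is a placeholder for the redacted registry key.

```powershell
# Added example: search the Sysmon operational log for events mentioning a value
# (registry key, process name, ...) and print the MITRE tag, UTC time and Event ID.
# Assumes a sysmon-modular RuleName of the form
# "technique_id=Txxxx.xxx,technique_name=Registry Run Keys / Start Folder".
function Get-SysmonTechniqueHits {
    param([Parameter(Mandatory)][string]$Needle)

    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' |
        Where-Object { $_.Message -like "*$Needle*" } |
        ForEach-Object {
            # Flatten <Data Name="x">value</Data> into a hashtable for easy lookup.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # Split the sysmon-modular rule tag into its two parts.
            $techId = $techName = $null
            if ($data['RuleName'] -match 'technique_id=(?<id>T[\d.]+),technique_name=(?<name>[^,]+)') {
                $techId   = $Matches['id']
                $techName = $Matches['name'].Trim()
            }

            [pscustomobject]@{
                UtcTime       = $data['UtcTime']
                EventId       = $_.Id                  # e.g. 1 process create, 13 registry value set
                EventType     = $_.TaskDisplayName
                TechniqueId   = $techId
                TechniqueName = $techName
                Image         = $data['Image']
                Target        = $data['TargetObject']  # registry path for event ID 12/13
            }
        }
}

# Placeholder: replace with the redacted Run key value you are hunting for.
Get-SysmonTechniqueHits -Needle '<REDACTED_RUN_KEY_VALUE>' | Format-List
```

Run it in an elevated PowerShell on the target VM; the output gives you the #2, #3 and #4 fields in one place.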
This was a little tricky initially – I did not do the questions in order and came back to this section. I spent some time looking through the logs again and also found the PowerShell transcripts in the Documents folders. Some of these helped and I could see information was base64 encoded.
I decoded via CyberChef and https://www.base64decode.org/
This did not give me what I was looking for, until I found the entry in the Registry.
The service was listed with the port number for #7.
The port is listed in the decoded text from #6.
#8 What process does the payload attempt to terminate? This needs a decode of the code found in #6.
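Decoding the base64 from the transcripts and pulling out the port and the process name can also be scripted. This is an added example, not from the write-up: the encoded sample is constructed here (a harmless `Stop-Process` against notepad plus a port variable) so it runs offline, and the regexes are my own, tuned to the kinds of answers #6, #7 and #8 ask for.

```powershell
# Added example: decode a base64 PowerShell payload and list its indicators.
function ConvertFrom-EncodedPayload {
    param([Parameter(Mandatory)][string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)
    # powershell.exe -EncodedCommand uses UTF-16LE; a payload that a loader feeds to
    # [Convert]::FromBase64String is usually UTF-8. Try both, keep the printable one.
    $utf16 = [Text.Encoding]::Unicode.GetString($bytes)
    $utf8  = [Text.Encoding]::UTF8.GetString($bytes)
    if ($utf16 -match '^[\x20-\x7E\r\n\t]+$') { return $utf16 }
    if ($utf8  -match '^[\x20-\x7E\r\n\t]+$') { return $utf8 }
    throw 'Not plain text in UTF-16LE or UTF-8 - another layer of encoding or compression?'
}

function Get-PayloadIndicators {
    param([Parameter(Mandatory)][string]$Script)
    [pscustomobject]@{
        # Processes the payload tries to terminate (Stop-Process -Name x / taskkill /im x)
        KilledProcesses = [regex]::Matches($Script, '(?i)(?:Stop-Process\s+-Name|taskkill\s+/im)\s+[''"]?([\w.]+)') |
                          ForEach-Object { $_.Groups[1].Value }
        # Numeric ports assigned ("$port = 8080") or used as host:port
        Ports           = [regex]::Matches($Script, '(?i)(?:port\s*=\s*|:)(\d{2,5})\b') |
                          ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
    }
}

# Constructed sample standing in for the transcript contents (UTF-16LE, as -EncodedCommand would be).
$sample  = '$port = 8080; Stop-Process -Name ''notepad'' -ErrorAction SilentlyContinue; "demo on $port"'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($sample))

$decoded = ConvertFrom-EncodedPayload -Base64 $encoded
$decoded                               # the recovered script text
Get-PayloadIndicators -Script $decoded # KilledProcesses = notepad, Ports = 8080
```

Paste the real blob from the transcript in place of `$encoded`; if the decode throws, the payload has a further layer (often Gzip/Deflate) to unwrap in CyberChef first.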
This was also listed in the decode but can be found in the event logs.
This can be found in the event logs under
There is only one log entry.
This is found in Printers and scanners.
The printers are controlled by a service in Windows – a little Google if you don’t know.
The answer can be found via Process Monitor – find the process and then click Go To Event. The log file entry will change behind and the Event Properties (Ctrl+P) will be shown. Click the Process tab and the Parent PID is shown.
The answer to this question took a little trial and error. “What is the PID of the process running the encoded payload?” may be a better question.
You can see the processes in Process Monitor, and clicking each shows the commands. (It’s not mmc.)
This was in the 2nd decode text
#16 This is the default communication profile the agent used to connect to the attack machine. What attack framework was used? What is the name of the variable? (answer, answer)
The question is a bit ambiguous. Getting the order right is half the battle.
The default communication profile is the variable used – check the Listeners 101 section on the Quickstart page of the GitHub for the C2 attack framework.
The attack framework name can be found on the GitHub page.
A Google of the information you found in #15 (#16) should show some examples of other paths. These are also in the Application and Services log files.
Try searching for the #15 answer in the PowerShell logs.
This can be found if you search Google for the answer to #15 plus “mitre”, or on Mitre.org.
I filtered the processes and looked for “powershell”.
There are some TCP Send entries which show the FQDN.
Try filtering by TCP Send to see other processes that connect to the same destination as #19.
You can see the PID once you see them in the list from #20.
Filter by the PID found in #21 and Operation “Load Image”.
#23 What Sysmon event was generated between these 2 processes? What is its associated Event ID #? (answer, answer)
This took a while – checking through the Sysmon event logs, I searched for the process ID found above.
Found a few entries for PowerShell and Explorer where they.
Look for the first occurrence.
Look for the first occurrence.
If you look in Process Monitor around the same time, the Event type is listed.
#27 What is the full registry path that was queried by the attacker to get information about the victim?
Open the Process Monitor log and look at processes after 5:07 with Operation RegQueryValue.
Right-click the attacking PowerShell process and view the Process tab; in the Stack section it is the last in the list: <*******>
Look on the Mitre page for the Modules and Techniques used.
See #29 and match the ID on Mitre page.
Credits - Blue Teaming is about sharing knowledge. I had help from several members of the forum and discord so am not taking all the credit.