Tempest - TryHackMe
Scenario
This room aims to introduce the process of analysing endpoint and network logs from a compromised asset. Given the artefacts, we will aim to uncover the incident from the Tempest machine. In this scenario, you will be tasked to be one of the Incident Responders that will focus on handling and analysing the captured artefacts of a compromised machine.
Documents Provided
- capture.pcap
- sysmon.evtx
- windows.evtx
Task 3
In this task we are asked to obtain the SHA256 hash of each file that we will use for this investigation. The information we need is already in the task; we will use PowerShell to obtain the hashes.
Get-FileHash -Algorithm SHA256 [filename]
Also, as the task suggests, I will create the parsed CSV of the sysmon event log. I will use the following command:
.\EvtxECmd.exe -f "C:\Users\user\Desktop\Incident Files\sysmon.evtx" --csv "C:\Users\user\Desktop\Incident Files\out"
Q1: What is the SHA256 hash of the capture.pcapng file?
Q2: What is the SHA256 hash of the sysmon.evtx file?
Q3: What is the SHA256 hash of the windows.evtx file?
Task 4
This challenge has a guideline all along, so it makes it easier for people starting on this kind of analysis, such as me! It provides you a path to follow that you can later put into practice in other scenarios.
So, following this, I will open the sysmon log in Timeline Explorer as suggested.
Q4: The user of this machine was compromised by a malicious document. What is the file name of the document?
In the description of the task we have a clue: we should investigate the child processes of WinWord.exe. This question is more related to the executable itself. So what I did was search for the name of the file in the search bar, and then identify its process ID, to search for it again. In this case, since it is the beginning, it could be related to a process creation, which in sysmon is Event ID 1. Searching a little bit, we will find the name of the file.
Q5: What is the name of the compromised user and machine?
We can find this information in the same event we found; take care with the format when answering the question.
Q6: What is the PID of the Microsoft Word process that opened the malicious document?
We also found this when I started looking for the file, so we already have it.
Q7: Based on Sysmon logs, what is the IPv4 address resolved by the malicious domain used in the previous question?
Now, still searching for process ID 496, we can look for rows whose Map Description is a DNS event (DNS query). Following the event of the previous document we will find two: one named ecs.office.com and the other phishteam.xyz. One of these is already suspicious by its name and TLD; if we investigate that suspicious event we will find the answer.
Q8: What is the base64 encoded string in the malicious payload executed by the document?
For this one, since it is an execution, it is probably another sysmon Event ID 1, a process creation, so we can check the following process creations. We also know that it comes from the document, so the parent process ID will be the one we found in Q6. Knowing this, we will find the answer in the Executable Info of the event.
Q9: What is the CVE number of the exploit used by the attacker to achieve a remote code execution?
The previous event contains a script, which will give us the clue. If we search for part of the script we will find information about the CVE.
Task 5
Q10: The malicious execution of the payload wrote a file on the system. What is the full target path of the payload?
Now that we have the base64 string from Q8 we can decode it, and it will contain a path. We only have to guess one part of the path, which is related to ApplicationData. We know the username, and we can guess the other part if we know how the AppData folder is structured.
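To make the PID pivots of Q4, Q7, Q8 and Q10 repeatable outside Timeline Explorer, here is an added Python helper (my own example, not part of the room or the write-up) that works on an EvtxECmd CSV export of sysmon.evtx. The rows, the PIDs other than 496, the paths and the encoded command are constructed, and the PayloadData column layout is assumed from EvtxECmd's Sysmon maps.

```python
import base64
import csv
import io
import re
# Constructed EvtxECmd-style rows (not the room's data); PID 496 is the Word PID the
# write-up searches for. The -enc argument is built here so the decode step is real.
_CMD = 'Copy-Item "$env:TEMP\\stage.bin" "$env:APPDATA\\Microsoft\\Windows\\stage.exe"'
_ENC = base64.b64encode(_CMD.encode("utf-16-le")).decode()
SAMPLE_CSV = (
    "EventId,MapDescription,ExecutableInfo,PayloadData1,PayloadData2\n"
    '1,Process creation,"WINWORD.EXE /n ""C:\\Users\\victim\\Downloads\\invoice.doc""",ProcessID: 496,ParentProcessID: 3920\n'
    "22,DNS query,,ProcessID: 496,QueryName: ecs.office.com\n"
    "22,DNS query,,ProcessID: 496,QueryName: phishteam.xyz\n"
    f'1,Process creation,"powershell.exe -w hidden -enc {_ENC}",ProcessID: 5120,ParentProcessID: 496\n'
)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def field(row, label):
    # EvtxECmd puts "ProcessID: 496"-style pairs in the PayloadData columns.
    for key, val in row.items():
        if key.startswith("PayloadData") and val and val.startswith(label + ": "):
            return val.split(": ", 1)[1]
    return None

def child_processes(rows, parent_pid):
    # Sysmon Event ID 1 rows whose parent is the given PID (WinWord's children, Q4/Q8).
    return [r for r in rows if r["EventId"] == "1" and field(r, "ParentProcessID") == str(parent_pid)]

def dns_queries(rows, pid):
    # Sysmon Event ID 22 rows made by the given PID (the two domains in Q7).
    return [field(r, "QueryName") for r in rows if r["EventId"] == "22" and field(r, "ProcessID") == str(pid)]

def decode_encoded_command(cmdline):
    # powershell -EncodedCommand carries base64 of UTF-16LE text, not UTF-8.
    m = ENC_RE.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None

def resolve_appdata(path, username):
    # $env:APPDATA expands to the user's roaming profile folder (the part Q10 asks us to guess).
    return path.replace("$env:APPDATA", "C:\\Users\\" + username + "\\AppData\\Roaming")

def payload_target_path(rows, word_pid, username):
    # Decode each child's encoded command and return the AppData path it writes to.
    for r in child_processes(rows, word_pid):
        target = re.search(r'\$env:APPDATA\\[^"]+', decode_encoded_command(r["ExecutableInfo"]) or "")
        if target:
            return resolve_appdata(target.group(0), username)
    return None
```

CyberChef's magic wand does not always notice that a -enc blob is UTF-16LE; decoding it as plain text leaves a null byte between characters, which is why the helper decodes it explicitly.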
Q11: The implanted payload executes once the user logs into the machine. What is the executed command upon a successful login of the compromised user?
For this one we already have some clues in the task: we know the parent process explorer.exe, the sysmon ID to search for and the user. Searching with this information will give us the answer.
Q12: Based on Sysmon logs, what is the SHA256 hash of the malicious binary downloaded for stage 2 execution?
We can just search for the name of the downloaded file and we will find an event of the execution of the file, which will provide us the answer.
Q13: The stage 2 payload downloaded establishes a connection to a c2 server. What is the domain and port used by the attacker?
Having the previous answer, we can also obtain its ProcessID, so I started looking for other events related to this ProcessID, mainly DNS queries. We will find a DNS query to a domain that already looks suspicious; with that you will also find the IP of that domain, and searching for that IP you will also find a network connection event showing which port it is using for the connection.
Task 6
Q14: What is the URL of the malicious payload embedded in the document?
Now we have to open the network log file; I will use Wireshark. Then I will check the HTTP packets, as the clue in the task description suggests. There we will see the .doc file that we previously detected in the system logs, and right after we will see a file retrieved from the same suspicious domain: this is the URL that was embedded and also called. We could also analyse the .doc if we had it, but it is not available.
Q15: What is the encoding used by the attacker on the c2 connection?
Now we can analyse the different requests after the download of the malicious executable we identified. Doing so we can see that there are several requests that contain a long string; these seem to be the strings we have to decode. If we copy one of these and paste it as input on CyberChef, the magic wand will help us answer the question.
Q16: The malicious c2 binary sends a payload using a parameter that contains the executed command results. What is the parameter used by the binary?
We just have to analyse the previous requests and see the parameter used in the query it is requesting.
Q17: The malicious c2 binary connects to a specific URL to get the command to be executed. What is the URL used by the binary?
The answer is already on the requests we are analyzing.
Q18: What is the HTTP method used by the binary?
Nothing new, we already know what kind of requests are being used.
Q19: Based on the user agent, what programming language was used by the attacker to compile the binary?
Analysing the headers of any of these requests, we will find the answer in the User-Agent header.
Task 7
Q20: The attacker was able to discover a sensitive file inside the machine of the user. What is the password discovered on the aforementioned file?
For this one I scrolled down until I saw a request that was different from the encoded ones, and then I started to decode the last requests. If we do this we will find that the user had a file automation.ps1 on the Desktop that contained his password, and the information inside it was retrieved, so just use CyberChef and you will find the answer in one of the requests.
Q21: The attacker then enumerated the list of listening ports inside the machine. What is the listening port that could provide a remote shell inside the machine?
Here we have already found the result of the enumeration, which was encoded in one of the requests we checked for the previous question; there we will see all the open ports. One thing we can do is search for each port and see if it is possible to set up a remote shell through one of them; at some point we will find the answer.
Q22: The attacker then established a reverse socks proxy to access the internal services hosted inside the machine. What is the command executed by the attacker to establish the connection?
Analysing the following commands we will see that later an executable is downloaded and then executed using a PowerShell command. For this one we have to go back to the sysmon logs and find the command related to the downloaded executable; there we will find the answer.
Q23: What is the SHA256 hash of the binary used by the attacker to establish the reverse socks proxy connection?
In the same event log we can find the answer.
Q24: What is the name of the tool used by the attacker based on the SHA256 hash? Provide the answer in lowercase.
Here we need to use a tool to analyse the previous hash; I will use VirusTotal. There we will find the answer.
Q25: The attacker then used the harvested credentials from the machine. Based on the succeeding process after the execution of the socks proxy, what service did the attacker use to authenticate?
In the sysmon logs we have to locate when the socks command was executed; I looked for the next process creation. Once we have it, we have to find the name of the service of the executable.
Task 8
Q26: After discovering the privileges of the current user, the attacker then downloaded another binary to be used for privilege escalation. What is the name and the SHA256 hash of the binary?
Still in the same search as before, we can continue looking at the sysmon logs and we will find another executable; searching for its name we will find the SHA256 hash of the file.
Q27: Based on the SHA256 hash of the binary, what is the name of the tool used?
Same as before, we can use VirusTotal to search the SHA256, and then we will find the name of the tool.
Q28: The tool exploits a specific privilege owned by the user. What is the name of the privilege?
We just have to search a little bit on the internet about the previous tool to see which privilege it exploits.
Q29: Then, the attacker executed the tool with another binary to establish a c2 connection. What is the name of the binary?
Following the next process creations we can see the name of the other executable.
Q30: The binary connects to a different port from the first c2 connection. What is the port used?
Going back to Wireshark and looking for the executable from the previous question, we can see again a pattern we have seen before; if we take a look at the port used this time we will find the answer.
Task 9
Q31: Upon achieving SYSTEM access, the attacker then created two users. What are the account names?
Now let's take a look at windows.evtx. If we search for newly created users we will find the answer: look up which Event ID corresponds to user creation, and we will find the names of the users.
Q32: Prior to the successful creation of the accounts, the attacker executed commands that failed in the creation attempt. What is the missing option that made the attempt fail?
Now that we know the names, we can search the sysmon log for these names and check possible attempts; we will find the answer after searching for the names.
Q33: Based on windows event logs, the accounts were successfully created. What is the event ID that indicates the account creation activity?
In Q31 I already searched for the users using this Event ID; you can just search online for it. It is also useful to remember this Event ID.
Q34: The attacker added one of the accounts in the local administrator’s group. What is the command used by the attacker?
Following the next commands in the sysmon logs we will find the answer.
Q35: Based on windows event logs, the account was successfully added to a sensitive group. What is the event ID that indicates the addition to a sensitive local group?
We can search this information on the internet.
Q36: After the account creation, the attacker executed a technique to establish persistent administrative access. What is the command executed by the attacker to achieve this?
If we continue following the next commands we will find it. We are looking for something that can be executed by the victim machine itself, for example when the machine starts.