Axoloth

Summary

The web content is a detailed write-up of a TryHackMe room focused on implementing Digital Forensics and Incident Response (DFIR) techniques to explore the Windows incident surface, emphasizing the identification of low-hanging fruits in a compromised system.

Abstract

The TryHackMe "Windows Incident Surface" room is designed to educate cybersecurity professionals on the methodologies for navigating the complexities of a compromised Windows host. It guides participants through a series of tasks that simulate a real-world incident response scenario. The room emphasizes the importance of prioritizing investigative efforts by targeting easily accessible and impactful evidence, known as low-hanging fruits. This approach helps to quickly uncover vulnerabilities, identify malicious activities, and reconstruct the narrative of the incident. The tasks range from setting up a virtual machine environment to diving deep into system profiling, user and session analysis, network scope examination, and background activities investigation, including startup, registry, services, scheduled tasks, processes, directories, and potential proxy scripts. The room also covers the reliability of system tools and concludes with a directive to continue with the next room in the module, ensuring a comprehensive learning experience.

Opinions

  • The incident response and forensic process is likened to solving a puzzle, where the challenge is to identify the most relevant pieces of evidence (low-hanging fruits) to efficiently progress the investigation.
  • The use of a virtual machine environment is recommended for safely exploring the incident surface without risking further compromise of the actual system.
  • Adversaries may employ tools like wevtutil to delete logs and manipulate registry paths such as HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to store and steal login credentials.
  • The importance of collecting and analyzing data such as hostname, OS version, Time ID, user accounts, and security identifiers (SIDs) is highlighted to build a system profile and identify suspicious activities.
  • Network analysis includes identifying malicious processes, their directory paths, remote ports, and associated programs like AnyDesk, as well as examining firewall rules for suspicious ports like 5985.
  • Background activities are scrutinized, including startup programs, registry hive keys, active and non-running services, scheduled tasks, and files located in user temp directories.
  • The write-up suggests that SSH connection attempts and hidden disc volumes should not be overlooked during an investigation.
  • The room encourages the use of defanged formats for sharing information about malicious files and scripts to prevent accidental execution or further spread of malware.
  • The conclusion of the room emphasizes the continuous nature of cybersecurity education, prompting learners to proceed to subsequent modules for further skill development.
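The checks the bullets above describe, as an added read-only PowerShell triage script that is not part of the original write-up or the TryHackMe room. It assumes an elevated PowerShell session on the host under examination; `$SuspectPort` and the "outside Windows or Program Files" path heuristic are this example's own choices, and UseLogonCredential is the WDigest value that controls plaintext credential caching.

```powershell
# Added example, not from the original write-up or the TryHackMe room.
# Read-only checks for the low-hanging fruits listed above: WDigest credential
# caching, the Winlogon Userinit value, service binaries and their SHA256,
# and inbound firewall rules on a suspect port. Run elevated on the host.
param([int]$SuspectPort = 5985)   # 5985 = WinRM, the port named in the room

$findings = New-Object System.Collections.Generic.List[string]

# 1. WDigest: UseLogonCredential = 1 makes LSASS keep plaintext logon passwords.
$wd = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ulc = (Get-ItemProperty -Path $wd -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
if ($ulc -eq 1) { $findings.Add("WDigest UseLogonCredential=1 at $wd") }

# 2. Winlogon Userinit should contain only userinit.exe; anything appended runs at logon.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $wl -Name Userinit).Userinit
if ($userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?\s*$') {
    $findings.Add("Unexpected Userinit value: $userinit")
}

# 3. Services: resolve each binary path and hash it; paths outside Windows /
#    Program Files (an assumed heuristic) get reported, running or not.
Get-CimInstance Win32_Service | ForEach-Object {
    $exe = ($_.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        if ($exe -notmatch '^C:\\(Windows|Program Files)') {
            $findings.Add("Service $($_.Name) [$($_.State)] -> $exe SHA256=$hash")
        }
    }
}

# 4. Enabled inbound allow rules whose local port list includes the suspect port.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    if (@($pf.LocalPort) -contains "$SuspectPort") {
        $findings.Add("Firewall rule '$($_.DisplayName)' allows inbound $SuspectPort")
    }
}

# Defang executable/script names before the findings are shared, as the room asks.
$findings | ForEach-Object { $_ -replace '\.(exe|dll|ps1|psm1)\b', '[.]$1' }
```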

TryHackMe | Windows Incident Surface | WriteUp

Learn how to implement DFIR techniques to explore the Windows incident surface.

Task 1 Introduction

Exploring the incident surface of a compromised system can be like navigating a maze with mines. The pressure ramps up when deciding where to start and where, and how much, to focus, especially when your toolbox is loaded and you have a breadth of skills to dive deep into multiple artefact sources. The challenge lies in deciding where to start and what to do initially when the surface is extensive.

The incident response and forensic process is like doing a puzzle. There are multiple artefacts in incident response and forensic cases, just like puzzle pieces. Therefore, it is hard to decide where to start and easy to get lost in the details. However, to minimise the risk of drowning in the details, the main schema should be derived (and defined), and the prominent parts (low-hanging fruits) should be identified and considered. Collecting the low-hanging fruits helps unravel the incident response case and unfold the narrative by assisting the decision-maker in uncovering vulnerabilities and identifying malicious activities.

In this room, we will explore the Windows incident surface and learn to discover the low-hanging fruit by executing the top checks on a compromised Windows host.

Read the task above.

No answer needed

Task 2 Acquisite, Investigate, Hunt and Respond

Read the task above.

No answer needed

Task 3 VM Environment and Your Incident Case

I have deployed the attached VM and I am ready to continue.

No answer needed

Task 4 Reliability of the System Tools

What tool did the adversary use to delete the logs?

wevtutil

What was the registry path used by the adversary to store and steal the login credentials?

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest

Task 5 System Profile

What is the hostname of the compromised host?

CCTL-WS-018-B21

What is the OS version of the compromised host?

10.0.17763

What is the Time ID of the compromised host?

Turkey Standard Time

Task 6 Users and Sessions

What is the total number of suspicious accounts?

3

What is the security identifier (SID) of the Guest account?

S-1-5-21-1966530601-3185510712-10604624-501

When was the last time the Admin account (the one with the deliberate typo) was logged in? Answer format: MM/DD/YY HH:MM:SS XM

2/28/2024 10:21:10 AM

Task 7 Network Scope

What is the name of the malicious process? Enter your answer in a defanged format.

INITIAL_LANTERN[.]exe

What is the directory path where the malicious process is located?

C:\Users\Administrator\AppData\SpcTmp\

What is the remote port used by the malicious process?

8888

What is the full path of the suspicious program for AnyDesk? Enter your answer in a defanged format.

D:\AnyDesk[.]exe

What port is used by the LMV Co. firewall rules?

5985

Task 8 Background Activities I: Startup and Registry

Which user account will be used to run the AnyDesk application?

Public

What is the value data stored in the “Userinit” key? Enter your answer in a defanged format.

C:\Windows\system32\userinit[.]exe, cmd[.]exe /c "start /min netsh[.]exe -c"

What is the name of the suspicious DLL linked under the netshell hive key?

.\fwshield.dll

Task 9 Background Activities II: Services and Scheduled Items

What is the name of the suspicious active service?

LMVCSS

What is the SHA256 value of the suspicious active service executable?

E9AA7564B2D1D612479E193A9F8CB70DF9CFBE02A39900EEE22FE266F5320EBF

What is the name of the non-running service that caught our attention?

aurora-agent

What is the SHA256 value of the non-running service executable?

D5C8BF2D3B56B21639D8152DB277DD714BA1A61BDAF2350BD0FF7E61D2A99003

What is the original filename of the non-running service executable? Enter your answer in a defanged format.

x3xv5weg[.]exe

Task 10 Background Activities III: Processes and Directories

What is the parent process name of the suspicious executable (INITIAL_LANTERN) process? Enter your answer in a defanged format.

services[.]exe

Which user name is used for the SSH connection attempts?

James

What is the parent process of the malicious aurora process? Enter your answer in a defanged format.

svchost[.]exe

What is the file name located in the default user’s temp directory? Enter your answer in a defanged format.

jmp[.]exe

What is the name of the potential proxy script located in the suspicious non-default temp folder? Enter your answer in a defanged format.

Invoke-SocksProxy[.]psm1

What is the SHA256 value of the potential proxy script located in the suspicious non-default temp folder?

E7697645F36DE5978C1B640B6B3FC819E55B00EE8D9E9798919C11CC7A6FC88B

What is the label of the hidden disc volume?

Setups

Task 11 Conclusion

Continue with the next room of the module.

No answer needed
