TryHackMe | Boogeyman 3

igor_sec
8 min read · Dec 8, 2023


This room challenged me to analyze the tactics, techniques, and procedures (TTPs) of a sophisticated threat actor known as Boogeyman. The complex hands-on exercise walks through tracing the full attack chain, from the CEO falling prey to a phishing email, to weaponized payload execution, credential theft, lateral traversal and attempted ransomware deployment.

Room link: https://tryhackme.com/room/boogeyman3

Task 1 Introduction

Due to the previous attacks of Boogeyman, Quick Logistics LLC hired a managed security service provider to handle its Security Operations Center. Little did they know, the Boogeyman was still lurking and waiting for the right moment to return.

In this room, you will be tasked to analyse the new tactics, techniques, and procedures (TTPs) of the threat group named Boogeyman.

Prerequisites

This room may require the combined knowledge gained from the SOC L1 Path. We recommend going through the following rooms before attempting this challenge.

Investigation Platform

Before we proceed, deploy the attached machine by clicking the Start Machine button in the upper-right-hand corner of the task. The provided virtual machine runs an Elastic Stack (ELK), which contains the logs that will be used throughout the room.

Once the machine is up, access the Kibana console (via the AttackBox or VPN) using the credentials below.

URL: http://MACHINE_IP
Username: elastic
Password: elastic

Note: The Kibana instance may take 3–5 minutes to initialise.

Answer the questions below

Let’s end this Boogeyman incident!

Task 2 The Chaos Inside

Lurking in the Dark

Without tripping any security defences of Quick Logistics LLC, the Boogeyman was able to compromise one of the employees and stayed in the dark, waiting for the right moment to continue the attack. Using this initial email access, the threat actors attempted to expand the impact by targeting the CEO, Evan Hutchinson.

The email appeared questionable, but Evan still opened the attachment despite the scepticism. After opening the attached document and seeing that nothing happened, Evan reported the phishing email to the security team.

Initial Investigation

Upon receiving the phishing email report, the security team investigated the workstation of the CEO. During this activity, the team discovered the email attachment in the downloads folder of the victim.

In addition, the security team also observed a file inside the ISO payload, as shown in the image below.

Lastly, it was presumed by the security team that the incident occurred between August 29 and August 30, 2023.

Given the initial findings, you are tasked to analyse and assess the impact of the compromise.

Before answering the questions, set the time filter to the date of the incident.

I also turned KQL off.

Answer the questions below

What is the PID of the process that executed the initial stage 1 payload?

Answer: 6392

Filter events that contain files with the .html extension and events related to the malicious file attachment.

".html" OR "ProjectFinancialSumary_Q3.pdf"

Select the fields as seen in the image below to display their values. The field “process.command_line” shows the command that executed the malicious file, and its process ID is displayed alongside it.

The stage 1 payload attempted to implant a file to another location. What is the full command-line value of this execution?

Answer: “C:\Windows\System32\xcopy.exe” /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat

Edit the search query to filter events related to the malicious file attachment.

ProjectFinancialSummary_Q3.pdf*

We can see that after the first payload is executed, another process is started that copies the file “review.dat” to the “TEMP” directory.

The implanted file was eventually used and executed by the stage 1 payload. What is the full command-line value of this execution?

Answer: “C:\Windows\System32\rundll32.exe” D:\review.dat,DllRegisterServer

Following the series of events, rundll32.exe is used to execute the file “review.dat” by calling its DllRegisterServer export, the same call used to register a DLL.

The stage 1 payload established a persistence mechanism. What is the name of the scheduled task created by the malicious script?

Answer: Review

Next, a PowerShell command was issued to create a scheduled task that executes the DLL dropped by the previous event. The scheduled task is registered as “Review”.

The execution of the implanted file inside the machine has initiated a potential C2 connection. What is the IP and port used by this connection? (format: IP:port)

Answer: 165.232.170.151:80

Filter for events that triggered a network connection; in Sysmon, this is Event ID 3.

Select only the interesting fields to display, and the C2 connection that was established becomes visible.

The attacker has discovered that the current access is a local administrator. What is the name of the process used by the attacker to execute a UAC bypass?

Answer: fodhelper.exe

Filter events related to the malicious file that was executed and created the DLL file. Sort @timestamp in ascending order.

We see the commands executed to enumerate users and groups on the machine.

Scrolling up, we see the attacker enumerating the groups the user is part of.

After that, the attacker executed a command involving fodhelper.exe. Searching for it shows that it is a trusted Windows binary which can be abused to elevate privileges by bypassing the UAC prompt.
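As an added example that is not part of the original writeup, the following Python script does the same triage described above over a handful of constructed Sysmon-style events: starting from PID 6392 it follows the process tree in timestamp order and flags the file implant, the rundll32 DllRegisterServer call, the scheduled-task persistence, the outbound connection (Event ID 3) and the fodhelper UAC bypass. The field names follow ECS as Kibana displays them; the events, PIDs other than 6392 and the stage-1 command line are constructed.

```python
import json

# Constructed Sysmon-style events using the ECS field names Kibana shows.
# These are not the room's logs: PIDs other than 6392 and the stage-1 command
# line are made up; the xcopy, rundll32, task and C2 values are the ones the
# writeup reports, placed on a plausible timeline.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"@timestamp":"2023-08-29T23:51:10Z","event":{"code":"1"},"process":{"pid":6392,"parent":{"pid":4100},"command_line":"\"C:\\Windows\\System32\\WScript.exe\" D:\\stage1.js"}}
{"@timestamp":"2023-08-29T23:51:12Z","event":{"code":"1"},"process":{"pid":6520,"parent":{"pid":6392},"command_line":"\"C:\\Windows\\System32\\xcopy.exe\" /s /i /e /h D:\\review.dat C:\\Users\\EVAN~1.HUT\\AppData\\Local\\Temp\\review.dat"}}
{"@timestamp":"2023-08-29T23:51:15Z","event":{"code":"1"},"process":{"pid":6588,"parent":{"pid":6392},"command_line":"\"C:\\Windows\\System32\\rundll32.exe\" D:\\review.dat,DllRegisterServer"}}
{"@timestamp":"2023-08-29T23:51:18Z","event":{"code":"1"},"process":{"pid":6610,"parent":{"pid":6392},"command_line":"powershell.exe -c Register-ScheduledTask -TaskName Review"}}
{"@timestamp":"2023-08-29T23:51:20Z","event":{"code":"3"},"process":{"pid":6588},"destination":{"ip":"165.232.170.151","port":80}}
{"@timestamp":"2023-08-29T23:52:00Z","event":{"code":"1"},"process":{"pid":7001,"parent":{"pid":9999},"command_line":"C:\\Windows\\System32\\svchost.exe -k netsvcs"}}
{"@timestamp":"2023-08-29T23:55:00Z","event":{"code":"1"},"process":{"pid":7120,"parent":{"pid":6588},"command_line":"C:\\Windows\\System32\\fodhelper.exe"}}
'''.strip().splitlines()]

# Each rule ties a check on the lower-cased command line to a step in the chain.
RULES = [
    ("implant-copied-to-temp", lambda c: "xcopy" in c and "\\temp\\" in c),
    ("rundll32-dllregisterserver", lambda c: "rundll32" in c and "dllregisterserver" in c),
    ("scheduled-task-persistence", lambda c: "schtasks" in c or "register-scheduledtask" in c),
    ("uac-bypass-fodhelper", lambda c: "fodhelper.exe" in c),
]


def triage(events, root_pid):
    """Walk the events in @timestamp order, follow the process tree down from
    root_pid, and return (rule, evidence) pairs for Event ID 1 (process create)
    and Event ID 3 (network connection) records that belong to that tree."""
    tree, findings = {root_pid}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        code, proc = ev["event"]["code"], ev["process"]
        if code == "1":
            if proc["pid"] != root_pid and proc["parent"]["pid"] not in tree:
                continue  # unrelated process, not part of the chain
            tree.add(proc["pid"])
            cmd = proc["command_line"].lower()
            findings += [(name, proc["command_line"]) for name, hit in RULES if hit(cmd)]
        elif code == "3" and proc["pid"] in tree:
            dst = ev["destination"]
            findings.append(("network-connection", f"{dst['ip']}:{dst['port']}"))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS, 6392):
        print(f"{rule:28} {evidence}")
```

The unrelated svchost.exe event is deliberately included to show that only descendants of the stage-1 process are reported.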

Having a high privilege machine access, the attacker attempted to dump the credentials inside the machine. What is the GitHub link used by the attacker to download a tool for credential dumping?

Answer: https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip

Filter events that contain the keyword “github” with event code 1 (process creation).

A very popular credential-dumping tool is seen being downloaded as “mimi.zip”.

After successfully dumping the credentials inside the machine, the attacker used the credentials to gain access to another machine. What is the username and hash of the new credential pair? (format: username:hash)

Answer: itadmin:F84769D250EB95EB2D7D8B4A1C5613F2

Filter events that contain the keyword “mimi*”, referring to the tool that was downloaded.

After dumping the logon passwords, the tool was also used for lateral movement, accessing machines the user has access to.

Using the new credentials, the attacker attempted to enumerate accessible file shares. What is the name of the file accessed by the attacker from a remote share?

Answer: IT_Automation.ps1

Scrolling down, we can see that the attacker used another popular PowerShell script to find file shares reachable from the machine, and was also able to read the contents of the file.

After getting the contents of the remote file, the attacker used the new credentials to move laterally. What is the new set of credentials discovered by the attacker? (format: username:password)

Answer: QUICKLOGISTICS\allan.smith:Tr!ckyP@ssw0rd987

Using the credentials obtained from the file, the attacker then executed commands remotely on “WKSTN-1327”. The last command was the one used to move laterally to the target machine.

If we decode the payload in CyberChef, we see an interesting hostname.

What is the hostname of the attacker’s target machine for its lateral movement attempt?

Answer: WKSTN-1327

We already identified this in the previous question.
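As an added example, not from the original writeup, here is a Python equivalent of the CyberChef step: it pulls the PowerShell -EncodedCommand argument out of a process command line, decodes it (base64, then UTF-16LE) and reads the -ComputerName target off the result. The command line is constructed inside the script; the credential is a placeholder variable, not a real secret.

```python
import base64
import binascii
import re


def decode_encoded_command(cmdline):
    """Return the script carried by a PowerShell -EncodedCommand argument
    (-e, -ec, -enc and other prefixes are accepted, as PowerShell does), or
    None if there is none. The script is base64 of UTF-16LE text, which is
    why a plain "From Base64" in CyberChef still shows dots between letters
    until "Decode text (UTF-16LE)" is added."""
    parts = cmdline.split()
    for i, tok in enumerate(parts[:-1]):
        flag = tok.lower().lstrip("-/")
        if flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(parts[i + 1].strip("\"'")).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def lateral_target(script):
    """Pull the host named in -ComputerName, the value the writeup reads off
    the decoded payload to identify the lateral-movement target."""
    m = re.search(r"-ComputerName\s+['\"]?([\w.-]+)", script, re.IGNORECASE)
    return m.group(1) if m else None


def encode_for_sample(script):
    """Build a constructed -EncodedCommand argument the way PowerShell expects
    it (UTF-16LE, then base64); used only to make the sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: the hostname is the one from the room, the credential is
# a placeholder variable rather than any real secret.
SAMPLE_SCRIPT = "Invoke-Command -ComputerName WKSTN-1327 -Credential $cred -ScriptBlock { hostname }"
SAMPLE_CMDLINE = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                  "-nop -w hidden -enc " + encode_for_sample(SAMPLE_SCRIPT))

if __name__ == "__main__":
    script = decode_encoded_command(SAMPLE_CMDLINE)
    print(script)
    print("lateral movement target:", lateral_target(script))
```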

Using the malicious command executed by the attacker from the first machine to move laterally, what is the parent process name of the malicious command executed on the second compromised machine?

Answer: wsmprovhost.exe

Filter events with Event ID 1 and the host name “WKSTN-1327”.

We can see that the command issued to move laterally was spawned as a child of another process, wsmprovhost.exe.

The attacker then dumped the hashes in this second machine. What is the username and hash of the newly dumped credentials? (format: username:hash)

Answer: administrator:00f80f2538dcb54e7adc715c0e7091ec

Scrolling down the filtered events, we see the attacker download mimikatz, enumerate the machine, and then pass the hash of a user for lateral movement.

After gaining access to the domain controller, the attacker attempted to dump the hashes via a DCSync attack. Aside from the administrator account, what account did the attacker dump?

Answer: backupda

Here we see the flow of the attack. After passing the hash of the Administrator account, the attacker ran a few commands and then conducted a DCSync attack against the user Administrator.

If we change the filter to the hostname of the DC, we can see the other account targeted by the DCSync attack.

After dumping the hashes, the attacker attempted to download another remote file to execute ransomware. What is the link used by the attacker to download the ransomware binary?

Answer: http://ff.sillytechninja.io/ransomboogey.exe

Scrolling down, we see the URL where a file was downloaded from.

Thank you for reading. Until next time. :-)
