ItsyBitsy | TryHackMe — Walkthrough

jcm3
5 min read · Mar 12, 2024

Hey all, this is the thirty-fourth installment in my walkthrough series on TryHackMe’s SOC Level 1 path. It covers the third room in the Security Information and Event Management module, where we come to understand how a SIEM works and get comfortable creating simple and advanced search queries to pull specific answers out of the ingested logs.

In this room, we get to put our ELK knowledge together and investigate an incident.

Link: https://tryhackme.com/room/itsybitsy

Hold my hand for deer life, because here we go!

Task 1: Introduction

In this challenge room, we will take on a simple challenge: investigating an alert raised by an IDS about potential C2 communication.

Room Machine

Before moving forward, deploy the machine. When you deploy it, it will be assigned an IP address (Machine IP: MACHINE_IP). The machine will take 3-5 minutes to start. Use the following credentials to log in and access the logs in the Discover tab.

Username: Admin

Password: elastic123

Answer the questions below:

1.1 Connect with the lab

For this room, I’ll be connecting through OpenVPN. You can do it this way or by using the provided AttackBox.

Answer: No answer needed

Task 2: Scenario — Investigate a potential C2 communication alert

Scenario

During normal SOC monitoring, Analyst John observed an alert on an IDS solution indicating potential C2 communication from a user, Browne, in the HR department. A suspicious file was accessed containing a malicious pattern THM:{ ________ }. A week of HTTP connection logs has been pulled to investigate. Due to limited resources, only the connection logs could be pulled, and these have been ingested into the connection_logs index in Kibana.

Our task in this room is to examine this user’s network connection logs, find the link to the file and its content, and answer the questions.

Answer the questions below:

2.1 How many events were returned for the month of March 2022?

If you followed along with us in the previous ELK room, this will be a piece of cake:

Launch the site provided in Task 1, go to the Discover tab, and set the date range to March 2022:

Answer: 1482

2.2 What is the IP associated with the suspected user in the logs?

Well, if we filter by “source_ip” we will see exactly 2 IP addresses, and one of them is responsible for 99.6% of the traffic. Surely it’s this one, right? Nope. They got me on it for sure. This makes the answer pretty obvious, as it must therefore be the other one.

If you want to actually analyze it more deeply, however, as you would in the real world, it’s not going to be as easy as a 50/50 shot: we need to see what the traffic is doing and investigate that.

If we click “user_agent”, we’ll see that same 99.6% to 0.4% ratio again, this time between Mozilla and an agent called “bitsadmin”. Further digging into “bitsadmin” reveals that Microsoft uses it for Windows Update purposes, but according to a Mandiant article, it can also be used by attackers to download and execute payloads.

So is this legitimate traffic to Microsoft servers for updating? Let’s find out.

Gasp! That doesn’t look like Microsoft to me!

Let’s take that domain and tack on the URI to see what it points at:

So this is a very long-winded response to a question we easily solved above, but I feel it’s important to work out how to arrive at the answer instead of just taking a 50/50 shot. Again, it won’t always be that easy.
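The same triage the walkthrough performs by clicking fields in Discover (rare source IP, then its user agent, then where that agent talked to) can be scripted, which matters when there are hundreds of source IPs rather than two. This is an added example, not part of the original post or the room; the events are constructed to mimic the connection_logs fields (source_ip, user_agent, host, uri) at the 99.6%/0.4% ratio the post describes, and the LOLBIN_AGENTS / FILESHARE_HOSTS watch-lists are my own assumption, seeded only with the names the post mentions.

```python
from collections import Counter

# Constructed sample events shaped like the room's connection_logs index.
# 249 ordinary browser requests plus one bitsadmin request (0.4% of 250),
# mirroring the ratio seen in Discover. The benign values are made up.
SAMPLE_EVENTS = (
    [{"source_ip": "10.10.10.5", "user_agent": "Mozilla/5.0",
      "host": "intranet.example", "uri": "/"}] * 249
    + [{"source_ip": "192.166.65.54", "user_agent": "bitsadmin",
        "host": "pastebin.com", "uri": "/yTg0Ah6a"}]
)

# Assumed watch-lists: a legitimate Windows binary abused as a downloader
# and a file-sharing site abused as a C2 drop point (both named in the post).
LOLBIN_AGENTS = {"bitsadmin"}
FILESHARE_HOSTS = {"pastebin.com"}


def rare_values(events, field, max_share=0.05):
    """Return {value: count} for values making up at most max_share of events."""
    counts = Counter(e[field] for e in events)
    total = sum(counts.values())
    return {v: c for v, c in counts.items() if c / total <= max_share}


def pivot(events, field, value):
    """Every distinct (host, uri) pair seen where field == value."""
    return sorted({(e["host"], e["uri"]) for e in events if e[field] == value})


def triage(events):
    """Analyst steps: rare source IP -> its user agents -> destinations -> reasons."""
    findings = []
    for ip in rare_values(events, "source_ip"):
        agents = {e["user_agent"] for e in events if e["source_ip"] == ip}
        for agent in sorted(agents):
            dests = pivot(events, "user_agent", agent)
            reasons = []
            if agent in LOLBIN_AGENTS:
                reasons.append("lolbin downloader user agent")
            if any(h in FILESHARE_HOSTS for h, _ in dests):
                reasons.append("contact with filesharing host")
            findings.append({"source_ip": ip, "user_agent": agent,
                             "destinations": dests, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Rarity alone is only a starting point; the reasons list is what turns "the other IP" into an explainable finding.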

Answer: 192.166.65.54

2.3 The user’s machine used a legitimate Windows binary to download a file from the C2 server. What is the name of the binary?

We covered this in the explanation of question 2.2:

Answer: bitsadmin

2.4 The infected machine connected with a famous filesharing site in this period, which also acts as a C2 server used by the malware authors to communicate. What is the name of the filesharing site?

We covered this in the explanation of question 2.2:

Answer: pastebin.com

2.5 What is the full URL of the C2 to which the infected host is connected?

We covered this in the explanation of question 2.2:

Answer: pastebin.com/yTg0Ah6a

2.6 A file was accessed on the filesharing site. What is the name of the file accessed?

We covered this in the explanation of question 2.2:

Answer: secret.txt

2.7 The file contains a secret code with the format THM{_____}.

We covered this in the explanation of question 2.2:

Answer: THM{SECRET__CODE}

This concludes the ItsyBitsy room on TryHackMe. This was a pretty short but good case to investigate. I’d have preferred it if the author had included many more source IPs, so that you are forced to learn how to find what you’re looking for instead of just plugging in IPs, but it was a cool example nonetheless.

Thanks for joining me on this walkthrough, and I’ll see you in the next one, where we start learning the BIG DOG of the SIEM industry, Splunk, with Splunk: Basics.

jcm3

Proud dad, WGU cybersecurity grad, future MS:Cybersecurity & Information Assurance, aspiring cybersecurity professional, top 2% on TryHackMe.