Tempest Challenge Write-up (Tryhackme)

Mohamed Adel Zahra
13 min read · Dec 3, 2023


Hello folks,
This is m0_4de1. Today I will walk through the Tempest challenge from TryHackMe, hoping you benefit from it.

Follow me: https://linktr.ee/m0_4de1

Challenge

TryHackMe | Tempest

Difficulty

Medium

Scenario

In this incident, we will act as an Incident Responder from an alert triaged by one of our Security Operations Center analysts. The analyst has confirmed that the alert has a CRITICAL severity that needs further investigation.

Tools which I will use

Endpoint Logs

To analyze Windows artefacts such as Windows Event Logs and Sysmon logs, we will use the following tools:

  • EvtxEcmd
  • Timeline Explorer
  • SysmonView
  • Event Viewer

Network Logs

To analyze the provided packet capture, we will use the following tools:

  • Wireshark
  • Brim

Are you ready bro?

Fasten your belt and get ready to take off xD

Initial Access — Malicious Document

Q1

The user of this machine was compromised by a malicious document. What is the file name of the document?

From the screen below we can notice that we have a pcap file, Sysmon logs and Windows logs.

To start our investigation, we first need to parse the Sysmon logs into CSV format to make the investigation easier, using a tool called EvtxECmd, “which parses Windows Event Logs into different formats such as CSV, JSON, XML, etc. You may use this tool in conjunction with Timeline Explorer, created by the same author. Timeline Explorer is a GUI-based tool that functions as a data filtering and navigating application to ease incident responders in handling raw data.” So, we open PowerShell in the C:\Tools\EvtxECmd directory and run the following command:
.\EvtxECmd.exe -f 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' --csv 'C:\Users\user\Desktop\Incident Files' --csvf sysmon.csv

  • -f: the file we want to parse
  • --csv: the directory where we want to save the parsed file
  • --csvf: the name of the parsed file

Okay, now we have a file called “sysmon.csv”; let's open it with Timeline Explorer:

We notice that there are many logs, but there is a search bar, so we can filter the results by searching for “.doc”, since the question asks about the file name of the document:

Here we got it broooo ;)

Q2

What is the name of the compromised user and machine? Format: username-machine name

It's so easy, as we can get our answer by looking at the “Username” column:

Q3

What is the PID of the Microsoft Word process that opened the malicious document?

Okay, we first need to search for the Microsoft Word process to get its PID, but I am not sure of its name, so I asked Google:

Now we can search for it, and by navigating to the column that contains the PID of each process we can find our answer:

Q4

Based on Sysmon logs, what is the IPv4 address resolved by the malicious domain used in the previous question?

After the malicious document is opened by Winword.exe, its payload sends a DNS query to a malicious domain, so we need to know the IPv4 address of this domain.

So, we will keep searching for Winword.exe, and while scrolling left and right I noticed two columns called Payload Data4 for the source and Payload Data6 for the destination.

If we scroll down, we notice that there is a DNS query with the malicious domain, and the response contains the destination IP:

yeah bro keep going

Q5

What is the base64 encoded string in the malicious payload executed by the document?

I didn't take too much time to solve it, as I just searched for “base64” in the search bar. There was one log entry, and by scrolling I got the answer under the Executable Info column:

Wow, things are going amazingly…

Q6

What is the CVE number of the exploit used by the attacker to achieve a remote code execution? Format: XXXX-XXXXX

In this question I used the hint, as I got stuck:

Okay, we already have the PID of Winword, which is 496. Let's get the other process by going back to our payload from the previous question, where we can find it:

By searching Google with those two artifacts:

Q7

The malicious execution of the payload wrote a file on the system. What is the full target path of the payload?

Well, we need to decode the base64-encoded command first, so I will use CyberChef:

After decoding the base64 we notice that there is a path. I tried to submit it, but it was a wrong answer, so I think the path is missing something. If we look carefully, we can see $app; I searched Google and it is short for the AppData environment variable, and here is its location:

So, as we already have the username, by substituting it in and joining this path with the other one we get our answer:

Q8

The implanted payload executes once the user logs into the machine. What is the executed command upon a successful login of the compromised user? Format: Remove the double quotes from the log.

Well, the autostart execution reflects explorer.exe as its parent process, so I went to Timeline Explorer and searched for “explorer.exe”. We get some logs, and by navigating to the Executable Info column and scrolling through them we can get our answer:

Q9

Based on Sysmon logs, what is the SHA256 hash of the malicious binary downloaded for stage 2 execution?

Okay, from the previous question we know that the malicious file is “first.exe”, so I will search for it, and by scrolling right to the Executable Info column we can see our malicious file.

There is a column called Payload Data3 that contains the file hashes; if we navigate to it, we will get our flag :)

Q10

The stage 2 payload downloaded establishes a connection to a c2 server. What is the domain and port used by the attacker?
Format: domain:port

Well, the stage 2 payload establishes a connection to a C2 server, and the question asks about the domain and port, so we need to see the DNS queries. We are lucky, because Sysmon has Event ID 22, which records every DNS query, so we navigate to the Event ID column and filter our search to 22.

We can see that there are many DNS queries to this malicious domain; that is our answer.
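To reproduce the Timeline Explorer searches from Q1, Q9 and Q10 without the GUI, here is an added Python example (not code from the write-up or the TryHackMe room) that runs over a constructed EvtxECmd-style CSV. The column names follow the ones cited in this write-up; which Payload Data column holds what for a given Event ID is my assumption, as are the sample user, document name, hashes and resolved IP.

```python
import csv
import io
import re

# Constructed sample shaped like an EvtxECmd CSV as Timeline Explorer shows it.
# Real exports have more columns; per-event field contents are an assumption.
SAMPLE_CSV = r"""Event ID,Username,Executable Info,Payload Data3,Payload Data6
1,WS01\alice,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE /n C:\Users\alice\Downloads\invoice.doc,Hashes: SHA256=0011223344556677001122334455667700112233445566770011223344556677,
22,WS01\alice,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,QueryName: phishteam.xyz,QueryResults: ::ffff:203.0.113.10;
1,WS01\alice,C:\Users\alice\AppData\Roaming\first.exe,Hashes: SHA256=ffeeddccbbaa9988ffeeddccbbaa9988ffeeddccbbaa9988ffeeddccbbaa9988,
"""


def load_rows(csv_text):
    """Parse the CSV text into one dict per event, keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def search_rows(rows, needle):
    """Timeline Explorer style search: case-insensitive substring over every column."""
    needle = needle.lower()
    return [r for r in rows if any(needle in (v or "").lower() for v in r.values())]


def dns_queries(rows):
    """Q10: Sysmon Event ID 22 rows -> (queried name, [IPv4 answers]) pairs."""
    out = []
    for r in rows:
        if r["Event ID"] != "22":
            continue
        blob = " ".join(v or "" for v in r.values())   # column position may vary per map
        name = re.search(r"QueryName:\s*([^\s,;]+)", blob)
        answers = re.findall(r"(\d{1,3}(?:\.\d{1,3}){3})", blob)
        if name:
            out.append((name.group(1), answers))
    return out


def sha256_for_image(rows, image):
    """Q9: SHA256 of a process image from the Hashes field of its Event ID 1 row."""
    for r in rows:
        if r["Event ID"] == "1" and image.lower() in r["Executable Info"].lower():
            m = re.search(r"SHA256=([0-9A-Fa-f]{64})", r["Payload Data3"])
            if m:
                return m.group(1).lower()
    return None


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("Q1 document hits:", [r["Executable Info"] for r in search_rows(rows, ".doc")])
    print("Q9 first.exe:", sha256_for_image(rows, "first.exe"))
    print("Q10 DNS:", dns_queries(rows))
```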

Q11

What is the URL of the malicious payload embedded in the document?

From the Sysmon logs, we have two malicious domains — phishteam.xyz and resolvecyber.xyz; we can use both for search queries.

In this question I couldn't get anything using Timeline Explorer, so I opened Brim and searched for the first malicious domain we got, since the question asks about the payload embedded in the document:

_path=="http" "phishteam.xyz"

And we got it:

Q12

What is the encoding used by the attacker on the c2 connection?

Well, now I will search for the second malicious domain, as it is used for the C2 connection, with this query:

_path=="http" "resolvecyber.xyz"

But I couldn't get all the details about the packet, so I decided to use Wireshark. We can view the page content by checking the HTTP protocol in Wireshark, using the 'Follow HTTP stream' option.

I opened the packet capture in Wireshark and filtered for the HTTP traffic between the victim and the malicious domain with this filter:

(http) && (ip.addr==192.168.254.107 && ip.addr==167.71.222.162)

We get many packets, but by following the TCP stream of the third one:

We can see that base64 encoding is used by the attacker on the C2 connection.

Q13

The malicious c2 binary sends a payload using a parameter that contains the executed command results. What is the parameter used by the binary?

From the last screenshot in Q12 we can see that it is the q parameter.

Q14

The malicious c2 binary connects to a specific URL to get the command to be executed. What is the URL used by the binary?

Again and again, bro, check the same screenshot and you will get your answer.

Q15

What is the HTTP method used by the binary?

I think I will name it our hero screenshot xD

Q16

Based on the user agent, what programming language was used by the attacker to compile the binary?
Format: Answer in lowercase

No, it's the superhero screenshot man :)

Q17

The attacker was able to discover a sensitive file inside the machine of the user. What is the password discovered on the aforementioned file?

Based on the collected findings, we have discovered that the malicious binary continuously uses the C2 traffic:

  • We can easily decode the encoded string in the network traffic.
  • The traffic contains the command and output executed by the attacker.

Well, we need to know the commands that the attacker executed on the victim machine, and we know that he used the C2 server for the remote connection, so we can inspect the traffic coming from the domain resolvecyber.xyz with this query:

We can see from the above image that the URLs are encoded and we need to decode them, so I select all from here.

Then I copied and pasted them into an empty txt file and removed the extra strings until it looked like this:

We go to CyberChef again and paste this encoded text:

Copy and paste the output into an empty txt file to make it easy to search. Okay, now we need the password; if we press Ctrl+F and search for “pass” we will get our answer:

Q18

The attacker then enumerated the list of listening ports inside the machine. What is the listening port that could provide a remote shell inside the machine?

We can see in the decoded output that there are a few listening ports:

I searched each port to find which one is used for a remote shell, and I found this:

So, port 5985 is the answer.
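As an added example covering Q12 to Q18 (not code from the write-up), here is a Python decoder that does what was done by hand with CyberChef above: pull the base64 q parameter out of each C2 request, decode it, search the decoded transcript for “pass” and list the LISTENING ports. The request lines, the /cmd-output path and the decoded contents are constructed for this example; the real path is not shown in this write-up.

```python
import base64
import re
from urllib.parse import unquote


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed request lines shaped like the Brim/Wireshark HTTP view. The third one
# has its base64 padding stripped, as URL parameters sometimes do; the last has no q.
SAMPLE_REQUESTS = [
    "GET /cmd-output?q=" + _b64("whoami\nws01\\alice") + " HTTP/1.1",
    "GET /cmd-output?q=" + _b64("type C:\\Users\\alice\\Desktop\\notes.txt\n"
                                 "vpn password = Sample-Only-123") + " HTTP/1.1",
    "GET /cmd-output?q=" + _b64("netstat -ano\n"
                                 "  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING    900\n"
                                 "  TCP    0.0.0.0:5985    0.0.0.0:0    LISTENING    4"
                                 ).rstrip("=") + " HTTP/1.1",
    "GET /cmd-output HTTP/1.1",
]


def decode_q_param(request_line):
    """Decoded q parameter of one request line, or None if absent or not base64."""
    m = re.search(r"[?&]q=([^&\s]+)", request_line)
    if not m:
        return None
    # unquote (not parse_qs) so a literal '+' in standard base64 survives
    raw = unquote(m.group(1)).replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)          # restore stripped padding
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except ValueError:                    # binascii.Error is a ValueError
        return None


def decode_transcript(request_lines):
    """All decoded chunks, in capture order, skipping requests without a payload."""
    return [d for d in map(decode_q_param, request_lines) if d is not None]


def find_lines(chunks, needle):
    """Ctrl+F over the decoded transcript: case-insensitive line search."""
    needle = needle.lower()
    return [ln for ch in chunks for ln in ch.splitlines() if needle in ln.lower()]


def listening_ports(chunks):
    """Listening TCP ports taken from netstat-style lines in the transcript."""
    found = {int(m.group(1)) for ln in find_lines(chunks, "LISTENING")
             for m in [re.search(r":(\d+)\s+\S+\s+LISTENING", ln)] if m}
    return sorted(found)
```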

Q18

The attacker then established a reverse socks proxy to access the internal services hosted inside the machine. What is the command executed by the attacker to establish the connection?
Format: Remove the double quotes from the log.

I tried searching the decoded strings, but I couldn't find anything useful except a process called ch.exe downloaded by the attacker. We can use this as a search query in Timeline Explorer, and we get it:

Q19

What is the SHA256 hash of the binary used by the attacker to establish the reverse socks proxy connection?

In the same log, navigate to the Payload Data3 column:

Q20

What is the name of the tool used by the attacker based on the SHA256 hash? Provide the answer in lowercase.

I put the hash I got into VirusTotal, and we get this:

The answer is the name of the process.

Q21

The attacker then used the harvested credentials from the machine. Based on the succeeding process after the execution of the socks proxy, what service did the attacker use to authenticate?
Format: Answer in lowercase

By asking to google: winRM

Q22

After discovering the privileges of the current user, the attacker then downloaded another binary to be used for privilege escalation. What is the name and the SHA256 hash of the binary?
Format: binary name,SHA256 hash

Based on the collected findings, the attacker gained a stable shell through a reverse SOCKS proxy, and according to the question he downloaded another binary to be used for privilege escalation. So I started my investigation in Timeline Explorer: since there is a process creation, I filtered the Event ID to 1 (the Sysmon Event ID for process creation), sorted the results by time, navigated to the Executable Info column and scrolled down until I got this:

“spf.exe” is the process which downloaded another binary. Now we need to find the downloaded binary to get its hash, so we search by the process name “spf.exe” and remove the Event ID filter, and here we can see the binary which was downloaded:

To get the hash, navigate to the Payload Data3 column:

we got it bro!

Q23

Based on the SHA256 hash of the binary, what is the name of the tool used? Format: Answer in lowercase

We can put the hash into VirusTotal again to get the name of the tool:

Note that the answer is the name without the 64 :’’

Q24

The tool exploits a specific privilege owned by the user. What is the name of the privilege?

Actually, I got stuck with this, so I used the hint, which was “External research needed. Read about the tool to see the privilege being abused”. After some searching you can find it.

Ans: SeImpersonatePrivilege

Q25

Then, the attacker executed the tool with another binary to establish a c2 connection. What is the name of the binary?

Well, here I searched for the process “spf.exe”, as it is the process the attacker used to execute the tool with another binary to establish a C2 connection. By navigating to the Executable Info column and scrolling down we can see the name of the binary:

Q26

The binary connects to a different port from the first c2 connection. What is the port used?

I didn't take too much time to solve this question, as I opened Brim and searched for the binary “final.exe”; we can see that there is only one connection in which the binary connects to a different port from the first C2 connection:

Q27

Upon achieving SYSTEM access, the attacker then created two users. What are the account names?

Now the attacker has gained administrative privileges inside the machine. We need to know which users he created, so I used Timeline Explorer and searched for our binary “final.exe”, filtered the Event ID to 1 (process creation), navigated to the Executable Info column and scrolled down; we can see that two users were successfully created.

Q28

Prior to the successful creation of the accounts, the attacker executed commands that failed in the creation attempt. What is the missing option that made the attempt fail?

We can see from the previous screenshot in Q27 that after the attacker created the two users, he wanted to add them to the local Administrators group, and the syntax to add a user to a local group is:

localgroup “name of the group” /add “name of the user”, so he missed /add.

Q29

Based on windows event logs, the accounts were successfully created. What is the event ID that indicates the account creation activity?

Ask Google, brooo :’’

Q30

The attacker added one of the accounts in the local administrator’s group. What is the command used by the attacker?

We can see the command in the same screenshot as Q27:

Q31

Based on windows event logs, the account was successfully added to a sensitive group. What is the event ID that indicates the addition to a sensitive local group?

Again, ask Google “what event ID logs successful addition to a local group” and you can find the answer :”

Q32

After the account creation, the attacker executed a technique to establish persistent administrative access. What is the command executed by the attacker to achieve this?
Format: Remove the double quotes from the log.

Well, here I scrolled down a few steps past the logs we saw in the previous screenshot, until I saw a strange command:

And here we can see the full command the attacker used to establish persistent administrative access.

Finally, we finished our investigation.

I hope you really benefit from this :”

See you later…………
