Elevating Movement

Investigate the second, Windows part of the Honeynet Collapse!

hard

60 min


Task 1: Introduction

Meet DeceptiTech

DeceptiTech is a fast-growing cyber security company specializing in honeypot development and deception technologies. At the heart of their success are DeceptiPots - lightweight, powerful, and configurable honeypots that you can install on any OS and capture every malicious action!

The internal DeceptiTech network is organized around a traditional on-premises Active Directory domain with approximately 50 active users. The product platform, however, is isolated and hosted entirely in the AWS cloud:

A diagram of the DeceptiTech network

Elevating Movement

One ordinary morning, DeceptiTech's entire network collapsed. Within minutes, all critical on-premises systems were locked down and encrypted. The IT department hurried to restore backups, while the security team rushed to their SIEM - only to find the backups corrupted and all SIEM data wiped clean.

This room is about the second attack stage (#2 on the network diagram). As part of an external DFIR unit, can you help DeceptiTech perform a full-scope investigation and explain how the attack continued?


Set up your virtual environment

To successfully complete this room, you'll need to set up your virtual environment. This involves starting both your AttackBox (if you're not using your VPN) and Target Machines, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.

Elevating Movement

Hey Emily, when you are done with DeceptiPot deployment, can you take a look at SRV-IT-QA? It became unstable after we replaced the motherboard, so maybe you can debug what's going on there. ~ Matthew

While Emily worked on the issue from a local admin account, the threat actor continued the attack. With the entry point secured and Emily's domain credentials stolen, they now wanted to explore opportunities for privilege escalation. Leveraging your knowledge of Windows forensics, can you uncover the elevating movement?

Monday, Day 4

The threat appears from the "deceptipot-demo" host and targets the "SRV-IT-QA" server.

Credentials

  • IP Address: MACHINE_IP
  • Connection: via RDP
  • Username: Administrator
  • Password: Secure!

Tips and Tools

  • Emily created a periodic system checker automation.
  • Other IT administrators often log in to this machine.
  • You might need to use EZ tools for this scenario.
Answer the questions below

When did the attacker perform RDP login on the server?
Answer Format Example: 2025-01-15 19:30:45

What is the full path to the binary that was replaced for persistence and privesc?

What is the type or malware family of the replaced binary?

Which full command line was used to dump the OS credentials?

Using the stolen credentials, when did the attacker perform lateral movement?
Answer Format Example: 2025-01-15 19:30:45

What is the NTLM hash of matthew.collins' domain password?
