Investigating Windows 2.0

In the previous challenge you performed a brief analysis. Within this challenge, you will take a deeper dive into the attack.

medium

45 min


Task 1: Investigating Windows 2.0


Note: In order to answer the questions in this challenge you should have completed the following rooms:

Tips for LOKI:

  • When you run the Loki scan, I suggest you save the output to a log file so you can refer to it when answering the questions below.
  • The scan may take a while to complete. Make sure the prompt keeps moving; that indicates the scan is still running. You can kill the scan after you see warnings for ntds.dit files.


Connect to the machine using RDP.

The credentials of the machine are as follows:

Username: Administrator
Password: letmein123!

Your machine's IP is: MACHINE_IP

If you're using Remmina to RDP, set the Color Depth to RemoteFX (32 bpp).

Note: This machine does not respond to ping (ICMP) and may take a few minutes to boot up.

Answer the questions below

What registry key contains the same command that is executed within a scheduled task?

What analysis tool will immediately close if/when you attempt to launch it?

What is the full WQL Query associated with this script?

What is the script language?

What is the name of the other script?

What is the name of the software company visible within the script?

What 2 websites are associated with this software company? (answer, answer)

Search online for the name of the script from Q5 and one of the websites from the previous answer. What attack script comes up in your search?

What is the location of this file within the local machine?

Which 2 processes open and close very quickly every few minutes? (answer, answer)

What is the parent process for these 2 processes?

What is the first operation for the first of the 2 processes?

Inspect the properties for the 1st occurrence of this process. In the Event tab what are the 4 pieces of information displayed? (answer, answer, answer, answer)

Inspect the disk operations, what is the name of the unusual process?

Run Loki. Inspect the output. What is the name of the module after `Init`?

Regarding the 2nd warning, what is the name of the eventFilter?

For the 4th warning, what is the class name?

What binary alert has the following 4d5a90000300000004000000ffff0000b8000000 as FIRST_BYTES?

According to the results, what is the description listed for reason 1?

Which binary alert is marked as APT Cloaked?

What are the matches? (str1, str2)

Which binary alert is associated with somethingwindows.dmp found in C:\TMP?

Which binary is encrypted that is similar to a trojan?

There is a binary that can masquerade itself as a legitimate core Windows process/image. What is the full path of this binary?

What is the full path location for the legitimate version?

What is the description listed for reason 1?

There is a file in the same folder location that is labeled as a hacktool. What is the name of the file?

What is the name of the Yara Rule MATCH?

Which binary didn't show in the Loki results?

Complete the yar rule file located within the Tools folder on the Desktop. What are 3 strings to complete the rule in order to detect the binary Loki didn't hit on? (answer, answer, answer)

Room Type: Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!

Users in Room: 15,120

Created: 1639 days ago