What is the rule name for this run key generated by Sysmon?
What tactics are classified with this MITRE ATT&CK ID?
What was the UTC time for the Sysmon event?
What was the Sysmon Event ID? Event Type? (answer, answer)
Decode the payload. What service will the payload attempt to start?
What process does the payload attempt to terminate?
What DLL file does the payload attempt to remove? (full path)
What is the Windows Event ID associated with this service?
What is listed as the New Default Printer?
What process is associated with this event?
Examine the other processes. What is the PID of the process running the encoded payload?
Decode the payload. What is the visible partial path?
This is the default communication profile the agent used to connect to the attack machine. What attack framework was used? What is the name of the variable? (answer, answer)
What other file paths are you likely to find in the logs? (answer, answer)
What is the MITRE ATT&CK URI for the attack framework?
What other process connected to the attacker machine?
What is the PID for this process?
What was the path for the first image loaded for the process identified in Qs 19 & 20?
What Sysmon event was generated between these 2 processes? What is its associated Event ID #? (answer, answer)
What is the UTC time for the first event between these 2 processes?
What is the value under Date and Time? (MM/DD/YYYY H:MM:SS [AM/PM])
What is the first operation listed by the 2nd process starting with the Date and Time from Q25?
What is the name of the last module in the stack from this event which had a successful result?
Most likely what module within the attack framework was used between the 2 processes?
What is the MITRE ID for this technique?
Room Type: Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!
Users in Room: 10,195
Created: 1646 days ago