Windows Incident Surface | TryHackMe Writeup with Answers
Welcome to our latest TryHackMe writeup on "Windows Incident Surface". This writeup will guide you through the critical aspects of investigating a Windows system breach, highlighting the necessary steps to acquire, investigate, hunt, and respond to security incidents. If you’re diving into the world of digital forensics, this post is tailored for you!
Task 1: Introduction
In this writeup, we explore the "Windows Incident Surface" room on TryHackMe. This room is designed to test your incident response skills within a Windows environment. Follow along as we break down each task, providing detailed answers and explanations.
TryHackMe | Windows Incident Surface
https://tryhackme.com/r/room/winincidentsurface
Task 2: Acquire, Investigate, Hunt and Respond
During these tasks, you'll learn how to acquire necessary data and begin your investigation.
Task 3: VM Environment and Your Incident Case
You'll also dive into the VM environment to understand the incident case.
Task 4: Reliability of the System Tools
This task focuses on identifying the tools and methods used by the adversary to manipulate system logs and store stolen credentials.
Quick Wins:
Environment variables identified; PowerShell profile file identified and secured
Low-Hanging Fruits:
Manipulated PS profile file; Log clearing attempt; Service and registry manipulation attempts
Action Points:
Investigate registry for credential theft; Check "event log service" status updates; Review logged-in users over time
Known Changes:
Original PS profile disabled, secure profile implemented; Logs affected
Questions Answered:
What tool did the adversary use to delete the logs?
wevtutil
What was the registry path used by the adversary to store and steal the login credentials?
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
Task 5: System Profile
System details provide crucial context for identifying vulnerabilities and system changes. Key findings include network interfaces, OS version discrepancies, and suspicious time zone settings. Notable anomalies, like disabled updates and misaligned policy settings, signal potential threats.
Questions Answered:
What is the hostname of the compromised host?
CCTL-WS-018-B21
What is the OS version of the compromised host?
10.0.17763
What is the Time ID of the compromised host?
Turkey Standard Time
Task 6: Users and Sessions
User activity analysis is crucial for detecting anomalies like unexpected accounts or admin modifications. Suspicious findings include multiple "Admin" accounts, an active "Guest" account, and ongoing user sessions, indicating potential adversary activity. Further investigation is needed.
Questions Answered:
What is the total number of suspicious accounts?
3
What is the security identifier (SID) of the Guest account?
S-1-5-21-1966530601-3185510712-10604624-501
When was the last time the Admin account (the one with the deliberate typo) was logged in? Answer format: MM/DD/YY HH:MM:SS XM
2/28/2024 10:21:10 AM
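The account and session review described above, as an added PowerShell triage script that is not part of the room or this writeup. It assumes it is run elevated on the host under investigation; the RID-based checks (501 for Guest, 500 for the real Administrator, 1000+ for created accounts) are standard Windows conventions.

```powershell
# Added triage example, not part of the room: enumerate local accounts and
# sessions and flag the anomalies Task 6 describes. Run elevated on the host.
function Get-SuspiciousLocalAccounts {
    # SIDs of users who hold local admin rights
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              Where-Object ObjectClass -eq 'User' |
              ForEach-Object { $_.SID.Value }

    foreach ($u in Get-LocalUser) {
        $rid     = [int]($u.SID.Value -split '-')[-1]   # last sub-authority = RID
        $reasons = @()

        # Built-in Guest is RID 501 and should be disabled on a workstation.
        if ($rid -eq 501 -and $u.Enabled) { $reasons += 'Guest account enabled' }

        # "Admin"-style names that are not the built-in RID 500 account are
        # look-alikes (the room's Admin account with a deliberate typo).
        if ($rid -ne 500 -and $u.Name -match '^admin') { $reasons += 'Administrator look-alike name' }

        # Any non-built-in account (RID >= 1000) with admin rights deserves review.
        if ($rid -ge 1000 -and $admins -contains $u.SID.Value) { $reasons += 'Member of Administrators' }

        if ($reasons) {
            [pscustomobject]@{
                Name      = $u.Name
                SID       = $u.SID.Value
                Enabled   = $u.Enabled
                LastLogon = $u.LastLogon
                Reasons   = $reasons -join '; '
            }
        }
    }
}

# Interactive (2) and RDP (10) logon sessions that are still open.
function Get-LiveSessions {
    Get-CimInstance Win32_LogonSession | Where-Object { $_.LogonType -in 2, 10 } | ForEach-Object {
        $q    = "ASSOCIATORS OF {Win32_LogonSession.LogonId='$($_.LogonId)'} WHERE ResultClass=Win32_Account"
        $acct = Get-CimInstance -Query $q
        [pscustomobject]@{ User = $acct.Name; LogonType = $_.LogonType; StartTime = $_.StartTime }
    }
}

Get-SuspiciousLocalAccounts | Format-Table -AutoSize
Get-LiveSessions            | Format-Table -AutoSize
```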
Task 7: Network Scope
Active ports and connections reveal critical aspects of malicious activity like lateral movement, C2 connections, and exfiltration. Anomalies such as unusual processes and ports, suspicious AnyDesk instances, and SSH executable presence indicate potential threats requiring further investigation.
Questions Answered:
INITIAL_LANTERN[.]exe
What is the directory path where the malicious process is located?
C:\Users\Administrator\AppData\SpcTmp\
What is the remote port used by the malicious process?
8888
What is the full path of the suspicious program for AnyDesk? Enter your answer in a defanged format.
D:\AnyDesk[.]exe
What port is used by the LMV Co. firewall rules?
5985
Task 8: Background Activities I: Startup and Registry
The Windows startup sequence is where adversaries plant backdoors, malicious tasks, and services so they survive a reboot, which makes it the place an investigator must scrutinize for anomalies. Suspicious entries, such as cmd.exe appended to the Userinit registry value, indicate malicious activity. A suspicious DLL named "****shield" in the NetSh registry path highlights the importance of using trusted tools during investigations: netsh.exe loads every helper DLL registered under that key, so running the system's own copy could trigger the adversary's code.
Questions Answered:
Public
What is the value data stored in the "Userinit" key? Enter your answer in a defanged format.
C:\Windows\system32\userinit[.]exe, cmd[.]exe /c "start /min netsh[.]exe -c"
What is the name of the suspicious DLL linked under the netshell hive key?
.\fwshield.dll
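The registry checks from Tasks 4 and 8 (WDigest credential caching, Winlogon Userinit/Shell, netsh helper DLLs, event log service state), as an added PowerShell script that is not part of the room or this writeup. The default values it compares against are the stock Windows defaults; the key paths are the ones named in the tasks plus the standard Winlogon and NetSh keys.

```powershell
# Added example, not the room's own material: compare the registry values
# discussed in Tasks 4 and 8 against their Windows defaults and report deviations.
function New-Finding($Key, $Value, $Data, $Why) {
    [pscustomobject]@{ Key = $Key; Value = $Value; Data = $Data; Why = $Why }
}

function Get-RegistryTriage {
    # 1. WDigest: UseLogonCredential = 1 makes LSASS keep plaintext credentials
    #    in memory, which is what the path in Task 4 was used for.
    $wd  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $ulc = (Get-ItemProperty -Path $wd -ErrorAction SilentlyContinue).UseLogonCredential
    if ($ulc -eq 1) { New-Finding $wd 'UseLogonCredential' $ulc 'Plaintext credential caching enabled' }

    # 2. Winlogon: Userinit and Shell should equal the defaults below; anything
    #    appended (e.g. cmd.exe) runs at every interactive logon.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p  = Get-ItemProperty -Path $wl
    $defaults = @{ Userinit = 'C:\Windows\system32\userinit.exe,'; Shell = 'explorer.exe' }
    foreach ($name in $defaults.Keys) {
        $data = [string]$p.$name
        if ($data.Trim() -ne $defaults[$name]) {
            New-Finding $wl $name $data 'Winlogon value differs from default'
        }
    }

    # 3. netsh helper DLLs: every value under this key is loaded by netsh.exe on
    #    start. Relative paths (.\x.dll) or DLLs missing from System32 are suspect.
    $ns    = 'HKLM:\SOFTWARE\Microsoft\NetSh'
    $props = Get-ItemProperty -Path $ns
    foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
        $dll = [string]$props.$name
        if ($dll -notmatch '^[\w.-]+\.dll$' -or -not (Test-Path "$env:SystemRoot\System32\$dll")) {
            New-Finding $ns $name $dll 'Helper DLL is not a plain System32 DLL'
        }
    }

    # 4. Event log service: stopped or not automatic often follows a
    #    log-clearing attempt (the Task 4 action point).
    $svc = Get-Service -Name EventLog
    if ($svc.Status -ne 'Running' -or $svc.StartType -ne 'Automatic') {
        New-Finding 'Service' 'EventLog' "$($svc.Status)/$($svc.StartType)" 'Event log service not running or not automatic'
    }
}

Get-RegistryTriage | Format-Table -AutoSize -Wrap
```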
Task 9: Background Activities II: Services and Scheduled Items
Services and scheduled tasks are central to analyzing Windows system behavior. Services start with the system and are therefore a favorite persistence mechanism, while scheduled tasks fire after initialization on a timer or trigger. Both must be reviewed for anomalies and potential security threats.
Questions Answered:
LMVCSS
What is the SHA256 value of the suspicious active service executable?
E9AA7564B2D1D612479E193A9F8CB70DF9CFBE02A39900EEE22FE266F5320EBF
What is the name of the non-running service that caught our attention?
aurora-agent
What is the SHA256 value of the non-running service executable?
D5C8BF2D3B56B21639D8152DB277DD714BA1A61BDAF2350BD0FF7E61D2A99003
What is the original filename of the non-running service executable? Enter your answer in a defanged format.
x3xv5weg[.]exe
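The service and scheduled-task review from Task 9, as an added PowerShell script that is not part of the room or this writeup. It lists services (running or not) and non-Microsoft tasks whose binary lives outside the Windows directory, and for each reports the SHA256 and the OriginalFilename from the PE version resource, the two values the task asks for; the "outside C:\Windows" heuristic is the author's assumption for a first pass.

```powershell
# Added example, not from the room: list services and scheduled tasks whose
# binaries live outside the Windows directory, with SHA256 and PE OriginalFilename.
function Get-ExecutableFromCommand([string]$Command) {
    # ImagePath / task actions may be quoted and carry arguments.
    if ($Command -match '^\s*"([^"]+)"')        { return $matches[1] }
    if ($Command -match '^\s*(.+?\.exe)(\s|$)') { return $matches[1] }
    return ($Command -split '\s+')[0]
}

function Get-BinaryFacts([string]$Path) {
    $p = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not [IO.Path]::IsPathRooted($p)) {          # bare name such as powershell.exe
        $cmd = Get-Command $p -ErrorAction SilentlyContinue; if ($cmd) { $p = $cmd.Source }
    }
    if (-not (Test-Path -LiteralPath $p)) { return [pscustomobject]@{ Path = $p; SHA256 = 'MISSING'; OriginalFilename = $null } }
    [pscustomobject]@{
        Path             = $p
        SHA256           = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        OriginalFilename = (Get-Item -LiteralPath $p).VersionInfo.OriginalFilename
    }
}

$systemDir = '^(%SystemRoot%|%windir%|C:\\Windows)\\'   # binaries here are not reported

function Get-SuspiciousServices {
    Get-CimInstance Win32_Service | ForEach-Object {     # stopped services included on purpose
        $exe = Get-ExecutableFromCommand $_.PathName
        if ($exe -and $exe -notmatch $systemDir) {
            $f = Get-BinaryFacts $exe
            [pscustomobject]@{ Type = 'Service'; Name = $_.Name; State = $_.State; Detail = $_.StartMode
                               Path = $f.Path; SHA256 = $f.SHA256; OriginalFilename = $f.OriginalFilename }
        }
    }
}

function Get-SuspiciousScheduledTasks {
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        foreach ($a in ($_.Actions | Where-Object Execute)) {   # exec actions only
            $exe = Get-ExecutableFromCommand $a.Execute
            if ($exe -notmatch $systemDir) {
                $f = Get-BinaryFacts $exe
                [pscustomobject]@{ Type = 'Task'; Name = $_.TaskName; State = $_.State; Detail = $_.TaskPath
                                   Path = $f.Path; SHA256 = $f.SHA256; OriginalFilename = $f.OriginalFilename }
            }
        }
    }
}

$(Get-SuspiciousServices; Get-SuspiciousScheduledTasks) | Format-Table -AutoSize -Wrap
```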
Task 10: Background Activities III: Processes and Directories
Processes are key in live investigations due to their dynamic nature, revealing signs of anomalies. Essential checks include unusual names, paths, process relationships, and commands. Analyzing parent-child connections and suspicious executables aids in detecting potential threats.
Questions Answered:
services[.]exe
Which user name is used for the SSH connection attempts?
James
What is the parent process of the malicious aurora process? Enter your answer in a defanged format.
svchost[.]exe
What is the file name located in the default user's temp directory? Enter your answer in a defanged format.
jmp[.]exe
What is the name of the potential proxy script located in the suspicious non-default temp folder? Enter your answer in a defanged format.
What is the SHA256 value of the potential proxy script located in the suspicious non-default temp folder?
What is the label of the hidden disc volume?
Setups
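The network and process checks from Tasks 7 and 10 (owning process and path of each live connection, remote ports, parent-child relationships, executables in temp folders), as one added PowerShell script that is not part of the room or this writeup. The set of "expected" remote ports and the path heuristic are the author's assumptions and should be tuned to the environment.

```powershell
# Added example, not the room's own code: build one process table from WMI, then
# (a) join live TCP connections to their owning process and (b) walk parent links.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

function Get-ProcName([int]$ProcId) {
    if ($procs.ContainsKey($ProcId)) { $procs[$ProcId].Name } else { '<exited>' }
}

function Test-OddPath([string]$Path) {
    # Executables in Temp/AppData or outside Windows and Program Files are worth a look.
    $Path -and ($Path -match '\\Temp\\|\\AppData\\' -or $Path -notmatch '^C:\\(Windows|Program Files)')
}

function Get-ConnectionTriage {
    Get-NetTCPConnection -State Established, Listen | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            Process    = $p.Name
            PID        = $_.OwningProcess
            Path       = $p.ExecutablePath
            LocalPort  = $_.LocalPort
            RemoteAddr = $_.RemoteAddress
            RemotePort = $_.RemotePort
            State      = $_.State
            # Unusual binary, or a remote port outside the expected set (0 = listener)
            Odd        = (Test-OddPath $p.ExecutablePath) -or ($_.RemotePort -notin 0, 80, 443, 445, 3389, 5985)
        }
    } | Where-Object Odd
}

function Get-ProcessTriage {
    foreach ($p in $procs.Values) {
        $parent = Get-ProcName $p.ParentProcessId
        $why = @()
        if (Test-OddPath $p.ExecutablePath) { $why += 'unusual path' }
        # Genuine svchost.exe is always started by services.exe.
        if ($p.Name -ieq 'svchost.exe' -and $parent -ine 'services.exe') { $why += "svchost parent is $parent" }
        # A child of svchost running from an unusual location (the Task 10 aurora case).
        if ($parent -ieq 'svchost.exe' -and (Test-OddPath $p.ExecutablePath)) { $why += 'spawned by svchost' }
        if ($why) {
            [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Parent = $parent; PPID = $p.ParentProcessId
                               Path = $p.ExecutablePath; CommandLine = $p.CommandLine; Why = ($why -join '; ') }
        }
    }
}

Get-ConnectionTriage | Format-Table -AutoSize
Get-ProcessTriage    | Format-Table -AutoSize -Wrap
```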
Task 11: Conclusion
What kind of content would you like to see next? Share your thoughts in the comments below! Here are some ideas:
TryHackMe Investigating Windows
TryHackMe Learning Paths
TryHackMe Tutorials
What did you think of this writeup? Let us know!