The video is a tutorial on how to use Wazuh for investigating cyber incidents. The video walks through a real-life cyber attack on “Swift Spend Finance,” where the attack was delivered through an Excel document. The attacker created a scheduled task for persistence and exfiltrated sensitive data. This was part of TryHackMe Monday Monitor.
Please watch the video at the bottom for full detailed explanation of the walkthrough.
Introduction to Wazuh SIEM
The video begins by showing the Wazuh dashboard, where you can see added agents and inspect their configurations.
Agents are executables deployed on workstations to monitor them for security events.The importance of setting up the correct timeline and data index for accurate results is emphasized.
Practical Scenario
The video walks through a real-life cyber attack on “Swift Spend Finance,” where the attack was delivered through an Excel document.
The attacker created a scheduled task for persistence and exfiltrated sensitive data.The process involves using Wazuh to investigate the artifacts of the attack as part of an incident response.
Step-by-Step Investigation
Finding the initial file: Using Wazuh, the command logs are inspected to find the PowerShell command that downloaded the malicious Excel file.
Scheduled task creation: The video demonstrates how to search for the command that created a scheduled task, using the correct index and event data. It reveals the time (12:34) that the task was set to run.
Base64 decoding: A PowerShell command is inspected, and a Base64 string is extracted. Using CyberChef, the string is decoded to find more details about the attacker’s actions, including communication with a C2 (Command and Control) server.
Persistence Mechanism
The attacker created a new user account named “guest” with a password of “I am monitoring.” This persistence allows the attacker continuous access to the system.
Credential Dumping
The well-known tool Mimikatz was used by the attacker to dump credentials. The video shows how to search for its usage within the logs.
Data Exfiltration
The attacker exfiltrated data from the compromised host. The video demonstrates how to search for specific patterns, such as a flag starting with “THM,” which identifies the exfiltrated data through a PowerShell command.
Conclusion
The video concludes the investigation with the final flag and emphasizes the importance of using the right tools and processes in incident response to uncover details of a cyber attack.
Room Answers | TryHackMe Monday Monitor
Initial access was established using a downloaded file. What is the file name saved on the host?
SwiftSpend_Financial_Expenses.xlsm
What is the full command run to create a scheduled task?
\”cmd.exe\” /c \”reg add HKCU\\SOFTWARE\\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0= /f & schtasks.exe /Create /F /TN \”ATOMIC-T1053.005\” /TR \”cmd /c start /min \\\”\\\” powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\\\SOFTWARE\\\\ATOMIC-T1053.005).test)))\” /sc daily /st 12:34\”
What time is the scheduled task meant to run?
12:34
What was encoded?
ping www.youarevulnerable.thm
What password was set for the new user account?
I_AM_M0NIT0R1NG
What is the name of the .exe that was used to dump credentials?
memotech.exe
Data was exfiltrated from the host. What was the flag that was part of the data?
THM{M0N1T0R_1$_1N_3FF3CT}
