The video is a tutorial on how to use Wazuh for investigating cyber incidents. The video walks through a real-life cyber attack on “Swift Spend Finance,” where the attack was delivered through an Excel document. The attacker created a scheduled task for persistence and exfiltrated sensitive data. This was part of TryHackMe Monday Monitor.

Please watch the video at the bottom for full detailed explanation of the walkthrough.

Introduction to Wazuh SIEM

The video begins by showing the Wazuh dashboard, where you can see added agents and inspect their configurations.

Agents are executables deployed on workstations to monitor them for security events. The video stresses that choosing the correct time range and data index in the dashboard is what makes the search results accurate.

Practical Scenario

The video walks through a real-life cyber attack on “Swift Spend Finance,” where the attack was delivered through an Excel document.

The attacker created a scheduled task for persistence and exfiltrated sensitive data. The process involves using Wazuh to investigate the artifacts of the attack as part of an incident response.

Step-by-Step Investigation

Finding the initial file: Using Wazuh, the command logs are inspected to find the PowerShell command that downloaded the malicious Excel file.

Scheduled task creation: The video demonstrates how to search for the command that created a scheduled task, using the correct index and event data. It reveals the time (12:34) that the task was set to run.

Base64 decoding: A PowerShell command is inspected, and a Base64 string is extracted. Using CyberChef, the string is decoded to find more details about the attacker’s actions, including communication with a C2 (Command and Control) server.
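
As an added example (not code from the video or the room), here is the same triage done programmatically: read the command line out of the alert, pull the Base64 value that `reg add` stored in the registry, decode it as the video does with CyberChef, and read the task name, schedule and start time from the `schtasks` arguments. The alert is constructed, and the field path `data.win.eventdata.commandLine` is assumed to be how Wazuh stores the Sysmon/4688 process-creation command line.

```python
import base64
import json
import re

# Constructed Wazuh-style alert (not a real capture). The commandLine value is the
# scheduled-task command recovered in the room; the field path
# data.win.eventdata.commandLine is assumed to match Wazuh's Sysmon/4688 event shape.
SAMPLE_ALERT = (
    r'{"agent":{"name":"constructed-host"},"data":{"win":{"eventdata":{"commandLine":'
    r'"\"cmd.exe\" /c \"reg add HKCU\\SOFTWARE\\ATOMIC-T1053.005 /v test /t REG_SZ '
    r'/d cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0= /f & schtasks.exe /Create /F '
    r'/TN \"ATOMIC-T1053.005\" /TR \"cmd /c start /min \\\"\\\" powershell.exe -Command '
    r'IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('
    r'(Get-ItemProperty -Path HKCU:\\\\SOFTWARE\\\\ATOMIC-T1053.005).test)))\" '
    r'/sc daily /st 12:34\""}}}}'
)

# One pattern per stage of the chain: stage payload in registry, persist via scheduled
# task, decode and run it in memory.
INDICATORS = {
    "registry_staging": re.compile(r"\breg(\.exe)?\s+add\b", re.I),
    "scheduled_task": re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I),
    "base64_loader": re.compile(r"FromBase64String", re.I),
    "inline_execution": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}

def decode_staged_payload(b64: str) -> str:
    """Decode the value written by `reg add ... /d <data>` (the CyberChef step)."""
    try:
        return base64.b64decode(b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return "<not printable base64>"  # keep triage going on junk/obfuscated values

def triage_schtask_alert(alert_json: str) -> dict:
    """Extract task name, schedule, start time and staged payload from one alert."""
    alert = json.loads(alert_json)
    cmd = alert["data"]["win"]["eventdata"]["commandLine"]
    staged = re.search(r"\breg(?:\.exe)?\s+add\s.*?/d\s+(\S+)", cmd, re.I | re.S)
    task = re.search(r'/tn\s+"?([^"\s]+)', cmd, re.I)
    sched = re.search(r"/sc\s+(\S+)", cmd, re.I)
    start = re.search(r"/st\s+(\d{1,2}:\d{2})", cmd, re.I)
    b64 = staged.group(1) if staged else None
    return {
        "task_name": task.group(1) if task else None,
        "schedule": sched.group(1) if sched else None,
        "start_time": start.group(1) if start else None,
        "staged_base64": b64,
        "decoded_payload": decode_staged_payload(b64) if b64 else None,
        "indicators": sorted(n for n, rx in INDICATORS.items() if rx.search(cmd)),
    }
```

Calling `triage_schtask_alert(SAMPLE_ALERT)` returns the decoded payload `ping www.youarevulnerable.thm`, the task name `ATOMIC-T1053.005` and the `12:34` start time that the room asks for, plus the list of chain stages that matched.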

Persistence Mechanism

The attacker created a new user account named “guest” with a password of “I am monitoring.” This persistence allows the attacker continuous access to the system.

Credential Dumping

The well-known tool Mimikatz was used by the attacker to dump credentials. The video shows how to search for its usage within the logs.

Data Exfiltration

The attacker exfiltrated data from the compromised host. The video demonstrates how to search for specific patterns, such as a flag starting with “THM,” which identifies the exfiltrated data through a PowerShell command.

Conclusion

The video concludes the investigation with the final flag and emphasizes the importance of using the right tools and processes in incident response to uncover details of a cyber attack.

Room Answers | TryHackMe Monday Monitor

Initial access was established using a downloaded file. What is the file name saved on the host?
SwiftSpend_Financial_Expenses.xlsm

What is the full command run to create a scheduled task?
\"cmd.exe\" /c \"reg add HKCU\\SOFTWARE\\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0= /f & schtasks.exe /Create /F /TN \"ATOMIC-T1053.005\" /TR \"cmd /c start /min \\\"\\\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\\\SOFTWARE\\\\ATOMIC-T1053.005).test)))\" /sc daily /st 12:34\"

What time is the scheduled task meant to run?

12:34

What was encoded?

ping www.youarevulnerable.thm

What password was set for the new user account?

I_AM_M0NIT0R1NG

What is the name of the .exe that was used to dump credentials?

memotech.exe

Data was exfiltrated from the host. What was the flag that was part of the data?

THM{M0N1T0R_1$_1N_3FF3CT}

Video Walkthrough | TryHackMe Monday Monitor

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
