We covered a threat hunting challenge that involved hunting Windows event logs exported from a compromised machine due to recent phishing email.
The hunt started with finding the initial attachment that was downloaded using Outlook and later on extracted.
The extracted files contained a payment invoice in PDF that when opened spawned a powershell process that downloaded a reverse shell and connected to the attacker C2 server where further commands were launched to enumerate the system and finally to exfilterate data from a file server using Nslookup tool.
This was part of TryHackMe Hunt Me 1: Payment Collectors room.
The scenario
On Friday, September 15, 2023, Michael Ascot, a Senior Finance Director from SwiftSpend, was checking his emails in Outlook and came across an email appearing to be from Abotech Waste Management regarding a monthly invoice for their services. Michael actioned this email and downloaded the attachment to his workstation without thinking.
The following week, Michael received another email from his contact at Abotech claiming they were recently hacked and to carefully review any attachments sent by their employees. However, the damage has already been done. Use the attached Elastic instance to hunt for malicious activity on Michael’s workstation and within the SwiftSpend domain!
Check out the video below for detailed explanation.
Room Answers | TryHackMe Hunt Me I: Payment Collectors
WWhat was the name of the ZIP attachment that Michael downloaded?
Invoice_AT_2023-227.zip
What is theWhat was the contained file that Michael extracted from the attachment?
Payment_Invoice.pdf.lnk.lnk
WhWhat was the name of the command-line process that spawned from the extracted file attachment?
powershell.exe
What URL did the attacker use to download a tool to establish a reverse shell connection?
https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1
What port did the workstation connect to the attacker on?
19282
WhWhat was the first native Windows binary the attacker ran for system enumeration after obtaining remote access?
systeminfo.exe
What is the URL of the script that the attacker downloads to enumerate the domain?
https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1
What was the name of the file share that the attacker mapped to Michael’s workstation?
SSF-FinancialRecords
What directory did the attacker copy the contents of the file share to?
C:\Users\michael.ascot\downloads\exfiltration
What was the name of the Excel file the attacker extracted from the file share?
ClientPortfolioSummary.xlsx
What was the name of the archive file that the attacker created to prepare for exfiltration?
exfilt8me.zip
What is the MITRE ID of the technique that the attacker used to exfiltrate the data?
T1048
What was the domain of the attacker’s server that retrieved the exfiltrated data?
haz4rdw4re.io
The attacker exfiltrated an additional file from the victim’s workstation. What is the flag you receive after reconstructing the file?
THM{1497321f4f6f059a52dfb124fb16566e}
Video Walkthrough | TryHackMe Hunt Me 1: Payment Collectors
