
TryHackMe: Tempest Challenge

Preparation - Tools and Artifacts

Challenge Link: Tempest

We will prepare the artifacts and introduce the tools needed for the investigation.

  1. Hash the artifacts.

[Screenshot]

  2. Toolset: The toolset needed for this task is focused on analysing:
    • Sysmon logs,
    • Windows Event Logs,
    • and packet captures.
  3. Endpoint logs: To analyse Windows artefacts such as Windows Event Logs and Sysmon logs, we will use the following tools:
    • EvtxECmd
    • Timeline Explorer
    • SysmonView
    • Event Viewer
  4. Network logs:
    • Wireshark
    • Brim

Initial Access - Malicious Document

Tempest Incident

In this incident, you will act as an Incident Responder from an alert triaged by one of your Security Operations Center analysts. The analyst has confirmed that the alert has a CRITICAL severity that needs further investigation.

As reported by the SOC analyst, the intrusion started from a malicious document. In addition, the analyst compiled the essential information generated by the alert as listed below:

  • The malicious document has a .doc extension.
  • The user downloaded the malicious document via chrome.exe.
  • The malicious document then executed a chain of commands to attain code execution.

Initial Access:

  1. The analyst said that the user downloaded a malicious .doc from the internet. Let’s confirm this by opening the pcap file and following the HTTP stream.

[Screenshot]

  2. From the pcap file, we confirm:
    • src: 192.168.254.107
    • dst: 167[.]71[.]199[.]191
    • malicious domain: phishteam[.]xyz
    • file name: free_magicules.doc
  3. This is the chrome.exe process summarised in SysmonView.

[Screenshot]

  4. Since the file extension is .doc, let’s look for the winword.exe process execution summary in SysmonView.

[Screenshot]

  5. From the winword.exe (PID 496) process, we confirm:
    • one file and two file streams were created,
    • there is a DNS query for the malicious domain,
    • and a child process was created.
  6. Inspect the child process created by the execution of the .doc file:
    • filter on PPID 496 and Event ID 1 (process creation).

[Screenshot] [Screenshot] [Screenshot]

  7. From the executed command, we confirm:
    • it executed at 2022-06-20 17:13:35;
    • it exploits MSDT (msdt.exe) with a crafted URL;
    • inside the parameter it uses a double Invoke-Expression and Base64-encoded code to download and extract a ZIP file from the malicious domain;
    • it extracts the contents into the Startup folder so that it persists across reboots;
    • it then tries to execute mpsigstub.exe, a legitimate Windows binary (Microsoft Malware Protection Signature Stub) that is often abused in living-off-the-land attacks.
  8. This is CVE-2022-30190, the MSDT vulnerability known as Follina.
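As an added example that is not part of the original writeup, the following Python triage routine checks a Sysmon Event ID 1 record for the indicators listed in step 7 (an Office parent spawning msdt.exe, an ms-msdt: URL, nested Invoke-Expression, an embedded Base64 blob that drops into the Startup folder, mpsigstub.exe) and decodes the embedded payload. The event record and its command line are constructed stand-ins, not the challenge’s evidence.

```python
import base64
import re

# Constructed stand-in for the challenge's Sysmon Event ID 1 record, not the real command
# line: Word spawns msdt.exe with an ms-msdt: URL whose parameter wraps a Base64 blob in
# two Invoke-Expression calls and ends by referencing mpsigstub.exe.
CONSTRUCTED_STAGE2 = base64.b64encode(
    b'Expand-Archive -Path "$env:TEMP\\payload.zip" -DestinationPath '
    b'"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"').decode()
SAMPLE_EVENT = {
    "UtcTime": "2022-06-20 17:13:35",
    "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    "Image": r"C:\Windows\System32\msdt.exe",
    "CommandLine": ('msdt.exe ms-msdt:/id PLACEHOLDER /param "x=$(Invoke-Expression($(Invoke-Expression('
                    "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
                    + CONSTRUCTED_STAGE2 + "')))))/../Windows/System32/mpsigstub.exe\""),
}
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
B64_RE = re.compile(r"FromBase64String\(['\"]?([A-Za-z0-9+/=]{16,})")


def decode_embedded_base64(cmdline):
    """Return the decoded text of the first Base64 blob handed to FromBase64String, or None."""
    m = B64_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def triage_process_event(ev):
    """Score one Sysmon Event ID 1 record against the MSDT document-exploit chain."""
    findings, cmd = [], ev["CommandLine"]
    if ev["ParentImage"].lower().endswith(OFFICE_APPS) and ev["Image"].lower().endswith("msdt.exe"):
        findings.append("office_spawned_msdt")
    if "ms-msdt:" in cmd.lower():
        findings.append("ms-msdt_url")
    if cmd.count("Invoke-Expression") >= 2:
        findings.append("nested_invoke_expression")
    if "mpsigstub.exe" in cmd.lower():
        findings.append("lolbin_mpsigstub")
    decoded = decode_embedded_base64(cmd)
    if decoded is not None:
        findings.append("base64_payload_decoded")
        if "startup" in decoded.lower():  # a drop into the Startup folder means persistence
            findings.append("writes_to_startup_folder")
    return {"UtcTime": ev["UtcTime"], "findings": findings, "decoded": decoded}
```

Running `triage_process_event` over every Event ID 1 record exported by EvtxECmd surfaces the same chain the screenshots show, without reading each command line by hand.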

Initial Access - Stage 2 execution

Malicious Document - Stage 2

Based on the initial findings, we discovered that there is a stage 2 execution:

  • The document successfully executed a Base64-encoded command.
  • Decoding this string reveals the exact command chain executed by the malicious document.

Execution:

  1. The execution of the payload happened at 2022-06-20 17:13:35.
  2. From the Windows logs, the user successfully logged in at 2022-06-20 17:13:39.
  3. The Autostart execution shows explorer.exe as its parent process.
  4. Now let’s filter for process creation (Event ID 1), the compromised user (benimaru), and the parent process (explorer.exe).
  5. Inspect the executable info for events that happened after the user logged in.

[Screenshot] [Screenshot]

  6. At 17:15:10, the process used PowerShell to download a binary (first.exe) from a suspicious domain and save it in the Downloads folder.
  7. Filter on the downloaded binary to extract its MD5 hash.

[Screenshot]

  8. Use SysmonView to view a summary of the first.exe process.

[Screenshot]


Initial Access - Malicious Document Traffic

Malicious Document Traffic

Based on the collected findings, we discovered that the attacker fetched the stage 2 payload remotely:

  • We discovered the domain and IP invoked by the malicious document in the Sysmon logs.
  • There is another domain and IP used by the stage 2 payload, logged from the same data source.

C2:

  1. In stage 2, we found that the downloaded binary queried a malicious domain.
  2. Using Wireshark, let’s first filter HTTP traffic related to phishteam.xyz to find the URL of the malicious payload embedded in the document.

[Screenshot]

  3. Then filter for HTTP traffic to the second domain (resolvcyber.xyz), used for C2 communication.

[Screenshot]

  4. The attacker used Base64 encoding for the C2 connection. The malicious C2 binary sends the results of executed commands Base64-encoded in the q parameter, and it connects to the specific URL /9ab62b5 to retrieve commands for execution.

Discovery - Internal Reconnaissance

Internal Reconnaissance

Based on the collected findings, we have discovered that the malicious binary continuously communicates over the C2 channel:

  • We can easily decode the encoded strings in the network traffic.
  • The traffic contains the commands executed by the attacker and their output.

Reconnaissance:

  1. I copied all the Base64-encoded commands from the C2 traffic and decoded them.

[Screenshot]

  2. As shown in the screenshot above, the attacker listed all the files in the Desktop folder, then read (cat) the content of the automation.ps1 file, which contains sensitive information related to the user benimaru.
  3. The attacker also used the netstat command to list all active connections, which revealed listening port 5985, used by the WinRM service for remote shell access to the machine.

[Screenshot]

  4. If we filter for processes whose parent is the C2 binary (first.exe), we find that at 17:18:48 the attacker established a reverse SOCKS proxy using the binary ch.exe to reach the internal services hosted on the machine.

[Screenshot]

  5. Copy the hash of the binary and search for it on VirusTotal, which reveals the real name of the binary: Chisel.

[Screenshot]
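The decoding done by hand in this section, and the C2 shape described in the Malicious Document Traffic section (commands fetched from /9ab62b5, output returned Base64-encoded in the q parameter), as an added Python example that is not part of the original writeup: it rebuilds the command/output transcript from the HTTP request lines and response bodies and picks out the discovery commands and the WinRM listener. The traffic is constructed, and the exact exchange shape (a bare GET for a command, output returned in q=) is an assumption.

```python
import base64
from urllib.parse import unquote, urlsplit

C2_COMMAND_PATH = "/9ab62b5"  # URL the beacon polls for commands (from the writeup)
C2_RESULT_PARAM = "q"          # parameter carrying Base64 command output (from the writeup)
RECON_COMMANDS = ("dir", "type", "cat", "netstat", "whoami", "ipconfig", "systeminfo")

def b64(text):  # helper used only to build the constructed sample below
    return base64.b64encode(text.encode()).decode()
# Constructed sample exchanges (request line, response body), not the challenge capture.
SAMPLE_TRAFFIC = [
    ("GET /9ab62b5 HTTP/1.1", b64("dir C:\\Users\\benimaru\\Desktop")),
    ("GET /9ab62b5?q=" + b64("automation.ps1\r\nnotes.txt") + " HTTP/1.1", ""),
    ("GET /9ab62b5 HTTP/1.1", b64("type C:\\Users\\benimaru\\Desktop\\automation.ps1")),
    ("GET /9ab62b5?q=" + b64("# constructed placeholder for the script body") + " HTTP/1.1", ""),
    ("GET /9ab62b5 HTTP/1.1", b64("netstat -ano")),
    ("GET /9ab62b5?q=" + b64("TCP  0.0.0.0:5985  0.0.0.0:0  LISTENING  4") + " HTTP/1.1", ""),
]

def raw_query_param(query, name):
    """Percent-decode one query value without turning Base64 '+' into a space (as parse_qs would)."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None

def b64_to_text(blob):  # restore any padding the beacon stripped, then decode
    return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "replace")

def decode_exchange(request_line, response_body):
    """Classify one exchange as an attacker 'command', beacon 'output', or 'other'."""
    parts = urlsplit(request_line.split(" ")[1])
    result = raw_query_param(parts.query, C2_RESULT_PARAM)
    if result is not None:
        return "output", b64_to_text(result)
    if parts.path == C2_COMMAND_PATH and response_body:
        return "command", b64_to_text(response_body)
    return "other", parts.path

def flag_recon(session):
    """Report discovery commands and a WinRM listener (TCP 5985) seen in decoded netstat output."""
    flags = []
    for kind, text in session:
        words = text.split()
        if kind == "command" and words and words[0].lower() in RECON_COMMANDS:
            flags.append("recon command: " + text)
        if kind == "output" and ":5985" in text and "LISTENING" in text:
            flags.append("WinRM listener (TCP 5985) exposed in netstat output")
    return flags
```

Feed it the request lines and bodies exported from Wireshark (File > Export Objects > HTTP, or a tshark field dump) with `[decode_exchange(r, b) for r, b in pairs]` and pass the result to `flag_recon`.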


Privilege Escalation - Exploiting Privileges

Privilege Escalation

Based on the collected findings, the attacker gained a stable shell through a reverse socks proxy.

Privilege Escalation:

  1. Search for the WinRM process. If we inspect the Payload column, we find the description of the wsmprovhost.exe process: “Host Process for WinRM”. Wsmprovhost.exe is the Windows process responsible for hosting PowerShell remote sessions over WinRM (Windows Remote Management). It executes the PowerShell scripts and commands sent from a remote computer, acting as a dedicated environment for each remoting session.

[Screenshot]

  2. Filter for the processes executed by the parent process wsmprovhost.exe.

[Screenshot] [Screenshot]

  3. At 2022-06-20 17:20:06, the attacker downloaded the tool spf.exe. Copy its hash and search for it on VirusTotal.

[Screenshot] [Screenshot]

  4. PrintSpoofer is a post-exploitation tool used in Windows environments to escalate privileges by exploiting weaknesses in the Print Spooler service. It primarily abuses SeImpersonatePrivilege to gain elevated privileges, such as SYSTEM or Administrator, from a lower-privileged account.
  5. At 2022-06-20 17:21:05, the attacker also downloaded another binary called final.exe, and at 17:21:34 executed PrintSpoofer (spf.exe) with final.exe as its argument.

[Screenshot]

  6. Using SysmonView, inspect the final.exe process.

[Screenshot]

  7. This binary is also used for the C2 connection, using the same domain but a different port (8080).

[Screenshot]


Actions on Objective - Fully-owned Machine

Fully-Owned Machine

Now, the attacker has gained administrative privileges inside the machine. Find all persistence techniques used by the attacker.

In addition, the unusual executions are related to the malicious C2 binary used during privilege escalation.

Persistence:

  1. Now that the attacker has SYSTEM privileges, filter for the SYSTEM user and the parent process final.exe.

[Screenshot]

  2. From the decoded Base64 payloads, the attacker tried to add the users Shuna and Shion, but the commands returned failures because the add option was missing.

[Screenshot] [Screenshot]

  3. To confirm the creation of those users, load the Windows Security logs and filter for Event ID 4720 (“A user account was created”). The Shuna user was added at 17:27:19 and the Shion user at 17:27:28.

[Screenshot]

  4. At 17:27:41, the attacker used the net command to add the Shion account to the local Administrators group.

[Screenshot]

  5. Based on the timestamp of Shion being added to the local Administrators group, filter the Windows logs for Event ID 4732 (“A member was added to a security-enabled local group”). The user was added to the Builtin\Administrators group.

[Screenshot]

  6. At 17:26:29, the attacker executed a technique to establish persistent administrative access. This command registers C:\ProgramData\final.exe as a persistent Windows service on the machine named TEMPEST under the name TempestUpdate2. Since it is set to start= auto, it will run on every reboot.

[Screenshot]
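An added Python example, not part of the original writeup, showing how the persistence findings above can be pulled from the event logs rather than found by hand: it pairs each 4720 account creation with a following 4732 addition to Builtin\Administrators, and flags 7045 service installs whose binary sits in a user-writable directory such as C:\ProgramData. The records are constructed (the timestamps and names mirror the writeup, the benign service is made up), and the 4732 records are assumed to carry a resolved MemberName rather than only a SID.

```python
from datetime import datetime, timedelta

# Constructed Windows event records, not the challenge's EVTX files: Security 4720 (a user
# account was created), Security 4732 (a member was added to a security-enabled local group)
# and System 7045 (a service was installed). Field names follow each event's EventData; the
# timestamps mirror the writeup and the ExampleSvc record is made up for contrast.
SAMPLE_EVENTS = [
    {"EventID": 7045, "TimeCreated": "2022-06-20 09:00:00", "ServiceName": "ExampleSvc",
     "ImagePath": "\"C:\\Program Files\\Example\\svc.exe\"", "StartType": "auto start"},
    {"EventID": 7045, "TimeCreated": "2022-06-20 17:26:29", "ServiceName": "TempestUpdate2",
     "ImagePath": "C:\\ProgramData\\final.exe", "StartType": "auto start"},
    {"EventID": 4720, "TimeCreated": "2022-06-20 17:27:19", "TargetUserName": "shuna"},
    {"EventID": 4720, "TimeCreated": "2022-06-20 17:27:28", "TargetUserName": "shion"},
    {"EventID": 4732, "TimeCreated": "2022-06-20 17:27:41", "MemberName": "TEMPEST\\shion",
     "TargetUserName": "Administrators", "TargetDomainName": "Builtin"},
]
TS = "%Y-%m-%d %H:%M:%S"
# Service binaries under these paths rather than Program Files or System32 deserve a look.
UNUSUAL_SERVICE_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


def new_accounts_made_admin(events, window=timedelta(minutes=10)):
    """Pair each 4720 with a later 4732 into Builtin\\Administrators for the same account."""
    created = {e["TargetUserName"].lower(): datetime.strptime(e["TimeCreated"], TS)
               for e in events if e["EventID"] == 4720}
    hits = []
    for e in events:
        if e["EventID"] != 4732 or e.get("TargetUserName", "").lower() != "administrators":
            continue
        member = e["MemberName"].rsplit("\\", 1)[-1].lower()  # strip the MACHINE\ prefix
        when = datetime.strptime(e["TimeCreated"], TS)
        if member in created and timedelta(0) <= when - created[member] <= window:
            hits.append((member, created[member].strftime(TS), e["TimeCreated"]))
    return hits


def suspicious_services(events):
    """Flag 7045 installs whose binary lives in a user-writable directory."""
    return [(e["ServiceName"], e["ImagePath"].strip('"'), e["StartType"]) for e in events
            if e["EventID"] == 7045
            and e["ImagePath"].strip('"').lower().startswith(UNUSUAL_SERVICE_DIRS)]
```

Both functions take the same list of dicts, so the Security and System logs exported by EvtxECmd can be concatenated and passed in together.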

This post is licensed under CC BY 4.0 by the author.