Windows Incident Surface | TryHackMe Writeup
Room: https://tryhackme.com/r/room/critical
00:00 Task 1: Introduction
00:12 Task 2: Acquire, Investigate, Hunt and Respond; Task 3: VM Environment and Your Incident Case
00:39 Task 4: Reliability of the System Tools
What tool did the adversary use to delete the logs?
wevtutil
What was the registry path used by the adversary to store and steal the login credentials?
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
09:59 Task 5: System Profile
What is the hostname of the compromised host?
CCTL-WS-018-B21
What is the OS version of the compromised host?
10.0.17763
What is the Time Zone ID of the compromised host?
Turkey Standard Time
11:30 Task 6: Users and Sessions
What is the total number of suspicious accounts?
3
What is the security identifier (SID) of the Guest account?
S-1-5-21-1966530601-3185510712-10604624-501
When was the last time the Admin account (the one with the deliberate typo) was logged in? Answer format: MM/DD/YY HH:MM:SS XM
2/28/2024 10:21:10 AM
15:37 Task 7: Network Scope
What is the name of the malicious process? Enter your answer in a defanged format.
INITIAL_LANTERN[.]exe
What is the directory path where the malicious process is located?
C:\Users\Administrator\AppData\SpcTmp\
What is the remote port used by the malicious process?
8888
What is the full path of the suspicious program for AnyDesk? Enter your answer in a defanged format.
D:\AnyDesk[.]exe
What port is used by the LMV Co. firewall rules?
5985
20:28 Task 8: Background Activities I: Startup and Registry
Which user account will be used to run the AnyDesk application?
Public
What is the value data stored in the "Userinit" key? Enter your answer in a defanged format.
C:\Windows\system32\userinit[.]exe, cmd[.]exe /c "start /min netsh[.]exe -c"
What is the name of the suspicious DLL linked under the netshell hive key?
.\fwshield.dll
24:05 Task 9: Background Activities II: Services and Scheduled Items
What is the name of the suspicious active service?
LMVCSS
What is the SHA256 value of the suspicious active service executable?
E9AA7564B2D1D612479E193A9F8CB70DF9CFBE02A39900EEE22FE266F5320EBF
What is the name of the non-running service that caught our attention?
aurora-agent
What is the SHA256 value of the non-running service executable?
D5C8BF2D3B56B21639D8152DB277DD714BA1A61BDAF2350BD0FF7E61D2A99003
What is the original filename of the non-running service executable? Enter your answer in a defanged format.
x3xv5weg[.]exe
32:03 Task 10: Background Activities III: Processes and Directories
What is the parent process name of the suspicious executable (INITIAL_LANTERN) process? Enter your answer in a defanged format.
services[.]exe
Which user name is used for the SSH connection attempts?
James
What is the parent process of the malicious aurora process? Enter your answer in a defanged format.
svchost[.]exe
What is the file name located in the default user's temp directory? Enter your answer in a defanged format.
jmp[.]exe
What is the name of the potential proxy script located in the suspicious non-default temp folder? Enter your answer in a defanged format.
Invoke-SocksProxy[.]psm1
What is the SHA256 value of the potential proxy script located in the suspicious non-default temp folder?
E7697645F36DE5978C1B640B6B3FC819E55B00EE8D9E9798919C11CC7A6FC88B
What is the label of the hidden disc volume?
Setups
39:40 Task 11: Conclusion
This video was uploaded by user VietTube on 23 July 2024; it has been viewed 645 times and liked by 7 people.