THM - Investigating Windows 3.x
Hi,
This is my writeup about the TryHackMe box “Investigating Windows 3.x”.
I was not able to keep my previous writeups spoiler-free, so this time I am working task by task. Avoid looking ahead to the next task if you want to stay spoiler-free for the current one.
1. What is the registry key with the encoded payload?
Right after connecting to the machine with the RDP client of my choice, I found these two files lying on the desktop:
I opened both. My first look was at Logfile.pml (a Process Monitor capture), but there was so much information that I didn't know where to start. So I looked into the second file, WIN-Q5JJRDM876J.arn (an Autoruns export), and there was a suspicious entry which jumped right out at me. At first I let myself be misled into thinking the full path was HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but the path the question actually asks for is slightly different and can be found in the Image Path column:
2. What is the rule name for this run key generated by Sysmon?
This one should be easy if you have done the Sysmon room on THM. But there is no Sysmon file or anything like it. I searched for a long time until I found this (the Sysmon log sits in Event Viewer under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational):
Now I create a custom view which filters for Event ID 13:
You may ask: “But how did you know which Event ID to look for?”
Well, that's simple: since the Sysmon room I use a cheat sheet for that: Sysmon-Cheatsheet.pdf. Event ID 13 is RegistryEvent (Value Set), which is the event a newly written Run key value produces.
Now, you can waste your time like I did and go through all the events one by one, or you can do it the smart way:
- Right-click the custom view
- Choose Find...
- Search for Debug, because this is an important keyword from the first task
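The same custom view can be built without the GUI. This is an added example and not part of the original writeup: the view is expressed as the XML QueryList that Event Viewer itself uses (visible on the view's XML tab) and run with Get-WinEvent -FilterXml, and the "Find Debug" step becomes a Where-Object. The log name, Event ID and the Debug keyword come from the steps above; the RuleName/TargetObject extraction assumes Sysmon's standard EventData layout (one <Data Name="..."> element per field).

```powershell
# Added example, not code from the original writeup. A custom view in Event Viewer
# is just an XML QueryList; the same list can be handed to Get-WinEvent -FilterXml.
# Log name, Event ID and keyword are from the writeup; the field extraction assumes
# Sysmon's usual EventData layout (<Data Name="RuleName">, <Data Name="TargetObject">).
$queryList = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*[System[(EventID=13)]]</Select>
  </Query>
</QueryList>
"@

Get-WinEvent -FilterXml ([xml]$queryList) |
    Where-Object { $_.Message -like '*Debug*' } |      # the "Find... Debug" step
    ForEach-Object {
        # The rendered Message is free text; the XML carries the fields by name
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            TimeUtc      = $_.TimeCreated.ToUniversalTime()   # TimeCreated is local time
            EventID      = $_.Id
            RuleName     = ($data | Where-Object { $_.Name -eq 'RuleName' }).'#text'
            TargetObject = ($data | Where-Object { $_.Name -eq 'TargetObject' }).'#text'
        }
    } | Format-List
```

The keyword filter runs over the rendered message, so it only works where the Sysmon provider is installed (otherwise Message is empty); the XML fields are there either way, which is why the output is taken from them.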
3. What tactics is classified with this MITRE ATT&CK ID?
This task is a short one. I just did a Google search for the keywords “MITRE” and “T1547.001”, and the first suggestion has the answer:
4. What was UTC time for the Sysmon event?
Yes, a no-brainer. Event Viewer's General tab shows the time in the local time zone of the machine; the UTC value is the SystemTime attribute in the Details > XML View tab, and Sysmon also writes it to the UtcTime field of the event:
5. What was the Sysmon Event ID? Event Type?
And again a no-brainer, because the Event ID was already used in task 2 and the event type is also known:
6. Decode the payload. What service will the payload attempt start?
First I took the Base64 encoded payload from the registry path that was asked for in the first task:
After that I saved the string to a text file and decoded it with PowerShell. To get the job done, first read the content of the file into a variable:
$payload = Get-Content .\payload.txt
Then use this “short” PowerShell command to decode it:
[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($payload)) | Out-File -Encoding "ASCII" decoded_payload.txt
And yes, I put “short” in quotes because I hate Windows and everything about it. The PowerShell commands are hilarious compared to simple bash. In bash, the same command would look like this:
base64 -d ./payload.txt > decoded_payload.txt
However, now the payload is readable and the answer to this question is in the first line:
7. The payload attempts to open a local port. What is the port number?
In the same file, look a bit further along in the first line:
8. What process does the payload attempt to terminate?
To answer this question I decoded the Base64 string inside the decoded payload. As before, first save the content to a file and read it into a variable:
After that, as before, the answer can be found in the content:
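Questions 6 and 8 are the same operation twice: decode a Base64 blob, then find and decode the next Base64 blob inside the result. The following is an added example, not the writeup's own code: a decoder that picks the text encoding itself (ASCII for a registry payload like the one above, UTF-16LE for anything built for -EncodedCommand) and keeps peeling layers until nothing Base64-looking is left. The two-layer sample payload is constructed for the demo and is not the room's payload.

```powershell
# Added example, not code from the original writeup: decode a Base64 payload with
# automatic encoding detection and keep peeling nested Base64 layers (Q6 and Q8).
# The sample payload at the bottom is constructed; it is not the room's payload.

function ConvertFrom-Base64Text {
    param([Parameter(Mandatory)][string]$Base64)
    # Get-Content / copy-paste may add line breaks or spaces; Base64 never needs them
    $bytes = [System.Convert]::FromBase64String(($Base64 -replace '\s', ''))
    # -EncodedCommand payloads are UTF-16LE: ASCII text shows up as every other byte
    # being 0x00. Decoding those as ASCII gives "p.o.w.e.r." output, so test for it.
    $nulls = @($bytes | Where-Object { $_ -eq 0 }).Count
    if ($bytes.Length -ge 4 -and $nulls * 3 -ge $bytes.Length) {
        return [System.Text.Encoding]::Unicode.GetString($bytes)
    }
    return [System.Text.Encoding]::ASCII.GetString($bytes)
}

function Expand-Base64Layers {
    # Returns the decoded text of each layer, outermost first; stops when no Base64 blob is left
    param([Parameter(Mandatory)][string]$Base64, [int]$MaxDepth = 5)
    $layers  = @()
    $current = $Base64
    for ($i = 0; $i -lt $MaxDepth; $i++) {
        # Longest run that looks like Base64 (letters, digits, +, /, optional = padding)
        $blob = [regex]::Matches($current, '[A-Za-z0-9+/]{24,}={0,2}') |
            Sort-Object { $_.Length } -Descending | Select-Object -First 1
        if (-not $blob) { break }
        try { $decoded = ConvertFrom-Base64Text $blob.Value } catch { break }   # not Base64 after all
        $layers += $decoded
        $current = $decoded
    }
    return ,$layers
}

# Constructed two-layer sample: an inner command hidden as Base64 inside an outer
# command, which is then encoded the way "powershell -enc" expects it (UTF-16LE).
$inner    = "Write-Host 'inner layer'"
$innerB64 = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($inner))
$outer    = "IEX ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('$innerB64')))"
$outerB64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($outer))

$layers = Expand-Base64Layers $outerB64
for ($i = 0; $i -lt $layers.Count; $i++) { "layer $($i + 1): $($layers[$i])" }
# For the room's files: Expand-Base64Layers (Get-Content .\payload.txt -Raw)
```

For the sample this prints two layers: the outer IEX command (decoded as UTF-16LE) and the inner Write-Host line (decoded as ASCII). The 24-character minimum on the Base64 regex is only there to skip short identifiers such as FromBase64String; lower it if a payload hides very short blobs.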
9. What DLL file does the payload attempt to remove?
It can be found in the same file as the previous question:
10. What is the Windows Event ID associated with this service?
The service name is FAX, as seen in the decoded payload. I decided to search for something related to the Fax service:
# List every log whose name contains "Fax" (case-insensitive)
Get-WinEvent -ListLog * | Where-Object { $_.LogName -like "*Fax*" }
As can be seen in the screenshot, nothing could be found for the keyword Fax in any variation. So I searched for the next thing that comes to mind when thinking of fax devices: printers.
Remember task 4 of the Windows Event Logs room, where we were introduced to FilterHashtable. I also use this cheat sheet for the Get-WinEvent command: Get-WinEvent.pdf
Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-PrintService/Admin"} | fl
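Guessing log names is the slow part of this task. The following is an added example and not from the original writeup: first list logs by wildcard (what the log-name search above was for), then search the most recent records of every enabled log for a keyword. The patterns are the ones used above; what it returns depends on the machine it runs on.

```powershell
# Added example, not from the original writeup: find the right log without guessing
# its name. Patterns are from the writeup; results depend on the machine.

# Step 1: -ListLog accepts wildcards, and several patterns at once
Get-WinEvent -ListLog '*Fax*', '*Print*' -ErrorAction SilentlyContinue |
    Select-Object LogName, RecordCount, IsEnabled

# Step 2: keyword search over the newest records of every log that has any
function Search-AllEventLogs {
    param(
        [Parameter(Mandatory)][string]$Pattern,   # regex matched against each event's Message
        [int]$MaxEventsPerLog = 500               # newest N per log; raise it for a full sweep
    )
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
        ForEach-Object {
            $logName = $_.LogName
            Get-WinEvent -LogName $logName -MaxEvents $MaxEventsPerLog -ErrorAction SilentlyContinue |
                Where-Object { $_.Message -match $Pattern } |
                Select-Object @{n='LogName'; e={$logName}}, Id, TimeCreated,
                              @{n='Summary'; e={($_.Message -split "`r?`n")[0]}}  # first line of the message
        }
}

Search-AllEventLogs -Pattern 'Fax|Printer' | Format-Table -AutoSize
```

The sweep reads up to 500 records from every log, so it takes a while on a long-running machine; on a lab box it is the quickest way to learn which log (here the PrintService one) carries the events you need.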
11. What is listed as the New Default Printer?
This one is also shown in the previous output:
12. What process is associated with this event?
To make my life easier here, and because I don't like GUIs for this kind of work, I decided to save the Sysmon log to an .evtx file (Event Viewer: right-click the log > Save All Events As...).
After that I was able to search with PowerShell, which is much better. Again, remember the Windows Event Logs room, where XPath queries were introduced in task 5.
With XPath queries and the information already known, I was able to build a search. The following information is important:
- The DLL is targeted by executables.
- Which DLL was targeted: ualapi.dll
- The event we are looking for is a Registry Event: Event ID 13
With that, I ran this command and got the answer:
Get-WinEvent -Path .\sysmon.evtx -FilterXPath '*/System/EventID=13' | Where-Object {$_.Message -like "*ualapi.dll*"} | fl
13. What is the parent PID for the above process?
I wasted too much time trying to get the answer with Get-WinEvent. But the right answer can be found by viewing Logfile.PML with Process Monitor:
- Search for the DLL file
- Make the Parent PID column visible
- Take the answer
In Sysmon the parent PID is the ParentProcessId field of the process creation event (Event ID 1); if the process was started before Sysmon began logging, there is no such event for it, and Process Monitor's Parent PID column is the fallback.
14. What is the PID of the process running the encoded payload?
My thought: “This is a Windows machine and the attacker will use PowerShell, as many attack tools for Windows rely on PowerShell. How would PowerShell encode a string then?”
There is this command, for example:
$EncodedPayload = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Write-Host 'Hello, World!'"))
But this did not lead me to the answer. So the next thought was: “The encoded payload has to be executed somehow. How do you execute encoded commands with PowerShell?”
A Google search for “powershell run encoded commands” turned up the -EncodedCommand flag. Through further searching I came across an article written by Jeff White. The interesting part is that PowerShell also accepts a short form of the -EncodedCommand flag, -enc (it takes -e and -ec as well).
So the best thing is to search for this keyword:
Get-WinEvent -Path .\sysmon.evtx -FilterXPath '*/System/EventID=1' | Where-Object {$_.Message -like "*enc*"} | fl
And as expected, the command which executes the payload shows up (a “*enc*” match also hits unrelated words such as “encoding”, so check the command line of each hit):
15. Decode the payload. What is the a visible partial path?
I copied the payload from the previous question to a file named enc.txt and decoded it as in question 6:
$payload = Get-Content .\enc.txt
[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($payload)) | Out-File -Encoding "ASCII" decoded.txt
Keep in mind that -EncodedCommand expects UTF-16LE (which is why the encoding example above uses [System.Text.Encoding]::Unicode). If the ASCII decode shows a null between every character, decode with [System.Text.Encoding]::Unicode instead.
16. What attack framework was used? What is the name of the variable?
Because the question is not very specific and rather open-ended, I started by searching for the partial path on Google; it might be a pattern specific to a particular framework.
So we are dealing with Empire. But the question is not only asking for the framework, it also asks for the variable, whatever that means.
I visited the quickstart page of the Empire project and, while scrolling and reading, something caught my attention:
Without being sure what the question actually wants, I entered the two findings:
- Empire as the framework
- The name of the variable in the screenshot
Gladly it was right, because I didn't understand the question this way or any other way and would have run out of ideas.
17. What other file paths are you likely to find in the logs?
The answer to this question lies in the same screenshot as the previous answer. There are two other paths besides /admin/get.php.
18. What is the MITRE ATT&CK URI for the attack framework?
Done with a Google search for “MITRE ATT&CK” and “empire”.
19. What was the FQDN of the attacker machine that the suspicious process connected to?
I looked at the network connection events in the Sysmon file. Keep in mind that the Sysmon-Cheatsheet.pdf helps to find the Event ID for each event type (network connections are Event ID 3).
I ran this command:
Get-WinEvent -Path .\sysmon.evtx -FilterXPath '*/System/EventID=3' -Oldest -MaxEvents 1 | fl
And also used nslookup to show the FQDN of the revealed IP (Sysmon records the name in the DestinationHostname field of the same event when it could resolve it):
20. What other process connected to the attacker machine?
I just searched for the destination IP:
Get-WinEvent -Path .\sysmon.evtx -FilterXPath '*/EventData/Data[@Name="DestinationIp"] = "34.245.128.161"' | fl
21. What is the PID for this process?
The answer is in the same output:
22. What was the path for the first image loaded for the process identified in Q’s 19 & 20?
I wasted way more time than I'm willing to admit trying to find the answer with Sysmon. After a while I looked at the Process Monitor app and filtered it to get the first loaded image (Sysmon only records image loads, Event ID 7, if the configuration enables them, so the .evtx may simply not contain what Process Monitor's Load Image operation shows):
23. What Sysmon event was generated between these 2 processes? What is its associated Event ID?
I had to know the timespan in question. Thinking about the whole situation, the first event is the creation of the payload in the registry; the second is the execution of the payload from the registry.
23.a Timestamp for key creation
Get-WinEvent -Path .\sysmon.evtx -FilterXPath '*/System/EventID=13' | Where-Object {$_.Message -like "*enc*"} | fl
23.b Timestamp for execution
Get-WinEvent -Path .\sysmon.evtx -FilterXPath '*/System/EventID=1' | Where-Object {$_.Message -like "*enc*"} | fl
23.c Get the event now
With both timestamps, 1/21/2021 5:05:45 PM and 1/21/2021 5:08:13 PM, I now knew what to look at. Just display all events between the timestamps:
$stTime = Get-Date -Date "1/21/2021 5:05:45 PM"
$enTime = Get-Date -Date "1/21/2021 5:08:13 PM"
Get-WinEvent -Path .\sysmon.evtx | Where-Object {$_.TimeCreated -ge $stTime -and $_.TimeCreated -le $enTime}
Looking at the results, there is one event type which sticks out.
That is enough to answer the question: give the Message displayed, followed by the Id.
24. What is the UTC time for the first event between these 2 processes?
To make answering this question easy, I ran this command (Event ID 8 being the event type found in question 23):
Get-WinEvent -Path .\sysmon.evtx -FilterXPath '*/System/EventID=8' -Oldest | Where-Object {$_.TimeCreated -ge $stTime} | Select-Object -First 1 | fl
TimeCreated is shown in local time; the UTC value the question asks for is $_.TimeCreated.ToUniversalTime(), or the UtcTime field in the event's own data.
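Most of the Get-WinEvent searches from question 12 onward match strings in the rendered Message, which is fragile: it needs the Sysmon provider installed to render at all, and “*enc*” also matches “encoding”. This is an added example, not the writeup's code: it parses each Sysmon event's XML into an object whose EventData fields are properties, then redoes the searches of questions 13/14, 19 to 21 and 23/24 on those fields. The five sample events are constructed (fake PIDs, paths and hostname); only the destination IP is the one quoted above.

```powershell
# Added example, not code from the original writeup. Turns Sysmon events into
# objects whose EventData fields (Image, ProcessId, ParentProcessId, CommandLine,
# DestinationIp, ...) are real properties, so the searches for Q13/Q14, Q19-Q21
# and Q23/Q24 filter on fields instead of the rendered Message. The sample events
# at the bottom are constructed (fake PIDs, paths, hostname); only the IP is from the writeup.

function ConvertFrom-SysmonXml {
    param([Parameter(ValueFromPipeline)] $InputEvent)
    process {
        # Accept an EventRecord straight from Get-WinEvent, or a raw XML string
        $xmlText = if ($InputEvent -is [System.Diagnostics.Eventing.Reader.EventRecord]) { $InputEvent.ToXml() } else { [string]$InputEvent }
        [xml]$xml = $xmlText
        $record = [ordered]@{
            EventID = [int]$xml.Event.System.EventID
            # SystemTime in the XML is UTC; Get-WinEvent's TimeCreated is local time
            TimeUtc = [System.Xml.XmlConvert]::ToDateTime($xml.Event.System.TimeCreated.SystemTime,
                          [System.Xml.XmlDateTimeSerializationMode]::Utc)
        }
        foreach ($d in $xml.Event.EventData.Data) { $record[$d.Name] = $d.'#text' }
        [pscustomobject]$record
    }
}

function Test-EncodedCommandSwitch {
    # powershell.exe takes -ec and any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...),
    # so a plain "*enc*" match both misses -e/-ec and hits words like "encoding".
    param([string]$CommandLine)
    foreach ($token in ($CommandLine -split '\s+')) {
        $t = $token.ToLowerInvariant()
        if ($t -eq '-ec' -or ($t.Length -ge 2 -and '-encodedcommand'.StartsWith($t))) { return $true }
    }
    return $false
}

# --- Constructed sample events. On the real file:  $events = Get-WinEvent -Path .\sysmon.evtx | ConvertFrom-SysmonXml
function New-SampleSysmonXml {
    param([int]$Id, [string]$Utc, [System.Collections.IDictionary]$Data)
    $fields = ($Data.GetEnumerator() | ForEach-Object {
        "<Data Name='$($_.Key)'>$([System.Security.SecurityElement]::Escape([string]$_.Value))</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>" +
    "<Provider Name='Microsoft-Windows-Sysmon'/><EventID>$Id</EventID><TimeCreated SystemTime='$Utc'/></System>" +
    "<EventData>$fields</EventData></Event>"
}
$ps  = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$svc = 'C:\Windows\System32\svchost.exe'
$sampleXml = @(
    (New-SampleSysmonXml 13 '2021-01-21T17:05:45Z' ([ordered]@{ RuleName='-'; EventType='SetValue'; ProcessId=4100; Image=$ps
        TargetObject='HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SampleValue'; Details='cG93ZXJzaGVsbC5leGU=' }))
    (New-SampleSysmonXml 8  '2021-01-21T17:06:10Z' ([ordered]@{ RuleName='-'; SourceProcessId=4100; SourceImage=$ps
        TargetProcessId=5200; TargetImage=$svc; StartFunction='-' }))
    (New-SampleSysmonXml 1  '2021-01-21T17:08:13Z' ([ordered]@{ RuleName='-'; ProcessId=6100; Image=$ps; ParentProcessId=4100
        ParentImage=$ps; CommandLine='powershell -NoP -W Hidden -enc SQBFAFgA' }))
    (New-SampleSysmonXml 3  '2021-01-21T17:08:20Z' ([ordered]@{ RuleName='-'; ProcessId=6100; Image=$ps
        DestinationIp='34.245.128.161'; DestinationPort=80; DestinationHostname='c2.example.net' }))
    (New-SampleSysmonXml 3  '2021-01-21T17:09:02Z' ([ordered]@{ RuleName='-'; ProcessId=5200; Image=$svc
        DestinationIp='34.245.128.161'; DestinationPort=80; DestinationHostname='c2.example.net' }))
)
$events = $sampleXml | ConvertFrom-SysmonXml

# Q14 / Q13: process creations with an encoded command; the parent PID is in the same event
$events | Where-Object { $_.EventID -eq 1 -and (Test-EncodedCommandSwitch $_.CommandLine) } |
    Select-Object TimeUtc, ProcessId, ParentProcessId, Image, CommandLine | Format-List

# Q19-Q21: every process that talked to the attacker IP (DestinationHostname saves the nslookup)
$events | Where-Object { $_.EventID -eq 3 -and $_.DestinationIp -eq '34.245.128.161' } |
    Select-Object TimeUtc, ProcessId, Image, DestinationHostname | Format-Table -AutoSize

# Q23 / Q24: the window from the registry write (Event 13) to the execution (Event 1),
# counted per Event ID so the odd one out is obvious, plus the first event in it (already UTC)
$start  = ($events | Where-Object { $_.EventID -eq 13 } | Sort-Object TimeUtc | Select-Object -First 1).TimeUtc
$end    = ($events | Where-Object { $_.EventID -eq 1 -and (Test-EncodedCommandSwitch $_.CommandLine) } |
           Sort-Object TimeUtc | Select-Object -First 1).TimeUtc
$window = $events | Where-Object { $_.TimeUtc -gt $start -and $_.TimeUtc -lt $end } | Sort-Object TimeUtc
$window | Group-Object EventID | Sort-Object Count | Format-Table Count, Name -AutoSize
"first event in the window (UTC): $(($window | Select-Object -First 1).TimeUtc.ToString('u'))"
```

On the real file, replace the sample with $events = Get-WinEvent -Path .\sysmon.evtx | ConvertFrom-SysmonXml and keep the rest. TimeUtc is taken from the SystemTime attribute, so the UTC questions need no ToUniversalTime(); and because nothing depends on the rendered Message, the same script works on an .evtx copied to a machine that has no Sysmon installed.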
25. What is the first operation listed by the 2nd process starting with the Date and Time from Q25?
I had to look into the Process Monitor app again for this. Just a simple filter by the PID from the question before.
26. What is the full registry path that was queried by the attacker to get information about the victim?
I looked into the Process Monitor app and filtered my way through, because this question was again a little too open-ended. I used everything I could to keep the output as short as possible:
- the PID of the process in question
- the registry path where most of the system information lies
- the operation type
I still had to trial-and-error many paths until I found the one I needed:
27. What is the name of the last module in the stack from this event which had a successful result?
I double-clicked one of the three findings from the previous question and selected the last tab (Stack) in the properties dialog:
28. Most likely what module within the attack framework was used between the 2 processes?
I searched around on Google until I remembered question 23, where I had already named the event action. So I used that as a keyword, and a good hint jumped right out at me:
On top of that I did another search with the phrase “process injection powershell empire”, which led me to the process injection module of Empire. That offers the answer to the question.
29. What is the MITRE ID for this technique?
This one is straightforward. Do what I did in question 3.
Good luck! :)