TryHackMe | Boogeyman 3 (2024)

TryHackMe | Boogeyman 3 (2)

This room challenged me to analyze the tactics, techniques, and procedures (TTPs) of a sophisticated threat actor known as Boogeyman. The hands-on exercise walks through tracing the full attack chain, from the CEO falling prey to a phishing email, to weaponized payload execution, credential theft, lateral movement and attempted ransomware deployment.

Room link: https://tryhackme.com/room/boogeyman3

Due to the previous attacks of Boogeyman, Quick Logistics LLC hired a managed security service provider to handle its Security Operations Center. Little did they know, the Boogeyman was still lurking and waiting for the right moment to return.

In this room, you will be tasked to analyse the new tactics, techniques, and procedures (TTPs) of the threat group named Boogeyman.

This room may require the combined knowledge gained from the SOC L1 Path. We recommend going through the following rooms before attempting this challenge.

Before we proceed, deploy the attached machine by clicking the Start Machine button in the upper-right-hand corner of the task. The provided virtual machine runs an Elastic Stack (ELK), which contains the logs that will be used throughout the room.

Once the machine is up, access the Kibana console (via the AttackBox or VPN) using the credentials below.

URL: http://MACHINE_IP
Username: elastic
Password: elastic

Note: The Kibana instance may take 3–5 minutes to initialise.

Answer the questions below

Let’s end this Boogeyman incident!

Without tripping any security defences of Quick Logistics LLC, the Boogeyman was able to compromise one of the employees and stayed in the dark, waiting for the right moment to continue the attack. Using this initial email access, the threat actors attempted to expand the impact by targeting the CEO, Evan Hutchinson.

TryHackMe | Boogeyman 3 (3)

The email appeared questionable, but Evan still opened the attachment despite the scepticism. After opening the attached document and seeing that nothing happened, Evan reported the phishing email to the security team.

Upon receiving the phishing email report, the security team investigated the workstation of the CEO. During this activity, the team discovered the email attachment in the downloads folder of the victim.

TryHackMe | Boogeyman 3 (4)

In addition, the security team also observed a file inside the ISO payload, as shown in the image below.

TryHackMe | Boogeyman 3 (5)

Lastly, it was presumed by the security team that the incident occurred between August 29 and August 30, 2023.

Given the initial findings, you are tasked to analyse and assess the impact of the compromise.

Before answering the questions, set the time filter to the date of the incident.

TryHackMe | Boogeyman 3 (6)
TryHackMe | Boogeyman 3 (7)

I also turned the KQL off.

TryHackMe | Boogeyman 3 (8)

Answer: 6392

Filter events that contain files with html extension and events related to the malicious file attachment.

".html" OR "ProjectFinancialSummary_Q3.pdf"

Select the fields as seen in the image below to display their values. The “process.command_line” field shows the command that executed the malicious file, and its process ID is displayed as well.

TryHackMe | Boogeyman 3 (9)

Answer: “C:\Windows\System32\xcopy.exe” /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat

Edit the search query to filter events related to the malicious file attachment.

ProjectFinancialSummary_Q3.pdf*

We can see that after the first payload is executed, another process is started that copies the file “review.dat” to the “TEMP” directory.

TryHackMe | Boogeyman 3 (10)

Answer: “C:\Windows\System32\rundll32.exe” D:\review.dat,DllRegisterServer

Following the series of events, rundll32.exe is used to execute the file “review.dat” by calling its DllRegisterServer export.

TryHackMe | Boogeyman 3 (11)

Answer: Review

Next, a PowerShell command was issued to create a scheduled task that executes the DLL created by the previous process. The scheduled task is registered as “Review”.

TryHackMe | Boogeyman 3 (12)

Answer: 165.232.170.151:80

Filter for events that triggered a network connection; in Sysmon, this is Event ID 3.

TryHackMe | Boogeyman 3 (13)

Select only the interesting fields to display, and we can see the C2 connection being established.

TryHackMe | Boogeyman 3 (14)

Answer: fodhelper.exe

Filter for events related to the malicious file that was executed and created the DLL, then sort @timestamp in ascending order.

We see a command executed to enumerate the users and groups on the machine.

TryHackMe | Boogeyman 3 (15)

Scrolling up, we see the attacker enumerating the groups the user is part of.

TryHackMe | Boogeyman 3 (16)

After that, the attacker executed another command. Googling it, it turns out to be a trusted Windows binary that can be abused to elevate privileges by bypassing the UAC prompt.

TryHackMe | Boogeyman 3 (17)
TryHackMe | Boogeyman 3 (18)
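The Kibana filters used above (process creation as Event ID 1, network connections as Event ID 3, field:value queries on process.command_line) can be reproduced offline as detection rules. The script below is an added example, not code from the room or from TryHackMe: it builds a handful of constructed Sysmon records in the ECS field layout Elastic uses, then runs rules for the steps this walkthrough found on the CEO's workstation (xcopy staging review.dat out of the ISO into %TEMP%, rundll32 with DllRegisterServer, the “Review” scheduled task from PowerShell, fodhelper.exe launched from a shell, and rundll32 connecting to 165.232.170.151). The host name WKSTN-CEO and the exact scheduled-task command line are placeholders, not values from the logs.

```python
"""Offline triage of Sysmon events in the ECS shape that Elastic stores them in.

Added example, not code from the room or from TryHackMe. The records below are
constructed by hand to mirror the chain the walkthrough observed; the host name
WKSTN-CEO and the scheduled-task command line are placeholders.
"""
import ipaddress
import re
from fnmatch import fnmatch

HOST = "WKSTN-CEO"  # placeholder, not the host name from the logs


def proc(name, cmdline, parent):
    """Process-creation record (Sysmon Event ID 1)."""
    return {"event": {"code": "1"}, "host": {"name": HOST},
            "process": {"name": name, "command_line": cmdline, "parent": {"name": parent}}}


def conn(name, dst_ip, dst_port):
    """Network-connection record (Sysmon Event ID 3)."""
    return {"event": {"code": "3"}, "host": {"name": HOST},
            "process": {"name": name}, "destination": {"ip": dst_ip, "port": dst_port}}


EVENTS = [  # constructed sample data, in the order the walkthrough found them
    proc("xcopy.exe", r'"C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat '
         r"C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat", "cmd.exe"),
    proc("rundll32.exe", r'"C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer', "cmd.exe"),
    proc("powershell.exe", 'powershell.exe -Command "Register-ScheduledTask -TaskName Review -Action $a"', "cmd.exe"),
    proc("fodhelper.exe", r"C:\Windows\System32\fodhelper.exe", "cmd.exe"),
    conn("rundll32.exe", "165.232.170.151", 80),
    conn("svchost.exe", "10.0.0.5", 445),  # benign internal traffic; must not fire
]


def field(event, path, default=""):
    """Walk a dotted ECS path such as 'process.parent.name'; missing -> default."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def kql_like(event, path, pattern):
    """Stand-in for a KQL field:value filter: case-insensitive, '*' wildcards."""
    return fnmatch(str(field(event, path)).lower(), pattern.lower())


def is_external(ip):
    """True for routable addresses, i.e. C2 candidates rather than LAN traffic."""
    try:
        a = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (a.is_private or a.is_loopback or a.is_link_local)


def rule_iso_staging(e):
    # xcopy pulling a payload off a non-system drive letter (mounted ISO) into %TEMP%
    cl = field(e, "process.command_line").lower()
    return (kql_like(e, "process.name", "xcopy.exe")
            and re.search(r"\s[d-z]:\\", cl) is not None and "\\appdata\\local\\temp\\" in cl)


def rule_rundll32_regsvr(e):
    # rundll32 asked to run DllRegisterServer from a file that is not even named .dll
    m = re.search(r'rundll32(?:\.exe)?"?\s+(\S+?),DllRegisterServer', field(e, "process.command_line"), re.I)
    return m is not None and not m.group(1).lower().endswith(".dll")


def rule_schtask_from_shell(e):
    # persistence: a scheduled task registered from PowerShell
    cl = field(e, "process.command_line").lower()
    return kql_like(e, "process.name", "powershell.exe") and ("register-scheduledtask" in cl or "schtasks" in cl)


def rule_fodhelper(e):
    # fodhelper.exe auto-elevates; explorer.exe is its normal parent, a shell is not
    return kql_like(e, "process.name", "fodhelper.exe") and not kql_like(e, "process.parent.name", "explorer.exe")


def rule_rundll32_external(e):
    # Event ID 3: rundll32 talking to a routable address (the C2 in this room)
    return (kql_like(e, "event.code", "3") and kql_like(e, "process.name", "rundll32.exe")
            and is_external(field(e, "destination.ip")))


RULES = [("iso_staging_to_temp", rule_iso_staging), ("rundll32_dllregisterserver", rule_rundll32_regsvr),
         ("scheduled_task_from_powershell", rule_schtask_from_shell), ("fodhelper_uac_bypass", rule_fodhelper),
         ("rundll32_external_connection", rule_rundll32_external)]


def triage(events):
    """Return (event index, rule name) for every record a rule fires on."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES if rule(e)]


if __name__ == "__main__":
    for i, name in triage(EVENTS):
        print(f"event {i}: {name}")
```

Each rule keys on a relationship rather than a single string (a drive letter other than C: feeding %TEMP%, DllRegisterServer on a non-.dll file, fodhelper.exe with a shell as parent), which is what keeps them useful when the file names change between campaigns; the benign svchost.exe record is there to show that ordinary internal traffic does not fire the network rule.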

Answer: https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip

Filter for events that contain the keyword “github” with an event code of 1 (process creation).

TryHackMe | Boogeyman 3 (19)

A very popular credential-dumping tool, Mimikatz, is seen being downloaded as “mimi.zip”.

TryHackMe | Boogeyman 3 (20)

Answer: itadmin:F84769D250EB95EB2D7D8B4A1C5613F2

Filter for events that contain the keyword “mimi*”, referring to the tool that was downloaded.

After dumping the logon passwords, the tool was also used for lateral movement, accessing machines the user has access to.

TryHackMe | Boogeyman 3 (21)

Answer: IT_Automation.ps1

Scrolling down, we can see that the attacker used another popular PowerShell script to find file shares on the machine, and was also able to read the contents of a file found there.

TryHackMe | Boogeyman 3 (22)

Answer: QUICKLOGISTICS\allan.smith:Tr!ckyP@ssw0rd987

Using the credentials obtained from reading that file, the attacker then executed commands remotely on “WKSTN-1327”. The last command was used to move laterally to the target machine.

TryHackMe | Boogeyman 3 (23)

If we decode the payload in CyberChef, we see an interesting domain.

TryHackMe | Boogeyman 3 (24)
TryHackMe | Boogeyman 3 (25)
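The CyberChef step above (base64 decode, then UTF-16LE) is the standard way to read a PowerShell -EncodedCommand argument. The script below is an added example, not the room's payload and not TryHackMe's code: it decodes an -enc argument straight from a process.command_line value and pulls URLs, IPv4 addresses and host names out of the result, so the “interesting domain” drops out without a manual recipe. The encoded command is built here from a constructed plaintext, and ff.placeholder-c2.invalid is a made-up host, not the domain from the logs.

```python
"""Decode a PowerShell -EncodedCommand argument and pull out network indicators.

Added example, not the room's payload and not TryHackMe's code. The encoded
command is built from a constructed plaintext so the script runs offline;
ff.placeholder-c2.invalid is a made-up host, not the domain from the logs.
"""
import base64
import binascii
import re

# Constructed plaintext: a remote command to WKSTN-1327 that reaches a placeholder host
SAMPLE_SCRIPT = ("Invoke-Command -ComputerName WKSTN-1327 -ScriptBlock "
                 "{ Test-NetConnection ff.placeholder-c2.invalid -Port 443 }")
# PowerShell expects UTF-16LE text, then base64; reproduce that to build the sample
SAMPLE_CMDLINE = "powershell.exe -NoP -w hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

# -e, -ec, -enc and -EncodedCommand are all accepted abbreviations
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script, or None if no valid -enc argument is present."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    # an odd byte count cannot be UTF-16LE; show the raw bytes instead of failing
    if len(raw) % 2:
        return raw.decode("utf-8", errors="replace")
    return raw.decode("utf-16le", errors="replace")


URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_indicators(text):
    """Crude IOC pull: URLs, IPv4 addresses and dotted host names from decoded text."""
    urls = set(URL_RE.findall(text))
    ips = set(IP_RE.findall(text))
    hosts = set(HOST_RE.findall(text)) - ips
    return {"urls": sorted(urls), "ips": sorted(ips), "hosts": sorted(hosts)}


if __name__ == "__main__":
    decoded = decode_encoded_command(SAMPLE_CMDLINE)
    print(decoded)
    print(extract_indicators(decoded))
```

The host-name regex is deliberately loose and will also catch file names with a dotted suffix, so treat its output as candidates to check against the network events rather than as confirmed indicators.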

Answer: WKSTN-1327

We were able to identify that from the previous question.

Answer: wsmprovhost.exe

Filter events with Event ID of 1 and with the host name of “WKSTN-1327”.

TryHackMe | Boogeyman 3 (26)

We can see that the command issued to move laterally was a child process of another process.

TryHackMe | Boogeyman 3 (27)

Answer: administrator:00f80f2538dcb54e7adc715c0e7091ec

Scrolling down through the filtered events, we see that the attacker downloaded mimikatz, enumerated the machine, then passed the hash of a user for lateral movement.

TryHackMe | Boogeyman 3 (28)

Answer: backupda

Here we see the flow of the attack. After passing the hash of the Administrator, the attacker performed a few commands and then conducted a DCSync attack against the Administrator user.

TryHackMe | Boogeyman 3 (29)

If we edit the filter to the hostname of the DC, we can see the other account against which the DCSync attack was performed.

TryHackMe | Boogeyman 3 (30)
TryHackMe | Boogeyman 3 (31)

Answer: http://ff.sillytechninja.io/ransomboogey.exe

Scrolling down, we see the URL where a file was downloaded from.

TryHackMe | Boogeyman 3 (32)

Thank you for reading. Until next time. :-)

Author: Arielle Torp

Last Updated:

Views: 5466

Rating: 4 / 5 (41 voted)

Reviews: 80% of readers found this page helpful

Author information

Name: Arielle Torp

Birthday: 1997-09-20

Address: 87313 Erdman Vista, North Dustinborough, WA 37563

Phone: +97216742823598

Job: Central Technology Officer

Hobby: Taekwondo, Macrame, Foreign language learning, Kite flying, Cooking, Skiing, Computer programming

Introduction: My name is Arielle Torp, I am a comfortable, kind, zealous, lovely, jolly, colorful, adventurous person who loves writing and wants to share my knowledge and understanding with you.