TryHackMe | Boogeyman 3 (2024)

This room challenged me to analyze the tactics, techniques, and procedures (TTPs) of a sophisticated threat actor known as Boogeyman. The complex hands-on exercise walks through tracing the full attack chain, from the CEO falling prey to a phishing email, to weaponized payload execution, credential theft, lateral movement and attempted ransomware deployment.

Room link: https://tryhackme.com/room/boogeyman3

Due to the previous attacks of Boogeyman, Quick Logistics LLC hired a managed security service provider to handle its Security Operations Center. Little did they know, the Boogeyman was still lurking and waiting for the right moment to return.

In this room, you will be tasked to analyse the new tactics, techniques, and procedures (TTPs) of the threat group named Boogeyman.

This room may require the combined knowledge gained from the SOC L1 Path. We recommend going through the following rooms before attempting this challenge.

Before we proceed, deploy the attached machine by clicking the Start Machine button in the upper-right-hand corner of the task. The provided virtual machine runs an Elastic Stack (ELK), which contains the logs that will be used throughout the room.

Once the machine is up, access the Kibana console (via the AttackBox or VPN) using the credentials below.

URL: http://MACHINE_IP
Username: elastic
Password: elastic

Note: The Kibana instance may take 3–5 minutes to initialise.

Let’s end this Boogeyman incident!

Without tripping any security defences of Quick Logistics LLC, the Boogeyman was able to compromise one of the employees and stayed in the dark, waiting for the right moment to continue the attack. Using this initial email access, the threat actors attempted to expand the impact by targeting the CEO, Evan Hutchinson.

The email appeared questionable, but Evan still opened the attachment despite the scepticism. After opening the attached document and seeing that nothing happened, Evan reported the phishing email to the security team.

Upon receiving the phishing email report, the security team investigated the workstation of the CEO. During this activity, the team discovered the email attachment in the downloads folder of the victim.

In addition, the security team also observed a file inside the ISO payload, as shown in the image below.

Lastly, it was presumed by the security team that the incident occurred between August 29 and August 30, 2023.

Given the initial findings, you are tasked to analyse and assess the impact of the compromise.

Before answering the questions, set the time filter to the date of the incident.

I also turned KQL off.

Answer: 6392

Filter events that contain files with html extension and events related to the malicious file attachment.

".html" OR "ProjectFinancialSummary_Q3.pdf"

Select the fields shown in the image below to display their values. The field “process.command_line” shows the command that executed the malicious file, and its process ID is displayed as well.

Answer: “C:\Windows\System32\xcopy.exe” /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat

Edit the search query to filter events related to the malicious file attachment.

ProjectFinancialSummary_Q3.pdf*

We can see that after the first payload is executed, another process is started that copies the file “review.dat” to the “TEMP” directory.

Answer: “C:\Windows\System32\rundll32.exe” D:\review.dat,DllRegisterServer

Following the sequence of events, rundll32.exe is used to load the file “review.dat” by calling its DllRegisterServer export.

Answer: Review

In continuation, a PowerShell command was issued to create a scheduled task to execute the DLL that was created by the previous process or event. The scheduled task is registered as “Review”.

Answer: 165.232.170.151:80

Filter events that triggered a network connection; in Sysmon this is Event ID 3.

Selecting only the interesting fields to display, we can see the C2 connection being established.

Answer: fodhelper.exe

Filter events related to the malicious file that was executed and created the DLL file, and sort @timestamp in ascending order.

We see commands executed to enumerate users and groups on the machine.

Scrolling up, we see the attacker enumerating the groups the user is part of.

After that, the attacker executed another command. Googling it, it turns out that fodhelper.exe is a trusted (signed) Windows binary that can be abused to elevate privileges by bypassing the UAC prompt.

Answer: https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip

Filter events that contain the keyword “github” with an event code of 1 (process creation).

A very popular credential-dumping tool, Mimikatz, is seen being downloaded as “mimi.zip”.

Answer: itadmin:F84769D250EB95EB2D7D8B4A1C5613F2

Filter events that contain the keyword “mimi*”, referring to the tool that was downloaded.

After dumping the logon passwords, the tool was also used for lateral movement, accessing machines the user had access to.

Answer: IT_Automation.ps1

Scrolling down, we can see that the attacker used another popular PowerShell script to find file shares on the machine, and was also able to read the contents of a file on the share.

Answer: QUICKLOGISTICS\allan.smith:Tr!ckyP@ssw0rd987

Using the credentials obtained from reading that file, the attacker then executed commands remotely on “WKSTN-1327”. The last command was used to move laterally to the target machine.

Decoding the payload in CyberChef reveals an interesting domain.

Answer: WKSTN-1327

We were able to identify that from the previous question.

Answer: wsmprovhost.exe

Filter events with Event ID of 1 and with the host name of “WKSTN-1327”.

We can see that the command issued to move laterally was spawned as a child of another process, wsmprovhost.exe.
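The Kibana filters used above (event code 1 for process creation, event code 3 for network connections, parent/child process relationships) can be turned into a reusable detection. This is an added example, not part of the room or this writeup: a small Python rule set that replays constructed ECS-style events matching the stages traced here (ISO-to-Temp copy, rundll32 DllRegisterServer, rundll32 beaconing, fodhelper UAC bypass, WinRM child shell) and reports which stage fired on which host. The hostnames, the WinRM child command line and the flat ECS field names are assumptions.

```python
import re

# Constructed ECS/Sysmon-style events (event.code 1 = process creation,
# 3 = network connection). Hostnames and the WinRM child command line are
# assumed; the other command lines mirror what the writeup found in Kibana.
SAMPLE_EVENTS = [
    {"host.name": "WKSTN-CEO", "event.code": 1, "process.name": "xcopy.exe", "process.parent.name": "powershell.exe",
     "process.command_line": r'"C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat'},
    {"host.name": "WKSTN-CEO", "event.code": 1, "process.name": "rundll32.exe", "process.parent.name": "powershell.exe",
     "process.command_line": r'"C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer'},
    {"host.name": "WKSTN-CEO", "event.code": 3, "process.name": "rundll32.exe",
     "destination.ip": "165.232.170.151", "destination.port": 80},
    {"host.name": "WKSTN-CEO", "event.code": 1, "process.name": "fodhelper.exe", "process.parent.name": "powershell.exe",
     "process.command_line": "fodhelper.exe"},
    {"host.name": "WKSTN-1327", "event.code": 1, "process.name": "powershell.exe", "process.parent.name": "wsmprovhost.exe",
     "process.command_line": "powershell.exe -NoProfile"},  # assumed command line
]

def _f(e, key):  # lower-cased field value, "" when the event lacks the field
    return str(e.get(key, "")).lower()

# One rule per stage of the chain traced above; each takes one event dict.
RULES = {
    # payload staged from the mounted ISO (a non-C: drive) into %TEMP%
    "iso_to_temp_copy": lambda e: e["event.code"] == 1 and _f(e, "process.name") == "xcopy.exe"
        and re.search(r"\b[d-z]:\\\S+\s+\S*\\temp\\", _f(e, "process.command_line")) is not None,
    # rundll32 invoking DllRegisterServer on a file that is not even named .dll
    "rundll32_dllregisterserver": lambda e: e["event.code"] == 1 and _f(e, "process.name") == "rundll32.exe"
        and "dllregisterserver" in _f(e, "process.command_line")
        and not re.search(r"\.dll\b", _f(e, "process.command_line")),
    # beaconing: rundll32 has no business opening outbound web connections
    "rundll32_outbound": lambda e: e["event.code"] == 3 and _f(e, "process.name") == "rundll32.exe"
        and e.get("destination.port") in (80, 443, 8080),
    # fodhelper.exe spawned by a shell is the well-known UAC bypass pattern
    "fodhelper_uac_bypass": lambda e: e["event.code"] == 1 and _f(e, "process.name") == "fodhelper.exe"
        and _f(e, "process.parent.name") in ("powershell.exe", "cmd.exe"),
    # WinRM lateral movement: wsmprovhost.exe hosting a remote shell
    "winrm_child_shell": lambda e: e["event.code"] == 1 and _f(e, "process.parent.name") == "wsmprovhost.exe"
        and _f(e, "process.name") in ("powershell.exe", "cmd.exe"),
}

def detect(events):
    """Return (rule, host) pairs, one per matching event, in log order."""
    return [(n, e["host.name"]) for e in events for n, r in RULES.items() if r(e)]

def triage(events):  # group the rules that fired by host so the chain is visible per machine
    by_host = {}
    for name, host in detect(events):
        by_host.setdefault(host, []).append(name)
    return by_host
```

Running triage(SAMPLE_EVENTS) shows four stages on the CEO workstation and the WinRM child shell on WKSTN-1327, which is the same picture the Kibana searches above built up one question at a time.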

Answer: administrator:00f80f2538dcb54e7adc715c0e7091ec

Scrolling down through the filtered events, the attacker downloaded Mimikatz, enumerated the machine, then passed the hash of a user for lateral movement.

Answer: backupda

Here we see the flow of the attack. After passing the hash of the Administrator, the attacker ran a few more commands and then conducted a DCSync attack against the Administrator user.

If we edit the filter to the hostname of the DC, we can see the other account that the DCSync attack was performed against.

Answer: http://ff.sillytechninja.io/ransomboogey.exe

Scrolling down, we see the URL where a file was downloaded from.

Thank you for reading. Until next time. :-)
