LinkedinTryHackme

Skills Assessment

Overview

To keep you sharp, your SOC manager has assigned you the task of analyzing older attack logs and providing answers to specific questions.

Question 1

By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe

  • To detect a DLL hijacking, we need to focus on Event Type 7 which corresponds to module loading events.

  • After loading the log file into the "Event Viewer" we apply a filter for Event Type 7

Question 2

By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe

  • Managed code is not executed directly as an assembly; instead, it is compiled into a bytecode format that the runtime processes and executes. Consequently, a managed process relies on the CLR to execute C# code.

  • We filter for type 7 events and search for clr.dll, which likely returns the managed process.

Question 3

By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that injected into the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe

Get-WinEvent -Path 'C:\Logs\PowershellExec\*' | Where-Object{$_.ID -like "8"} | Where-Object{$_.Message -like "*Calculator.exe*"} | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message

  • We can search for event ID 8 (Powershell Events)

Question 4

By examining the logs located in the "C:\Logs\Dump" directory, determine the process that performed an LSASS dump. Enter the process name as your answer. Answer format: _.exe

  • To detect this activity, we can rely on a different Sysmon event. Instead of focusing on DLL loads, we shift our attention to process access events. By checking for Sysmon event ID 10, which represents "ProcessAccess" events, we can identify any suspicious attempts to access LSASS.

  • I filtered for events with ID 10 (ProcessAccess) and searched for entries targeting lsass.exe. While there were several results, only one was launched by a suspicious executable file.

Get-WinEvent -Path 'C:\Logs\Dump\*' | Where-Object{$_.ID -like "10"} | Where-Object{$_.Message -like "*TargetImage*lsass.exe*"} | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message

Question 5

By examining the logs located in the "C:\Logs\Dump" directory, determine if an ill-intended login took place after the LSASS dump. Answer format: Yes or No

no

Question 6

By examining the logs located in the "C:\Logs\StrangePPID" directory, determine a process that was used to temporarily execute code based on a strange parent-child relationship. Enter the process name as your answer. Answer format: _.exe

  • Finally, I filtered by events with ID 1 (Process Creation). There were limited results, and only one of them looked suspicious.

PreviousGet-WinEventNextEvent IDs Components

Last updated