TryHackMe: PS Eclipse


Overview

PS Eclipse is a medium difficulty challenge hosted by TryHackMe. The challenge utilizes Splunk to determine how a compromise occurred and what actions the attacker took on the device.


Scenario

You are a SOC Analyst for an MSSP (Managed Security Service Provider) company called TryNotHackMe.

A customer sent an email asking for an analyst to investigate the events that occurred on Keegan’s machine on Monday, May 16th, 2022. The client noted that the machine is operational, but some files have a weird file extension. The client is worried that there was a ransomware attempt on Keegan’s device.


Q1

A suspicious binary was downloaded to the endpoint. What was the name of the binary?

First, we should check what kind of sources we’re working with. We can find that in Splunk’s Data Summary. Under SourceType we can see Sysmon is listed, so we’ll be able to investigate using Sysmon Event IDs.

Data Summary

We’ll start by checking events with Sysmon EventCode 3 which is used for network connections. From there, we can check interesting fields, like Image and DestinationIp.

EventCode 3, filtered to a table

I filtered the search to include the Image, DestinationIP, and the total number of each unique pair. As we can see, there is an executable named OUTSTANDING_GUTTER.exe that made the majority of network connections.

Let’s check the command history for more evidence.

Searching for PowerShell execution

Immediately we get a red flag, an encoded PowerShell execution. Let’s pop it into CyberChef to decode it.

Decoded PowerShell execution

With the command decoded we can see that the attacker used wget to download the suspicious executable.

Answer OUTSTANDING_GUTTER.exe

Q2

What is the address the binary was downloaded from? Add http:// to your answer & defang the URL.

We already found the address that the executable was downloaded from, so let’s defang it in CyberChef.

Defanged URL

Answer hxxp[://]886e-181–215–214–32[.]ngrok[.]io

Q3

What Windows executable was used to download the suspicious binary? Enter full path.

We know it was downloaded with PowerShell, so we’ll copy the full path.

Answer C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Q4

What command was executed to configure the suspicious binary to run with elevated privileges?

Looking through the decoded PowerShell, we can see that a task was scheduled with the /RU “SYSTEM” switch which will create a scheduled task and run it as SYSTEM.

Of course, we can also filter Splunk to only show us scheduled tasks.

schtask.exe commands, filtered for the CommandLine

Answer “C:\Windows\system32\schtasks.exe” /Create /TN OUTSTANDING_GUTTER.exe /TR C:\Windows\Temp\COUTSTANDING_GUTTER.exe /SC ONEVENT /EC Application /MO *[System/EventID=777] /RU SYSTEM /f

Q5

What permissions will the suspicious binary run as? What was the command to run the binary with elevated privileges? (Format: User + ; + CommandLine)

We’ve already gotten this information as well, we know it is running as System and the command is in both the decoded Base64 and the filtered table.

Answer NT AUTHORITY\SYSTEM;”C:\Windows\system32\schtasks.exe” /Run /TN OUTSTANDING_GUTTER.exe

Q6

The suspicious binary connected to a remote server. What address did it connect to? Add http:// to your answer & defang the URL.

We can solve this question by filtering for DNS Queries initiated by the malicious executable.

DNS Queries initiated by OUTSTANDING_GUTTER.exe

Defang in CyberChef as we did before and we’ve got our answer.

Answer hxxp[://]9030–181–215–214–32[.]ngrok[.]io

Q7

A PowerShell script was downloaded to the same location as the suspicious binary. What was the name of the file?

We know that the malicious executable is located in C:\Windows\Temp\ so we’ll limit our search to that directory. We also know we’re looking for a PowerShell script, so we’ll limit our search to ps1 files as well.

Searching for ps1 files in the Temp folder, removing duplicates

As we can see there is only one script located in the Temp folder, as the rest are in subdirectories.

Answer script.ps1

Q8

The malicious script was flagged as malicious. What do you think was the actual name of the malicious script?

Limiting our search to the exact file name, we can check the Hashes field of the results.

Filtering for the malicious script and it's hash value

We’ll take one of these hashes and see what VirusTotal says about the file.

VirusTotal's summary for script.ps1

Some of VirusTotal's details of script.ps1

We can see the name 523.mal and BlackSun.ps1 are associated with this hash. If we google “blacksun malware” we see it is a ransomware strain.

https://blogs.vmware.com/security/2022/01/blacksun-ransomware-the-dark-side-of-powershell.html

Answer BlackSun.ps1

Q9

A ransomware note was saved to disk, which can serve as an IOC. What is the full path to which the ransom note was saved?

Doing some research into BlackSun, we find that it saves ransom notes with the name BlackSun_README.txt. Knowing that, we can adjust our previous query.

Searching for files with the name BlackSun_README.txt

Answer C:\Users\keegan\Downloads\vasg6b0wmw029hd\BlackSun_README.txt

Q10

The script saved an image file to disk to replace the user’s desktop wallpaper, which can also serve as an IOC. What is the full path of the image?

Our research into BlackSun also uncovered that the ransomware changes the user’s wallpaper after it has succeeded in encrypting the data. The image file is named blacksun.jpg, so we’ll repeat the previous query, replacing the name.

Searching for files with the name blacksun.jpg, filtered for name and hashes

Answer C:\Users\Public\Pictures\blacksun.jpg

Conclusion

This was a fun investigation. Splunk made it extremely easy to narrow in on the relevant information and correlate between different events, and those extra queries we did at the start helped to shed light on many of the subsequent questions.

One thing I didn’t include in my screenshots was the date range of each query. Although it wasn’t necessary for this challenge, the question tells us the date that we are investigating, so we should filter our queries to only include events from that time range. In a challenge with a lot of extra data, this would speed up the queries and weed out many unrelated entries.