> For the complete documentation index, see [llms.txt](https://faresbltagy.gitbook.io/footprintinglabs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://faresbltagy.gitbook.io/footprintinglabs/tryhackme-soc-1/boogeyman-3.md).

# Boogeyman 3

Due to the previous attacks of Boogeyman, Quick Logistics LLC hired a managed security service provider to handle its Security Operations Center. Little did they know, the Boogeyman was still lurking and waiting for the right moment to return.

#### Prerequisites

This room may require the combined knowledge gained from the [SOC L1](https://tryhackme.com/path-action/soclevel1/join) Path. We recommend going through the following rooms before attempting this challenge.

* [Sysmon](https://tryhackme.com/room/sysmon)
* [ItsyBitsy](https://tryhackme.com/room/itsybitsy)
* [Investigating with ELK](https://tryhackme.com/room/investigatingwithelk101)
* [Boogeyman 1](https://tryhackme.com/room/boogeyman1)
* [Boogeyman 2](https://tryhackme.com/room/boogeyman2)

Investigation Platform

Before we proceed, deploy the attached machine by clicking the Start Machine button in the upper-right-hand corner of the task. The provided virtual machine runs an Elastic Stack (ELK), which contains the logs that will be used throughout the room.

Once the machine is up, access the Kibana console (via the AttackBox or VPN) using the credentials below.

### Lurking in the Dark

Without tripping any security defences of Quick Logistics LLC, the Boogeyman was able to compromise one of the employees and stayed in the dark, waiting for the right moment to continue the attack. Using this initial email access, the threat actors attempted to expand the impact by targeting the CEO, Evan Hutchinson.

<figure><img src="/files/wBLDEUglwvPkC8qfBczd" alt=""><figcaption></figcaption></figure>

The email appeared questionable, but Evan still opened the attachment despite the scepticism. After opening the attached document and seeing that nothing happened, Evan reported the phishing email to the security team.

### Initial Investigation

Upon receiving the phishing email report, the security team investigated the workstation of the CEO. During this activity, the team discovered the email attachment in the downloads folder of the victim.

<figure><img src="/files/gyEyryiVErZJ7t45ZERT" alt=""><figcaption></figcaption></figure>

In addition, the security team also observed a file inside the ISO payload, as shown in the image below.

<figure><img src="/files/ZMHDDXG0Eg234fKMZ5up" alt=""><figcaption></figcaption></figure>

Lastly, it was presumed by the security team that the incident occurred between August 29 and August 30, 2023.

Given the initial findings, you are tasked to analyse and assess the impact of the compromise.

1\) What is the PID of the process that executed the initial stage 1 payload?

First, I changed the date from August 29, 2023, to August 30, 2034.

<figure><img src="/files/6QotCPEkt4YNKow9DWW0" alt=""><figcaption></figcaption></figure>

I then applied a filter to get events containing the malicious PDF attachment "ProjectFinancialSummary\_Q3.pdf".

<figure><img src="/files/maLzTNqbdgJ7VcTZgotA" alt=""><figcaption></figcaption></figure>

I then filtered the results to show only processes associated with mshta.exe, which provided the corresponding Process ID (PID).

<figure><img src="/files/N7wphKeH91XtkZfzM3nl" alt=""><figcaption></figcaption></figure>

Answer: 6392

2\) The stage 1 payload attempted to implant a file to another location. What is the full command-line value of this execution?

Answer:  C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review\.dat C:\Users\EVAN\~1.HUT\AppData\Local\Temp\review\.dat

3\) The implanted file was eventually used and executed by the stage 1 payload. What is the full command-line value of this execution?

<figure><img src="/files/D7H3h8ibxewdLtfTCDpO" alt=""><figcaption></figcaption></figure>

In context, this command is trying to register a DLL named `review.dat` by calling its `DllRegisterServer` function.

4\) The stage 1 payload established a persistence mechanism. What is the name of the scheduled task created by the malicious script?

<figure><img src="/files/njPlMdtr8EjkV7i3YAsc" alt=""><figcaption></figcaption></figure>

The command sets up a daily scheduled task at 6:00 AM to execute `rundll32.exe` with `review.dat,DllRegisterServer` using PowerShell.

Answer:  Review

5\) The execution of the implanted file inside the machine has initiated a potential C2 connection. What is the IP and port used by this connection? (format: IP:port)

Filter results to display Event Code 3 (Network Connection).

<figure><img src="/files/YnMjR7Rd97LvJfxW6kEO" alt=""><figcaption></figcaption></figure>

Answer:  165.232.170.151:80

6\) The attacker has discovered that the current access is a local administrator. What is the name of the process used by the attacker to execute a UAC bypass?

<figure><img src="/files/Rn5cAf7NwHwkq1ggWueB" alt=""><figcaption></figcaption></figure>

`fodhelper.exe` is used by the Windows operating system to manage optional features, allowing users to enable or disable certain functionalities.

Attackers exploit `fodhelper.exe` because it is a trusted Microsoft binary and it automatically runs with elevated privileges without prompting for UAC when invoked from a standard user context.

Answer: fodhelper.exe

7\) Having a high privilege machine access, the attacker attempted to dump the credentials inside the machine. What is the GitHub link used by the attacker to download a tool for credential dumping?

<figure><img src="/files/hdHY6cIA3LWcjKUHm1nM" alt=""><figcaption></figcaption></figure>

Answer:  <https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz\\_trunk.zip>

8\) After successfully dumping the credentials inside the machine, the attacker used the credentials to gain access to another machine. What is the username and hash of the new credential pair? (format: username:hash)

<figure><img src="/files/iDXUMaphAl5IXQIYmM1I" alt=""><figcaption></figcaption></figure>

Answer:  itadmin:F84769D250EB95EB2D7D8B4A1C5613F2

9\) Using the new credentials, the attacker attempted to enumerate accessible file shares. What is the name of the file accessed by the attacker from a remote share?

<figure><img src="/files/fO1vzKDDCTNoZfrkqOmP" alt=""><figcaption></figcaption></figure>

Answer:  IT\_Automation.ps1

10\) What is the hostname of the attacker's target machine for its lateral movement attempt?

<figure><img src="/files/jbtPrxG8RbnaMzmIx7ze" alt=""><figcaption></figcaption></figure>

Answer:  WKSTN-1327

11\) Using the malicious command executed by the attacker from the first machine to move laterally, what is the parent process name of the malicious command executed on the second compromised machine?

```
host.hostname: "WKSTN-1327" and event.code: 1 and   "powershell.exe"
```

<figure><img src="/files/g6Eyj9r7PpEgJeOeNbJH" alt=""><figcaption></figcaption></figure>

12\) The attacker then dumped the hashes in this second machine. What is the username and hash of the newly dumped credentials? (format: username:hash)

I filtered by the target hostname where the attacker dumped the hashes.

```
*mimi* and host.hostname: "WKSTN-1327" 
```

<figure><img src="/files/3N07pOQTaHuUdGjjkOnz" alt=""><figcaption></figcaption></figure>

Answer:  administrator:00f80f2538dcb54e7adc715c0e7091ec

13\) After gaining access to the domain controller, the attacker attempted to dump the hashes via a DCSync attack. Aside from the administrator account, what account did the attacker dump?

<figure><img src="/files/i8wmFc5iikLt8N15yJYQ" alt=""><figcaption></figcaption></figure>

Answer:  backupda

14\) After dumping the hashes, the attacker attempted to download another remote file to execute ransomware. What is the link used by the attacker to download the ransomware binary?

The attacker is now on the domain controller, so let's filter by the DC01 hostname.

<figure><img src="/files/9zqO9r4Cs7Xp0JA8Dcph" alt=""><figcaption></figcaption></figure>

Answer:  <http://ff.sillytechninja.io/ransomboogey.exe>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://faresbltagy.gitbook.io/footprintinglabs/tryhackme-soc-1/boogeyman-3.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
