TryHackMe - First CTF - Promotion Night (medium level)
Promotion Night – SOC Investigation Walkthrough
Scenario Overview
During an overnight SOC shift, a critical alert triggered indicating a potential ransomware note on the domain controller DC-01. With no escalation support available, the investigation had to be performed end-to-end by a Level 1 analyst using SIEM telemetry (Splunk).
The objective was to triage the alert, reconstruct the attack chain, and identify the adversary’s actions across discovery, persistence, lateral movement, ransomware deployment, and cloud compromise.
1. Network Share Path Used to Deploy Ransomware
Question:
What was the network share path where ransomware was placed?
Answer:
\\DC-01\SYSVOL\gaze.exe
How it was found:
Splunk logs showed the ransomware binary being written to the SYSVOL share on the domain controller. SYSVOL is commonly abused in domain-wide attacks because it is replicated and accessible to authenticated domain systems.
Key log indicators:
File creation events
UNC paths referencing \\DC-01\SYSVOL
Executable name gaze.exe
2. Registry Value Created for Persistence on Reboot
Question:
What is the value ransomware created to persist on reboot?
Answer:
BabyLockerKZ
How it was found:
Registry modification events revealed a new value added to a Windows Run key, ensuring the ransomware executes after reboot.
Key log indicators:
Registry events (Sysmon Event ID 13)
Run key modifications
Suspicious value name unrelated to legitimate software
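The two indicators above (an executable written into the SYSVOL share and a new value under a Run key) can be checked mechanically before a Splunk search is even built. The script below is an added example, not part of the room or this write-up; it runs two detection rules over constructed Sysmon-style JSON events whose paths and value names mirror the answers found in sections 1 and 2.

```python
import json
import re

# Constructed Sysmon-style events (one JSON object per line), not real room
# telemetry. Event ID 11 = FileCreate, Event ID 13 = RegistryEvent (value set).
# JSON escaping doubles the backslashes; json.loads turns them back into one.
SAMPLE_EVENTS = r"""
{"EventID": 11, "Computer": "DC-01", "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "TargetFilename": "\\\\DC-01\\SYSVOL\\gaze.exe"}
{"EventID": 11, "Computer": "DC-01", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\Temp\\update.log"}
{"EventID": 13, "Computer": "DC-01", "Image": "\\\\DC-01\\SYSVOL\\gaze.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ", "Details": "\\\\DC-01\\SYSVOL\\gaze.exe"}
{"EventID": 13, "Computer": "DC-01", "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Example", "Details": "1"}
"""

# Rule 1: an executable created under the domain controller's SYSVOL share.
SYSVOL_EXE = re.compile(r"^\\\\DC-01\\SYSVOL\\.*\.exe$", re.IGNORECASE)
# Rule 2: any value set directly under a Run or RunOnce key; group 2 is the value name.
RUN_KEY_VALUE = re.compile(r"\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.IGNORECASE)


def triage(event_lines):
    """Return findings as tuples: (rule, detail...) for each event that matches a rule."""
    findings = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 11 and SYSVOL_EXE.match(ev.get("TargetFilename", "")):
            findings.append(("exe_written_to_sysvol", ev["TargetFilename"]))
        elif eid == 13:
            m = RUN_KEY_VALUE.search(ev.get("TargetObject", ""))
            if m:
                # Keep the value data too: it shows what the Run entry launches.
                findings.append(("run_key_value_set", m.group(2), ev.get("Details", "")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```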
3. Most Likely Extension of Encrypted Files
Question:
What was the most likely extension of the encrypted files?
Answer:
.danger17
How it was found:
File rename and encryption activity in the logs showed consistent file name patterns after encryption. This extension was also referenced indirectly in ransomware-related activity.
4. MITRE Technique Used to Deploy Ransomware
Question:
Which MITRE technique ID was used to deploy ransomware?
Answer:
T1047
How it was found:
Ransomware execution was performed via Windows Management Instrumentation (WMI), which maps directly to T1047 – Windows Management Instrumentation.
Key indicators:
WMI-related processes (wmiprvse.exe)
Remote execution without interactive login
5. Ports Successfully Scanned on SRV-ITFS
Question:
What ports of SRV-ITFS did the adversary successfully scan?
Answer:
135, 139, 445, 3389, 5985
How it was found:
Network telemetry showed repeated connections to these ports, all commonly associated with Windows services and lateral movement.
Port significance:
135 – RPC
139 – NetBIOS
445 – SMB
3389 – RDP
5985 – WinRM
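The "repeated connections" pattern that answered this question is a classic port-scan detection: one source reaching many distinct ports on one host in a short window. The script below is an added example written for this walkthrough, not code from the room; it assumes a constructed key=value connection log format and only counts established connections, so refused or timed-out probes (ports that were not "successfully" scanned) are ignored.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed connection log, not real room telemetry. The source address
# 10.10.5.23 is a placeholder; SRV-ITFS and the port list come from the write-up.
SAMPLE_CONNECTIONS = """\
2024-03-02T01:12:40Z src=10.10.5.23 dst=SRV-ITFS dpt=135 proto=tcp state=established
2024-03-02T01:12:40Z src=10.10.5.23 dst=SRV-ITFS dpt=139 proto=tcp state=established
2024-03-02T01:12:41Z src=10.10.5.23 dst=SRV-ITFS dpt=445 proto=tcp state=established
2024-03-02T01:12:41Z src=10.10.5.23 dst=SRV-ITFS dpt=8080 proto=tcp state=refused
2024-03-02T01:12:42Z src=10.10.5.23 dst=SRV-ITFS dpt=3389 proto=tcp state=established
2024-03-02T01:12:42Z src=10.10.5.23 dst=SRV-ITFS dpt=5985 proto=tcp state=established
2024-03-02T01:12:43Z src=10.10.5.23 dst=SRV-ITFS dpt=22 proto=tcp state=timeout
2024-03-02T01:15:00Z src=10.10.5.40 dst=SRV-ITFS dpt=445 proto=tcp state=established
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+) "
    r"proto=\S+ state=(?P<state>\S+)$"
)


def find_port_scans(log_text, min_ports=5, window_seconds=60):
    """Group established connections by (src, dst) and return the pairs that
    reached at least min_ports distinct ports within window_seconds, with
    the sorted list of ports that answered."""
    opened = defaultdict(set)
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") != "established":
            continue  # malformed line or a probe that never completed
        pair = (m.group("src"), m.group("dst"))
        opened[pair].add(int(m.group("dpt")))
        times[pair].append(datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"))
    scans = {}
    for pair, ports in opened.items():
        span = (max(times[pair]) - min(times[pair])).total_seconds()
        if len(ports) >= min_ports and span <= window_seconds:
            scans[pair] = sorted(ports)
    return scans


if __name__ == "__main__":
    print(find_port_scans(SAMPLE_CONNECTIONS))
```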
6. Malware Used for Discovery
Question:
What is the full path to the malware that performed the Discovery?
Answer:
C:\Windows\System32\fr-FR\ruche.dll
How it was found:
Process and DLL load events revealed a suspicious DLL executed from a non-standard language directory, masquerading as a legitimate Windows component.
7. Persistence Artifact on the Beachhead Host
Question:
Which artifact did the adversary create to persist on the beachhead?
Answer:
LanguageSync
How it was found:
A Scheduled Task creation event (Event ID 4698) showed a task named LanguageSync, clearly created by the adversary to maintain persistence.
8. MD5 Hash of the Embedded Initial Shellcode
Question:
What is the MD5 hash of the embedded initial shellcode?
Answer:
27B0D51406B5360B49D968D69DF0F3E6
How it was found:
Process creation logs contained a Hashes field showing the MD5 hash of shellcode embedded in the initial payload (executed in memory, not dropped as a file).
9. Command and Control Framework Used
Question:
Which C2 framework was used by the adversary in the intrusion?
Answer:
Cobalt Strike
How it was found:
Beacon-like network behavior, process injection patterns, and known Cobalt Strike indicators were observed throughout the intrusion.
10. Hostname Used to Access the Beachhead
Question:
What hostname did the adversary log in from on the beachhead?
Answer:
DESKTOP-J9PR0CO
How it was found:
Authentication and logon events correlated with lateral movement activity showed this source hostname accessing the compromised system.
11. UNC Path Containing AWS Credentials
Question:
What was the UNC path that likely contained AWS credentials?
Answer:
\\SRV-ITFS\Integrations\cloud-keys.csv
How it was found:
File access logs revealed reads of a CSV file explicitly referencing cloud integrations and credentials.
12. Source IP Used to Access AWS
Question:
From which IP address did the adversary access AWS?
Answer:
152.42.128.207
How it was found:
Cloud access logs showed AWS API activity originating from this external IP address.
13. Sensitive Files Exfiltrated from AWS
Question:
Which two sensitive files did the adversary exfiltrate from AWS?
Answer:
beta.tar.gz, latest.tar.gz
How it was found:
S3 access logs indicated download operations for these archives prior to data destruction.
14. File Uploaded to S3 After Data Destruction
Question:
What file did the adversary upload to S3 in place of the wiped ones?
Answer:
YOU-HAVE-BEEN-PWNED.txt
How it was found:
S3 object creation logs showed this file being uploaded after the original data was deleted, serving as a defacement/ransom marker.
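Sections 11 to 14 are answered by putting the cloud-side events in order: reads of the archives, then their deletion, then the upload of the marker file. The script below is an added example, not the room's or the author's code; it assumes a constructed, simplified access-log layout (time, remote IP, operation, key, HTTP status) that borrows only the operation names S3 server access logs use, and it reconstructs the actor's sequence and confirms which deleted objects were downloaded first.

```python
# Constructed S3 access-log excerpt, not the room's real logs. Real S3 server
# access logs carry many more fields; only the operation names are borrowed.
# The actor IP and object names are the ones identified in sections 12 to 14.
SAMPLE_S3_LOG = """\
2024-03-02T03:01:10Z 152.42.128.207 REST.GET.BUCKET - 200
2024-03-02T03:01:15Z 152.42.128.207 REST.GET.OBJECT beta.tar.gz 200
2024-03-02T03:01:31Z 152.42.128.207 REST.GET.OBJECT latest.tar.gz 200
2024-03-02T03:02:02Z 152.42.128.207 REST.DELETE.OBJECT beta.tar.gz 204
2024-03-02T03:02:03Z 152.42.128.207 REST.DELETE.OBJECT latest.tar.gz 204
2024-03-02T03:02:20Z 152.42.128.207 REST.PUT.OBJECT YOU-HAVE-BEEN-PWNED.txt 200
2024-03-02T03:05:00Z 10.20.0.7 REST.GET.OBJECT readme.txt 200
"""


def reconstruct_s3_activity(log_text, actor_ip):
    """Return the actor's successful downloads, deletions and uploads in log
    order, plus the deleted keys that were downloaded before being deleted
    (exfiltration followed by destruction)."""
    downloaded, deleted, uploaded = [], [], []
    first_get = {}      # key -> line index of the first successful GET
    delete_at = []      # (key, line index) for each successful DELETE
    for n, line in enumerate(log_text.splitlines()):
        _ts, ip, op, key, status = line.split()
        if ip != actor_ip or not status.startswith("2"):
            continue  # other principals and failed requests are out of scope
        if op == "REST.GET.OBJECT":
            downloaded.append(key)
            first_get.setdefault(key, n)
        elif op == "REST.DELETE.OBJECT":
            deleted.append(key)
            delete_at.append((key, n))
        elif op == "REST.PUT.OBJECT":
            uploaded.append(key)
    wiped_after_read = [k for k, n in delete_at if first_get.get(k, n) < n]
    return {
        "downloaded": downloaded,
        "deleted": deleted,
        "uploaded": uploaded,
        "exfiltrated_then_wiped": wiped_after_read,
    }


if __name__ == "__main__":
    print(reconstruct_s3_activity(SAMPLE_S3_LOG, "152.42.128.207"))
```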
Final Thoughts
This investigation demonstrates a full attack lifecycle, from initial access and discovery to ransomware deployment and cloud data exfiltration.
Every answer was derived directly from SIEM telemetry, reinforcing the importance of:
Understanding Windows internals
Knowing where persistence artifacts appear
Mapping activity to MITRE ATT&CK
Correlating on-prem and cloud logs
