In this post I’d like to talk a bit about TryHackMe and my experience working through the SOC Level 1 learning path.
TryHackMe is a learning platform that sends users to virtual machines (VM) they can access through their web browser. Extremely low barrier to entry! Absolutely no previous knowledge is required. I’m not sponsored and TryHackMe did not ask me to write this.
I’m a big fan of theirs. I think the learning paths and rooms (think learning modules) are fantastic hands-on learnings! I learned
Cyber Defense Frameworks
Cyber Threat Intelligence
Network Security and Traffic Analysis
Endpoint Security Monitoring
Security Information and Event Management (SIEM)
Digital Forensics and Incident Response
Phishing
Each room walks the learner through hands-on learning. I learned all these tools:
yara
opencti
misp
mitre
cyberkillchain
snort
zeek
brim
wireshark
sysmon
sysinternals
osquery
wazuh
splunk
autopsy
redline
linux (a lot!)
thehive
phishing
And even more! It’s a great platform. As of this writing it is $14 a month. If you’re not going to use it, don’t sign up, but if you really want to learn these tools and more it’s a great place to get started. You can spend as much time as you want learning these tools in real environments. You can’t break anything because it’s all VMs that start fresh each time the are launched. Getting the chance to work on these environments without setting up all these VMs is a huge time savings.
If you want to play around in there for free you can do that too. There is plenty of free content to get started with and see if you want to pay for the premium rooms and features. It’s worth checking out.
Then launch Chrome and click on the short cut under the search bar called Velociraptor
If you get the warning about your connection not being private, click the advanced button, then proceed to 127.0.0.1
Enter the sign-in information given in task 3 instructions.
Once it comes up click on the magnifying glass next to the search bar:
Then this loads…
Boom! Hostname.
Answer:
thm-velociraptor.eu-west-1.compute.internal
Question 2: What is listed as the agent version?
From our last step go ahead and click on that Client ID link. It opens up a page with Agent Version on it.
Answer:
2021-04-11T22:11:10Z
Question 3: In the Collected tab, what was the VQL command to query the client user accounts?
Click the collected button at the top of the page. Then click on the requests tab in the bottom frame. The VQL statement we are looking for is the fourth one down:
Answer:
LET Generic_Client_Info_Users_0_0=SELECT Name, Description, Mtime AS LastLogin FROM Artifact.Windows.Sys.Users()
Question 4: In the Collected tab, check the results for the PowerShell whoami command you executed previously. What is the column header that shows the output of the command?
If you didn’t run the whoami command while running through the instructions, do that now. Click on magnifying glass then the Client ID and then on the right upper of the screen you will see the “>_ Shell” button click that run whoami. Then you will see this in the results tab here:
In the screenshot above you can see the column header name is Stdout.
Answer: Stdout
Question 5: In the Shell, run the following PowerShell command Get-Date. What was the PowerShell command executed with VQL to retrieve the result?
This is not the same as pulling the VQL from the previous answer. For this one we have to go to the Log tab after we run the command. There we find the VQL command that was run in the second line. Copy that out starting at the [powershell…
Question 1: Earlier you created a new artifact collection for Windows.KapeFiles.Targets. You configured the parameters to include Ubuntu artifacts. Review the parameter description for this setting. What is this parameter specifically looking for?
The answer for this is in the screenshots for the instructions:
Answer: Ubuntu on Windows Subsystem for Linux
Question 2: Review the output. How many files were uploaded?
I hope you did the exercise otherwise, you won’t find the answer. Take the time go back and do the exercise, then you can find the answer after the process completes:
I’m pretty sure I didn’t do anything wrong here. I see 19 files uploaded and saw other walk-through’s getting the same answer. But the answer TryHackMe wants is 20.
Answer: 20
Task 5
Question 1: Which accessor can access hidden NTFS files and Alternate Data Streams? (format: xyz accessor)
The answer to this is in the documentation. Read the paragraph under VFS accessors.
Answer: ntfs accessor
Question 2: Which accessor provides file-like access to the registry? (format: xyz accessor)
This answer is also in the documentation same section.
Answer: registry accessor
Question 3: What is the name of the file in $Recycle.Bin?
Ok, time to get real. Dive back into Velociraptor and click the little file folder on the left navigation, it’s called virtual file system in the nav. Click File > C: > $Recycle.Bin ? S-1….. file folder under recyclebin. There is your file.
Answer: desktop.ini
Question 4: There is hidden text in a file located in the Admin’s Documents folder. What is the flag?
Alright, Click C: again followed by Users > Administrator > Documents.
The file we want is called flag.txt and we will need to collect it from the host, in order to get the Textview tab to be clickable.
Answer: THM{VkVMT0NJUkFQVE9S}
Task 6
Question 1: What is followed after the SELECT keyword in a standard VQL query?
The answer to this question is found in the documentation. Read the Whitespace section.
Answer: Column Selectors
Question 2: What goes after the FROM keyword?
Keep reading same sentence to get the next anwser.
Answer: VQL Plugin
Question 3: What is followed by the WHERE keyword?
Just keep reading.. Just keep reading… next sentence has the next answer.
Answer: filter expression
Question marked by a “?”. This is also in the documentation, but you will need to navigate to notebooks. Look in number 5 for…
After clicking the Edit Cell button, you can type VQL directory into the cell. As you type, the GUI offers context sensitive suggestions about what possible completions can appear at the cursor. Typing “?” will show all suggestions possible.
Answer: ?
Question: What plugin would you use to run PowerShell code from Velociraptor?
Back to the documentation. Read the section about “Extending Artifacts – PowerShell” to find…
Answer: execve()
Task 7
Question 1: What are the arguments for parse_mft()?
It’s in the documentation. Look under time analysis for…
Question 2: Per the above instructions, what is your Select clause? (no spaces after commas)
Replace the **** per the instructions.
Answer:
SELECT “C:/” + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file=”C:/” + FullPath) AS PE
Question 3: What is the name of the DLL that was placed by the attacker?
We have to create a notebook and plugin some VQL that we build using the previous answer as a template:
SELECT "C:/" + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file="C:/" + FullPath) AS PE
FROM parse_mft(filename="C:/$MFT", accessor="ntfs")
WHERE NOT IsDir AND FullPath =~ "Windows/System32/spool/drivers" AND PE
29 rows later, we see a oddly named DLL as the last row…
Answer: nightmare.dll
Question 4: What is the PDB entry?
Once you have the above, just look at the PDB line.
