Find the room here: https://tryhackme.com/room/supplementalmemory

As a DFIR team member in this room, you are tasked with conducting a memory analysis of a Windows workstation image suspected to have been compromised by a threat actor.

This room is designed for DFIR team members, threat hunters, and SOC L2/L3 analysts who want to improve and reinforce their memory analysis skills during a potential incident, and to better understand the value that investigating a memory dump can provide in such scenarios.

Task 1 Introduction

Let's start!

No answer needed

Task 2 TryHatMe Attack Scenario

Are you ready to begin?

No answer needed

Task 3 Lateral Movement and Discovery

The IR team suspects that the threat actor may have performed lateral movement to this host. Which executed process provides evidence of this activity?

wmiprvse.exe

What is the MITRE technique ID associated with the lateral movement method used by the threat actor?

T1021.006

Which other process was executed as part of the lateral movement activity to this host?

TeamsView.exe

What is the Security Identifier (SID) of the user account under which the process was executed on this host?

S-1-5-21-3147497877-3647478928-1701467185-1008

What is the name of the domain-related security group the user account was a member of?

Domain Users

Which processes related to discovery activity were executed by the threat actor on this host? Format: In alphabetical order

ipconfig.exe, systeminfo.exe, whoami.exe

What is the Command and Control IP address that the threat actor connected to from this host as a result of the previously executed actions? Format: IP Address:Port

34.244.169.133:1995

Task 4 Privilege Escalation and Credential Dumping

Conduct a deeper investigation and identify another suspicious process on the host. Provide a full path to the process in your answer.

C:\Windows\Temp\pan.exe

Which account was used to execute this malicious process?

Local System

What was the malicious command line executed by the process?

privilege::debug sekurlsa::logonpasswords

Given the command line from the previous question, which well-known hacker tool is most likely the malicious process?

Mimikatz

Which MITRE ATT&CK technique ID corresponds to the method the attacker employed to evade detection, as identified in the previous steps?

T1036

Task 5 Conclusion

Well Done!

No answer needed
