TL;DR walkthrough of one way to complete the osquery room on TryHackMe, part of the Cyber Defense pathway.
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
Much like the ZeroLogon room, we did not find the answers the way TryHackMe intended. I messed around with osquery just enough to get a feel for it, but I wanted to query the raw data, so to speak, and see where osquery was getting its answers.
One has to use PowerShell to run osqueryi; it did not function in PowerShell_ISE. Along with PowerCat.ps1 and Invoke-PowerShellTcp.ps1, osqueryi is one of the very few things I have tried out in the lab like this.
As always, we start by connecting to the VM with xfreerdp:
xfreerdp /v:10.10.176.143 /u:James /p:thm_4n6 /dynamic-resolution
— Task 3 —
How many tables are returned when we query “table process” in the interactive mode of Osquery?
.tables process
3
Looking at the schema of the processes table, which column displays the process id for the particular process?
.schema processes
pid
Examine the .help command, how many output display modes are available for the .mode command?
.help
The .help output lists the modes under ".mode MODE": csv, column, line, list and pretty, so the answer is 5.
— Task 4 —
All Task 4 answers are found on https://osquery.io/schema/5.5.1/
In Osquery version 5.5.1, how many common tables are returned, when we select both Linux and Window Operating system?
56
In Osquery version 5.5.1, how many tables for MAC OS are available?
180
In the Windows Operating system, which table is used to display the installed programs?
programs
In Windows Operating system, which column contains the registry value within the registry table?
data
— Task 5 —
I only used osquery to find the answer to one of these.
Using Osquery, how many programs are installed on this host?
PS C:\Users\James> (Get-Package | Where-Object {($_.ProviderName -eq "Programs") -or ($_.ProviderName -eq "msi")}).Count
19
Using Osquery, what is the description for the user James?
PS C:\Users\James> (Get-LocalUser James).Description
Creative Artist
When we run the following search query, what is the full SID of the user with RID ‘1009’?
PS C:\Users\James> (Get-LocalUser | Where-Object {$_.SID -like "*1009"}).SID.Value
S-1-5-21-1966530601-3185510712-10604624-1009
Alt:
PS C:\Users\James> (Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" | Where-Object {$_.Name -like "*1009"}).Name.Split("\")[6]
S-1-5-21-1966530601-3185510712-10604624-1009
When we run the following search query, what is the Internet Explorer browser extension installed on this machine?
osqueryi
select * from ie_extensions;
C:\Windows\System32\ieframe.dll
Alt:
PS C:\Users\James> Get-ItemProperty "Registry::HKEY_USERS\S-1-5-21-1966530601-3185510712-10604624-1009\Software\Classes\Local Settings\MuiCache\70\52C64B7E" | Out-File Testing.txt
PS C:\Users\James> Get-Content .\Testing.txt | Select-String "Internet Explorer" -Context 1
@C:\Windows\System32\ie4uinit.exe,-731 : Internet Explorer
@C:\Windows\System32\ieframe.dll,-55175 : Internet Explorer
This seems to be where osquery is getting it from. This one was tricky to find as I don’t use Internet Explorer anymore and hadn’t tried to query its extensions. I was curious where osquery was getting its data though.
After running the following query, what is the full name of the program returned?
Query: select name,install_location from programs where name LIKE '%wireshark%';
PS C:\Users\James> (Get-Package | Where-Object {$_.Name -like "*wireshark*"}).Meta.Attributes.Values[0]
Wireshark 3.6.8 64-bit
— Task 6 —
Which table stores the evidence of process execution in Windows OS?
This one is found on https://osquery.io/schema/5.5.1/ , just like Task 4’s questions.
userassist
One of the users seems to have executed a program to remove traces from the disk; what is the name of that program?
I couldn’t find this one in the Application log. In the end I gave up and did it the osquery way.
osquery way:
select sid,path from userassist where sid='S-1-5-21-1966530601-3185510712-10604624-1009';
DiskWipe.exe
PowerShell way:
Get-ChildItem -Path C:\Users\James -Include "*.exe" -File -Recurse -ErrorAction SilentlyContinue
Both methods make an educated guess that the user is James as that is the user who is in all the other questions. I didn’t think to just check James’s user folder for any *.exe files until after I gave up checking the logs and tried osquery. Had I simply checked their folder I would have found this one in seconds. Live and learn.
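For anyone who, like the author, wants to see where osquery's userassist table gets its rows: on Windows 7 and later the data lives under HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count, where every value name is the ROT13-encoded program path and every value is a 72-byte record holding the run count at offset 4 and the last-run FILETIME at offset 60. The following is an added example (not the post author's code and not osquery's own code) that decodes such entries and reproduces the sid/path filter from the query above. The registry values it parses are constructed inline for the example; the DiskWipe.exe and Wireshark.exe paths, the timestamps and the run counts are assumptions, since the page only gives the file name and the SID.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Layout of one UserAssist Count value on Windows 7 and later:
#   offset  4: run count (uint32 LE)
#   offset 60: last execution time (FILETIME, uint64 LE)
RECORD_LEN = 72
RUN_COUNT_OFFSET = 4
LAST_RUN_OFFSET = 60
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when):
    """Inverse of filetime_to_datetime; integer arithmetic keeps the round trip exact."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist(sid, count_values):
    """Turn the name/data pairs of one Count key into userassist-style rows.

    count_values maps raw value names (ROT13 strings) to raw value data (bytes).
    Values shorter than a full record (such as the HRZR_PGYFRFFVBA session marker)
    are skipped rather than misparsed.
    """
    rows = []
    for raw_name, data in count_values.items():
        if len(data) < RECORD_LEN:
            continue
        path = codecs.decode(raw_name, "rot_13")
        run_count = struct.unpack_from("<I", data, RUN_COUNT_OFFSET)[0]
        last_run_ft = struct.unpack_from("<Q", data, LAST_RUN_OFFSET)[0]
        rows.append({
            "sid": sid,
            "path": path,
            "count": run_count,
            "last_execution_time": filetime_to_datetime(last_run_ft) if last_run_ft else None,
        })
    return rows


def executions_matching(rows, sid, name_fragment=""):
    """Equivalent of: select ... from userassist where sid = ? and path like '%fragment%'."""
    fragment = name_fragment.lower()
    return sorted(
        (r for r in rows if r["sid"] == sid and fragment in r["path"].lower()),
        key=lambda r: r["last_execution_time"] or FILETIME_EPOCH,
    )


# --- Constructed sample registry data (assumed values, not captured from the lab VM) ---
def make_record(run_count, last_run):
    record = bytearray(RECORD_LEN)
    struct.pack_into("<I", record, RUN_COUNT_OFFSET, run_count)
    struct.pack_into("<Q", record, LAST_RUN_OFFSET, datetime_to_filetime(last_run))
    return bytes(record)


SAMPLE_SID = "S-1-5-21-1966530601-3185510712-10604624-1009"  # James's SID from the room
SAMPLE_COUNT_VALUES = {
    # Folder, timestamp and count are assumptions; the page only names DiskWipe.exe.
    codecs.encode(r"C:\Users\James\Desktop\DiskWipe.exe", "rot_13"):
        make_record(1, datetime(2022, 9, 21, 14, 3, 5, tzinfo=timezone.utc)),
    codecs.encode(r"C:\Program Files\Wireshark\Wireshark.exe", "rot_13"):
        make_record(3, datetime(2022, 9, 20, 9, 12, 0, tzinfo=timezone.utc)),
    # Session marker Windows stores beside the real entries; far too short to be a record.
    codecs.encode("UEME_CTLSESSION", "rot_13"): b"\x00" * 8,
}


def james_executions(name_fragment=""):
    rows = parse_userassist(SAMPLE_SID, SAMPLE_COUNT_VALUES)
    return executions_matching(rows, SAMPLE_SID, name_fragment)


if __name__ == "__main__":
    for row in james_executions():
        print(row["count"], row["last_execution_time"], row["path"])
```

On a live host the same parsing applies to the raw values read with Get-ItemProperty from the Count subkeys of the user's UserAssist key; the ROT13 names are why a plain Select-String for "DiskWipe" against that key finds nothing.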
Create a search query to identify the VPN installed on this host. What is name of the software?
PS C:\Windows\system32> (Get-Package | Where-Object {($_.Name -like "*VPN*") -and ($_.ProviderName -eq "Programs")}).Name
ProtonVPN
How many services are running on this host?
TryHackMe kinda made an error on this one, much like their booboo regarding the “local admin” on a DC in the ZeroLogon room. It’s all good though, I learned more in the process.
PS C:\Windows\system32> (Get-Service | Where-Object {$_.Status -eq "Running"}).Count
73
PS C:\Windows\system32> (Get-Service).Count
214
TryHackMe wants 214, the question is poorly worded. Luckily their answer boxes let you know how many characters the answer should have.
A table autoexec contains the list of executables that are automatically executed on the target machine. There seems to be a batch file that runs automatically. What is the name of that batch file (with the extension .bat)?
PS C:\Windows\system32> wmic startup get caption,command
batstartup.bat
What is the full path of the batch file found in the above question? (Last in the List)
Get-ChildItem -Path C:\ -Include *batstartup.bat* -File -Recurse -ErrorAction SilentlyContinue
Directory: C:\AtomicRedTeam\atomics\T1547.001\src
There’s another copy in:
Directory: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
TryHackMe wants the second copy that’s in James’ folder. In fact, all the questions regarding a given user were about James. Hence I simply used Explorer to search their folder on this one.
Summary
Just in case anyone was curious like I was, the content of the *.bat file was
TryHackMe put some other legacy file types in there that attackers like to use as well with the same content.
I have nothing against osquery, I was just curious where it was pulling the data from. Hence I ran almost all the queries to find the answers in this room without using osquery.
There are numerous other walkthroughs for this room already out there on Google, however the ones I saw either didn’t show their work or only used osquery, so I figured I’d post my notes on how we found the answers using builtin PowerShell.
References
Good writeup that used osquery: https://classroom.anir0y.in/post/tryhackme-osquerythebasics/
Find installed programs: https://devblogs.microsoft.com/scripting/use-powershell-to-quickly-find-installed-software/
Show startup programs: https://www.online-tech-tips.com/computer-tips/list-windows-startup-programs/
Find a file: https://devblogs.microsoft.com/scripting/use-windows-powershell-to-search-for-files/