Retracted TryHackMe Walkthrough
TL;DR walkthrough of the TryHackMe room Retracted, part of the SOC Level 1 pathway.
THM Walkthroughs:
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
I had only used Sysmon once, during a room in the Cyber Defense Pathway here. I put a cheatsheet of Sysmon Event IDs in that walkthrough and referenced it heavily during this room, so I will copy/paste it here so readers don’t have to chase links just to find it.
+----+----------------------------------------+
| # | Sysmon Event |
+----+----------------------------------------+
| 1 | Process creation |
| 3 | Network connection |
| 5 | Process terminated |
| 7 | Image loaded |
| 8 | CreateRemoteThread |
| 9 | RawAccessRead |
| 10 | ProcessAccess |
| 11 | FileCreate |
| 12 | RegistryEvent (Object create & delete) |
| 13 | RegistryEvent (Value Set) |
| 14 | RegistryEvent (Key & Value Rename) |
| 15 | FileCreateStreamHash |
| 22 | DNSEvent (DNS query) |
+----+----------------------------------------+
Much like the previous Sysmon room, and many (most?) other walkthroughs of Windows logs in general, TryHackMe itself and most of the walkthroughs you will find on Google stick to using Event Viewer in the GUI.
Personally I prefer the command line. TryHackMe didn’t ask for it in this room, but say you needed a list of every file the malware in this room encrypted. I have no idea how to even go about doing that in the GUI, but it’s trivial in PowerShell.
# Sysmon Event ID 11 = FileCreate. Matching the message on antivirus.exe selects the files
# that process wrote; Properties[5] is the TargetFilename field in the current Sysmon schema.
$Events = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object {($_.Id -eq "11") -and ($_.Message -like "*antivirus.exe*")}
ForEach($Event in $Events)
{
    $Event.Properties[5].Value   # full path of each file antivirus.exe created
}
On a side note, if you do know how to query that in the GUI then feel free to let me know in the comments.
For each question I show the query that returns the whole event from the logs, and below it the query that pulls out just the specific value we are looking for.
Well without further ado, let’s get into how to query Sysmon logs and find the answers.
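Before the tasks, one added example that is not from the original walkthrough. The queries in this post read fields by position (`Properties[5]`, `Properties[14]`), which works but silently breaks when the Sysmon schema shifts a field, and `TimeCreated` is rendered in the VM's local time zone while the room wants UTC. The helper below pulls Sysmon events with a server-side filter hashtable, parses the event XML so every EventData field is available by name (`Image`, `TargetFilename`, `DestinationIp`, `SourceIp`, `CommandLine`), and keeps an explicit UTC timestamp. The file names come from the room; the `2024-01-09` cutoff date used to screen out later students' RDP sessions and the port-3389 filter for RDP are assumptions made for this example, not something the original queries used.

```powershell
# Added example (not the original author's code). Exposes Sysmon EventData fields by NAME,
# parsed from the event XML, instead of positional Properties[n] indices.
function Get-SysmonEvent {
    param(
        [Parameter(Mandatory)] [int[]] $Id,           # Sysmon event IDs, e.g. 1, 3, 11
        [string] $Match = '*',                        # wildcard tested against the rendered message
        [datetime] $Before = [datetime]::MaxValue     # drop events after this (local) time
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $Id }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -le $Before -and $_.Message -like $Match } |
        ForEach-Object {
            $xml = [xml] $_.ToXml()     # PowerShell property access ignores the event XML namespace
            # TimeCreated is shown in this machine's time zone; keep an explicit UTC copy
            $row = [ordered]@{
                Id          = $_.Id
                TimeCreated = $_.TimeCreated
                UtcTime     = $_.TimeCreated.ToUniversalTime()
            }
            # <EventData><Data Name="Image">...</Data>...</EventData> becomes one property per field
            foreach ($d in $xml.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
            [pscustomobject] $row
        }
}

# Answer format the room asks for: UTC, YYYY-MM-DD hh:mm:ss
function Format-RoomTime ([datetime] $Time) {
    $Time.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
}

# 1. Every file the malware wrote (Event 11 = FileCreate). Filtering on Image, not only the
#    message text, excludes the browser's own FileCreate for the antivirus.exe download.
Get-SysmonEvent -Id 11 -Match '*antivirus.exe*' |
    Where-Object { $_.Image -like '*\antivirus.exe' } |
    Select-Object UtcTime, TargetFilename

# 2. Execution time of the process that wrote the note: Event 1 (process creation), not 11
Get-SysmonEvent -Id 1 -Match '*sophie.txt*' |
    ForEach-Object { '{0}  {1}' -f (Format-RoomTime $_.TimeCreated), $_.CommandLine }

# 3. Outbound connection from the installer (Event 3); one row per event, no index juggling
Get-SysmonEvent -Id 3 -Match '*antivirus.exe*' |
    Select-Object UtcTime, Image, DestinationIp, DestinationPort

# 4. RDP during the incident. The cutoff date is an assumption for this example: the room VM
#    keeps logging the RDP sessions of everyone who does the room later.
Get-SysmonEvent -Id 3 -Before ([datetime] '2024-01-09') |
    Where-Object { $_.DestinationPort -eq '3389' } |
    Select-Object UtcTime, SourceIp, SourcePort, Initiated, Image

# 5. Timeline for the ordering task: key process starts and connections, oldest first
Get-SysmonEvent -Id 1, 3 -Before ([datetime] '2024-01-09') |
    Where-Object { $_.Image -match 'antivirus\.exe|decryptor\.exe|notepad\.exe' } |
    Sort-Object UtcTime |
    Select-Object Id, UtcTime, Image, DestinationIp
```

`-FilterHashtable` filters inside the event log service, so it is much faster than piping every Sysmon event through `Where-Object`, and because the fields are named, the same calls keep working if a future Sysmon version inserts a field and moves `TargetFilename` or `DestinationIp` to a different index. Inbound connections in Event 3 carry `Initiated` = false, which is why that column is shown for the RDP rows.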
-- Task 1 --
I’ll handle it, Mom.
No answer needed
-- Task 2 --
What is the full path of the text file containing the “message”?
xfreerdp /v:10.10.19.221 /u:sophie /p:fluffy19601234\! /dynamic-resolution
This is on the Desktop, simply look at it and find:
C:\Users\Sophie\Desktop\SOPHIE.txt
What program was used to create the text file?
This is also found by simply looking at the file’s properties.
notepad.exe
What is the time of execution of the process that created the text file? Timezone UTC (Format YYYY-MM-DD hh:mm:ss)
TryHackMe’s hint led me astray here. Event ID 11 (FileCreate) records the file being written, but the question asks for the execution time of the process that created it, which is Event ID 1 (process creation) for notepad.exe with sophie.txt on its command line. So we are looking for Sysmon Event ID 1, not 11.
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object {($_.Id -eq "1") -and ($_.Message -like "*sophie.txt*")} | Select-Object *
Get exact answer:
(Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object {($_.Id -eq "1") -and ($_.Message -like "*sophie.txt*")}).TimeCreated
TimeCreated : 1/8/2024 2:25:30 PM
TimeCreated is rendered in the VM’s local time zone, so compare it against the UtcTime field in the event body before reformatting; here the two agree. The answer in the format that TryHackMe wants is:
2024-01-08 14:25:30
-- Task 3 --
“I swear something went wrong with my computer when I ran the installer. Suddenly, my files could not be opened, and the wallpaper changed, telling me to pay.”
“Wait, are you telling me that the file I downloaded is a virus? But I downloaded it from Google!”
Answer the questions below
What is the filename of this “installer”? (Including the file extension)
I simply looked in Sophie’s Downloads folder and found:
antivirus.exe
What is the download location of this installer?
C:\Users\Sophie\Downloads
The installer encrypts files and then adds a file extension to the end of the file name. What is this file extension?
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object {($_.Id -eq "11") -and ($_.Message -like "*antivirus.exe*")} | Select-Object -First 1 | Select-Object *
Alt, get the exact value. Get-WinEvent returns newest events first, so -First 1 is the last file antivirus.exe wrote; Properties[5] is its TargetFilename:
$Event = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object {($_.Id -eq "11") -and ($_.Message -like "*antivirus.exe*")} | Select-Object -First 1 | Select-Object *
$Event.Properties[5].Value
The TargetFilename ends in .dmp, so the extension the installer adds is:
.dmp
The installer reached out to an IP. What is this IP?
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object {($_.Id -eq "3") -and ($_.Message -like "*antivirus.exe*")} | Select-Object *
Alt, get the exact value. For Event ID 3, Properties[14] is DestinationIp; reading it per event with ForEach-Object keeps the index correct even if more than one connection matches (indexing into the flattened .Properties of a whole array would not):
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object {($_.Id -eq "3") -and ($_.Message -like "*antivirus.exe*")} | ForEach-Object { $_.Properties[14].Value }
10.10.8.111
-- Task 4 --
“So what happened to the virus? It does seem to be gone since all my files are back.”
Answer the questions below
The threat actor logged in via RDP right after the “installer” was downloaded. What is the source IP?
Remember to screen out RDP events from 2025, as those belong to those of us doing the TryHackMe room currently; hence the filter on TimeCreated below.
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object {($_.Id -eq "3") -and ($_.Message -like "*RDP*") -and ($_.TimeCreated -like "*2024*")} | Select-Object -First 1 | Select-Object *
Alt, query the exact value (for Event ID 3, Properties[9] is SourceIp):
$Event = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object {($_.Id -eq "3") -and ($_.Message -like "*RDP*") -and ($_.TimeCreated -like "*2024*")} | Select-Object -First 1 | Select-Object *
$Event.Properties[9].Value
10.11.27.46
This other person downloaded a file and ran it. When was this file run? Timezone UTC (Format YYYY-MM-DD hh:mm:ss)
We already know the file name from Sophie’s Downloads folder: decryptor.exe
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object {($_.Id -eq "1") -and ($_.Message -like "*decryptor.exe*")} | Select-Object *
1/8/2024 2:24:18 PM
#Alt, query the exact value
(Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object {($_.Id -eq "1") -and ($_.Message -like "*decryptor.exe*")} | Select-Object *).TimeCreated
Monday, January 8, 2024 2:24:18 PM
The answer in the format that TryHackMe wants is:
2024-01-08 14:24:18
-- Task 5 --
“So you’re telling me that someone accessed my computer and changed my files but later undid the changes?”
“That doesn’t make any sense. Why infect my machine and clean it afterwards?”
“Can you help me make sense of this?”
Arrange the following events in sequential order from 1 to 7, based on the timeline in which they occurred.
Answer the questions below [i.e. label each event in chronological order from 1 to 7]
After seeing the ransomware note, Sophie ran out and reached out to you for help.
3
Sophie downloaded the malware and ran it.
1
After all the files are restored, the intruder left the desktop telling Sophie to check her Bitcoin.
6
The intruder realized he infected a charity organization. He then downloaded a decryptor and decrypted all the files.
5
The downloaded malware encrypted the files on the computer and showed a ransomware note.
2
While Sophie was away, an intruder logged into Sophie’s machine via RDP and started looking around.
4
Sophie and I arrive on the scene to investigate. At this point, the intruder was gone.
7
-- Task 6 --
“Adelle from Finance just called me. She says that someone just donated a huge amount of bitcoin to our charity’s account!”
“Could this be our intruder? His malware accidentally infected our systems, found the mistake, and retracted all the changes?”
“Maybe he had a change of heart?”
Answer the questions below
Yeah, possibly.
No answer needed
Summary
This room was a good refresher on Sysmon and good practice querying Windows logs. The room author also wrote a nifty back story that we had to re-construct by querying the logs and finding out what happened and at what time. Good job arebel!
On a sidenote, ForEach loops have been my tried and true ‘go to’ for querying all sorts of information and putting it into an Excel spreadsheet so leadership can skim the results. If readers have any questions regarding PowerShell syntax or why I tend to write queries the way I do then feel free to ask!
I tend to just blow through, find the answer, and copy/paste the query I used without explaining it. This is because my future self, a year or two from now, is my intended audience when I write these, if I’m being completely honest. I don’t memorize this stuff; hell, I solved this room by going back and checking my notes on Sysmon here from 1 ½ years ago.
I post my notes publicly because I have found that I take better notes if I know that others might read them someday. If any of this helps anyone else then I am flattered and happy I could help.