
Investigating Windows 3.x - TryHackMe Walkthrough

Sep 14, 2023
38:13

Introduction:-
Find the artifacts resident on the endpoint and sift through the captured data to determine what type of attack occurred on the endpoint.

Chapters:-
0:00 - Intro to InvestigatingWindows3.x
1:36 - Autoruns - Log File Analysis
3:14 - Sysmon - Cheatsheet and Log Forensics
7:37 - CyberChef - Payload Decoding
10:43 - Print Spooler Service - Event Log
12:22 - Sysmon - Event Log Analysis
13:46 - Procmon - Log File Examination
17:42 - Empire - PowerShell based Attack Framework
22:18 - Procmon Log Analysis - C2 server & Process Injection
37:16 - PowerShell Transcription Log Analysis
37:49 - MITRE ATT&CK Mapping

Topics Covered:-
Incident investigation via the logs of Sysmon, Procmon and Autoruns
Detailed command line forensics and process forensics
Mapping of the cyberattack to the MITRE ATT&CK framework
Process injection via CreateRemoteThread and correlating its event ID in the Sysmon/Procmon logs

Tools Used:-
#procmon #autoruns #sysmon #eventviewer #eventlogs #regedit #cyberchef #base64 decode #mitre

Room Link:-
https://tryhackme.com/room/investigatingwindows3

Resources/ Helpful Material:-
https://gchq.github.io/CyberChef/ (#CyberChef)
https://github.com/EmpireProject/Empire (#Powershell #Empire)
https://mitre-attack.github.io/attack-navigator/ (#MITRE Navigator)
https://github.com/olafhartong/sysmon-cheatsheet (#sysmon cheatsheet)
