TryHackMe Elevating Movement - Full Walkthrough 2025
Investigate the second, Windows part of the Honeynet Collapse!

Room Link: https://tryhackme.com/room/elevatingmovement

In this room the attacker gained access over RDP, replaced a binary with a Meterpreter-type backdoor for persistence and privilege escalation, dumped the lsass[.]exe process, downloaded the dump for offline analysis, and later used PsExec for lateral movement.

Task 1: Introduction

Meet DeceptiTech
DeceptiTech is a fast-growing cyber security company specializing in honeypot development and deception technologies. At the heart of their success are DeceptiPots - lightweight, powerful, and configurable honeypots that you can install on any OS to capture every malicious action!

Elevating Movement
One ordinary morning, DeceptiTech's entire network collapsed. Within minutes, all critical on-premises systems were locked down and encrypted. The IT department hurried to restore backups, while the security team rushed to their SIEM - only to find the backups corrupted and all SIEM data wiped clean. This room is about the second attack stage (#2 on the network diagram). As part of an external DFIR unit, can you help DeceptiTech perform a full-scope investigation and explain how the attack continued?

Task 2: The Challenge

Elevating Movement
Hey Emily, when you are done with the DeceptiPot deployment, can you take a look at SRV-IT-QA? It became unstable after we replaced the motherboard, so maybe you can debug what's going on there. ~ Matthew

While Emily worked on the issue from a local admin account, the threat actor continued the attack. With the entry point secured and Emily's domain credentials stolen, they now wanted to explore opportunities for privilege escalation. Leveraging your knowledge of Windows forensics, can you uncover the elevating movement?

Answer the questions below:
- When did the attacker perform the RDP login on the server?
- What is the full path to the binary that was replaced for persistence and privesc?
- What is the type or malware family of the replaced binary?
- Which full command line was used to dump the OS credentials?
- Using the stolen credentials, when did the attacker perform lateral movement?
- What is the NTLM hash of matthew.collins' domain password?

Website links from the video:
- Windows RDP-Related Event Logs: Identification, Tracking, and Investigation: https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
- Detecting PsExec lateral movements: 4 artifacts to sniff out intruders: https://www.hackthebox.com/blog/how-to-detect-psexec-and-lateral-movements
- Any.Run malware report for the binary Coreinfo64[.]exe: https://any.run/report/3ae834b3d24e56a5216ca69f8210c4ba92f4315197babeb6e34eacf06952c7de/10aa15c3-5587-4ec0-83ff-8f1db7d42418
- pypykatz: https://github.com/skelsec/pypykatz

Educational Purpose Only
This content is for educational and authorized penetration testing purposes only. Always ensure you have permission before testing on any systems.

Don't forget to LIKE and SUBSCRIBE for more cybersecurity tutorials!

#tryhackme #Honeynet
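As an added example (not code from the room or the video), here is how a defender can stitch the chain described above together from Windows event records: an RDP logon is Security event 4624 with LogonType 10, the credential dump shows up as a 4688 process-creation event whose command line references lsass, and a PsExec run leaves a System event 7045 installing the PSEXESVC service. The sample events, host, user names, times, tool name and paths are all constructed and are not the room's evidence.

```python
# Added example: rebuild the RDP -> lsass dump -> PsExec timeline from
# Windows event records. All sample data below is constructed; the field
# names mirror the Security/System log XML fields.
import re

SAMPLE_EVENTS = [  # constructed sample records, not real evidence
    {"log": "Security", "id": 4624, "time": "2025-01-15T09:02:11",
     "TargetUserName": "emily.ward", "LogonType": 2, "IpAddress": "-"},
    {"log": "Security", "id": 4624, "time": "2025-01-15T09:41:03",
     "TargetUserName": "emily.ward", "LogonType": 10, "IpAddress": "10.0.5.23"},
    {"log": "Security", "id": 4688, "time": "2025-01-15T09:50:07",
     "CommandLine": r"notepad.exe C:\Temp\notes.txt"},
    {"log": "Security", "id": 4688, "time": "2025-01-15T09:55:40",
     "CommandLine": r"dumptool.exe lsass.exe C:\Temp\lsass.dmp"},  # placeholder tool name
    {"log": "System", "id": 7045, "time": "2025-01-15T10:30:12",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
]

LSASS_RE = re.compile(r"lsass", re.IGNORECASE)


def classify(ev):
    """Tag an event that belongs to this attack chain; return None otherwise."""
    if ev["log"] == "Security" and ev["id"] == 4624 and ev.get("LogonType") == 10:
        # LogonType 10 = RemoteInteractive, i.e. an RDP session logon.
        return "rdp_logon", f"{ev['TargetUserName']} from {ev['IpAddress']}"
    if ev["log"] == "Security" and ev["id"] == 4688 and LSASS_RE.search(ev.get("CommandLine", "")):
        # Process creation whose command line touches lsass: candidate credential dump.
        return "lsass_dump", ev["CommandLine"]
    if ev["log"] == "System" and ev["id"] == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
        # Default PsExec service name; a renamed service would also need an ImagePath rule.
        return "psexec_service", ev["ImagePath"]
    return None


def build_timeline(events):
    """Sorted list of (time, tag, detail) for the events that form the chain."""
    hits = []
    for ev in events:
        tagged = classify(ev)
        if tagged:
            hits.append((ev["time"], tagged[0], tagged[1]))
    return sorted(hits)  # ISO-8601 strings sort chronologically


def first_time(timeline, tag):
    """Timestamp of the first event carrying the given tag, or None."""
    return next((t for t, tg, _ in timeline if tg == tag), None)


if __name__ == "__main__":
    for time, tag, detail in build_timeline(SAMPLE_EVENTS):
        print(time, tag, detail)
```

The same three rules applied to the real exported logs give the "when" answers the room asks for; the local logon (LogonType 2) and the harmless notepad process are correctly left out.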