TryHackMe: Sysinternals Walkthrough (SOC Level 1)

Welcome to this walkthrough of the Sysinternals Room on TryHackMe. In this room we will cover Sysinternals, an essential compilation of tools used to analyze Windows systems or applications.

Sysinternals Banner

Room URL:
https://tryhackme.com/room/btsysinternalssg

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.


Task 1: Introduction

Sysinternals is a collection of 70+ Windows-based tools categorized into file and disk utilities, networking, process management, security, system information, and miscellaneous tools. Created by Mark Russinovich and Bryce Cogswell under Winternals Software in the late ’90s, Microsoft acquired it in 2006, and Russinovich is now the CTO of Microsoft Azure.

Sysinternals tools gained fame when Russinovich exposed Sony’s rootkit scandal in 2005 and Symantec’s use of rootkit-like technology in 2006. These tools are widely used by IT professionals, red teamers, and adversaries. The goal of this guide is to introduce key Sysinternals tools for further exploration.

Questions

When did Microsoft acquire the Sysinternals tools?

Microsoft bought Winternals Software in 2006.

Answer: 2006

I deployed the attached virtual machine and I’m ready to move on…

Answer: No answer needed


Task 2: Install the Sysinternals Suite

Sysinternals tools can be run locally or from the web. Users can download the entire suite or individual tools from the Sysinternals Utilities Index or access them by category. Tools can also be downloaded and even run directly from Sysinternals Live.

For local installation, extracting the downloaded files and adding the folder path to environment variables allows command-line execution from any location. Alternatively, PowerShell can install the suite using:
Download-SysInternalsTools C:\Tools\Sysint

Questions

What is the last tool listed within the Sysinternals Suite?

If you look at https://learn.microsoft.com/en-us/sysinternals/downloads/ you will see that the last tool listed is called ZoomIt.

Answer: ZoomIt


Task 3: Using Sysinternals Live

Sysinternals Live allows users to run Sysinternals tools directly from the web without downloading them. However, accessing these tools via \\live.sysinternals.com\tools\<toolname> may fail if the WebDAV client is not running.

Fixing Access Issues:

  1. Ensure WebDAV Client is Running
    • On Windows 10, the client is installed but usually not running. Start it using get-service webclient in PowerShell.
    • On Windows Server 2019, WebDAV Redirector must be installed (Install-WindowsFeature WebDAV-Redirector -Restart).
  2. Enable Network Discovery
    • Access the Network and Sharing Center, turn on Network Discovery for the current profile.

Running Sysinternals Tools:

  1. Command Line Method:
    • Run tools directly using the network path (\\live.sysinternals.com\tools\procmon.exe).
  2. Mapped Drive Method:
    • Map a drive to \\live.sysinternals.com\tools, then run tools from the mapped drive.

Once configured, the Sysinternals tools can be browsed and executed directly from the local machine.
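The two steps above (make sure the WebClient service is running, then launch a tool from the UNC share) as one PowerShell snippet. This is an added example, not part of the room or the original post; it assumes Windows 10/11 with the WebDAV client installed, an elevated prompt for Start-Service, and outbound access to live.sysinternals.com. PsInfo is used instead of Procmon because it prints to the console and exits.

```powershell
# Added example (not from the TryHackMe room): verify the WebDAV client,
# then run a Sysinternals Live tool straight from the UNC share.

$svc = Get-Service -Name WebClient -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    Write-Host "WebClient is $($svc.Status); starting it (requires an elevated prompt)..."
    Start-Service -Name WebClient
}

# Any tool in the share can be referenced this way; PsInfo is non-interactive.
$tool = '\\live.sysinternals.com\tools\psinfo.exe'

if (Test-Path -Path $tool) {
    # -accepteula suppresses the first-run licence dialog so the tool runs unattended.
    & $tool -accepteula
} else {
    Write-Warning "Cannot reach $tool. Check the WebClient service, Network Discovery and outbound WebDAV (HTTP/HTTPS) access."
}

# Mapped-drive alternative: expose the share as a drive letter and run tools from it.
# New-PSDrive -Name L -PSProvider FileSystem -Root '\\live.sysinternals.com\tools' -Persist
# L:\psinfo.exe -accepteula
```

Test-Path against the UNC path is the quickest way to tell whether the failure is the local WebClient service (the room's answer) or network reachability.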

Questions

What service needs to be enabled on the local host to interact with live.sysinternals.com?

To run SysInternals tools live from your local host the webclient service needs to be running:

Downloading webclient

Answer: webclient


Task 4: File and Disk Utilities

In this task we cover 3 utilities:

Sigcheck

Sigcheck is a command-line utility that provides details about file versions, timestamps, and digital signatures, including certificate chains. It can also check a file’s status on VirusTotal.

Use Case: Checking for unsigned files in C:\Windows\System32
Command:

sigcheck -u -e C:\Windows\System32
  • -u: Shows unsigned files or those flagged on VirusTotal.
  • -e: Scans only executable files.
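Sigcheck's plain output is awkward to compare across runs, so the same use case is shown below with CSV output turned into objects. This is an added example, not the room's or the author's code; it assumes sigcheck.exe is on PATH (for example in C:\Tools\Sysint) and that the CSV header columns are Path, Verified, Date, Publisher and Description, as sigcheck's -c mode emits them.

```powershell
# Added example: Sigcheck over System32 with CSV output parsed into objects.
# Assumes sigcheck.exe is on PATH and emits its CSV header on the first line.
param(
    [string]$Directory = "$env:SystemRoot\System32"
)

# -u  unsigned files only (or VirusTotal-flagged when -v is also given)
# -e  executable images only, regardless of extension
# -c  CSV output; -nobanner removes the copyright header so line 1 is the CSV header
$raw = & sigcheck.exe -accepteula -nobanner -c -e -u $Directory 2>$null

$unsigned = @($raw | ConvertFrom-Csv)

# On a healthy system this list is empty or contains only known exceptions;
# anything new relative to a baseline deserves a closer look.
$unsigned | Select-Object Path, Verified, Publisher, Description | Format-Table -AutoSize

# Keep the run so the next one can be diffed against it.
$report = Join-Path $env:TEMP 'sigcheck-unsigned.csv'
$unsigned | Export-Csv -Path $report -NoTypeInformation
"{0} unsigned executable(s) under {1}; report: {2}" -f $unsigned.Count, $Directory, $report
```

Run it once on a known-good build, keep the CSV, and compare later runs against it; a single new unsigned binary in System32 is a much stronger signal than the raw list.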

Streams (Alternate Data Streams – ADS)

ADS is a feature of the NTFS file system that allows hidden data streams within files. Malware can exploit ADS to hide data, but it is also used for legitimate purposes, such as tagging downloaded files. Windows Explorer does not display ADS, but PowerShell or third-party tools can be used to view them.
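PowerShell can enumerate and read alternate data streams without Streams.exe, which is useful when you want to audit a whole directory rather than one file. The following is an added example, not part of the room; it creates a demonstration file in %TEMP% with a constructed hidden stream, lists and reads the streams, and then audits a directory for streams other than the default data stream and the browser-download marker Zone.Identifier.

```powershell
# Added example: enumerate and read NTFS alternate data streams with PowerShell.
# The demo file and its "ads.txt" stream are constructed here for illustration.

$demo = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $demo -Value 'visible content'
# Attach a stream named ads.txt to the same file; Explorer will not show it.
Set-Content -Path $demo -Stream 'ads.txt' -Value 'constructed hidden text'

# List every stream on the file. ":$DATA" is the normal content; anything else is an ADS.
Get-Item -Path $demo -Stream * | Select-Object FileName, Stream, Length

# Read one stream directly (the PowerShell equivalent of: notepad file.txt:ads.txt).
Get-Content -Path $demo -Stream 'ads.txt'

# Audit a directory tree for files carrying non-default streams, ignoring the
# legitimate Zone.Identifier tag that marks downloaded files.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }
        } |
        Select-Object FileName, Stream, Length
}

Find-AlternateStreams -Path $env:TEMP

# Clean up: remove the stream on its own, then the demo file.
Remove-Item -Path $demo -Stream 'ads.txt'
Remove-Item -Path $demo
```

Remove-Item -Stream deletes only the named stream and leaves the file's main content intact, which is what you want when stripping a suspicious stream during cleanup.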

SDelete (Secure Delete)

SDelete is a command-line utility for securely deleting files and wiping free space using the DoD 5220.22-M standard. It is associated with MITRE ATT&CK techniques T1485 (Data Destruction) and T1070.004 (File Deletion).

For further exploration, Microsoft provides additional File and Disk Utilities in the Sysinternals Suite:
🔗 Sysinternals File and Disk Utilities

Questions

With the previous tasks out of the way, now it is time for more practically oriented assignments.

There is a txt file on the desktop named file.txt. Using one of the three discussed tools in this task, what is the text within the ADS?

The question mentions Alternate Data Streams (ADS), so this means we need to use the Streams tool. Open up a Command Prompt and run the following command:

streams C:\Users\Administrator\Desktop\file.txt
Streams result

I was a bit confused on what this meant, but according to the hint we need to read the hidden file, in this case called ads.txt. We can use the notepad command to read it with the following syntax:

notepad C:\Users\Administrator\Desktop\file.txt:ads.txt
Hidden ads.txt

Now we see the message.

Answer: I am hiding in the stream.


Task 5: Networking Utilities

TCPView is a Windows program that provides detailed listings of all TCP and UDP endpoints, showing local and remote addresses and TCP connection states. It offers a more user-friendly alternative to Netstat and includes a command-line version called Tcpvcon.

Windows also has a built-in tool called Resource Monitor, which provides similar functionality. It can be accessed via resmon in the command line or from the Performance tab in Task Manager. Expanding the TCP Connections section reveals remote addresses for outbound connections.

In TCPView, users can filter connections by protocol (TCP v4, TCP v6, UDP v4, UDP v6) and apply a States Filter to display specific connection states. Since UDP is connectionless, most filtering options apply only to TCP. The tool allows users to exclude “Listen” state connections and focus on established outbound connections.
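The "established connections, Listen state excluded" view described above can be reproduced with the built-in NetTCPIP cmdlets, which is handy on a host where TCPView is not available. This is an added example, not the room's content; it assumes a modern Windows build with Get-NetTCPConnection and resolves each connection to its owning process and image path.

```powershell
# Added example: TCPView-style listing of established TCP connections with the
# owning process resolved, built from the NetTCPIP module.
function Get-OutboundConnections {
    # -State Established drops listeners (and UDP has no state table at all),
    # which matches TCPView's States filter with "Listen" excluded.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process       = $proc.ProcessName
                PID           = $_.OwningProcess
                Path          = $proc.Path
                LocalAddress  = "$($_.LocalAddress):$($_.LocalPort)"
                RemoteAddress = "$($_.RemoteAddress):$($_.RemotePort)"
                State         = $_.State
            }
        }
}

$conns = Get-OutboundConnections
$conns | Sort-Object Process | Format-Table -AutoSize

# One row per process with its distinct remote peers: the addresses worth a WHOIS lookup.
$conns | Group-Object Process |
    Select-Object Name, Count,
        @{ n = 'Remotes'; e = { ($_.Group.RemoteAddress | Sort-Object -Unique) -join ', ' } }
```

Get-Process needs elevation to return the Path of processes owned by other users; without it those rows show an empty Path, which is itself a hint to re-run the check from an elevated prompt.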

For further networking tools, Microsoft’s Sysinternals Networking Utilities are recommended.
More details.

Questions

Using WHOIS tools, what is the ISP/Organization for the remote address in the screenshots above?

We can use the WHOIS website to find this answer:

https://www.whois.com/whois/52.154.170.73

WHOIS info

The answer is:

Microsoft Corporation

Answer: Microsoft Corporation


Task 6: Process Utilities

1. Autoruns

Autoruns is a powerful tool that displays programs configured to start during system boot, user login, or when launching Windows applications. It reveals startup folder entries, registry keys, shell extensions, browser helpers, and auto-start services. This tool is useful for detecting persistence mechanisms used by malware.

2. ProcDump

ProcDump is a command-line tool designed to monitor applications for CPU spikes and generate crash dumps. These dumps help diagnose performance issues. Process Explorer can also create Minidumps or Full Dumps for similar analysis.

3. Process Explorer

Process Explorer provides a detailed view of active processes, their associated handles, and DLLs. It allows signature verification, logon startup management, and replacing Task Manager. Users can analyze network connections, open handles, and verify process authenticity using online tools.

4. Process Monitor (ProcMon)

ProcMon is an advanced real-time monitoring tool that logs file system, registry, and process/thread activity. It is useful for troubleshooting and malware analysis. Effective filtering is crucial to manage the high volume of logged events.

5. PsExec

PsExec is a lightweight tool that enables remote process execution without prior installation of client software. It is frequently used in administrative tasks but is also exploited by adversaries for lateral movement. It is associated with MITRE ATT&CK techniques for remote execution.

Additional Notes:

  • These tools are part of the Sysinternals Suite and are essential for system diagnostics, security investigations, and malware analysis.
  • More details and downloads are available at: Sysinternals Process Utilities.

Questions

Run Autoruns and inspect what are the new entries in the Image Hijacks tab compared to the screenshots above.

In the original screenshot there was only iexplore.exe. Clearly, taskmgr.exe is new.

Image Hijacks

Answer: No answer needed

What entry was updated?

As discussed above, taskmgr.exe is the new entry.

Answer: taskmgr.exe

What is the updated value?

The question expects the image path here, which I guess is the value associated with the autorun entry. In this case it is C:\TOOLS\SYSINT\PROCEXP.exe.

Answer: C:\TOOLS\SYSINT\PROCEXP.exe
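The Image Hijacks tab reads the Debugger values under the Image File Execution Options (IFEO) registry key; Process Explorer's "Replace Task Manager" option writes exactly such an entry for taskmgr.exe, which is the change seen in this task. The function below lists those entries directly from the registry so the check can be scripted. It is an added example, not the room's or Autoruns' own code; the autorunsc switches in the trailing comment are given for comparison and assume the current Autoruns command-line syntax.

```powershell
# Added example: enumerate IFEO "Debugger" entries, the data behind Autoruns'
# Image Hijacks tab. Checks both the native and the WOW6432Node key.
function Get-ImageHijacks {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($debugger) {
                [pscustomobject]@{
                    Image    = $_.PSChildName   # e.g. taskmgr.exe
                    Debugger = $debugger        # e.g. C:\TOOLS\SYSINT\PROCEXP.exe
                    Key      = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                }
            }
        }
    }
}

Get-ImageHijacks | Format-Table -AutoSize

# Equivalent Autoruns command line, CSV output limited to the image-hijack category:
# autorunsc.exe -accepteula -a h -c
```

Any Debugger value that is not a debugger you installed deserves the same scrutiny as a new service: whatever it points at runs every time the named image is launched.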


Task 7: Security Utilities

Sysmon (System Monitor) is a Windows system service and device driver that logs system activity, including process creations, network connections, and file creation time changes. It persists across reboots and helps detect malicious or anomalous activity by integrating with Windows Event Collection or SIEM tools.

For a deeper understanding, explore the Sysmon room and other security-related Sysinternals tools.

Questions

You will check out the Sysmon room if you haven’t done so already…

Answer: No answer needed.


Task 8: WinObj

WinObj is a 32-bit Windows NT tool that uses the native Windows NT API to display information about the NT Object Manager’s namespace. It helps analyze system sessions, such as Session 0 (OS) and Session 1 (User), and explore objects like mounted network drives and WindowStations.

For deeper insights, compare WinObj data with Process Explorer and explore other Sysinternals System Information tools.

Questions

Moving along…

Answer: No answer needed.


Task 9: Miscellaneous

  1. BgInfo: This tool automatically displays system information on the desktop background, such as computer name, IP address, and service pack version. It’s especially useful for server management, as it shows key details on the wallpaper when a user RDPs into a server.
  2. RegJump: A command-line tool that opens the Windows Registry Editor directly at a specified registry path, saving users the hassle of manually navigating through the registry.
  3. Strings: This utility scans files for Unicode or ASCII strings of three or more characters, making it useful for searching within files, such as binaries. It was used in the AoC2 challenge to inspect a mysterious binary.

Questions

Run the Strings tool on ZoomIt.exe. What is the full path to the .pdb file?

It is time to use the Strings tool. Before running it move to:

C:\Tools\sysint>

Proceed by running:

strings ZoomIt.exe | findstr /i .pdb

This searches for the “.pdb” string in the output of running strings on the ZoomIt executable.
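To show what Strings actually does, here is a small scanner of the same kind written in PowerShell: it extracts ASCII and UTF-16LE runs of three or more printable characters (the Strings default) and filters them with a regex, which covers the strings | findstr step above in one call. This is an added example, not the Sysinternals tool or the author's command, and the ZoomIt.exe path it uses is the one from the room.

```powershell
# Added example: minimal strings-style scanner for ASCII and UTF-16LE runs.
function Get-PrintableStrings {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinLength = 3,        # same default as Sysinternals Strings
        [string]$Pattern = '.'      # regex applied to each extracted string
    )
    # Latin-1 (code page 28591) maps every byte to exactly one character,
    # so the regexes below operate on the raw bytes.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    $asciiRun   = "[\x20-\x7E]{$MinLength,}"
    $unicodeRun = "(?:[\x20-\x7E]\x00){$MinLength,}"   # printable char followed by NUL

    $found  = @([regex]::Matches($text, $asciiRun) | ForEach-Object Value)
    $found += @([regex]::Matches($text, $unicodeRun) | ForEach-Object { $_.Value -replace "`0", '' })

    # -match is case-insensitive, like findstr /i
    $found | Where-Object { $_ -match $Pattern } | Sort-Object -Unique
}

# The room's question, without findstr:
Get-PrintableStrings -Path 'C:\Tools\sysint\ZoomIt.exe' -Pattern '\.pdb$'
```

A PDB path such as the one found here is a build artefact that leaks the developer's local directory layout; it is harmless in a signed vendor binary but is one of the first things to pull from an unknown sample because it often ties samples from the same author together.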

Running Strings on ZoomIt

You will see the answer on line 1.

Answer: C:\agent_work\112\s\Win32\Release\ZoomIt.pdb


Task 10: Conclusion

Sysinternals tools are not just for troubleshooting—they are essential for roles like Desktop Engineers, Systems Analysts, and Security Engineers.

For example, in a real-world security scenario, tools like ProcExp, ProcMon, and ProcDump were used to diagnose why an agent wasn’t responding on an endpoint. These tools help inspect processes, monitor system activity, and generate dumps for deeper analysis.

Sysinternals knowledge is valuable for security professionals, even becoming part of interview questions when hiring. Adversaries also use these tools, making familiarity crucial for defenders.

For further learning, check out:

Though some resources are outdated, they remain valuable for mastering these tools.

Questions

I will definitely look into Sysinternals more in-depth and add this to my arsenal… 

Answer: No answer needed.

Congratulations on completing Sysinternals!!!


Congratulations on completing the Sysinternals room. This was a very high-level overview of some of the essential tools which are part of the Sysinternals package. To really get to know all these tools I recommend tons of practice!

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find more of my walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
