TryHackMe: Intro to Endpoint Security Walkthrough (SOC Level 1) 

Welcome to this walkthrough of the Intro to Endpoint Security Room on TryHackMe. In this room we learn about fundamentals, methodology, and tooling for endpoint security monitoring.

Intro to Endpoint Security Banner

Room URL:
https://tryhackme.com/room/introtoendpointsecurity

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me in learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.



Task 1: Room Introduction

In this room, we will introduce the fundamentals of endpoint security monitoring, essential tools, and high-level methodology. This room gives an overview of determining a malicious activity from an endpoint and mapping its related events.

To start with, we will tackle the following topics to build a stepping stone on how to deal with Endpoint Security Monitoring.

  • Endpoint Security Fundamentals
  • Endpoint Logging and Monitoring
  • Endpoint Log Analysis

At the end of this room, we will have a threat simulation wherein you need to investigate and remediate the infected machines. This activity may require you first to understand the fundamentals of endpoint security monitoring to complete it.

Now, let’s deep-dive into the basics of Endpoint Security!

Questions

I have read the introduction task.

Answer: No answer needed


Task 2: Endpoint Security Fundamentals

Understanding Core Windows Processes is essential for analyzing endpoint logs effectively. Task Manager, a built-in Windows utility, helps in monitoring active processes, system performance, and resource usage. Some key Windows processes include:

  • System
    • smss.exe (Session Manager)
    • csrss.exe (Client/Server Runtime)
    • wininit.exe (Windows Initialization) → services.exe → svchost.exe
    • lsass.exe (Local Security Authority)
    • winlogon.exe (Handles user logins)
    • explorer.exe (Windows Explorer/UI process)

Core processes that are not part of a parent-child chain should have no running parent process. The one exception is System, whose only legitimate parent is System Idle Process (0).
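To make the parent-child rule concrete, here is an added example (my own code, not TryHackMe's) that checks a constructed process snapshot against the expected parents from the list above. The smss.exe → System and lsass.exe → wininit.exe relationships and the "no live parent" set are standard Windows behaviour added here; all PIDs and the rogue svchost.exe are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str

# Core processes whose parent must be a specific, still-running process.
# services.exe -> wininit.exe and svchost.exe -> services.exe come from the
# room; smss.exe -> System and lsass.exe -> wininit.exe are standard Windows.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
# Core processes whose real parent (an smss.exe/userinit.exe instance) has
# already exited, so a live parent in the snapshot is itself suspicious.
NO_LIVE_PARENT = {"csrss.exe", "wininit.exe", "winlogon.exe", "explorer.exe"}

def check_parents(procs):
    """Return one finding string per core process with an unexpected parent."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)
        if name == "system":
            # System's only legitimate parent is System Idle Process (PID 0).
            if p.ppid != 0:
                findings.append(f"{p.name} ({p.pid}): parent should be PID 0, got {p.ppid}")
        elif name in EXPECTED_PARENT:
            want = EXPECTED_PARENT[name]
            if parent is None or parent.name.lower() != want.lower():
                got = parent.name if parent else "none"
                findings.append(f"{p.name} ({p.pid}): expected parent {want}, got {got}")
        elif name in NO_LIVE_PARENT and parent is not None:
            findings.append(f"{p.name} ({p.pid}): unexpected live parent {parent.name}")
    return findings

# Constructed snapshot (hypothetical PIDs): a normal tree plus one svchost.exe
# whose parent is explorer.exe, which the check flags.
SNAPSHOT = [
    Proc(4, 0, "System"), Proc(400, 4, "smss.exe"),
    Proc(500, 388, "csrss.exe"), Proc(520, 388, "wininit.exe"),
    Proc(600, 520, "services.exe"), Proc(620, 520, "lsass.exe"),
    Proc(800, 600, "svchost.exe"), Proc(560, 392, "winlogon.exe"),
    Proc(1500, 1480, "explorer.exe"), Proc(2200, 1500, "svchost.exe"),
]
```

Running `check_parents(SNAPSHOT)` reports only the svchost.exe launched from explorer.exe; a real snapshot can be fed in from Process Explorer or `Get-Process` output.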

Sysinternals Tools

Sysinternals is a suite of over 70 tools for Windows system analysis. Two key tools used in endpoint investigations are:

  1. TCPView (Networking Utility)
    • Displays TCP/UDP connections, local and remote addresses, and process associations.
    • More user-friendly than netstat.
  2. Process Explorer (Process Utility)
    • Provides a detailed view of running processes.
    • Shows associated services, network traffic, open handles, DLLs, and memory-mapped files.

Questions

What is the normal parent process of services.exe?

As discussed in the theory, the parent process of services.exe is wininit.exe.

Answer: wininit.exe

What is the name of the network utility tool introduced in this task?

Nothing else to mention here than TCPView.

Answer: TCPView


Task 3: Endpoint Logging and Monitoring

Windows Event Logs

Windows Event Logs store system and application events in a proprietary binary format (.evt/.evtx) located in C:\Windows\System32\winevt\Logs. Logs can be accessed using:

  1. Event Viewer (GUI-based)
  2. Wevtutil.exe (Command-line)
  3. Get-WinEvent (PowerShell cmdlet)

Sysmon (System Monitor)

  • A Windows Sysinternals tool that enhances event logging with detailed process monitoring.
  • Used for anomaly detection and security monitoring within SIEM systems.
  • Supports 27 Event IDs for granular logging control.

OSQuery

  • Open-source SQL-based endpoint query tool (developed by Facebook).
  • Enables security analysts to retrieve system information via SQL queries.
  • Can query local events or multiple endpoints using Kolide Fleet.

Wazuh (Open-source EDR)

  • An Endpoint Detection and Response (EDR) solution for threat monitoring.
  • Uses a manager-agent model for large-scale monitoring.
  • Features:
    • Vulnerability auditing
    • Threat detection (e.g., unauthorized logins, privilege escalation)
    • Anomaly detection
    • Data visualization

Questions

Where do the Windows Event logs (.evtx files) typically reside?

Answer: C:\Windows\System32\winevt\Logs

Provide the command used to enter OSQuery CLI.

We use the osqueryi command to enter the OSQuery CLI.

Answer: osqueryi

What does EDR mean? Provide the answer in lowercase.

Endpoint detection and response (EDR) tools are applications that monitor devices for activity that could indicate a threat or security breach.

Answer: Endpoint detection and response


Task 4: Endpoint Log Analysis

Event Correlation

Event correlation identifies relationships between logs from different sources (e.g., application, endpoint, and network logs) to connect related artifacts. For instance, network connection data may appear in both Sysmon and firewall logs, each providing different details such as IP addresses, ports, protocols, user accounts, and processes. By correlating these logs, investigators can reconstruct events and gain a clearer understanding of security incidents.

Baselining

Baselining establishes what is considered normal activity within an organization’s environment by analyzing user behavior, network traffic, and running processes. This helps in identifying anomalies that may indicate security threats. For example, if employees typically work from London during business hours, a VPN login from Singapore at 3 AM would be flagged as unusual. Comparing expected and unusual activities helps in detecting potential security incidents effectively.
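The two techniques above are exactly what the lab in the next task walks through: compare running processes against the baseline, then pivot on the suspicious process's destination IP across other hosts. The following is an added example of mine (not the room's code) over constructed data; host names, the 203.0.113.5 placeholder IP and the renamed update.exe binary are all made up, and the last one shows why correlating on the IP finds more than searching by process name.

```python
# Constructed baseline document: process names expected on a workstation.
BASELINE = {"system", "smss.exe", "csrss.exe", "wininit.exe", "services.exe",
            "lsass.exe", "svchost.exe", "winlogon.exe", "explorer.exe"}

# Constructed running-process list from the first host investigated.
RUNNING = ["System", "smss.exe", "csrss.exe", "wininit.exe", "services.exe",
           "lsass.exe", "svchost.exe", "winlogon.exe", "explorer.exe", "beacon.exe"]

# Constructed Sysmon-style network-connection records (Event ID 3) from several
# hosts, reduced to host, image and destination IP (203.0.113.5 is a
# documentation-range placeholder standing in for the noted malicious IP).
NETWORK_EVENTS = [
    {"host": "WKSTN-01", "image": "beacon.exe", "dst": "203.0.113.5"},
    {"host": "WKSTN-01", "image": "svchost.exe", "dst": "10.0.0.2"},
    {"host": "WKSTN-02", "image": "beacon.exe", "dst": "203.0.113.5"},
    {"host": "WKSTN-03", "image": "update.exe", "dst": "203.0.113.5"},
    {"host": "WKSTN-04", "image": "explorer.exe", "dst": "10.0.0.2"},
    {"host": "WKSTN-05", "image": "beacon.exe", "dst": "203.0.113.5"},
]

def unknown_processes(baseline, running):
    """Baselining: running process names (case-insensitive) not in the baseline."""
    return sorted({p for p in running if p.lower() not in baseline})

def destinations_of(events, image):
    """Destination IPs contacted by the given image on any host."""
    return {e["dst"] for e in events if e["image"].lower() == image.lower()}

def hosts_contacting(events, ip):
    """Correlation: hosts with a connection to ip, mapped to the images used."""
    hits = {}
    for e in events:
        if e["dst"] == ip:
            hits.setdefault(e["host"], set()).add(e["image"])
    return hits

def investigate(baseline, running, events):
    """Chain both steps: flag the anomaly, then pivot on its IP across hosts."""
    findings = {}
    for proc in unknown_processes(baseline, running):
        for ip in destinations_of(events, proc):
            findings[(proc, ip)] = hosts_contacting(events, ip)
    return findings

if __name__ == "__main__":
    for (proc, ip), hosts in investigate(BASELINE, RUNNING, NETWORK_EVENTS).items():
        print(f"{proc} -> {ip}: {sorted(hosts)}")
```

WKSTN-03 never runs beacon.exe but still talks to the same IP, so it only surfaces through the IP pivot, which is the point of correlating the process artefact with network events.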

Questions

Click on the green View Site button in this task to open the Static Site Lab and start investigating the threat by following the provided instructions.

Go ahead and open the site. You are met by a Windows Desktop screen:

Windows Desktop Screen

Go ahead and start the investigation by pressing on Start investigation. You are met by a window showing the running processes:

Running processes

To help us identify the abnormal process, we can press on the Baseline document link.

Baselined processes

If you compare the two windows, you will notice that beacon.exe is missing from the baseline processes. This makes it very suspicious! Click on it and you will get new instructions:

New instructions

Once again, we can click on beacon.exe. Now put the IP address from your notes in the search input field:

Noted the malicious IP

Four affected systems are found:

Go ahead and eradicate the threat on all four computers by pressing Remediate on each.

Flag instructions

All that is left is to click the flag on the Desktop.

Answer: No answer needed.

Provide the flag for the simulated investigation activity.

Answer: THM{3ndp01nt_s3cur1ty!}$


Task 5: Conclusion

Congratulations! You have completed the investigation task. 

In the simulated threat investigation activity, we have learned the following:

  • Having a baseline document aids you in differentiating malicious events from benign ones.
  • Event correlation provides a deeper understanding of the concurrent events triggered by the malicious activity.
  • Taking note of each significant artefact is crucial in the investigation.
  • Other potentially affected assets should be inspected and remediated using the collected malicious artefacts. 

In conclusion, we covered the basic concepts of Endpoint Security Monitoring:

  • Endpoint Security Fundamentals tackled Core Windows Processes and Sysinternals.
  • Endpoint Logging and Monitoring introduced logging functionalities such as Windows Event Logging and Sysmon and monitoring/investigation tools such as OSQuery and Wazuh.
  • Endpoint Log Analysis highlighted the importance of having a methodology such as baselining and event correlation.

You are now ready to deep-dive into the Endpoint Security Monitoring Module. To continue this path, you may refer to the list of rooms mentioned in the previous tasks:

Questions

I have completed the Introduction to Endpoint Security Monitoring room.

Answer: No answer needed.

Congratulations on completing Intro to Endpoint Security!!!

Congratulations on completing Intro to Endpoint Security!!! This was a sweet and short room, but a great introduction to Endpoint Security. And I love these little Static site assignments! Thanks for reading!

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Read more of my walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
