Home Sysinternals
Post
Cancel

Sysinternals

Learn to use the Sysinternals tools to analyze Windows systems or applications.

THM Room https://tryhackme.com/room/btsysinternalssg

TASK 1 : Introduction

When did Microsoft acquire the Sysinternals tools?

Answer : 2006

I deployed the attached virtual machine and I’m ready to move on…

No Answer

TASK 2 : Install the Sysinternals Suite

What is the last tool listed within the Sysinternals Suite?

Answer : ZoomIt

TASK 3 : Using Sysinternals Live

What service needs to be enabled on the local host to interact with live.sysinternals.com?

Answer : webclient

TASK 4 : File and Disk Utilities

There is a txt file on the desktop named file.txt. Using one of the three discussed tools in this task, what is the text within the ADS?

1
2
3
4
5
6
7
8
9
10
C:\Users\Administrator\Desktop>streams file.txt -accepteula

streams v1.60 - Reveal NTFS alternate streams.
Copyright (C) 2005-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Users\Administrator\Desktop\file.txt:
         :ads.txt:$DATA 26

C:\Users\Administrator\Desktop>notepad .\file.txt:ads.txt

file.txt:ads.txt file.txt:ads.txt

Answer : I am hiding in the stream.

TASK 5 : Networking Utilities

Using WHOIS tools, what is the ISP/Organization for the remote address in the screenshots above?

Using whois or other online tools.

Answer : Microsoft Corporation

TASK 6 : Process Utilities

Run Autoruns and inspect what are the new entries in the Image Hijacks tab compared to the screenshots above.

No Answer

What entry was updated?

Autoruns Autoruns

Answer : taskmgr.exe

What is the updated value?

Answer : c:\tools\sysint\procexp.exe

TASK 7 : Security Utilities

You will check out the Sysmon room if you haven’t done so already…

No Answer

TASK 8 : System Information

Moving along…

No Answer

TASK 9 : Miscellaneous

Run the Strings tool on ZoomIt.exe. What is the full path to the .pdb file?

1
2
c:\Tools\sysint>strings .\ZoomIt.exe | findstr /i zoomit.pdb*
C:\agent\_work\112\s\Win32\Release\ZoomIt.pdb

Answer : C:\agent_work\112\s\Win32\Release\ZoomIt.pdb

TASK 10 : Conclusion

I will definitely look into Sysinternals more in-depth and add this to my arsenal…

No Answer

This post is licensed under CC BY 4.0 by the author.