Sysinternals Tryhackme Writeup
By Shamsher Khan. This is a writeup of the TryHackMe room “Sysinternals”.
Room link: https://tryhackme.com/room/btsysinternalssg
Note: This room is for Premium Members only, i.e. those who purchased a THM premium membership.
Here I am using the TryHackMe AttackBox.
Task 1. Introduction
What are the tools known as Sysinternals?
The Sysinternals tools are a compilation of over 70 Windows-based tools. Each tool falls into one of the following categories:
- File and Disk Utilities
- Networking Utilities
- Process Utilities
- Security Utilities
- System Information
- Miscellaneous
The Sysinternals tools and their website (sysinternals.com) were created by Mark Russinovich in the late ’90s, along with Bryce Cogswell, under the company Winternals Software.
In 2005, Microsoft acquired Winternals Software, and Mark Russinovich joined Microsoft. Today he is the CTO of Microsoft Azure.
Question 1. When did Microsoft acquire the Sysinternals tools?
Answer: 2005
Task 2. Install the Sysinternals Suite
Time to get our hands dirty with Sysinternals.
The Sysinternals tool(s) can be downloaded and run from the local system, or they can be run directly from the web.
Regarding local install/run, you can download the entire suite or just the tool(s) you need.
If you wish to download a tool or two but not the entire suite, you can navigate to the Sysinternals Utilities Index page, https://docs.microsoft.com/en-us/sysinternals/downloads/, and download the tool(s). If you already know which tool you want, this is fine. The tools are listed in alphabetical order and are not separated by category.
Alternatively, you can use the category links to find and download the tool(s). Since there are so many tools, this route is better: you can focus on the tools of interest instead of scanning the entire index.
For example, let’s say you need tools to inspect Windows processes; then, you can navigate to the Process Utilities page, https://docs.microsoft.com/en-us/sysinternals/downloads/process-utilities/, for all the tools that fall under this category.
Notice that you are conveniently supplied with a brief explanation for each tool.
Lastly, you can do the same from the Sysinternals Live URL, https://live.sysinternals.com/. This is the same URL to use if you wish to run the tool from the web. We will look at how to accomplish this in the next section.
If you choose to download from this page, it is similar to the Sysinternals Utilities Index page: the tools are listed in alphabetical order and are not separated by category.
If you wish to download the Sysinternals Suite, you can download the zip file from here.
The suite contains a select number of Sysinternals tools. See below for a rundown of the tools included in the suite.
After you download the zip file, you need to extract the files. Once the files are extracted, an optional extra step is to add the folder path to the PATH environment variable. By doing so, you can launch the tools from the command line without navigating to the directory the tools reside in.
Environment Variables can be edited from System Properties.
System Properties can be launched from the command line by running sysdm.cpl. Click on the Advanced tab.
Select Path under System Variables, select Edit…, then OK.
In the next screen select New and enter the folder path where the Sysinternals Suite was extracted. Press OK to confirm the changes.
Open a new command prompt (elevated) to confirm that the Sysinternals Suite can be executed from any location.
A local copy of the Sysinternals Suite is located in C:\Tools\Sysint.
Alternatively, a PowerShell module can download and install all of the Sysinternals tools.
- PowerShell command: Download-SysInternalsTools C:\Tools\Sysint
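The same PATH change done from an elevated PowerShell prompt, with a check that a tool now resolves from any directory. This is an added example, not code from the room; it assumes the suite was extracted to C:\Tools\Sysint as on the attached VM.

```powershell
# Added example (not part of the original writeup): append the extracted
# Sysinternals folder to the machine-wide PATH and verify it took effect.
# Assumes the suite lives in C:\Tools\Sysint. Run from an elevated prompt.
$SysintPath = 'C:\Tools\Sysint'

if (-not (Test-Path -Path $SysintPath -PathType Container)) {
    throw "Folder not found: $SysintPath"
}

# Read the persistent (registry-backed) machine PATH, not just this session's copy
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$entries = $machinePath -split ';' | Where-Object { $_ -ne '' }

if ($entries -contains $SysintPath) {
    Write-Host "$SysintPath is already on the machine PATH"
} else {
    $newPath = ($entries + $SysintPath) -join ';'
    [Environment]::SetEnvironmentVariable('Path', $newPath, 'Machine')
    Write-Host "Added $SysintPath to the machine PATH"
}

# Existing consoles keep their old copy of PATH; refresh this session so the
# check below works without opening a new window.
$env:Path = [Environment]::GetEnvironmentVariable('Path', 'Machine') + ';' +
            [Environment]::GetEnvironmentVariable('Path', 'User')

# Confirm a tool resolves without a full path, as the writeup expects
$resolved = Get-Command -Name 'procexp.exe' -ErrorAction SilentlyContinue
if ($resolved) {
    Write-Host "procexp.exe resolves to $($resolved.Source)"
} else {
    Write-Warning 'procexp.exe not found on PATH; check the folder contents'
}
```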
Now let’s look at how to run the Sysinternals tools from the web.
Question 2. What is the last tool listed within the Sysinternals Suite?
Answer: zoomIt
Task 3. Using Sysinternals Live
Per the Sysinternals website, “Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals Live path into Windows Explorer or a command prompt as live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>.”
Let’s take a look at how we can do this.
Based on the instructions, to launch Process Monitor from the web the syntax is \\live.sysinternals.com\tools\procmon.exe.
And it fails.
To resolve this issue, the WebDAV client must be installed and running on the machine. The WebDAV protocol is what allows a local machine to access a remote machine hosting a WebDAV share and perform actions on it.
On a Windows 10 client, the WebDAV client is installed, but it is most likely not running. If you try to run a Sysinternals tool in this state, it fails with the message “The network path was not found.”
The service needs to be started before attempting to call any Sysinternals tool in this fashion.
Verify it’s running before proceeding.
Network Discovery needs to be enabled as well. This setting can be enabled in the Network and Sharing Center.
There are a few ways to open the Network and Sharing Center. Here is a neat command line to launch it.
Click on Change advanced sharing settings and select Turn on network discovery for your current network profile.
The attached VM is a Windows Server 2019 edition. The WebDAV client is not installed by default.
The feature to install on Windows Server is WebDAV Redirector. This feature can be installed via Server Manager or using PowerShell.
To install with PowerShell, run Install-WindowsFeature WebDAV-Redirector -Restart. The server needs to reboot for the installation to complete.
After the reboot, the installation can be verified with the following PowerShell command: Get-WindowsFeature WebDAV-Redirector | Format-Table -AutoSize.
The same process as with a Windows 10 client applies from this point:
- Make sure the WebClient service is running
- Make sure Network Discovery is enabled
Now with all the necessary components installed and enabled the local machine is ready to run Sysinternals tools from the web.
There are two ways the tools can be run:
- Run the tool from the command line (as shown above from the Windows 10 machine)
- Create a network drive and run the tool from the mapped drive
Method 1 — Run tool from command line
Method 2 — Run tool from a mapped drive
Note: The asterisk auto-assigns a drive letter. It can be replaced with an actual drive letter instead.
The website is now browsable within the local machine.
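The prerequisite checks from this task collected into one script, followed by both ways of running a tool from live.sysinternals.com. This is an added example, not part of the room; it assumes the Windows Server 2019 VM with the WebDAV Redirector already installed, and uses PsInfo as the sample tool.

```powershell
# Added example (not part of the original writeup): verify the pieces needed to
# run tools from live.sysinternals.com, then map the share and run one tool.
# Assumes an elevated PowerShell prompt on the Windows Server 2019 VM.

# 1. On Windows Server the WebDAV Redirector feature must be installed
#    (the writeup covers the install; the box needs a reboot afterwards).
$feature = Get-WindowsFeature -Name WebDAV-Redirector
if (-not $feature.Installed) {
    throw 'WebDAV-Redirector is not installed; run Install-WindowsFeature WebDAV-Redirector -Restart first'
}

# 2. The WebClient service does the WebDAV talking and is usually stopped.
if ((Get-Service -Name WebClient).Status -ne 'Running') {
    Start-Service -Name WebClient
}
Write-Host "WebClient is $((Get-Service -Name WebClient).Status)"

# 3. Network Discovery is a firewall rule group; report its state rather than
#    silently changing it.
$discovery = Get-NetFirewallRule -DisplayGroup 'Network Discovery' |
             Where-Object { $_.Enabled -eq 'True' }
if (-not $discovery) {
    Write-Warning 'Network Discovery rules are disabled; enable them in Network and Sharing Center'
}

# 4. Method 2: map the live share to an auto-assigned drive letter. The asterisk
#    lets net use pick a free letter; replace it with e.g. S: to fix one.
net use * \\live.sysinternals.com\tools

# 5. Method 1: run a tool straight from the UNC path. -accepteula skips the
#    licence dialog every Sysinternals tool shows on first run.
& \\live.sysinternals.com\tools\PsInfo.exe -accepteula
```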
Now that we have that out of the way, it’s time to start exploring some of these tools.
Question 3. What service needs to be enabled on the local host to interact with live.sysinternals.com?
Answer: webclient
Task 4. File and Disk Utilities
Streams
“The NTFS file system provides applications the ability to create alternate data streams of information. By default, all data is stored in a file’s main unnamed data stream, but by using the syntax ‘file:stream’, you are able to read and write to alternates.” (official definition)
Alternate Data Streams (ADS) are a file attribute specific to Windows NTFS (New Technology File System). Every file has at least one data stream ($DATA), and ADS allows files to contain more than one stream of data. Natively, Windows Explorer doesn’t display ADS to the user. There are 3rd-party executables that can be used to view this data, but PowerShell also gives you the ability to view the ADS of a file.
Malware writers have used ADS to hide data on an endpoint, but not all its uses are malicious. When you download a file from the Internet onto an endpoint, identifiers are written to an ADS to record that it was downloaded from the Internet.
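Viewing ADS with PowerShell, as the text says is possible, plus a sweep over a directory that separates the benign download marker from anything else. This is an added example and not code from the room; the function names are mine and the desktop path is an assumption matching the room’s file.txt.

```powershell
# Added example (not part of the original writeup): enumerate alternate data
# streams with PowerShell, the way a defender would when hunting hidden content.
# Function names and the desktop path are illustrative assumptions.
function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)

    # Get-Item -Stream * lists every stream on the file. ':$DATA' is the normal
    # main stream; anything else is an ADS. Zone.Identifier is the benign
    # "downloaded from the Internet" marker the text refers to.
    Get-Item -Path $Path -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $content = Get-Content -Path $Path -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
            $preview = ''
            if ($content) {
                $flat = $content -replace '\s+', ' '
                $preview = $flat.Substring(0, [Math]::Min(60, $flat.Length))
            }
            [pscustomobject]@{
                File    = $Path
                Stream  = $_.Stream
                Length  = $_.Length
                Benign  = ($_.Stream -eq 'Zone.Identifier')
                Preview = $preview
            }
        }
}

# Walk a directory tree and report every file carrying a non-default stream
function Find-FilesWithAds {
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -Path $Directory -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AlternateStreams -Path $_.FullName }
}

# Single file, e.g. the room's file.txt on the desktop
Get-AlternateStreams -Path "$env:USERPROFILE\Desktop\file.txt" | Format-Table -AutoSize

# Sweep the desktop and show only streams that are not the Zone.Identifier marker
Find-FilesWithAds -Directory "$env:USERPROFILE\Desktop" |
    Where-Object { -not $_.Benign } |
    Format-Table -AutoSize

# Sysinternals equivalent: streams.exe -s <dir> lists recursively; -d deletes the
# streams, so capture before cleaning during an investigation.
```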
Question 3. There is a txt file on the desktop named file.txt. What is the text within the ADS?
Answer: i am hidding in the stream.
Question 4. Using WHOIS tools, what is the ISP/Organization for the remote address in the screenshots below?
ip=52.154.170.73
Answer: Microsoft Corporation
Task 6. Process Utilities
Run Autoruns and inspect the new entries in the Image Hijacks tab compared to the screenshots above.
Question 1. What entry was updated?
Answer: taskmgr.exe
Question 2. What is the updated value?
Right-click taskmgr.exe and select Jump to Entry, then right-click the Debugger value and select Modify to see it.
Answer: C:\TOOLS\SYSINT\PROCEXP.EXE
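What the Image Hijacks tab is reading, reproduced as a read-only PowerShell check so the same finding can be confirmed without Autoruns. This is an added example, not part of the room; the function name is mine, and the “known benign” rule encodes only the Process Explorer Replace Task Manager case that produced the answer above.

```powershell
# Added example (not part of the original writeup): list Image File Execution
# Options "Debugger" values, which is what Autoruns shows under Image Hijacks.
# A Debugger value makes Windows launch that program in place of the named
# executable; Process Explorer's "Replace Task Manager" option sets one for
# taskmgr.exe, which is the change seen in the room. Anything else here
# deserves a second look. Read-only; needs read access to HKLM.
function Get-IfeoDebuggers {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    Get-ChildItem -Path $ifeo -ErrorAction Stop | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            # First token of the value is the program that will actually run
            $exe = ($debugger -split '\s+')[0].Trim('"')
            [pscustomobject]@{
                HijackedImage  = $_.PSChildName        # e.g. taskmgr.exe
                Debugger       = $debugger             # e.g. C:\TOOLS\SYSINT\PROCEXP.EXE
                DebuggerExists = Test-Path -Path $exe -PathType Leaf
                # Process Explorer replacing Task Manager is the expected benign case
                KnownBenign    = ($_.PSChildName -ieq 'taskmgr.exe' -and $exe -ilike '*\procexp*.exe')
            }
        }
    }
}

Get-IfeoDebuggers | Format-Table -AutoSize

# Flag anything that is not the Process Explorer swap, or whose target no longer exists
Get-IfeoDebuggers | Where-Object { -not $_.KnownBenign -or -not $_.DebuggerExists }
```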
Question 1. Run the Strings tool on ZoomIt.exe. What is the full path to the .pdb file?
Answer: C:\agent\_work\112\s\Win32\Release\ZoomIt.pdb
When you read the Sysinternals documentation, it might suggest these tools are for troubleshooting purposes only, but that is not entirely the case.
You should know or be familiar with the Sysinternals tools whether you’re a Desktop Engineer, Systems Analyst, or Security Engineer.
Real-world scenario: As a security engineer, I had to work with vendors to troubleshoot why an agent wasn’t responding on an endpoint — the tools used were ProcExp, ProcMon, and ProcDump.
- ProcExp = to inspect the agent process, its properties, and associated threads and handles.
- ProcMon = to investigate if there were any indicators on why the agent was not operating as it should.
- ProcDump = to create a dump of the agent process to send to the vendor for further analysis.
And guess what? Asking questions about Sysinternals became part of the interview questions when hiring additional staff.
Remember, red teamers and adversaries even use these tools.
Below are some additional links to further your knowledge on how to use these tools as a Security Analyst, Security Engineer, or even an Incident Responder:
- Mark’s Blog — https://docs.microsoft.com/en-us/archive/blogs/markrussinovich/
- Windows Blog Archive — https://techcommunity.microsoft.com/t5/windows-blog-archive/bg-p/Windows-Blog-Archive/label-name/Mark%20Russinovich
- License to Kill: Malware Hunting with Sysinternals Tools — https://www.youtube.com/watch?v=A_TPZxuTzBU
- Malware Hunting with Mark Russinovich and the Sysinternals Tools — https://www.youtube.com/watch?v=vW8eAqZyWeo
You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher
For more walkthroughs stay tuned…
Before you go…
Visit my other walkthroughs:-
And thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share it to help others with similar interests! Feedback is always welcome!