Eviction (SOC Level 1, Cyber Defence Frameworks): TryHackMe Challenge Walkthrough
Site Link: https://tryhackme.com/r/room/eviction
Task 1
Understand the adversary
Sunny is a SOC analyst at E-corp, which manufactures rare earth metals for government and non-government clients. She receives a classified intelligence report that informs her that an APT group (APT28) might be trying to attack organizations similar to E-corp. To act on this intelligence, she must use the MITRE ATT&CK Navigator to identify the TTPs used by the APT group, to ensure it has not already intruded into the network, and to stop it if it has.
Please visit this link (https://static-labs.tryhackme.cloud/sites/eviction/) to check out the MITRE ATT&CK Navigator layer for the APT group and answer the questions below.
Answer the questions below
1. What is a technique used by the APT to both perform recon and gain initial access?
Expand the Navigator view to see the full technique names.
APT28 often uses Spearphishing Attachment to conduct recon and gain initial access simultaneously: it sends carefully crafted emails with malicious attachments to targeted employees and gains access when the target opens the attachment.
Answer: Spearphishing Link
2. Sunny identified that the APT might have moved forward from the recon phase. Which accounts might the APT compromise while developing resources?
Because the APT relies on spearphishing, the accounts it is most likely to compromise while developing resources are email accounts.
Answer: Email Account
3. E-corp has found that the APT might have gained initial access using social engineering to make the user execute code for the threat actor. Sunny wants to identify if the APT was also successful in execution. What two techniques of user execution should Sunny look out for? (Answer format: <technique 1> and <technique 2>)
Under the Execution tactic, the two User Execution sub-techniques Sunny should look out for are:
- Malicious File
- Malicious Link
Answer: Malicious File and Malicious Link
4. If the above technique was successful, which scripting interpreters should Sunny search for to identify successful execution? (Answer format: <technique 1> and <technique 2>)
Under Command and Scripting Interpreter, the two interpreters Sunny should search for to identify successful execution are:
- PowerShell
- Windows Command Shell
These interpreters are commonly abused by attackers for code execution once the initial compromise occurs.
Answer: PowerShell and Windows Command Shell
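The questions above are answered by reading tactic columns off the Navigator layer; the same reading can be done over the layer's JSON export. This is an added example, not part of the walkthrough or the room: it parses a constructed layer (real ATT&CK technique IDs, but which tactics they are scored under is an assumption), lists the used techniques under one tactic (the Q3/Q4 pattern) and finds technique names the group uses under more than one tactic (the Q1 pattern).

```python
import json
from collections import defaultdict

# Constructed sample in the ATT&CK Navigator layer export format (only the
# fields read below). The technique IDs are real ATT&CK IDs for techniques the
# walkthrough names; the tactic placement here is an assumption for the example.
SAMPLE_LAYER = json.dumps({"name": "APT28 (constructed sample)", "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1598.003", "tactic": "reconnaissance", "score": 1},
    {"techniqueID": "T1566.002", "tactic": "initial-access", "score": 1},
    {"techniqueID": "T1586.002", "tactic": "resource-development", "score": 1},
    {"techniqueID": "T1204.001", "tactic": "execution", "score": 1},
    {"techniqueID": "T1204.002", "tactic": "execution", "score": 1},
    {"techniqueID": "T1059.001", "tactic": "execution", "score": 1},
    {"techniqueID": "T1059.003", "tactic": "execution", "score": 1},
    {"techniqueID": "T1059.002", "tactic": "execution", "score": 0},
    {"techniqueID": "T1547.001", "tactic": "persistence", "score": 1},
    {"techniqueID": "T1547.001", "tactic": "privilege-escalation", "score": 1},
    {"techniqueID": "T1218.011", "tactic": "defense-evasion", "score": 1},
    {"techniqueID": "T1040", "tactic": "discovery", "score": 1},
    {"techniqueID": "T1040", "tactic": "credential-access", "score": 1},
    {"techniqueID": "T1021.002", "tactic": "lateral-movement", "score": 1}]})

# Sub-technique names as they appear in ATT&CK; the layer file carries only IDs,
# so a name lookup is needed to notice one name appearing under several tactics.
NAMES = {"T1598.003": "Spearphishing Link", "T1566.002": "Spearphishing Link",
         "T1586.002": "Email Accounts", "T1204.001": "Malicious Link",
         "T1204.002": "Malicious File", "T1059.001": "PowerShell",
         "T1059.003": "Windows Command Shell", "T1059.002": "AppleScript",
         "T1547.001": "Registry Run Keys / Startup Folder", "T1218.011": "Rundll32",
         "T1040": "Network Sniffing", "T1021.002": "SMB/Windows Admin Shares"}

def scored_entries(layer_json):
    """Yield (name, tactic) for each technique the layer marks as used (score > 0)."""
    for t in json.loads(layer_json)["techniques"]:
        if t.get("score", 0) > 0:
            yield NAMES.get(t["techniqueID"], t["techniqueID"]), t["tactic"]

def techniques_for_tactic(layer_json, tactic):
    """Names of used techniques in one tactic column, e.g. 'execution' for Q3/Q4."""
    return sorted(n for n, tac in scored_entries(layer_json) if tac == tactic)

def techniques_spanning_tactics(layer_json):
    """Technique names the group uses under two or more tactics (the Q1 pattern)."""
    tactics = defaultdict(set)
    for name, tac in scored_entries(layer_json):
        tactics[name].add(tac)
    return {n: sorted(t) for n, t in tactics.items() if len(t) > 1}
```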
5. While looking at the scripting interpreters identified in Q4, Sunny found some obfuscated scripts that changed the registry. Assuming these changes are for maintaining persistence, which registry keys should Sunny observe to track these changes? (Question hint: use the exact text from the ATT&CK Navigator.)
We are now at the Persistence stage.
The registry keys Sunny should observe to track these changes are the Registry Run Keys.
Answer: Registry Run Keys
6. Sunny identified that the APT executes system binaries to evade defences. Which system binary’s execution should Sunny scrutinize for proxy execution?
Sunny should scrutinize rundll32.exe. This system binary is commonly used by attackers to proxy the execution of other malicious code, helping them evade defences.
Answer: Rundll32
7. Sunny identified tcpdump on one of the compromised hosts. Assuming this was placed there by the threat actor, which technique might the APT be using here for discovery?
The presence of tcpdump on the host could indicate the use of Network Sniffing. This technique allows the attacker to capture network traffic and gather valuable information about the internal network.
Answer: Network Sniffing
8. It looks like the APT achieved lateral movement by exploiting remote services. Which remote services should Sunny observe to identify APT activity traces?
APT28 may exploit SMB/Windows Admin Shares to move laterally, so Sunny should observe those shares for traces of APT activity.
Answer: SMB/Windows Admin Shares
9. It looked like the primary goal of the APT was to steal intellectual property from E-corp’s information repositories. Which information repository can be the likely target of the APT?
Answer: Sharepoint
10. Although the APT had collected the data, it could not connect to the C2 for data exfiltration. To thwart any attempts to do that, what types of proxy might the APT use? (Answer format: <technique 1> and <technique 2>)
Answer: External Proxy and Multi-hop Proxy
11. Congratulations! You have helped Sunny successfully thwart the APT’s nefarious designs by stopping it from achieving its goal of stealing the IP of E-corp.