Summit — SOC Level 1 -Cyber Defence Frameworks — TryHackMe Challenge Walkthrough

IritT
13 min read · Sep 26, 2024


Can you chase a simulated adversary up the Pyramid of Pain until they finally back down?

Site Link: https://tryhackme.com/r/room/summit

Task 1 Challenge

Objective

After participating in one too many incident response activities, PicoSecure has decided to conduct a threat simulation and detection engineering engagement to bolster its malware detection capabilities. You have been assigned to work with an external penetration tester in an iterative purple-team scenario. The tester will be attempting to execute malware samples on a simulated internal user workstation. At the same time, you will need to configure PicoSecure’s security tools to detect and prevent the malware from executing.

Following the Pyramid of Pain’s ascending priority of indicators, your objective is to increase the simulated adversaries’ cost of operations and chase them away for good. Each level of the pyramid allows you to detect and prevent various indicators of attack.

Room Prerequisites

Completing the preceding rooms in the Cyber Defence Frameworks module will be beneficial before venturing into this challenge. Specifically, the following:

Connection Details

Please click Start Machine to deploy the application, and navigate to https://LAB_WEB_URL.p.thmlabs.com once the URL has been populated.

Note: It may take a few minutes to deploy the machine entirely. If you receive a “Bad Gateway” response, wait a few minutes and refresh the page.

The interface has the following tabs: Mail, Malware Sandbox, Manage Hashes, Firewall Manager, DNS Filter Manager, and Sigma Rule Builder. Each task is solved with exactly one of these tabs.

1. Mail: Serves as a communication tool within the security environment, used to send alerts or reports to administrators or other stakeholders.

2. Malware Sandbox: A sandbox environment where malware can be analyzed safely without risking the actual system. This feature is used to observe malware behavior in a controlled setting.

3. Manage Hashes: This option is used to manage cryptographic hashes, which could involve verifying file integrity, comparing hash values, or storing known hashes of clean files for future reference.

4. Firewall Manager: A tool to configure and manage firewall rules that control the network traffic flow, ensuring that only authorized traffic is allowed while blocking potentially harmful traffic.

5. DNS Filter: A DNS filtering service that blocks access to harmful or unwanted websites based on their domain names. This is used to prevent users from accessing malicious or non-productive sites.

6. Sigma Rule Builder: Sigma is a generic and open signature format for SIEM (Security Information and Event Management) systems. This tool allows users to create or manage Sigma rules, which are used for detecting specific patterns of behavior or indicators of compromise in logs and alerts.

7. Revert Room: This option allows users to reset the security environment or a specific “room” (a virtualized environment, segment, or scenario) back to its original state, undoing any changes or damage that may have occurred.

First, click on sample1.exe

Submit it for Analysis to get the report

After getting the report, review the information

The file sample1.exe appears to be potentially malicious, given its detection of Metasploit-related behavior, suspicious network connections, and activities that involve reading sensitive information from the system. These actions suggest that the file could be part of a targeted attack or penetration testing scenario, potentially intended to exploit vulnerabilities or gather system information.

Copy the MD5 cbda8ae000aa9cbe7c8b982bae006c2a

Go to Manage Hashes

Select the MD5 hash algorithm, paste the MD5 hash into the Hash Value field, add it to the Blocklist and Submit

We can see that the hash was added to the blocklist.

Check your inbox for the next steps

We can see the first flag

Answer the questions below

  1. What is the first flag you receive after successfully detecting sample1.exe?

Answer: THM{f3cbf08151a11a6a331db9c6cf5f4fe4}

Next Step: Sample2.exe is now available; click on it

Submit Sample2.exe for Analysis

Scroll down to see the full report

HTTP(S) Requests:

Request 1: The file made a single HTTP GET request to 154.38.10.113:4444, which points to a suspicious URL http://154.38.10.113:8444/sAH7t2. The PID associated with this request is 1927.

Copy the IP address 154.35.10.113 and go to the Firewall Manager

Click Create Firewall Rule.

Type: This dropdown menu allows the user to select between “Ingress” and “Egress” traffic.

  • Ingress: Refers to incoming network traffic, i.e., traffic that enters the network.
  • Egress: Refers to outgoing network traffic, i.e., traffic that exits the network.

Source IP: This field allows the user to specify the IP address from which the traffic originates. If left blank or set to “Any,” it applies to all incoming or outgoing traffic.

Destination IP: This field allows the user to specify the IP address to which the traffic is destined. Again, if set to “Any,” it applies to all traffic.

Action: This dropdown allows the user to specify whether to “Allow” or “Deny” the traffic that matches the rule.

  • Type: Egress (outbound traffic)
  • Source IP: Any (no restrictions on the source)
  • Destination IP: suspicious IP
  • Action: Deny (block the traffic)

After configuring the rule, click on Save Rule

The firewall rule prevented sample2.exe from connecting to the tester’s command-and-control server.

Check your inbox for the next steps

We can see the second flag

2. What is the second flag you receive after successfully detecting sample2.exe?

Answer: THM{2ff48a3421a938b388418be273f4806d}

Next Step: Sample3.exe is now available; click on it

Submit for Analysis

Scroll down to see the full report

HTTP(S) Requests:

  • 2 Requests: The file made two HTTP GET requests:
  • To IP address 62.13.98.137 for the URL msntayf.bernosana.info/Backdoor.exe.
  • To IP address 62.13.98.140 for the URL msntayf.bernosana.info/installer.exe.

Connections:

  • 4 TCP/UDP Connections:
  • Connections to IP addresses 62.13.98.137 and 62.13.98.140, associated with the domain msntayf.bernosana.info.
  • A connection to IP address 40.97.134.6, associated with Microsoft.

DNS Requests:

  • DNS requests to two domains:
  • services.microsoft.com
  • msntayf.bernosana.info

We’re going to use the DNS Filter

Create DNS Rule

In the DNS Rule Manager:

Rule Name: This field allows the user to assign a name to the DNS rule, making it easier to identify.

Category: A dropdown menu that lets the user categorize the rule.

Domain Name: The specific domain that the rule applies to.

Action: This dropdown allows the user to specify whether to “Allow” or “Deny” access to the domain.

Enter:

Rule Name: backdoor.exe

Category: Malware, to indicate that the rule is related to blocking domains associated with malicious activity.

Domain Name: emudyn.bresonicz.info

Action: Deny so any attempt to access this domain will be blocked.

After configuring the rule, click on Save Rule

The DNS filter rule prevented sample3.exe from connecting to the tester’s command-and-control server.

Check your inbox for the next steps

We can see the second flag

3. What is the third flag you receive after successfully detecting sample3.exe?

Answer: THM{4eca9e2f61a19ecd5df34c788e7dce16}

Next Step: Sample4.exe is now available; click on it

Submit for Analysis

Scroll down to see the full report

We see http://cranes0ft.iniware.xyz/backdoor.exe again, and the report details the processes that made changes to the Windows Registry, specifying the exact keys modified, the operation performed (write or read), and the values involved.

The firewall and DNS filters cannot stop this one anymore, so we will create a Sigma rule: go to Sigma Rule Builder

Create Sigma Rule

Sigma is a generic and open detection rule format for writing and sharing rules for log events.

Choose Sysmon Event Logs

Scroll down to Registry Modifications

We need to fill in the Registry Modifications fields (the specific conditions that trigger an alert when a matching registry modification is detected).

· Registry Key is the location in the Windows registry where settings are stored.

· Registry Name is a specific setting within that key.

· Value is the data that defines the setting’s behavior.

· ATT&CK ID is a reference to a specific technique in the MITRE ATT&CK framework that describes how attackers might use or manipulate these settings for malicious purposes.

We will enter the following values. Copy the first Registry Key from the report and enter it in the Registry Key field:

· Registry Key: HKLM\Software\Microsoft\Windows Defender\Real-Time Protection

HKLM stands for HKEY_LOCAL_MACHINE, which is a root key in the registry.

The rest of the path (Software\Microsoft\Windows Defender\Real-Time Protection) leads to the specific location where settings related to Windows Defender’s real-time protection are stored.

· Registry Name: DisableRealtimeMonitoring

· Value: 1

· ATT&CK ID: T1089 — Defense Evasion

T1089 is the ID for the technique called “Disabling Security Tools”, which falls under the broader category of Defense Evasion. This technique involves disabling or interfering with security tools like antivirus programs to avoid detection.

After configuring the rule, you need to Validate the Rule

The Rule was Validated

Check your inbox for the next steps

We can see the fourth flag

4. What is the fourth flag you receive after successfully detecting sample4.exe?

Answer: THM{c956f455fc076aea829799c0876ee399}

Next Step: For the fifth flag we see Outgoing_connection.log

Click on it

The network traffic log (outgoing_connections.log) shows outgoing connections from a local IP address 10.10.15.12 to various destination IP addresses on the internet. Key details include:

  1. Timestamp: Each entry logs the date and time of the outgoing connection.
  2. Source IP: All connections originate from the local IP address 10.10.15.12.
  3. Destination IP: Connections are made to various destination IPs on the internet.
  4. Port: The connections use port 443, indicating HTTPS protocol for secure communication.
  5. Traffic Size: The size of the data transferred during each connection is recorded, varying from small to large amounts.

Interpretation:

  • Consistent Source IP: All traffic originates from the same internal device or server.
  • Connections to Different IPs: The connections are directed to different IP addresses, some repeating multiple times, which may require further investigation to determine if they are legitimate or malicious.
  • Use of Port 443: All traffic over HTTPS (port 443) suggests encrypted communication, which could conceal potentially suspicious activity.
  • Varied Traffic Size: The variation in data size suggests different types of requests or possible file transfers.

Given this log, further investigation of the destination IPs is recommended to ensure there is no suspicious or malicious activity, along with a review of the local system generating these connections.

We will create one more Sigma rule, so go to Sigma Rule Builder

Create Sigma Rule

Sigma is a generic signature format for writing rules to detect suspicious activity in logs. It provides a standardized way to describe how to identify attack patterns in logs across various SIEM (Security Information and Event Management) systems.

Choose Application Logs

Scroll down to Network Connection

The configuration interface for setting up a network monitoring rule has the following fields:

· Remote IP: This field allows you to specify a specific IP address (e.g., 43.104.93.23) or use a wildcard like Any to apply the rule to any remote IP.

· Remote Port: This field is for specifying the port number (e.g., 443 for HTTPS) or using Any to monitor connections on any port.

· Size (bytes): Here, you can set the size threshold in bytes for the network connections you want to monitor (e.g., 2341 bytes). This helps in filtering connections based on the amount of data transferred.

· Frequency (seconds): This field allows you to specify the frequency with which the rule should be checked or applied (e.g., 300s for every 5 minutes).

· ATT&CK ID: This dropdown is likely for associating the rule with a specific MITRE ATT&CK technique ID, which helps in mapping the detection to a known adversary technique.
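As an added example (code written for this walkthrough, not part of the room or its Sigma Rule Builder), here is the detection logic the Remote IP, Remote Port, Size and Frequency fields express, run over a constructed excerpt in the layout of outgoing_connections.log. The IP 43.104.93.23, port 443, 2341 bytes and the 300 s cadence are the values quoted above; the column layout, the timestamps and the tolerance are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout the room's outgoing_connections.log describes
# (date, time, source IP, destination IP, port, bytes). Not the room's real log.
SAMPLE_LOG = """\
2024-09-26 10:00:00 10.10.15.12 43.104.93.23 443 2341
2024-09-26 10:01:12 10.10.15.12 40.97.134.6 443 18204
2024-09-26 10:05:00 10.10.15.12 43.104.93.23 443 2341
2024-09-26 10:07:45 10.10.15.12 40.97.134.6 443 911
2024-09-26 10:10:00 10.10.15.12 43.104.93.23 443 2341
2024-09-26 10:15:00 10.10.15.12 43.104.93.23 443 2341
"""


def parse_log(text):
    """Turn each non-empty line into a dict with a real timestamp and int port/size."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, port, size = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "port": int(port), "size": int(size),
        })
    return events


def find_beacons(events, remote_port=443, size=2341, frequency=300,
                 tolerance=5, min_hits=3):
    """Destinations contacted >= min_hits times on remote_port with exactly `size`
    bytes where every gap between hits is `frequency` seconds (+/- tolerance).
    Constant size plus a fixed interval is what the Size and Frequency fields
    encode; ordinary HTTPS traffic (see 40.97.134.6 above) varies in both."""
    by_dst = defaultdict(list)
    for e in events:
        if e["port"] == remote_port and e["size"] == size:
            by_dst[e["dst"]].append(e["ts"])
    beacons = []
    for dst, times in by_dst.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(abs(g - frequency) <= tolerance for g in gaps):
            beacons.append(dst)
    return sorted(beacons)


if __name__ == "__main__":
    for ip in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon candidate: {ip} (port 443, fixed size, 300 s cadence)")
```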

After configuring the rule, we need to Validate the Rule

The Rule was Validated

Check your inbox for the next steps

We can see the fifth flag

5. What is the fifth flag you receive after successfully detecting sample5.exe?

Answer: THM{46b21c4410e47dc5729ceadef0fc722e}

Next Step: We can see attached commands.log is available, click on it

Commands in the attached log:

  • dir commands across multiple directories (C:, Documents and Settings, Program Files, D:) to collect file information.
  • Localgroup administrator to collect group membership.
  • Systeminfo, ipconfig /all, and netstat -ano to gather system, network configuration, and network connection information.
  • Net start to check for running services.

Copy systeminfo

We will create one more Sigma rule, so go to Sigma Rule Builder

Create Sigma Rule

Step 1: Choose Sysmon Event Logs

Step 2: Scroll down to File Creation and Modification

Step 3: Configure the File Creation and Modification rule with the values below, then Validate the Rule:

  • File Path: %temp%
  • This points to the Windows temporary directory, where temporary files are often stored.
  • File Name: exfiltr8.log
  • This is the specific file name you are monitoring for creation or modification. In your earlier example, this is the same file name used by the attacker to log exfiltrated data. Monitoring this file can help detect exfiltration activities.
  • ATT&CK ID: Exfiltration (TA0010)
  • This is mapped to the MITRE ATT&CK framework under the Exfiltration tactic (TA0010), which refers to adversaries attempting to steal data from a compromised environment.
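The registry rule built for sample4.exe and the file-creation rule above are both a selection of Sysmon event fields that must all match. As an added example (code written for this walkthrough, not the room's Sigma YAML or its builder), this small Python matcher applies both rules to constructed Sysmon events. The dict layout, the Sysmon event ids (13 = registry value set, 11 = file created), the "DWORD (0x00000001)" rendering and the expansion of %temp% to AppData\Local\Temp are assumptions.

```python
# Two detections modelled on the room's Sigma Rule Builder entries. The rule shape
# is an illustrative Python dict, not Sigma's YAML; the Sysmon events further down
# are constructed samples (EventID 13 = registry value set, EventID 11 = file created).
RULES = [
    {"title": "Windows Defender real-time monitoring disabled", "attack_id": "T1089",
     "event_id": 13,
     "match": {"TargetObject|endswith": "\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
               "Details": "DWORD (0x00000001)"}},  # how Sysmon renders REG_DWORD 1
    {"title": "Exfiltration staging file written to %temp%", "attack_id": "TA0010",
     "event_id": 11,  # %temp% assumed to expand to ...\AppData\Local\Temp
     "match": {"TargetFilename|contains": "\\AppData\\Local\\Temp\\",
               "TargetFilename|endswith": "\\exfiltr8.log"}},
]

def field_matches(value, modifier, pattern):
    """Case-insensitive comparison using Sigma-style modifiers (endswith/contains/equals)."""
    value, pattern = value.lower(), pattern.lower()
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "contains":
        return pattern in value
    return value == pattern

def rule_matches(rule, event):
    """Every field in rule['match'] must match (Sigma 'selection' semantics, AND)."""
    if event.get("EventID") != rule["event_id"]:
        return False
    for key, pattern in rule["match"].items():
        field, _, modifier = key.partition("|")
        if not field_matches(str(event.get(field, "")), modifier, pattern):
            return False
    return True

def evaluate(events, rules=RULES):
    """Return the ATT&CK id of every rule each event triggers, in event order."""
    return [r["attack_id"] for e in events for r in rules if rule_matches(r, e)]

DEFENDER_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\"
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": DEFENDER_KEY + "DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},   # sample4.exe behaviour: should fire
    {"EventID": 13, "TargetObject": DEFENDER_KEY + "DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},   # protection re-enabled: must not fire
    {"EventID": 11, "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Temp\\exfiltr8.log"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\user\\Documents\\notes.txt"},
]
```

Running evaluate(SAMPLE_EVENTS) yields one hit per rule, and a value of 0 or a file outside %temp% produces nothing, which is the same all-fields-must-match behaviour the builder validates.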

Navigate to Mail inbox

We can see the sixth and final flag

6. What is the final flag you receive from Sphinx?

Answer: THM{c8951b2ad24bbcbac60c16cf2c83d92c}


Written by IritT

In the world of cybersecurity, the strongest defense is knowledge. Hack the mind, secure the future.
