Jasper Alblas
TryHackMe: Cyber Kill Chain Walkthrough (SOC Level 1)
Today we will have a look at the Cyber Kill Chain room on TryHackMe. The Cyber Kill Chain framework is designed for identification and prevention of the network intrusions. We will learn what the adversaries need to do in order to achieve their goals. This room is part of the SOC Level 1 Path.
I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Room URL: https://tryhackme.com/r/room/cyberkillchainzmt
Table of Contents
Task 1: Introduction
This task introduces the room. The Cyber Kill Chain can help us understand and protect against ransomware attacks, security breaches as well as Advanced Persistent Threats (APTs). You can use the Cyber Kill Chain to assess your network and system security by identifying missing security controls and closing certain security gaps based on your company’s infrastructure.
The following attack phases will be covered:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command & Control
- Actions on Objectives
Questions
Nothing else to discuss here, so let’s move on!
Answer: No answer needed
Task 2: Reconnaissance
This task covers Reconnaissance. Reconnaissance is the first step in a cyberattack where attackers gather information about their target to plan the attack. This includes using OSINT (Open-Source Intelligence) to collect data like company size, email addresses, and phone numbers from public sources.
For example, email harvesting — collecting email addresses — can help attackers launch phishing attacks. Tools like theHarvester, Hunter.io, and the OSINT Framework are commonly used, alongside social media platforms like LinkedIn or Facebook, to gather valuable details about companies or individuals.
Questions
What is the name of the Intel Gathering Tool that is a web-based interface to the common tools and resources for open-source intelligence?
Of the three tools mentioned in the task that are used for intelligence gathering, OSINT Framework is the tool which is a collection of a ton of OSINT tools.
Answer: OSINT Framework
What is the definition for the email gathering process during the stage of reconnaissance?
We call this email gathering process email harvesting.
Answer: email harvesting
Task 3: Weaponization
That was it for reconnaissance. Let’s move on to the next phase: Weaponization. After enough information is gathered the attacker creates or acquires tools to deliver a malicious payload without directly engaging the victim.
Key terms:
- Malware: a program or software that is designed to damage, disrupt, or gain unauthorized access to a computer.
- Exploit: Code that uses system vulnerabilities.
- Payload: Malicious code executed on the target system.
Examples of Weaponization:
- Embedding malicious macros or VBA scripts into Microsoft Office documents.
- Using USB drives to spread infected payloads.
- Leveraging Command and Control (C2) techniques to execute commands or deliver further payloads remotely.
- Employing backdoors to bypass security and maintain system access.
Questions
This term is referred to as a group of commands that perform a specific task. You can think of them as subroutines or functions that contain the code that most users use to automate routine tasks. But malicious actors tend to use them for malicious purposes and include them in Microsoft Office documents. Can you provide the term for it?
Well, this is very specific to Microsoft Office documents, but if you have some basic experience with these tools, you probably know the answer: macro.
Answer: Macro
Task 4: Delivery
Delivery is all about deciding the method for transmitting the payload or the malware
Common methods include:
- Phishing Emails: Crafting fake emails to trick victims into opening malicious attachments or links.
- Infected USB Drives: Leaving malware-laden USBs in public areas or mailing them with a company logo to look legitimate, tricking employees into using them.
- Watering Hole Attacks: Compromising a website frequently visited by the target group, redirecting visitors to malicious sites. Victims unknowingly download malware through fake pop-ups or malicious browser extensions, known as drive-by downloads.
These strategies allow attackers to deliver their payloads discreetly, setting the stage for further exploitation.
Questions
What is the name of the attack when it is performed against a specific group of people, and the attacker seeks to infect the website that the mentioned group of people is constantly visiting.
As discussed earlier, the type of attack described is called a watering hole attack.
Answer: Watering hole attack
Task 5: Exploitation
To gain access to the system, an attacker needs to exploit the vulnerability. Once inside the system, the attacker can exploit vulnerabilities to escalate privileges or move laterally through the network to access more sensitive data. Lateral movement refers to techniques that allow the attacker to expand their control within the network.
A Zero-day Exploit may also be used at this stage. This is an unknown vulnerability that attackers can exploit before it is detected or patched. The attacker could target software, hardware, or even human vulnerabilities to continue the attack, such as using a zero-day exploit or exploiting server-based weaknesses.
Questions
Can you provide the name for a cyberattack targeting a software vulnerability that is unknown to the antivirus or software vendors?
Another easy one which we have just covered before. We will a vulnerability which has exist in a piece of software without it being know to the antivirus or software vendors a zero-day vulnerability.
Answer: Zero-day
Task 6: Installation
In the Persistence phase, after gaining access to a system, an attacker probably will install a persistent backdoor to maintain access even if the connection is lost, the system is patched, or the attacker is detected and removed. This ensures continued access in the future.
Persistence can be achieved through several techniques:
- Web Shells: Malicious scripts (e.g., ASP, PHP, JSP) placed on web servers to maintain access. These scripts can be hard to detect due to their file types and simplicity.
- Backdoors on Victim Machines: Tools like Meterpreter (from the Metasploit Framework) allow attackers to maintain an interactive shell and remotely execute malicious code.
- Modifying Windows Services: Attackers can create or alter services to run malicious scripts or payloads regularly. Tools like sc.exe and Reg are used to manipulate service configurations.
- Registry/Startup Folder Persistence: By adding the malicious payload to the Windows Registry or Startup Folder, the attacker ensures it runs each time the victim logs in.
To avoid detection, attackers may use the Timestomping technique, modifying the timestamps of files to make them appear legitimate and evade forensic analysis.
Questions
Can you provide the technique used to modify file time attributes to hide new or changes to existing files?
This technique is called Timestomping. This is used to evade forensic analysis.
Answer: Timestomping
Can you name the malicious script planted by an attacker on the webserver to maintain access to the compromised system and enables the webserver to be accessed remotely?
A web shell is a malicious script written in web development programming languages such as ASP, PHP, or JSP used by an attacker to maintain access to the compromised system.
Answer: Web shell
Task 7: Command & Control
In the C2 (Command and Control) phase, “Megatron” establishes a communication channel with the victim’s system to remotely control it. This process is known as C2 Beaconing, where the infected machine consistently communicates with the attacker’s C2 server, allowing full control of the compromised system.
Traditional C2 channels like IRC are now largely replaced due to their easy detection by security systems. More common modern C2 channels include:
- HTTP (port 80) and HTTPS (port 443): These protocols blend malicious traffic with legitimate traffic, helping the attacker evade firewalls.
- DNS (Domain Name System): The compromised machine sends frequent DNS requests to a DNS server controlled by the attacker, a method also known as DNS Tunneling.
Important to note that an adversary or another compromised host can be the owner of the C2 infrastructure.
Questions
What is the C2 communication where the victim makes regular DNS requests to a DNS server and domain which belong to an attacker.
The process where the victim makes regular DNS requests to a DNS server controlled by the attacker is called DNS Tunneling. The DNS server is used to control the compromised host.
Answer: DNS Tunneling
Task 8: Actions on Objectives (Exfiltration)
This phase allows the attacker to fulfill their objectives and ensure maximum disruption or data theft. Examples of this are:
- Collecting credentials from users to gain further access.
- Performing privilege escalation to gain elevated access, such as domain administrator privileges, often by exploiting misconfigurations.
- Internal reconnaissance to interact with internal software and find vulnerabilities.
- Lateral movement to expand control within the company’s network.
- Collecting and exfiltrating sensitive data, which could include intellectual property or personal information.
- Deleting backups and shadow copies (backup snapshots created by Microsoft technologies), which would hinder the company’s ability to recover.
- Overwriting or corrupting data to cause further damage or prevent recovery.
Questions
Can you provide a technology included in Microsoft Windows that can create backup copies or snapshots of files or volumes on the computer, even when they are in use?
Shadow copies are backup snapshots created in Microsoft Windows.
Answer: Shadow Copy
Task 9: Practice Analysis
The infamous Target cyber-attack, which led to one of the largest data breaches in history took place on November 27, 2013.
On December 19th, 2013, Target released a statement confirming the breach, stating that approximately 40 million credit and debit card accounts were impacted between Nov. 27 and Dec. 15, 2013. Target had to pay the fine of $18.5 million under the terms of the multistate settlement agreement. This is considered to be the largest data-breach settlement in history.
Deploy the static site attached to this task and apply your new skills.
The assignment is to add each item on the following list to the correct Kill Chain phase.
Exploit public-facing application (Exploitation Phase)
Exploiting a public-facing application is part of the Exploitation phase ( laptop icon). This does not require more explanation.
Data from local system (Exfiltration Phase)
Exfiltration of data from the local system is one of the possible goals of the attacker, and therefore part of the Exfiltration phase, represented by the target icon.
Powershell (Weaponization Phase)
This fits into the weaponization phase (the ladybug icon). I suppose it refers to malware that is delivered with a Powershell payload exploiting a vulnerability in the target system.
Dynamic linker hijacking (Installation Phase)
Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. This is a permanent backdoor installed to regain access to the compromised system. This is part of the installation phase, represented by the opened box icon.
Spearphishing attachment (Delivery Phase)
“Spear phishing” is a type of phishing campaign that targets a specific person or group and often will include information known to be of interest to the target, such as current events or financial documents. This is the method of delivery and therefore part of the delivery phase (the box icon).
Fallback channels (Command & Control Phase)
Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control. This is part of the Command & Control phase, represented by the megaphone icon.
Questions
What is the flag after you complete the static site?
To summarize, the correct answers are as follows:
The flag get shown as soon as you submit the answers.
Answer: THM{7HR347_1N73L_12_4w35om3}
Task 10: Conclusion
The Cyber Kill Chain is a valuable tool for improving network defense, but it is not perfect and should not be the only tool relied upon. Here’s why:
- Outdated Framework: The traditional Cyber Kill Chain, developed by Lockheed Martin in 2011, hasn’t seen significant updates. As a result, it can create security gaps, as the threats and tactics used by adversaries have evolved substantially.
- Limited Scope: The traditional Kill Chain was primarily designed to secure the network perimeter and defend against malware threats. However, modern cybersecurity threats have become more complex, with adversaries often combining multiple TTPs (tactics, techniques, and procedures) to achieve their objectives. This makes the original framework less effective against evolving threats.
- Adversaries Evolving: Attackers can bypass traditional defenses by modifying file hashes or IP addresses, rendering some traditional threat detection systems ineffective. To counter this, AI and new algorithms are being developed to detect even the slightest suspicious changes.
- Insider Threats: The traditional Cyber Kill Chain is not well-equipped to handle Insider Threats, which can be difficult to detect as they involve individuals who already have authorized access to an organization’s systems. According to the CISA, insider threats involve using authorized access to harm the organization, and this doesn’t fit into the traditional Kill Chain model.
To create a more robust defense strategy, it is advisable to integrate the traditional Cyber Kill Chain with other models, such as:
- MITRE ATT&CK, which provides a comprehensive mapping of adversary behavior and tactics across all stages of an attack.
- The Unified Kill Chain, which expands upon the traditional framework and is better suited to deal with modern threats, including insider threats.
By combining multiple frameworks, organizations can ensure a more holistic and adaptive approach to cybersecurity.
Questions
Read the above.
Answer: No answer needed
Congratulations on completing Cyber Kill Chain!!!
We are done. Great job!
This was another great room to learn about some of the methodology related to the work of a SOC Analyst. Great job on following along. Happy hacking!
Find more of my walkthroughs here.
Like my articles?
You are welcome to share my article with a friend or two 🙂
I would be even more grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:
