TryHackMe: Eviction Walkthrough (SOC Level 1)

December 29, 2024 Jasper
Welcome to this walkthrough of the Eviction Room on TryHackMe.

In this room we unearth the monster from under your bed. This is a room to test the knowledge gained during the Cyber Defense Frameworks module.

This room is part of the SOC Level 1 Path.

TryHackMe Eviction Room

Room URL: https://tryhackme.com/r/room/eviction

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.

Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on!


Task 1: Understand the adversary

Sunny is a SOC analyst at E-corp, which manufactures rare earth metals for government and non-government clients. She receives a classified intelligence report that informs her that an APT group (APT28) might be trying to attack organizations similar to E-corp. To act on this intelligence, she must use the MITRE ATT&CK Navigator to identify the TTPs used by the APT group, to ensure it has not already intruded into the network, and to stop it if it has.

Please visit this link to check out the MITRE ATT&CK Navigator layer for the APT group and answer the questions below.


Questions

What is a technique used by the APT to both perform recon and gain initial access?

Before we get started, some background: APT28 is a threat group attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. The group has been active since at least 2004.

Open the link to the MITRE ATT&CK Navigator layer for the APT group found here:

https://static-labs.tryhackme.cloud/sites/eviction/

If you look at the Reconnaissance column (Tactic) and the Initial Access column (Tactic), one technique name is highlighted in both columns: Spearphishing Link. Note that these are two different technique IDs that share a name: in Reconnaissance it is T1598.003 (Phishing for Information: Spearphishing Link), in Initial Access it is T1566.002 (Phishing: Spearphishing Link). The first is used to harvest information from the victim, the second to get them to click and hand over credentials or run code.

Read more about these techniques here:

https://attack.mitre.org/techniques/T1598/003/

https://attack.mitre.org/techniques/T1566/002/

Answer: Spearphishing link

Sunny identified that the APT might have moved forward from the recon phase. Which accounts might the APT compromise while developing resources?

The question refers to the Resource Development tactic. If we look at that column in the ATT&CK Navigator, one of the highlighted techniques is Compromise Accounts: Email Accounts, which is the answer.

Read more about this technique here:

https://attack.mitre.org/techniques/T1586/002/

Answer: Email accounts
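The two questions above, and most of the ones that follow, boil down to the same two operations on the Navigator layer: list the highlighted techniques in one tactic column, and find technique names that show up in more than one column. A Navigator layer is just JSON with one entry per (techniqueID, tactic) pair, so this can be scripted. The following is an added example, not code from the room or from TryHackMe; the layer excerpt is hand-constructed (a small subset, not the real file at the link above) and the technique-name table is a subset of ATT&CK names typed in by hand for the lookup.

```python
import json
from collections import defaultdict

# Constructed excerpt of an ATT&CK Navigator layer (assumption: a hand-made
# subset, not the room's actual layer file). A real layer export has the same
# shape: one entry in "techniques" per (techniqueID, tactic) pair, and
# "enabled": false for cells that are greyed out.
LAYER_JSON = """
{
  "name": "APT28 (constructed excerpt)",
  "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1598.003", "tactic": "reconnaissance", "enabled": true},
    {"techniqueID": "T1566.002", "tactic": "initial-access", "enabled": true},
    {"techniqueID": "T1586.002", "tactic": "resource-development", "enabled": true},
    {"techniqueID": "T1204.001", "tactic": "execution", "enabled": true},
    {"techniqueID": "T1204.002", "tactic": "execution", "enabled": true},
    {"techniqueID": "T1059.001", "tactic": "execution", "enabled": true},
    {"techniqueID": "T1059.003", "tactic": "execution", "enabled": true},
    {"techniqueID": "T1547.001", "tactic": "persistence", "enabled": true},
    {"techniqueID": "T1547.001", "tactic": "privilege-escalation", "enabled": true},
    {"techniqueID": "T1218.011", "tactic": "defense-evasion", "enabled": true},
    {"techniqueID": "T1040", "tactic": "discovery", "enabled": true},
    {"techniqueID": "T1040", "tactic": "credential-access", "enabled": false}
  ]
}
"""

# Technique names as they appear in ATT&CK (hand-typed subset), so matrix
# cells can be compared by name: the recon and initial-access
# "Spearphishing Link" cells are two different technique IDs sharing a name.
TECHNIQUE_NAMES = {
    "T1598.003": "Spearphishing Link",   # Phishing for Information (recon)
    "T1566.002": "Spearphishing Link",   # Phishing (initial access)
    "T1586.002": "Email Accounts",
    "T1204.001": "Malicious Link",
    "T1204.002": "Malicious File",
    "T1059.001": "PowerShell",
    "T1059.003": "Windows Command Shell",
    "T1547.001": "Registry Run Keys / Startup Folder",
    "T1218.011": "Rundll32",
    "T1040": "Network Sniffing",
}


def load_layer(text):
    """Return the enabled (techniqueID, tactic) entries of a layer."""
    layer = json.loads(text)
    return [t for t in layer["techniques"] if t.get("enabled", True)]


def techniques_in(entries, tactic):
    """Names of the highlighted techniques in one tactic column."""
    return sorted(TECHNIQUE_NAMES.get(t["techniqueID"], t["techniqueID"])
                  for t in entries if t["tactic"] == tactic)


def shared_across_tactics(entries):
    """Technique names that appear in more than one tactic column,
    with the technique ID used in each column."""
    columns = defaultdict(dict)
    for t in entries:
        name = TECHNIQUE_NAMES.get(t["techniqueID"], t["techniqueID"])
        columns[name][t["tactic"]] = t["techniqueID"]
    return {name: tactics for name, tactics in columns.items() if len(tactics) > 1}


if __name__ == "__main__":
    entries = load_layer(LAYER_JSON)
    for name, tactics in shared_across_tactics(entries).items():
        print(name, "->", tactics)
    print("execution:", techniques_in(entries, "execution"))
```

Running it on the excerpt reports Spearphishing Link under reconnaissance (T1598.003) and initial-access (T1566.002), and Registry Run Keys / Startup Folder under persistence and privilege-escalation with the same ID in both. Network Sniffing is not reported as shared because its credential-access cell is disabled in the excerpt, which is the same filtering the Navigator does visually.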

E-corp has found that the APT might have gained initial access using social engineering to make the user execute code for the threat actor. Sunny wants to identify if the APT was also successful in execution. What two techniques of user execution should Sunny look out for? (Answer format: <technique 1> and <technique 2>)

The question refers to the Execution tactic. We have to find two sub-techniques of User Execution (T1204), the technique where the adversary relies on a user to run something. In the column you will quickly find Malicious File and Malicious Link, which are the two ways social engineering gets a user to execute code for the threat actor.

Read more about the techniques here:

https://attack.mitre.org/techniques/T1204/002/

https://attack.mitre.org/techniques/T1204/001/

Answer: Malicious File and Malicious Link

If the above technique was successful, which scripting interpreters should Sunny search for to identify successful execution? (Answer format: <technique 1> and <technique 2>)

We are still in the Execution tactic. We need to find two sub-techniques of Command and Scripting Interpreter (T1059). They are highlighted in the column, so the question is easy to answer: PowerShell and Windows Command Shell.

Read more about the techniques here:

https://attack.mitre.org/techniques/T1059/001/

https://attack.mitre.org/techniques/T1059/003/

Answer: PowerShell and Windows Command Shell

While looking at the scripting interpreters identified in Q4, Sunny found some obfuscated scripts that changed the registry. Assuming these changes are for maintaining persistence, which registry keys should Sunny observe to track these changes?

The question says the changes are for maintaining persistence, which means we move to the Persistence tactic. The only highlighted technique there that refers to registry keys is Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. In practice that means watching the Run and RunOnce keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion and the per-user equivalents under HKCU (HKU\<SID>), since a value written there is executed at every logon.

Read more about this technique here:

https://attack.mitre.org/techniques/T1547/001/

Answer: Registry run keys

Sunny identified that the APT executes system binaries to evade defences. Which system binary’s execution should Sunny scrutinize for proxy execution?

This time the question mentions evading defenses, which means we should look at the Defense Evasion column (Tactic). Now we have to look for something related to a system binary, i.e. the System Binary Proxy Execution technique (T1218).

This one is a bit more difficult, but if you look at the relevant sub-techniques you will come across Rundll32 near the bottom of the column. Adversaries abuse rundll32.exe to proxy execution of malicious code: loading a DLL through rundll32.exe instead of executing it directly may avoid triggering security tools that do not monitor rundll32.exe because it is allowlisted or generates too many false positives during normal operation. Because rundll32.exe is a signed Windows binary that legitimately runs DLL exports all day, the useful signal is not its presence but what it loads (a DLL in a user-writable path, or a script protocol handler instead of a DLL) and what spawned it.

Read more about this technique here:

https://attack.mitre.org/techniques/T1218/011/

Answer: Rundll32
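Since the two previous questions ask Sunny to observe Run-key changes and scrutinize rundll32.exe executions, here is an added example (not from the room or the post) of what that hunt looks like as detection logic. It runs over a handful of constructed Sysmon-style events (EventID 13 registry value set, EventID 1 process creation); the hostnames, SIDs and paths in them are made up, and the regular expressions are assumptions about what "suspicious" means, not an official rule set. Every Run-key write is tracked (that is what the question asks for), and only the ones pointing at a user-writable path or a script/proxy binary are marked suspicious; rundll32.exe is only flagged when it shows one of the proxy-execution shapes from the T1218.011 description.

```python
import re

# Constructed Sysmon-style events for illustration (not real E-corp telemetry).
# EventID 13 = RegistryEvent (value set), EventID 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"rundll32.exe C:\Users\sunny\AppData\Roaming\upd.dll,Start"},
    {"EventID": 13,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Users\sunny\AppData\Roaming\upd.dll,Start"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write()'},
]

# Assumed heuristics (tune for your environment).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:Users|ProgramData|Temp|AppData)\\", re.I)
INTERPRETER_RE = re.compile(
    r"\b(?:rundll32|powershell|pwsh|cmd|mshta|wscript|cscript|regsvr32)\.exe\b", re.I)
SCRIPT_PROTO_RE = re.compile(r"\b(?:javascript|vbscript):", re.I)


def check_run_key(ev):
    """T1547.001: every value written under a Run/RunOnce key is tracked;
    it is marked suspicious when the command points at a user-writable
    path or launches a script/proxy-execution binary."""
    if ev["EventID"] != 13 or not RUN_KEY_RE.search(ev["TargetObject"]):
        return None
    cmd = ev["Details"]
    suspicious = bool(USER_WRITABLE_RE.search(cmd) or INTERPRETER_RE.search(cmd))
    return {"technique": "T1547.001", "suspicious": suspicious,
            "key": ev["TargetObject"], "command": cmd, "writer": ev["Image"]}


def check_rundll32(ev):
    """T1218.011: rundll32.exe is normal on Windows, so flag only the
    proxy-execution shapes: a DLL loaded from a user-writable path, a script
    protocol handler instead of a DLL, or a script-interpreter parent."""
    if ev["EventID"] != 1 or not ev["Image"].lower().endswith(r"\rundll32.exe"):
        return None
    cmd, parent = ev["CommandLine"], ev["ParentImage"]
    reasons = []
    if USER_WRITABLE_RE.search(cmd):
        reasons.append("dll from user-writable path")
    if SCRIPT_PROTO_RE.search(cmd) or ".dll" not in cmd.lower():
        reasons.append("no dll argument / script protocol handler")
    if INTERPRETER_RE.search(parent):
        reasons.append("spawned by script interpreter")
    if not reasons:
        return None
    return {"technique": "T1218.011", "suspicious": True,
            "command": cmd, "parent": parent, "reasons": reasons}


def hunt(events):
    """Run every check over every event and collect the findings in order."""
    findings = []
    for ev in events:
        for check in (check_run_key, check_rundll32):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["technique"], "SUSPICIOUS" if f["suspicious"] else "tracked", f["command"])
```

On the sample events the Updater value (written by PowerShell, pointing rundll32.exe at a DLL in AppData) is flagged, the vendor agent in Program Files is tracked but not flagged, the shell32.dll control-panel launch from svchost.exe is ignored, and the two rundll32.exe abuses (user-writable DLL, and the javascript: handler spawned by PowerShell) are reported with the reason that fired. Tying the Run-key finding to the matching process-creation event is what turns "obfuscated script changed the registry" into a persistence chain you can evict.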

Sunny identified tcpdump on one of the compromised hosts. Assuming this was placed there by the threat actor, which technique might the APT be using here for discovery?

tcpdump is a command-line packet analyzer. It lets the user capture and display TCP/IP and other packets being transmitted or received on a network interface the host is attached to.

Since we are talking about discovery here, we should look at the Discovery tactic. The relevant technique is Network Sniffing: with tcpdump the attacker can learn which hosts, services and protocols are on the network by looking at the traffic. Note that Network Sniffing also appears under Credential Access (capturing credentials sent in the clear), which is why the question pins it to discovery.

Read more about this technique here:

https://attack.mitre.org/techniques/T1040/

Answer: Network sniffing

It looks like the APT achieved lateral movement by exploiting remote services. Which remote services should Sunny observe to identify APT activity traces?

Once more, look at the correct Tactic, this time the Lateral Movement one.

Lateral Movement Techniques

Luckily, there are only three highlighted techniques here.

The one that is a sub-technique of Remote Services (T1021) is SMB/Windows Admin Shares: the attacker uses valid accounts to reach the hidden administrative shares (C$, ADMIN$, IPC$) over SMB and run code on the remote host.

Read more about this technique here:

https://attack.mitre.org/techniques/T1021/002/

Answer: SMB/Windows Admin Shares

It looked like the primary goal of the APT was to steal intellectual property from E-corp’s information repositories. Which information repository can be the likely target of the APT?

This time look at the Collection tactic column. The relevant technique here is Data from Information Repositories: Sharepoint. APT28 has previously collected information from Microsoft SharePoint services within target networks (see the RSAC 2015 Abu Dhabi talk by Stefano Maccaglia, cited on the ATT&CK page below).

Read more about this technique here:

https://attack.mitre.org/techniques/T1213/002/

Answer: THM{c8951b2ad24bbcbac60c16cf2c83d92c}

Although the APT had collected the data, it could not connect to the C2 for data exfiltration. To thwart any attempts to do that, what types of proxy might the APT use? (Answer format: <technique 1> and <technique 2>)

This time look at the Command and Control column of the ATT&CK Navigator.

In the lower part of the list we will see the two relevant sub-techniques of Proxy (T1090):

Proxy hopping!

APT28 has used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. They have also routed traffic over Tor and VPN servers to obfuscate their activities. External Proxy covers relaying C2 through a host outside the victim network; Multi-hop Proxy chains several such relays so that the final C2 address is never visible from inside E-corp.

Read more about these techniques here:

https://attack.mitre.org/techniques/T1090/002/

https://attack.mitre.org/techniques/T1090/003/

Answer: External Proxy and Multi-hop Proxy

Congratulations! You have helped Sunny successfully thwart the APT’s nefarious designs by stopping it from achieving its goal of stealing the IP of E-corp.

Answer: No answer needed

 


Congratulations on completing Eviction!!!

Eviction Done!

This was a great conclusion to learning about MITRE's ATT&CK Framework, although I like the previous Summit room a bit more because it was more practical. Covering all the types of framework has been pretty theoretical, and I found that this room helped put the theory into practice.

Great job for following along!


Like my articles?

You are welcome to give my article a clap or two 🙂
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
