TryHackMe: OpenCTI Walkthrough (SOC Level 1)

Welcome to this walkthrough of the OpenCTI room on TryHackMe. In this room we will learn about the concepts and usage of OpenCTI, an open-source threat intelligence platform.

OpenCTI room details

Room URL: https://tryhackme.com/r/room/opencti

This room is part of the SOC Level 1 Path.

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.
Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on!


Task 1: Room Overview

This room will cover the concepts and usage of OpenCTI, an open-source threat intelligence platform. The room will help you understand and answer the following questions:

  • What is OpenCTI and how is it used?
  • How would I navigate through the platform?
  • What functionalities will be important during a security threat analysis?

Prior to going through this room, we recommend checking out these rooms as prerequisites:

Questions

Read the above.

Answer: No answer needed


Task 2: Introduction to OpenCTI

OpenCTI is an open-source platform designed for managing Cyber Threat Intelligence (CTI). It enables organizations to store, analyze, visualize, and present information on threat campaigns, malware, and Indicators of Compromise (IOCs).

Key Features:

  • Developed by the French National Cybersecurity Agency (ANSSI).
  • Facilitates the connection of technical and non-technical data with their sources.
  • Utilizes the MITRE ATT&CK framework for data structuring.
  • Supports integration with other tools like MISP and TheHive for enhanced functionality.

Questions

Read the above.

Answer: No answer needed


Task 3: OpenCTI Data Model

Data Model:
OpenCTI adopts the STIX2 standards (Structured Threat Information Expression) as its primary schema for structuring data. STIX standardizes threat intelligence into entities and relationships, making it easier to trace the origins of information.

Architecture Overview:
The platform integrates a range of services and components to support its operations:

  • GraphQL API: Connects clients to the database and messaging system for data access.
  • Write Workers: Python processes that handle asynchronous write queries from the RabbitMQ messaging system.
  • Connectors: Python processes that ingest, enrich, and export data, linking the platform to external systems and enhancing threat intelligence capabilities.

Connector Classes:

  1. External Input Connector: Ingests data from external sources (e.g., CVE, MISP, TheHive, MITRE).
  2. Stream Connector: Processes platform data streams (e.g., History, Tanium).
  3. Internal Enrichment Connector: Enriches entities within OpenCTI based on user requests (e.g., Observables enrichment).
  4. Internal Import File Connector: Extracts data from uploaded reports (e.g., PDFs, STIX2).
  5. Internal Export File Connector: Exports data into various formats (e.g., CSV, STIX2, PDF).

For more details on configuring connectors and the data schema, refer to the OpenCTI documentation.

Questions

I’ve read about the OpenCTI Data Model

Answer: No answer needed.


Task 4: OpenCTI Dashboard 1

With the introduction and data model theory out of the way, it is time for some practical experience. Yay!

Follow along with the task by launching the attached machine and using the credentials provided; log in to the OpenCTI Dashboard via the AttackBox attached to the room.

Username: info@tryhack.io

Password: TryHackMe1234

Dashboard:
The OpenCTI dashboard displays visual widgets summarizing ingested threat data. It highlights the total number of entities, relationships, reports, and observables, as well as 24-hour changes, providing an overview of the platform’s current state.

OpenCTI Dashboard

Key Tabs and Features:

  1. Activities & Knowledge:
    • Activities: Focuses on security incidents presented as reports, simplifying the investigation process for analysts.
    • Knowledge: Links data related to adversary tools, victim profiles, threat actors, and campaigns.
  2. Analysis:
    • Central hub for reports that contain threat knowledge.
    • Analysts can trace the source of information, add investigation notes, and enrich knowledge using external references.
  3. Events:
    • Records suspicious and malicious activities.
    • Analysts can create associations for incidents to enrich threat intelligence.
  4. Observations:
    • Lists technical elements, detection rules, and artefacts discovered during attacks.
    • Supports threat mapping and correlation with intel feeds.
  5. Threats:
    • Categorizes information threatening to the organization:
      • Threat Actors: Individuals or groups performing malicious activities.
      • Intrusion Sets: TTPs, tools, and malware used by threat actors against specific targets.
      • Campaigns: Coordinated attacks with specific objectives by APTs or threat groups.
  6. Arsenal:
    • Details items and tools used in attacks:
      • Malware: Identifies known malware and associated intel.
      • Attack Patterns: Explores TTPs used by adversaries, such as Command-Line Interface attacks.
      • Courses of Action (CoA): Defensive measures against specific TTPs.
      • Tools: Lists legitimate and misused tools, like CMD for attack execution.
      • Vulnerabilities: Known weaknesses (e.g., CVEs) that attackers exploit.
  7. Entities:
    • Organizes entities by sectors, countries, organizations, and individuals for enriched knowledge on attacks and intrusion sets.

OpenCTI’s structured design and robust categorization streamline the analysis and investigation of threat intelligence for cybersecurity professionals.

Questions

Before moving on, make sure to log in to the OpenCTI Dashboard with the provided credentials:

OpenCTI Dashboard login

What is the name of the group that uses the 4H RAT malware?

Go into the Arsenal tab under the Knowledge section. This tab lists all items related to an attack and any legitimate tools identified from the entities.
After making sure that you have Malware selected at the top, try searching for 4H RAT, and result number 2 lists the answer: Putter Panda.

4H Rat

You can read more on the group here:

https://attack.mitre.org/groups/G0024

Answer: Putter Panda

What kill-chain phase is linked with the Command-Line Interface Attack Pattern?

This time, look at the Attack Patterns screen of the Arsenal section. Here we can search for Command-Line Interface:

Command line interface

This finds T0807, which is an ATT&CK for ICS technique: https://attack.mitre.org/techniques/T0807/

If you click into the search result, you will find the previously shown result. In the top right is the kill chain phase.

Answer: execution-ics

Within the Activities category, which tab would house the Indicators?

Go into Activities, and have a look around. You will end up finding Indicators of Compromise under the Observations tab, and more specifically in the Indicators view.

Indicators

They ask for the tab, which means the answer is Observations.

Answer: Observations


Task 5: General Tabs Navigation

1. Overview Tab

  • Purpose: Provides a high-level summary of the selected entity.
  • Features:
    • Entity ID and confidence level.
    • Description of the threat.
    • Relationships to threats, intrusion sets, and attack patterns.
    • Reports mentioning the entity.
    • External references.

2. Knowledge Tab

  • Purpose: Shows interconnected information for the entity.
  • Features:
    • Associated reports, indicators, and relations.
    • Attack pattern timelines.
    • Detailed insights into threats, attack vectors, events, and observables.

3. Analysis Tab

  • Purpose: Lists reports where the entity appears.
  • Features:
    • Usable threat insights to guide investigation tasks.

4. Indicators Tab

  • Purpose: Displays Indicators of Compromise (IOC) for threats and entities.
  • Features:
    • Centralized IOC tracking for actionable intelligence.

5. Data Tab

  • Purpose: Stores files related to the entity for export or reference.
  • Features:
    • Includes technical and non-technical documents to support investigations.

6. History Tab

  • Purpose: Tracks changes made to the entity.
  • Features:
    • Records updates to attributes, relationships, and overall entity configuration.

Questions

What Intrusion sets are associated with the Cobalt Strike malware with a Good confidence level? (Intrusion1, Intrusion2)

As before, go into the Knowledge menu and open the Arsenal tab. Here you can search for the Cobalt Strike malware.

Cobalt Strike Search

Click on the result and you will go into the Overview tab of the Malware detail page.

Cobalt Strike

To answer the question we need to find info on intrusion sets.

An Intrusion Set refers to a grouping of consistent malicious activities, based on shared tactics, techniques, and objectives.

We can find the information we need under the Knowledge tab, followed by clicking on Intrusion sets in the right menu.

Intrusion Sets

Here we find all the intrusion sets related to Cobalt Strike. Only two have a “Good” confidence: CopyKittens and FIN7.

Answer: CopyKittens, FIN7

Who is the author of the entity?

An easy one. This one is found under the basic information in the Overview tab. The answer is The MITRE Corporation.

Answer: The MITRE Corporation


Task 6: Investigative Scenario

Time for a scenario. Let’s have fun!

As a SOC analyst, you have been tasked with investigations on malware and APT groups rampaging through the world. Your assignment is to look into the CaddyWiper malware and APT37 group. Gather information from OpenCTI to answer the following questions.

Questions

What is the earliest date recorded related to CaddyWiper? Format: YYYY/MM/DD

Go to the Arsenal Tab under Knowledge, and search for CaddyWiper:

Click on the search result. Now go into the Analysis view and you will find different date entries:

CaddyWiper dates

2022/03/15 was the first date where CaddyWiper was reported on.

Answer: 2022/03/15

Which Attack technique is used by the malware for execution?

If you go back to the Overview view, and scroll a bit down, you come across a variety of Attack Patterns which are related to CaddyWiper. One of them is Native API.

Attack Techniques

Note: You could also have seen this answer by pressing “Attack Patterns” on the right menu.

Answer: Native API

How many malware relations are linked to this Attack technique?

Continue by clicking on the Native API Attack Pattern, which brings us to the detail page on this attack technique.

Native API

Now move into the Knowledge view by clicking on the button in the top menu.

Native API Knowledge

Here you can read that the technique is related to 113 types of Malware.

Answer: 113

Which 3 tools were used by the Attack Technique in 2016? (Ans: Tool1, Tool2, Tool3)

This question can be answered by clicking on Tools in the right menu.

Native API tool use

You will see all the tools which have used the Native API technique. Three of them were used in 2016: ShimRatReporter, BloodHound and Empire.

Answer: BloodHound, Empire, ShimRatReporter

What country is APT37 associated with?

The room earlier mentioned that APTs are found under Threats > Intrusion Sets.

Intrusion Sets: An array of TTPs, tools, malware and infrastructure used by a threat actor against targets who share some attributes. APTs and threat groups are listed under this category on the platform due to their known pattern of actions.

Click on the Threats tab under Knowledge, and search for APT37 while on the Intrusion Sets view.

APT37

APT37 is shown, and in the description we can see the group is North Korean.

Answer: North Korea

Which Attack techniques are used by the group for initial access? (Ans: Technique1, Technique2)

Click on the group and press Attack patterns in the right menu. We are shown an ATT&CK matrix with the different techniques used in each step of the attack chain.

APT37 attack techniques

Two of them are highlighted for APT37 under Initial Access: Drive-by-Compromise and Phishing. Click on each and you will find the ATT&CK IDs for each technique: T1189 for Drive-by-Compromise and T1566 for Phishing.

Phishing ATT&CK ID

Answer: T1189, T1566
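Since every lookup in Tasks 4 to 6 is really a walk over STIX entities and relationships (the data model from Task 3), here is a small hand-built STIX 2.1 bundle and the same three kinds of lookup done in code: intrusion sets that use a malware at a given confidence, the kill-chain phase of an attack pattern, and the earliest report mentioning an entity. This is example code written for this walkthrough, not code from the room or from the OpenCTI project. All names, IDs, dates and confidence numbers are constructed sample data, and the mapping of OpenCTI's confidence labels to STIX numeric confidence (Low = 15, Moderate = 50, Good = 75, Strong = 85) is an assumption.

```python
"""Hand-built STIX 2.1 bundle plus lookups mirroring the OpenCTI UI (constructed sample data)."""
import json
import uuid


def stix_id(stix_type):
    """Build a STIX 2.1 identifier of the form <type>--<uuid4>."""
    return f"{stix_type}--{uuid.uuid4()}"


# Assumed mapping of OpenCTI confidence labels to STIX numeric confidence.
CONFIDENCE_PRESETS = {"Low": 15, "Moderate": 50, "Good": 75, "Strong": 85}

# Constructed STIX Domain Objects (SDOs). In OpenCTI these would arrive via connectors.
MALWARE = {"type": "malware", "id": stix_id("malware"), "name": "Example Beacon", "is_family": True}
GROUP_A = {"type": "intrusion-set", "id": stix_id("intrusion-set"), "name": "Group A"}
GROUP_B = {"type": "intrusion-set", "id": stix_id("intrusion-set"), "name": "Group B"}
GROUP_C = {"type": "intrusion-set", "id": stix_id("intrusion-set"), "name": "Group C"}
ATTACK_PATTERN = {
    "type": "attack-pattern", "id": stix_id("attack-pattern"), "name": "Command-Line Interface",
    # Kill-chain phase as STIX stores it; the UI shows phase_name in the top right.
    "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "execution-ics"}],
}
REPORT_OLD = {"type": "report", "id": stix_id("report"), "name": "First sighting (constructed)",
              "published": "2021-11-02T00:00:00.000Z", "object_refs": [MALWARE["id"]]}
REPORT_NEW = {"type": "report", "id": stix_id("report"), "name": "Follow-up (constructed)",
              "published": "2022-01-20T00:00:00.000Z", "object_refs": [MALWARE["id"], GROUP_A["id"]]}


def uses(source, target, confidence):
    """STIX Relationship Object (SRO) of type 'uses' with a numeric confidence."""
    return {"type": "relationship", "id": stix_id("relationship"), "relationship_type": "uses",
            "source_ref": source["id"], "target_ref": target["id"], "confidence": confidence}


BUNDLE = {"type": "bundle", "id": stix_id("bundle"), "objects": [
    MALWARE, GROUP_A, GROUP_B, GROUP_C, ATTACK_PATTERN, REPORT_OLD, REPORT_NEW,
    uses(GROUP_A, MALWARE, CONFIDENCE_PRESETS["Good"]),
    uses(GROUP_B, MALWARE, CONFIDENCE_PRESETS["Moderate"]),
    uses(GROUP_C, MALWARE, CONFIDENCE_PRESETS["Good"]),
    uses(MALWARE, ATTACK_PATTERN, CONFIDENCE_PRESETS["Strong"]),
]}


def to_json(bundle):
    """Serialise the bundle the way it would be exchanged with a STIX2 export connector."""
    return json.dumps(bundle, indent=2)


def index_bundle(bundle):
    """Return (objects by id, list of relationships) for fast traversal."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    return by_id, rels


def intrusion_sets_using(bundle, malware_name, confidence_label):
    """Names of intrusion sets with a 'uses' relation to the malware at exactly that confidence label."""
    by_id, rels = index_bundle(bundle)
    wanted = CONFIDENCE_PRESETS[confidence_label]
    return sorted(
        by_id[r["source_ref"]]["name"]
        for r in rels
        if r["relationship_type"] == "uses"
        and by_id[r["source_ref"]]["type"] == "intrusion-set"
        and by_id[r["target_ref"]]["type"] == "malware"
        and by_id[r["target_ref"]]["name"] == malware_name
        and r.get("confidence") == wanted
    )


def kill_chain_phases_for(bundle, attack_pattern_name):
    """phase_name values attached to the named attack pattern (what the UI shows top right)."""
    return [ph["phase_name"]
            for o in bundle["objects"]
            if o["type"] == "attack-pattern" and o["name"] == attack_pattern_name
            for ph in o.get("kill_chain_phases", [])]


def earliest_report_date(bundle, entity_name):
    """Earliest 'published' date of any report referencing the entity, as YYYY/MM/DD, or None."""
    ids = {o["id"] for o in bundle["objects"] if o["type"] != "report" and o.get("name") == entity_name}
    dates = [o["published"] for o in bundle["objects"]
             if o["type"] == "report" and ids & set(o.get("object_refs", []))]
    return min(dates)[:10].replace("-", "/") if dates else None


if __name__ == "__main__":
    print(to_json(BUNDLE)[:400], "...")
    print(intrusion_sets_using(BUNDLE, "Example Beacon", "Good"))
    print(kill_chain_phases_for(BUNDLE, "Command-Line Interface"))
    print(earliest_report_date(BUNDLE, "Example Beacon"))
```

Each lookup starts from a name and follows `source_ref`/`target_ref` or `object_refs`, which is exactly what the Knowledge and Analysis tabs render for you; building the bundle by hand makes it clear why the UI can trace an answer back to the report and relationship that support it.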


Task 7: Room Conclusion

Fantastic work on going through and completing the OpenCTI room.

In this room, we looked at the use of the OpenCTI platform when it comes to processing threat intel and assisting analysts in investigating incidents. Check out the documentation linked within the room to get more information about OpenCTI and the different tools and frameworks used.

Questions

Completed the OpenCTI Room

Answer: No answer needed


Congratulations on completing OpenCTI!!!

OpenCTI completed

Good job on finishing this room. I actually had a lot of fun making this walkthrough, and solving the questions. OpenCTI is a great tool that I am sure we will use a lot in the future!

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox.


Like my articles?

You are welcome to comment on this post, and please share with friends 🙂
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
