Jasper Alblas
TryHackMe: Pyramid Of Pain Walkthrough (SOC Level 1)
It is time to look at the Pyramid of Pain Room on TryHackMe, a room in which we learn about this hierarchical model that illustrates the types of indicators and behaviors associated with cybersecurity threats, ranked by the difficulty attackers face in altering them to evade detection
I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.
Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Room URL: https://tryhackme.com/r/room/pyramidofpainax
Table of Contents
Task 1: Introduction
This well-renowned concept is being applied to cybersecurity solutions like Cisco Security, SentinelOne, and SOCRadar to improve the effectiveness of CTI (Cyber Threat Intelligence), threat hunting, and incident response exercises.
Understanding the Pyramid of Pain concept as a Threat Hunter, Incident Responder, or SOC Analyst is important.
Before moving on it is important to note that we start moving through the pyramid moving upwards. In the lower levels, which we cover first, we cover elements of the attack which are easy for the attacker to change. As we move upwards though the attacker will have more difficulties altering their attack to avoid detection. This will make more sense soon.
Nothing else to discuss here, so let’s move on!
Questions
Read the above.
Answer: No answer needed
Task 2: Hash Values (Trivial)
A hash value is a fixed‑length numeric string generated by a hashing algorithm. It uniquely identifies data and is widely used in security for file verification and malware analysis. If two different files produce the same hash (a collision), the algorithm is not considered cryptographically secure.
Common Hashing Algorithms
- MD5 (1992, RFC 1321)
- Produces a 128‑bit hash.
- Widely used but not secure due to collisions.
- Deprecated by IETF in RFC 6151 (2011).
- SHA‑1 (1995, RFC 3174)
- Produces a 160‑bit hash (40‑digit hex).
- Deprecated by NIST in 2011; banned for digital signatures in 2013.
- Vulnerable to brute‑force and collision attacks.
- SHA‑2 (2001)
- Designed by NIST & NSA to replace SHA‑1.
- Multiple variants; most common is SHA‑256.
- Produces a 256‑bit hash (64‑digit hex).
- Considered secure and widely used today.
Security Use Cases
- Hashes are used to:
- Identify malware samples.
- Track suspicious files.
- Reference malicious artifacts in reports.
- Example: Ransomware reports often list file hashes for detection and sharing with SOC teams.
Tools for Hash Lookups
Metadefender Cloud (OPSWAT) → Provides multi‑engine scanning and hash reputation checks.
VirusTotal → Aggregates antivirus and threat intelligence results for file hashes.
There thing to remember here is that hashes are very easy to change for an attacker. This make threat hunting on a specfic hash value relatively difficult. This is also why is is at the bottom of the pyramid!
Questions
Analyse the report associated with the hash “b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d” here. What is the filename of the sample?
The questions links to a report generated by VirusTotal. The file name is nearly at the top.
Answer: Sales_Receipt 5606.xls
Task 3: IP Address (Easy)
IP Addresses in the Pyramid of Pain
- IP addresses identify devices on a network (computers, servers, cameras, etc.).
- In the Pyramid of Pain, they are marked green, meaning they are the easiest indicators for defenders to act on.
- Defense tactic: block or deny inbound requests from known malicious IPs at the firewall.
- Limitation: attackers can easily evade by switching to new public IPs, making IP blocking only partially effective.
Fast Flux Technique
- Definition: A DNS technique used by botnets to hide malicious activity.
- How it works: Associates a domain name with multiple IP addresses that change rapidly.
- Purpose:
- Conceals phishing sites, malware delivery, and command‑and‑control (C&C) servers.
- Makes detection and takedown by defenders much harder.
- Effect: Even if defenders block one IP, the domain quickly resolves to another, keeping the malicious infrastructure resilient.
Key Takeaway
Techniques like Fast Flux make IP blocking even less reliable, forcing defenders to rely on stronger indicators (domains, file hashes, behaviors) higher up in the Pyramid of Pain.
IP addresses are useful indicators but weak for long‑term defense because attackers can rotate them easily.
Questions
Read the following report to answer this question. What is the first IP address the malicious process (PID 1632) attempts to communicate with?
The report from Any.run covers the Sodinokibi malware. The first half of the report covers a lot of information about the type of malware, but it gets interesting for us in the middle.
The is a section concerning network activity, and there we see the different type of connections made. Simply look at the row for PID 1632 to answer the two questions.
Answer: 50.87.136.52
Read the following report to answer this question. What is the first domain name the malicious process ((PID 1632) attempts to communicate with?
This answer is also found in the above image. Look at the domain field.
Answer: craftingalegacy.com
Task 4: Domain Names (Simple)
Domain Names in the Pyramid of Pain
- Definition: Domain names map IP addresses to human‑readable text (e.g.,
evilcorp.com,tryhackme.evilcorp.com). - Attacker challenge: Harder to change than IPs since domains must be purchased, registered, and DNS records updated.
- Defender challenge: Many DNS providers have loose standards and APIs that make domain changes easier for attackers.
Punycode Attacks
- Punycode: Converts non‑ASCII characters into Unicode ASCII encoding.
- Example:
adıdas.de→http://xn--addas-o4a.de/. - Attackers use this to create domains that look legitimate but redirect to malicious sites.
- Modern browsers (Chrome, Edge, Safari, IE) can translate obfuscated characters into full Punycode names.
Detecting Malicious Domains
- Logs: Proxy logs and web server logs can reveal suspicious domain activity.
- URL Shorteners: Attackers often hide malicious domains behind shortened links (
bit.ly,goo.gl,tinyurl.com, etc.).- Trick: Append
+to shortened URLs in a browser to preview the redirect destination.
- Trick: Append
Viewing Connections in Any.run
- Any.run is a sandboxing service that safely executes malware samples for analysis.
- Analysts can review network activity generated by the sample in the Networking tab.
Here we can look at different kind of connections:
DNS Requests → Reveals domains queried by malware, often used to check internet connectivity or contact command‑and‑control servers.
HTTP Requests → Shows resources retrieved from web servers (e.g., droppers, callbacks).
Connections → Displays communications with other hosts (e.g., C2 traffic, file transfers).
Questions
Go to this report on app.any.run and provide the first suspicious domain request you are seeing, you will be using this report to answer the remaining questions of this task
Visit the report, and look at the tabs in the bottom of the screen. One of them should say DNS Request, and here you will find the domain request to craftingalegacy.com. This domain name was also mentioned in the previous task in relation to the Sodinokibi malware.
Answer: craftingalegacy.com
What term refers to an address used to access websites?
This is an easy one. Domain name is the answer.
Answer: domain name
What type of attack uses Unicode characters in the domain name to imitate the a known domain?
We covered this earlier. Punyode attack is the answer here.
Answer: Punycode attack
Provide the redirected website for the shortened URL using a preview: https://tinyurl.com/bw7t8p4u
To find the redirected website, write the tinyurl in your browser and add a ‘+’:
It is redirecting to tryhackme!
Answer: https://tryhackme.com/
Task 5: Host Artifacts (Annoying)
Good job on following along so far on the Pyramid of Pain room. There isn’t much theory to cover in this task. Host artifacts are the traces or observables that attackers leave on the system, such as registry values, suspicious process execution, attack patterns or IOCs (Indicators of Compromise), files dropped by malicious applications, or anything exclusive to the current threat.
As we have moved higher up the pyramid it is becoming more complicated for the attacker to circle back at this detection level and change his attack tools and methodologies. This is very time-consuming for the attacker, and probably, he will need to spend more resources on his adversary tools.
Questions
A security vendor has analysed the malicious sample for us. Review the report here to answer the following questions.
Answer: No answer needed.
A process named regidle.exe makes a POST request to an IP address based in the United States (US) on port 8080. What is the IP address?
As before, look into the report and scroll down to the Network activity section. Here you will find that the regidle.exe makes a POST request to the following US IP:
Answer: 96.126.101.6
The actor drops a malicious executable (EXE). What is the name of this executable?
Just before the network section, there is a section on files activity. Here you will find the malicious executable G_jugk.exe that is being dropped. There is a Powershell.exe file as well, but I think that just means that the malware runs powershell, so the other file is the answer.
Answer: G_jugk.exe
Look at this report by Virustotal. How many vendors determine this host to be malicious?
Open the Virustotal report on the earlier found ip address. You will quickly find the number of hosts that determine the host to be malicious:
Answer: 9
Task 6: Network Artifacts (Annoying)
This task is about network artifacts, which are also in the yellow zone of the pyramid. This means that if you detected an attacker, the attacker would need quite some time to change tactics and tools.
Network artifacts are observable elements within network traffic that can indicate malicious activity. Examples include user-agent strings, command-and-control (C2) communication details, or specific URI patterns associated with HTTP POST requests. These artifacts can provide valuable clues for identifying and investigating potential threats.
For instance, an attacker might use a user-agent string that is not typically seen in your environment or appears anomalous. The user-agent string, as defined by RFC2616, is a request-header field in HTTP traffic that conveys information about the client application making the request (e.g., a web browser, script, or custom tool). An unusual or inconsistent user-agent string can serve as a red flag for suspicious activity.
To detect network artifacts, tools like Wireshark or TShark (a command-line network protocol analyzer) can be used to analyze packet capture (PCAP) files, which store raw network traffic data. Additionally, artifacts can be identified by examining logs from Intrusion Detection Systems (IDS) such as Snort. For example, Snort rules can help flag specific patterns or anomalies in network traffic, allowing analysts to focus on potentially harmful activities. By combining packet analysis and IDS logs, security teams can build a clearer picture of an attack and trace its origins or objectives.
Questions
What browser uses the User-Agent string shown in the screenshot above?
As you can see in the screenshot, the user-agent string starts with Mozilla/ 4.0. I first though the answer would be Firefox, but apparently it is related to Internet Explorer due to historical reasons:
Some quick googling led to to find out why it might be associated with Microsoft:
In the early days of the web, Netscape was the dominant browser, and many websites were optimized for it. To ensure compatibility, other browsers started including “Mozilla” in their user agent strings to mimic Netscape.
Microsoft adopted the Mozilla/4.0 string for Internet Explorer (IE), starting with version 4. The 4.0 referred to the version of the browser’s rendering engine (Trident).
Answer: Internet Explorer
How many POST requests are in the screenshot from the pcap file?
The screenshot referred to is the following:
Well, we can simply count them? The answer is 6.
Answer: 6
Task 7: Tools (Challenging)
At this stage, we have levelled up our detection capabilities against the artifacts. The attacker would most likely give up trying to break into your network or go back and try to create a new tool that serves the same purpose. It will be a game over for the attackers as they would need to invest some money into building a new tool (if they are capable of doing so), find the tool that has the same potential, or even gets some training to learn how to be proficient in a certain tool.
Attackers use tools to create malicious macro documents (maldocs) for spearphishing attempts, a backdoor that can be used to establish C2 (Command and Control Infrastructure), any custom .EXE, and .DLL files, payloads, or password crackers.
Antivirus signatures, detection rules, and YARA rules can be great weapons for you to use against attackers at this stage.
Fuzzy hashing can also be a great weapon against the attacker’s tools. Fuzzy hashing helps you to perform similarity analysis — match two files with minor differences based on the fuzzy hash values. Regular cryptographic hash functions cannot be used for determining if a file is similar to a known file, because one of the requirements of a cryptographic hash function is that a small change to the input should change the hash value so extensively that the new hash value appears uncorrelated with the old hash value.
Questions
Provide the method used to determine similarity between the files
As discussed before, fuzzy hashing can be use to perform similarity analysis.
Answer: Fuzzy Hashing
Provide the alternative name for fuzzy hashes without the abbreviation
I had to google around to find this one, but apparantely the longer name for fuzzy hashes is context-triggered piecewise hashes.
Answer: context-triggered piecewise hashes
Task 8: TTPs (Tough)
We made it to the final stage of the Pyramid of Pain!
TTPs stands for Tactics, Techniques & Procedures. This includes the whole MITRE ATT&CK Matrix, which means all the steps taken by an adversary to achieve his goal, starting from phishing attempts to persistence and data exfiltration.
If you can detect and respond to the TTPs quickly, you leave the adversaries almost no chance to fight back. This means they either have to do more research and reconfigure their tools, or give up!
Questions
Navigate to ATT&CK Matrix webpage. How many techniques fall under the Exfiltration category?
If you visit the ATT&CK webpage, you will find a table with a bunch of different categories. Underneath Exfiltration you will find the following list with 9 techniques.
Answer: 9
Chimera is a China-based hacking group that has been active since 2018. What is the name of the commercial, remote access tool they use for C2 beacons and data exfiltration?
Click on the “Exfiltration Over C2 Channel” technique. This will bring you to the following page:
https://attack.mitre.org/techniques/T1041
Now search on the page for Chimera, and you can read about Cobalt Strike.
This is the answer, and if you want to read more you can visit the following page:
https://attack.mitre.org/software/S0154
Answer: Cobalt Strike
Task 9: Practical: The Pyramid of Pain
In this task we have to deploy the static site to find the flag. Let’s get going.
Questions
Complete the static site. What is the flag?
We are met with the following landing page:
Press continue, and then we are met with instructions. We have to match each description with the correct level of the Pyramid of Pain.
Let’s take a description at a time:
The attacker has utilised these to accomplish their objective.
Well, I guess this could relate to each level of the pyramid, but the obvious answer is Tools.
The attackers plans and objectives.
The answer here is TTP, since this level cover Tactics, Techniques & Procedures.
These signatures can be used to attribute payloads and artefacts to an actor.
Payloads and artefacts can be attributed to an actor by the use of hash values.
An attacker has purchased this and used it in a typo-squatting campaign.
Typosquatting is a form of cybercrime that involves hackers registering domains with deliberately misspelled names of well-known websites. This must therefore related to Domain Names.
These addresses can be used to identify the infrastructure an attacker is using for their campaign.
This one is easy. The addresses mentioned must be IP addresses.
These artefacts can present themselves as C2 traffic for example.
Command and control attacks, also known as C2 and C&C attacks, are a form of cyber attack in which a cybercriminal uses a rogue server to deliver orders to computers compromised by malware via a network and to receive data stolen from the target network.
The artefacts are covered by the Network level.
You should get the flag now.
Answer: THM{PYRAMIDS_COMPLETE}
Task 10: Conclusion
Now you have learned the concept of the Pyramid of Pain. Maybe it is time to apply this in practice. Please, navigate to the Static Site to perform the exercise.
You can pick any APT (Advanced Persistent Threat Groups) as another exercise. A good place to look at would be Rapid7 Advanced Persistent Threat Groups. When you have determined the APT Group you want to research – find their indicators and ask yourself: ” What can I do or what detection rules and approach can I create to detect the adversary’s activity?”, and “Where does this activity or detection fall on the Pyramid of Pain?”
As David Bianco states, “the amount of pain you cause an adversary depends on the types of indicators you are able to make use of“.
Questions
Read the above.
Answer: No answer needed
Congratulations
Congratulations on finishing the Pyramid of Pain room on TryHackMe. This was a great room to learn about some of the methodology related to the work of a SOC Analyst. Great job on following along. Happy hacking!
Find my other walkthroughs of the SOC Level 1 Path here.
You can find my other walkthroughs here.
Like my articles?
You are welcome to comment this port, and please do share with friends 🙂
I would be even more grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:
[…] TryHackMe: Pyramid Of Pain Walkthrough (SOC Level 1) […]