TryHackMe: Pyramid Of Pain Walkthrough (SOC Level 1)

December 14, 2024 Jasper

It is time to look at the Pyramid of Pain room on TryHackMe, in which we learn about a hierarchical model that illustrates the types of indicators and behaviours associated with cybersecurity threats, ranked by how hard it is for attackers to alter them in order to evade detection.

Pyramid of Pain Room

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.

Join me in learning cybersecurity. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.

Room URL: https://tryhackme.com/r/room/pyramidofpainax

Task 1: Introduction

Before moving on, note that we work through the pyramid from the bottom up. The lower levels, which we cover first, contain the elements of an attack that are easy for the attacker to change. As we move upwards, the attacker has more and more difficulty altering their attack to avoid detection. This will make more sense soon.

Nothing else to discuss here, so let’s move on!

Questions

Answer: No answer needed


Task 2: Hash Values (Trivial)

Some quick theory here on a variety of hashing algorithms. The thing to remember is that a hash value is the output of a hashing algorithm: a numeric value of a fixed length that uniquely identifies a piece of data.

There are a large number of algorithms, and the more bits the hash value has, the more resistant the algorithm is to brute-force attacks.

For this section, the point is uniquely identifying a file, an artifact, and so on.

Questions

Analyse the report associated with the hash “b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d” here. What is the filename of the sample?

The question links to a report generated by VirusTotal. The file name is near the top.

Finding the filename

Answer: Sales_Receipt 5606.xls


Task 3: IP Address (Easy)

This task covers IP addresses, which identify a machine that is connected to a network. IP addresses are important from a SOC perspective, as a common defence tactic is to block, drop, or deny inbound requests from IP addresses on your perimeter or external firewall. It is easy for an attacker to change their IP address though, so alternative defences are needed.

Questions

Read the following report to answer this question. What is the first IP address the malicious process (PID 1632) attempts to communicate with?

The report from Any.run covers the Sodinokibi malware. The first half of the report covers a lot of information about the type of malware, but it gets interesting for us in the middle.

There is a section concerning network activity, where we see the different types of connections made. Simply look at the row for PID 1632 to answer the two questions.

PID 1632 communicates with the following IP

Answer: 50.87.136.52

Read the following report to answer this question. What is the first domain name the malicious process (PID 1632) attempts to communicate with?

Answer: craftingalegacy.com


Task 4: Domain Names (Simple)

This task is all about domain names. A domain name can be thought of as simply mapping a string of text to an IP address. This ensures that we do not have to remember the IP addresses of web pages; we can simply give a domain name to a DNS server, and it will resolve it to the correct IP address.

The room then discusses punycode, a special encoding used to convert Unicode characters to ASCII, which is a smaller, restricted character set. Attackers use this to redirect users to a malicious domain that seems legitimate at first glance.

Furthermore, attackers can hide malicious domains using URL Shorteners. A URL Shortener is a tool that creates a short and unique URL that will redirect to the specific website specified during the initial step of setting up the URL.

Luckily we can use services such as Any.run (a sandboxing service) to investigate malware and review any connections such as HTTP requests, DNS requests or processes communicating with an IP address.
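To make the punycode point concrete, here is an added example (my own code, not part of the room or its Any.run report) that decodes xn-- labels from constructed DNS query log lines and flags labels that mix Unicode scripts, which is how a homoglyph lookalike such as a Cyrillic "а" inside "paypal" shows up. The log lines and the lookalike domain are constructed for the example.

```python
import unicodedata

# Constructed lookalike: Latin "paypal.com" with the first "a" replaced by Cyrillic "а" (U+0430),
# converted to its punycode (xn--) form, which is how it appears in a DNS query.
LOOKALIKE = "p\u0430ypal.com".encode("idna").decode("ascii")

# Constructed DNS query log lines (not the room's report); the last field is the queried name.
SAMPLE_DNS_LOG = (
    "2024-12-14T10:01:02Z host1 query A craftingalegacy.com\n"
    f"2024-12-14T10:01:05Z host1 query A {LOOKALIKE}\n"
    "2024-12-14T10:01:09Z host2 query A tryhackme.com\n"
)

def decode_label(label: str) -> str:
    """Turn one xn-- label back into Unicode; plain ASCII labels are returned unchanged."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label.encode("ascii").decode("idna")
    except UnicodeError:
        return label  # malformed punycode: keep the raw label so it is still reported

def scripts_in(label: str) -> set:
    """Unicode scripts of the letters in a label, e.g. {'LATIN', 'CYRILLIC'} for a homoglyph mix."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def classify_domain(domain: str) -> dict:
    labels = domain.rstrip(".").split(".")
    decoded = [decode_label(l) for l in labels]
    return {
        "domain": domain,
        "decoded": ".".join(decoded),
        "punycode": any(l.lower().startswith("xn--") for l in labels),
        # A label mixing scripts (Latin + Cyrillic, etc.) is the classic lookalike pattern
        "mixed_script": any(len(scripts_in(l)) > 1 for l in decoded),
    }

def scan_dns_log(text: str) -> list:
    """Return the classification of every punycode domain queried in the log."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            result = classify_domain(line.split()[-1])
            if result["punycode"]:
                findings.append(result)
    return findings

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        flag = "MIXED SCRIPT" if f["mixed_script"] else "non-ASCII"
        print(f"{f['domain']} -> {f['decoded']} [{flag}]")
```

Sandboxes such as Any.run show the raw xn-- query, so decoding it this way is what tells you which legitimate brand the domain is imitating.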

Questions

Go to this report on app.any.run and provide the first suspicious domain request you are seeing, you will be using this report to answer the remaining questions of this task

Visit the report, and look at the tabs at the bottom of the screen. One of them should say DNS Request, and there you will find the domain request to craftingalegacy.com. This domain name was also mentioned in the previous task in relation to the Sodinokibi malware.

Suspicious domain request

Answer: craftingalegacy.com

What term refers to an address used to access websites?

This is an easy one. Domain name is the answer.

Answer: domain name

What type of attack uses Unicode characters in the domain name to imitate a known domain?

We covered this earlier. Punycode attack is the answer here.

Answer: Punycode attack

Provide the redirected website for the shortened URL using a preview: https://tinyurl.com/bw7t8p4u

To find the redirected website, write the tinyurl in your browser and add a ‘+’:

Tinyurl redirect

It is redirecting to tryhackme!

Answer: https://tryhackme.com/


Task 5: Host Artifacts (Annoying)

Not much theory to cover in this task. Host artifacts are the traces or observables that attackers leave on the system, such as registry values, suspicious process execution, attack patterns or IOCs (Indicators of Compromise), files dropped by malicious applications, or anything exclusive to the current threat.

As we move higher up the pyramid, it becomes more complicated for the attacker to circle back at this detection level and change their attack tools and methodologies.

Questions

A security vendor has analysed the malicious sample for us. Review the report here to answer the following questions.

Answer: No answer needed.

A process named regidle.exe makes a POST request to an IP address based in the United States (US) on port 8080. What is the IP address?

As before, look into the report and scroll down to the Network activity section. Here you will find that regidle.exe makes a POST request to the following US IP:

Network activity to the US

Answer: 96.126.101.6

The actor drops a malicious executable (EXE). What is the name of this executable?

Just before the network section, there is a section on files activity. Here you will find the malicious executable G_jugk.exe that is being dropped. There is a Powershell.exe file as well, but I think that just means that the malware runs powershell, so the other file is the answer.

Malicious executable found, G_jugk.exe!

Answer: G_jugk.exe

Look at this report by VirusTotal. How many vendors determine this host to be malicious?

Open the VirusTotal report on the IP address found earlier. You will quickly find the number of vendors that determine the host to be malicious:

Vendors identifying the host malicious

Answer: 9


Task 6: Network Artifacts (Annoying)

This task is about network artifacts, which are also in the yellow zone of the pyramid. This means that if you detected an attacker, the attacker would need quite some time to change tactics and tools.

Network artifacts are observable elements within network traffic that can indicate malicious activity. Examples include user-agent strings, command-and-control (C2) communication details, or specific URI patterns associated with HTTP POST requests. These artifacts can provide valuable clues for identifying and investigating potential threats.

For instance, an attacker might use a user-agent string that is not typically seen in your environment or appears anomalous. The user-agent string, as defined by RFC2616, is a request-header field in HTTP traffic that conveys information about the client application making the request (e.g., a web browser, script, or custom tool). An unusual or inconsistent user-agent string can serve as a red flag for suspicious activity.

To detect network artifacts, tools like Wireshark or TShark (a command-line network protocol analyzer) can be used to analyze packet capture (PCAP) files, which store raw network traffic data. Additionally, artifacts can be identified by examining logs from Intrusion Detection Systems (IDS) such as Snort. For example, Snort rules can help flag specific patterns or anomalies in network traffic, allowing analysts to focus on potentially harmful activities. By combining packet analysis and IDS logs, security teams can build a clearer picture of an attack and trace its origins or objectives.
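As an added example of the two artifacts this task describes (it is my own code, not the room's, and the log lines are constructed with RFC 5737 test addresses rather than taken from the room's pcap), the script below parses HTTP request records, counts POST requests, flags a user-agent string that only one internal host uses, and surfaces repeated POSTs to the same URI, the beaconing shape that C2 traffic often has. In practice the same checks would run over fields exported from Wireshark/TShark or matched by a Snort rule.

```python
import re
from collections import Counter

# Constructed HTTP request log: "src dst:port METHOD uri "user-agent"" (RFC 5737 test addresses).
SAMPLE_HTTP_LOG = """\
10.0.0.5 203.0.113.10:80 GET /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
10.0.0.6 203.0.113.10:80 GET /news "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
10.0.0.5 203.0.113.10:80 GET /logo.png "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
10.0.0.7 203.0.113.22:8080 POST /gate.php "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.7 203.0.113.22:8080 POST /gate.php "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.7 203.0.113.22:8080 POST /gate.php "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.8 203.0.113.10:443 POST /login "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+):(\d+) (GET|POST|PUT|HEAD) (\S+) "([^"]*)"$')

def parse_log(text: str) -> list:
    """Split each log line into its fields; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, dst, port, method, uri, ua = m.groups()
            records.append({"src": src, "dst": dst, "port": int(port),
                            "method": method, "uri": uri, "ua": ua})
    return records

def count_posts(records: list) -> int:
    return sum(1 for r in records if r["method"] == "POST")

def rare_user_agents(records: list, max_hosts: int = 1) -> list:
    """User-agent strings seen from at most `max_hosts` internal hosts: unusual for the environment."""
    hosts_per_ua = {}
    for r in records:
        hosts_per_ua.setdefault(r["ua"], set()).add(r["src"])
    return sorted(ua for ua, hosts in hosts_per_ua.items() if len(hosts) <= max_hosts)

def repeated_post_beacons(records: list, min_count: int = 3) -> list:
    """(src, dst, port, uri) tuples with repeated POSTs: a C2 check-in pattern worth a closer look."""
    hits = Counter((r["src"], r["dst"], r["port"], r["uri"])
                   for r in records if r["method"] == "POST")
    return [key for key, n in hits.items() if n >= min_count]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_HTTP_LOG)
    print("POST requests:", count_posts(recs))
    print("rare user-agents:", rare_user_agents(recs))
    print("repeated POST beacons:", repeated_post_beacons(recs))
```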

Questions

What browser uses the User-Agent string shown in the screenshot above?

As you can see in the screenshot, the user-agent string starts with Mozilla/4.0. I first thought the answer would be Firefox, but apparently it is related to Internet Explorer for historical reasons.

Some quick googling led me to find out why it might be associated with Microsoft:

In the early days of the web, Netscape was the dominant browser, and many websites were optimized for it. To ensure compatibility, other browsers started including “Mozilla” in their user agent strings to mimic Netscape.

Microsoft adopted the Mozilla/4.0 string for Internet Explorer (IE), starting with version 4. The 4.0 referred to the version of the browser’s rendering engine (Trident).

Answer: Internet Explorer

How many POST requests are in the screenshot from the pcap file?

The screenshot referred to is the following:

Count those POST requests :)

Well, we can simply count them. The answer is 6.

Answer: 6


Task 7: Tools (Challenging)

Attackers use tools to create malicious macro documents (maldocs) for spearphishing attempts, a backdoor that can be used to establish C2 (Command and Control Infrastructure), any custom .EXE, and .DLL files, payloads, or password crackers.

Antivirus signatures, detection rules, and YARA rules can be great weapons for you to use against attackers at this stage.

Fuzzy hashing can also be a great weapon against the attacker’s tools. Fuzzy hashing helps you to perform similarity analysis — match two files with minor differences based on the fuzzy hash values. Regular cryptographic hash functions cannot be used for determining if a file is similar to a known file, because one of the requirements of a cryptographic hash function is that a small change to the input should change the hash value so extensively that the new hash value appears uncorrelated with the old hash value.
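To show the contrast between the hash values of Task 2 and the fuzzy hashes discussed here, the following is an added example (my own simplified context-triggered piecewise hash, not ssdeep and not code from the room): chunk boundaries are chosen by a rolling hash over the last 7 bytes, each chunk contributes one character, and a single-byte change to a constructed 512-byte input flips SHA-256 completely while the piecewise signatures stay almost identical.

```python
import difflib
import hashlib
import random

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193  # 32-bit FNV-1a parameters

def ctph(data: bytes, block_size: int = 16, window: int = 7) -> str:
    """Simplified context-triggered piecewise hash (the idea behind ssdeep, not its format).
    A chunk ends wherever the rolling hash of the last `window` bytes hits a trigger value,
    so an edit only disturbs the chunks around it; every chunk contributes one character."""
    base, mod = 31, 2 ** 32
    base_w = pow(base, window, mod)
    roll, chunk, sig = 0, FNV_OFFSET, []
    for i, byte in enumerate(data):
        roll = (roll * base + byte) % mod
        if i >= window:                       # drop the byte that just left the window
            roll = (roll - data[i - window] * base_w) % mod
        chunk = ((chunk ^ byte) * FNV_PRIME) & 0xFFFFFFFF
        if (roll >> 16) % block_size == block_size - 1:   # context trigger, ~1 in block_size
            sig.append(ALPHABET[chunk & 63])
            chunk = FNV_OFFSET
    sig.append(ALPHABET[chunk & 63])          # final, unterminated chunk
    return "".join(sig)

def similarity(sig_a: str, sig_b: str) -> int:
    """0-100 score for how much of the two piecewise signatures lines up."""
    return round(100 * difflib.SequenceMatcher(None, sig_a, sig_b).ratio())

def sample_files() -> tuple:
    """Constructed input: 512 pseudo-random bytes and a copy with one byte changed."""
    rng = random.Random(1)
    original = bytes(rng.getrandbits(8) for _ in range(512))
    modified = original[:256] + bytes([original[256] ^ 0xFF]) + original[257:]
    return original, modified

def compare(original: bytes, modified: bytes) -> dict:
    """SHA-256: any change yields an unrelated digest. CTPH: the signatures stay close."""
    return {
        "sha256_equal": hashlib.sha256(original).digest() == hashlib.sha256(modified).digest(),
        "ctph_similarity": similarity(ctph(original), ctph(modified)),
    }

if __name__ == "__main__":
    orig, mod = sample_files()
    print("SHA-256:", hashlib.sha256(orig).hexdigest()[:16], "vs", hashlib.sha256(mod).hexdigest()[:16])
    print("CTPH   :", ctph(orig), "vs", ctph(mod))
    print(compare(orig, mod))
```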

Questions

Provide the method used to determine similarity between the files

As discussed before, fuzzy hashing can be used to perform similarity analysis.

Answer: Fuzzy Hashing

Provide the alternative name for fuzzy hashes without the abbreviation

I had to google around to find this one, but apparently the longer name for fuzzy hashes is context-triggered piecewise hashes.

Answer: context-triggered piecewise hashes


Task 8: TTPs (Tough)

We made it to the final stage of the Pyramid of Pain!

TTPs stands for Tactics, Techniques & Procedures. This includes the whole MITRE ATT&CK Matrix, which means all the steps taken by an adversary to achieve his goal, starting from phishing attempts to persistence and data exfiltration.

If you can detect and respond to the TTPs quickly, you leave the adversaries almost no chance to fight back.

Questions

Navigate to the ATT&CK Matrix webpage. How many techniques fall under the Exfiltration category?

If you visit the ATT&CK webpage, you will find a table with a bunch of different categories. Underneath Exfiltration you will find the following list with 9 techniques.

Exfiltration techniques

Answer: 9

Chimera is a China-based hacking group that has been active since 2018. What is the name of the commercial, remote access tool they use for C2 beacons and data exfiltration?

Click on the “Exfiltration Over C2 Channel” technique. This will bring you to the following page:

https://attack.mitre.org/techniques/T1041/

Now search on the page for Chimera, and you can read about Cobalt Strike.

Chimera used Cobalt Strike

This is the answer, and if you want to read more you can visit the following page:

https://attack.mitre.org/software/S0154/

Answer: Cobalt Strike


Task 9: Practical: The Pyramid of Pain

In this task we have to deploy the static site to find the flag. Let’s get going.

Questions

Complete the static site. What is the flag?

We are met with the following landing page:

Pyramid instructions

Press continue, and then we are met with instructions. We have to match each description with the correct level of the Pyramid of Pain.

The questions to be answered

Let’s take one description at a time:

The attacker has utilised these to accomplish their objective.

Well, I guess this could relate to each level of the pyramid, but the obvious answer is Tools.

The attacker’s plans and objectives.

The answer here is TTP, since this level covers Tactics, Techniques & Procedures.

These signatures can be used to attribute payloads and artefacts to an actor.

Payloads and artefacts can be attributed to an actor by the use of hash values.

An attacker has purchased this and used it in a typo-squatting campaign.

Typosquatting is a form of cybercrime in which attackers register domains with deliberately misspelled names of well-known websites. This must therefore relate to Domain Names.

These addresses can be used to identify the infrastructure an attacker is using for their campaign.

This one is easy. The addresses mentioned must be IP addresses.

These artefacts can present themselves as C2 traffic for example.

Command and control attacks, also known as C2 and C&C attacks, are a form of cyber attack in which a cybercriminal uses a rogue server to deliver orders to computers compromised by malware via a network and to receive data stolen from the target network.

The artefacts are covered by the Network level.

You should get the flag now.

Answer: THM{PYRAMIDS_COMPLETE}


Task 10: Conclusion

Read the text on THM’s page and press the final button to complete the room!

Questions

Read the above.

Answer: No answer needed


This was a great room to learn about some of the methodology related to the work of a SOC Analyst. Great job on following along. Happy hacking!


Like my articles?

You are welcome to give my article a clap or two 🙂
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg