In this room we chase a simulated adversary up the Pyramid of Pain until they finally back down. This is a room to test the knowledge gained during the Cyber Defense Frameworks module.
This room is part of the SOC Level 1 Path.
Room URL: https://tryhackme.com/r/room/summit
I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.
Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Now, let’s move on!
Task 1: Challenge
After participating in one too many incident response activities, PicoSecure has decided to conduct a threat simulation and detection engineering engagement to bolster its malware detection capabilities. You have been assigned to work with an external penetration tester in an iterative purple-team scenario. The tester will be attempting to execute malware samples on a simulated internal user workstation. At the same time, you will need to configure PicoSecure’s security tools to detect and prevent the malware from executing.
Following the Pyramid of Pain’s ascending priority of indicators, your objective is to increase the simulated adversaries’ cost of operations and chase them away for good. Each level of the pyramid allows you to detect and prevent various indicators of attack.
With the introduction out of the way, let’s start the machine and collect the 6 flags! Visit the page at https://LAB_WEB_URL.p.thmlabs.com once the machine has loaded.
Questions
What is the first flag you receive after successfully detecting sample1.exe?
We are met by an application: PicoSecure.
Once the correct file is selected, simply press Submit. The results will show up:
There is a lot of malicious and suspicious behavior related to the binary.
We block the binary by going to “Manage Hashes” in the menu.
We can add the following MD5 hash:
cbda8ae000aa9cbe7c8b982bae006c2a
We get the following message:
Nice work! You prevented sample1.exe from executing by detecting its unique hash value. Check your inbox for the next steps.
A new mail has arrived, together with the flag:
Answer: THM{f3cbf08151a11a6a331db9c6cf5f4fe4}
What is the second flag you receive after successfully detecting sample2.exe?
Besides the previous flag, the mail mentions the following:
Hey again,
Good work. That detection you added blocked my malware from executing. Since file hashes and digests are unique to each file, they are, by far, the highest confidence indicators out there. You can be sure it’s my malware sample the next time you see that hash.
However, by design, that is also one of the significant downfalls of simply relying on hashes for detection mechanisms. Since they are so susceptible to change, I only need to alter a single bit of the file, and the detection rule you added will fail.
In fact, all I did this time was recompile the malware, and I generated a new file hash and executed it without issue. See if you can come up with a new way to detect sample2.exe!
Sphinx mentions that blocking file hashes is not the best way to defend ourselves, since a hash changes as soon as a single bit of the file changes.
Let’s try running sample2.exe in the Malware Sandbox:
We get different results now, and there is also information under Network Activity: the binary makes a suspicious outbound request to 154.35.10.113:4444. We should block that!
We can do this in the Firewall Rule Manager, again found in the menu!
Press the “Create Firewall Rule” button and you will see the following screen:
Fill out the Destination IP with the IP found above. Set the Source IP to Any and the Action to Deny. The Type is trickier, but it should be set to Egress. The definition is as follows:
The main difference between data egress and ingress is the direction of data flow: ingress refers to data entering a system or network, while egress refers to data leaving a system or network.
Save the rule and you should get a message that a new mail has arrived, with the second flag.
Answer: THM{2ff48a3421a938b388418be273f4806d}
What is the third flag you receive after successfully detecting sample3.exe?
A new mail has arrived:
Huh.
It seems like you stopped me again. You must have found the IP address to which my malware sample connected. Clever!
This method isn’t bulletproof, though, as it’s trivial for a motivated adversary to get around it using a new public IP address. I just signed up for a cloud service provider and now have access to many more public IPs!
This time, you’ll need to detect sample3.exe another way. I already have my server running from a new IP address and have plenty more backups to failover in case they get blocked!
Good luck. 😈
As discussed by Sphinx, an attacker can easily switch to a new IP address, which renders our IP-based block useless.
Let’s look at sample3.exe by running it through the Malware Sandbox:
Again, a lot of interesting results. What stands out under HTTP Requests, Connections and DNS Requests is the suspicious domain emudyn.bresonicz.info.
Luckily, we have access to the DNS Rule Manager in the menu.
Go there now, and press the “Create DNS Rule” button:
Enter a rule name of your choice, set the Category to “Malware”, enter the domain name emudyn.bresonicz.info, and set the Action to Deny.
You should see the rule added to the active rules:
You should also have received a new email with the third flag:
Answer: THM{4eca9e2f61a19ecd5df34c788e7dce16}
What is the fourth flag you receive after successfully detecting sample4.exe?
Let’s move on! The mail mentions the following:
Greetings again,
It looks like you were able to block my domain this time because every new IP address I try gets detected. You’re causing me a bit of trouble now because I have to purchase and register some new domain names and modify DNS records. Some attackers might get mildly annoyed by this and find a new target, but I’m motivated to continue like many.
This time – blocking hashes, IPs, or domains won’t help you. If you want to detect sample4.exe, consider what artifacts (or changes) my malware leaves on the victim’s host system.
Good luck.
Sphinx mentions that changing a domain name is a bit more annoying for an attacker, but he will keep trying. This time he advises us to look at the artifacts (or changes) the malware leaves on the host system.
Start by scanning the file:
As hinted, we should focus on the Modification events section.
If we look at the sample4.exe binary row, we can see that it writes to a spot in our registry:
sample4.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection | Operation: write | Name: DisableRealtimeMonitoring |
This is a type of artifact Sphinx mentioned. Copy the Key value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
Now we have to use the Sigma Rule Builder section, again found in the menu.
Press Create Sigma Rule. On the next screen select Sysmon Event Logs, followed by Registry Modifications.
Proceed by entering the values above; the key, name and value can all be found in the scan results. The ATT&CK ID is Defense Evasion, as the malware tries to disable Windows Defender’s real-time monitoring.
Create the rule, and you will get a new mail!
Answer: THM{c956f455fc076aea829799c0876ee399}
What is the fifth flag you receive after successfully detecting sample5.exe?
It worked! The new mail contains the following message:
Hey.
I’m not sure what you managed to do this time, but you seriously threw a wrench into my malware sample! I spent ages trying to reconfigure my attack tools and methodologies to get around your detection – SUPER ANNOYING!
Having my team develop new techniques used in my adversary tools was a time-consuming effort and a significant cost. It’s good that we have a substantial budget for this engagement, but many threat actors would have given up and found a new victim by now.
I finally have sample5.exe for you to detect. Different approach this time. In this sample, all of the “heavy lifting” and instruction occurs on my back-end server, so I can easily change the types of protocols I use and the artifacts I leave on the host. You’ll have to find something unique or abnormal about the behaviour of my tool to detect it.
I attached the logs of the outgoing network connections from the last 12 hours on the victim machine. That may help you correlate something.
I don’t know what to do if you can stop me at this level.
So, we need to look at the logs of the outgoing network connections!
Let’s open the attached log in the Attachment Viewer.
A few things stand out. Every half hour there is an outgoing connection to 51.102.10.19 with a size of 97 bytes. In addition, there are 2 connections to port 80 that look different from the other connections on port 443. As you might know, port 80 carries plain HTTP, while port 443 carries the encrypted HTTPS. But those could just be regular web requests, so let’s focus on the 97-byte connections made every 30 minutes.
It’s time to go to the Sigma Rule Builder again. This time select Sysmon Event Logs, followed by Network Connections.
I started by entering the specific IP and port from the log, but you will get a message saying that the attacker is smart enough now. So set both Remote IP and Remote Port to Any.
The size should be set to 97 bytes, the frequency to 1800s (every half hour), and the ATT&CK ID should be set to Command and Control (TA0011), as the log implies that the malware is periodically checking in with a remote host for instructions.
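To show what the Network Connections rule above is actually keyed on, here is an added Python example (not code from the room or from TryHackMe) that runs the same size-plus-frequency logic over a constructed connection log while ignoring Remote IP and Remote Port. The beacon destination and the 97-byte size come from the walkthrough; the timestamps, the other IPs and the log format are made up.

```python
from datetime import datetime

# Constructed outgoing-connection log (timestamp, remote IP, remote port, bytes).
# Only the 51.102.10.19 / 97-byte beacon is taken from the room; the rest is made up,
# including one stray 97-byte request that does NOT keep the 30-minute cadence.
SAMPLE_LOG = """\
2024-01-05 00:00:00 51.102.10.19 443 97
2024-01-05 00:07:12 142.250.80.46 443 1420
2024-01-05 00:30:00 51.102.10.19 443 97
2024-01-05 00:41:55 34.117.65.55 80 612
2024-01-05 00:51:20 34.117.65.55 80 97
2024-01-05 01:00:00 51.102.10.19 443 97
2024-01-05 01:12:30 142.250.80.46 443 2048
2024-01-05 01:30:00 51.102.10.19 443 97
2024-01-05 02:00:00 51.102.10.19 443 97
"""

def parse_log(text):
    """Parse one connection per line into (timestamp, ip, port, size) tuples."""
    events = []
    for line in text.splitlines():
        date, time, ip, port, size = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, ip, int(port), int(size)))
    return events

def find_beacon(events, size, period_s, tolerance_s=60, min_hits=3):
    """Flag connections of exactly `size` bytes whose spacing clusters around
    `period_s` seconds, regardless of destination IP or port (the rule the room
    accepts: size 97, frequency 1800s, Remote IP/Port = Any). Returns None when
    fewer than `min_hits` connections keep the cadence. Only adjacent same-size
    connections are compared, which keeps the check simple."""
    same_size = sorted((ts, ip, port) for ts, ip, port, sz in events if sz == size)
    hits = set()
    for prev, cur in zip(same_size, same_size[1:]):
        gap = (cur[0] - prev[0]).total_seconds()
        if abs(gap - period_s) <= tolerance_s:
            hits.update((prev, cur))
    if len(hits) < min_hits:
        return None
    return {
        "hits": len(hits),
        "destinations": sorted({(ip, port) for _, ip, port in hits}),
    }

if __name__ == "__main__":
    print(find_beacon(parse_log(SAMPLE_LOG), size=97, period_s=1800))
```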
It succeeds and you will get another mail with the fifth flag!
Answer: THM{46b21c4410e47dc5729ceadef0fc722e}
What is the final flag you receive from Sphinx?
A final challenge from Sphinx:
Hello again,
You managed to detect sample5.exe! I’m very impressed. But also very annoyed! Because now, I need to go back to the drawing board and create a brand new tool to do what I need to do. If I can’t find another one quickly, this will be another significant investment. Also, I will need to train myself all over again on how to use it!
I can keep this up one or two times, but there’s no way I can continue after this. The reward no longer outweighs the cost, and I would instead find an easier target with detection capabilities much lower on the pyramid.
For my last trick, I have sample6.exe. This time, you will need more than artifacts or tool detection to help you. You’ll need to focus on something extremely hard for me to change subconsciously – my techniques and procedures.
I’ve attached the recorded command logs from all my previous samples to understand better what actions I tend to perform on my victims to extract info once I have remote access. Good luck!
So, according to Sphinx we need to focus on his techniques and procedures.
You might remember from the Pyramid of Pain room that the final stage of the pyramid is the TTP stage. TTP stands for Tactics, Techniques and Procedures. This covers the whole MITRE ATT&CK matrix, meaning all the steps an adversary takes to achieve their goal, from phishing attempts through persistence to data exfiltration.
We have received a commands.log file:
The log file shows a series of commands whose output is written to an exfiltration log file called exfiltr8.log.
This sounds like the Automated Exfiltration technique: https://attack.mitre.org/techniques/T1020/
It’s time for the Sigma Rule Builder again, which should allow us to block the creation of the exfiltration file.
Choose the following options: Sysmon Event Logs > File Creation and Modification:
Then enter %temp% as the File Path, exfiltr8.log as the filename, and Exfiltration (TA0010) as the ATT&CK ID.
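The two Sigma rules built in this room (the registry modification for sample4.exe and the file creation for sample6.exe) both boil down to field matching over Sysmon events. Here is an added Python example, not the Sigma Rule Builder’s own output, that expresses both as Sigma-style selections and evaluates them over constructed Sysmon-shaped events; the image paths, the HKLM/HKCU spellings and the DWORD value written to DisableRealtimeMonitoring are assumptions.

```python
# Sigma-style selections modelled on the two rules built in the room (added example).
RULES = {
    # Sysmon Event ID 13 (registry value set); ATT&CK tactic: Defense Evasion
    "defender_realtime_disabled": {
        "EventID": 13,
        "TargetObject|endswith": "\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
        "Details": "DWORD (0x00000001)",  # assumed: value 1 turns real-time monitoring off
    },
    # Sysmon Event ID 11 (file created); ATT&CK tactic: Exfiltration (TA0010)
    "exfiltr8_log_created": {
        "EventID": 11,
        "TargetFilename|contains": "\\Temp\\",  # stands in for %temp% in the builder
        "TargetFilename|endswith": "exfiltr8.log",
    },
}

# Constructed Sysmon-shaped events: two true positives and two benign look-alikes.
EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\user\\Downloads\\sample4.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 11, "Image": "C:\\Users\\user\\Downloads\\sample6.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Temp\\exfiltr8.log"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\setup.log"},
]

def field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value' pair; Sigma string matching is case-insensitive."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    actual, wanted = str(event[name]).lower(), str(expected).lower()
    if modifier == "endswith":
        return actual.endswith(wanted)
    if modifier == "contains":
        return wanted in actual
    return actual == wanted  # no modifier: exact match

def rule_matches(selection, event):
    """All fields of a selection are ANDed, as in a Sigma 'condition: selection'."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def run_rules(events, rules=RULES):
    """Return (rule_name, event_index) for every event a rule fires on."""
    return [(name, i) for i, ev in enumerate(events)
            for name, sel in rules.items() if rule_matches(sel, ev)]
```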
Validate the rule, and you should get a new mail with the final flag!
Answer: THM{c8951b2ad24bbcbac60c16cf2c83d92c}
And we defeated Sphinx:
Well, that’s it. I have officially given up.
Throughout the engagement, you managed to chase me to the very top of the Pyramid of Pain, and I have to say, it’s not fun up here!
You detected my samples file hashes, IPs, domains, host artifacts, tools, and now my own behavioural techniques! To continue, I have no choice but to completely retrain myself and conduct extensive research to figure out how you’re catching me. And with that, I don’t think you’ll ever see me again. Enjoy the final flag; you’ve earned it!
Congratulations on completing Summit!!!
This was a great room! The past few rooms on the Cyber Defense Frameworks were pretty theoretical, and I found that this room really put the theory into practice.
This made it stick in my head, and I really enjoyed the CTF-like challenge, even though I am more used to red-team type CTFs.