If you have been going through the SOC Level 1 Path like me, we have just covered a ton of Threat Intelligence theory and tools, followed by the fun Friday Overtime challenge. Now it is time for another challenge in which we have to use our Cyber Threat Intelligence knowledge and skills to identify a threat based on a report. In this room we will be using a threat advisory report, the MITRE ATT&CK navigator and we also finally get to use the OpenCTI platform.

Trooper Room Banner
Room URL: https://tryhackme.com/r/room/trooper
This room is part of the SOC Level 1 Path.
I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.
Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Now, let’s move on!
Task 1: Who’s The Threat?
We will start by reading the introduction on the room page:
A multinational technology company has been the target of several cyber attacks in the past few months. The attackers have been successful in stealing sensitive intellectual property and causing disruptions to the company’s operations. A threat advisory report about similar attacks has been shared, and as a CTI analyst, your task is to identify the Tactics, Techniques, and Procedures (TTPs) being used by the Threat group and gather as much information as possible about their identity and motive. For this task, you will utilise the OpenCTI platform as well as the MITRE ATT&CK navigator, linked to the details below.
Start the virtual machine by clicking on the green “Start Machine” button on the upper right section of this task. Give it about 7 minutes to fully load and use the credentials below to access the platforms via the AttackBox or VPN to conduct your investigations.
Let’s get started! Start the machine as soon as possible, as it takes some time to boot. While we wait, have a look at the report.
Threat advisory report
https://assets.tryhackme.com/additional/trooper-cti/APT_X_USBFerry.pdf
Here is a summary of the report, but I recommend you read the whole report once or twice:
We should be ready now to start answering some questions.
Questions
What kind of phishing campaign does APT X use as part of their TTPs?
This is found in one of the first lines of the report:
APT X, a threat actor group that targets government, military, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong, has been active since 2011. The group was reportedly using spear-phishing emails with weaponized attachments to exploit known vulnerabilities.
So the answer is spear-phishing, a targeted form of phishing aimed at a specific person or group, which often uses a lure known to interest the target, such as current events or financial documents.
Answer: spear-phishing emails
What is the name of the malware used by APT X?
Another easy one. Reading on, the report describes APT X’s latest activity:
We found that APT X’s latest activities center on targeting Taiwanese and the Philippine military’s physically isolated networks through a USBferry attack (the name derived from a sample found in a related research). We also observed targets among military/navy agencies, government institutions, military hospitals, and even a national bank. The group employs USBferry, a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage.
So the answer is USBferry.
Answer: USBferry
What is the malware’s STIX ID?
I have to be honest, I forgot what STIX was. But it was very briefly covered in Task 4 of the Intro to Cyber Threat Intel room, for which I also have a walkthrough: TryHackMe: Intro to Cyber Threat Intel Walkthrough (SOC Level 1)
To remind you all:
STIX (Structured Threat Information Expression) is used in Cyber Threat Intelligence (CTI) to standardize the representation, sharing, and analysis of threat data across organizations. It enables interoperability and improves the efficiency of detecting, preventing, and responding to cyber threats. STIX allows organizations to quickly share detailed, actionable threat information, like malware indicators or attack patterns, in a common format. Think of it like a common language or protocol for sharing detailed information about cyber threats. It ensures that the data—such as attack techniques, indicators, or impacted systems—can be easily understood and acted upon by different tools, teams, and organizations, regardless of the specific tools they use.
Anyway, visit the OpenCTI dashboard at http://<target ip>:8080. You will be met by a dashboard; try searching for USBferry in the top-right search field:

OpenCTI Dashboard
We get three results:

USBferry results
Any of the entries will give the answer but go ahead and select the bottom one (entity).

USBferry STIX ID
In the top left corner (the basic information panel) you will see the Standard STIX ID. Note the double hyphen between the object type (malware) and the UUID: every STIX ID has the form type--uuid.
Answer: malware--5d0ea014-1ce9-5d5c-bcc7-f625a07907d0
With the use of a USB, what technique did APT X use for initial access?
There are at least two different ways to find the answer.
On the page we just found you can see the external references section:

OpenCTI External References
This link brings us to the ATT&CK page on the USBferry software:
https://attack.mitre.org/software/S0452/
Here you can see all the techniques the software is used for. One of them is Replication Through Removable Media (T1091), which is the answer we are after.
You can read more on the technique here:
Alternatively, you can look at the Knowledge tab of the OpenCTI page on USBferry. Here we can see the ATT&CK Matrix:

OpenCTI ATT&CK Matrix
Here the correct technique is highlighted under Lateral Movement. Replication Through Removable Media (T1091) belongs to two tactics, Initial Access and Lateral Movement, so the same technique answers the initial access question.

Replication through removable media
Answer: Replication Through Removable Media
What is the identity of APT X?
This is an easy one, as we have already come across the answer. In a previous screenshot, on the USBferry malware detail page, you can see that the identity of APT X is Tropic Trooper, an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong.
Answer: Tropic Trooper
On OpenCTI, how many Attack Pattern techniques are associated with the APT?
Note: on OpenCTI a threat group such as an APT is modelled as an Intrusion Set (the STIX intrusion-set object), so that is the entity type to look for.
Search for Tropic Trooper on OpenCTI and you will get to the following page:
http://<ip>:8080/dashboard/threats/intrusion_sets/d339751b-accf-4967-95c8-9e6bcf5b7315

Tropic Trooper Intrusion Set
Now, go to the Knowledge tab and you will see the relationships the Intrusion Set (APT) has with other entities, among which are 39 Attack Patterns.

Tropic Trooper Relations Distribution
Answer: 39
What is the name of the tool linked to the APT?
Continue where we left off and click Tools in the side menu. It lists one tool: BITSAdmin.

Tropic Trooper Tools: BITSAdmin
Answer: BITSAdmin
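To make the objects behind the last few answers concrete, here is an added example (my own code, not part of the room, the report or OpenCTI) of a minimal STIX 2.1 bundle and the lookups the dashboard does for us. It validates the type--uuid shape of a STIX ID, reports the UUID version (OpenCTI generates deterministic, name-based UUIDv5 identifiers, which is why the USBferry ID has a 5 at the start of its third group), finds an entity by name or alias, and walks the "uses" relationships from the intrusion set to count what it is linked to, the same thing the Knowledge tab's distribution chart shows. The USBferry ID is the one from the room; the intrusion-set, attack-pattern, tool and relationship IDs and the whole bundle are constructed for this example.

```python
import re
import uuid
from collections import Counter

# STIX 2.1 identifiers are "<object-type>--<UUID>": the object type, two plain
# hyphens, then an RFC 4122 UUID. A single hyphen (or an en dash) is not valid.
STIX_ID_RE = re.compile(
    r"^(?P<type>[a-z0-9]+(?:-[a-z0-9]+)*)--"
    r"(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)


def parse_stix_id(stix_id):
    """Split a STIX ID into (object type, uuid.UUID); raise ValueError if malformed."""
    m = STIX_ID_RE.match(stix_id)
    if not m:
        raise ValueError(f"not a STIX 2.1 identifier: {stix_id!r}")
    return m.group("type"), uuid.UUID(m.group("uuid"))


def describe_id(stix_id):
    """Human-readable breakdown, e.g. 'malware / UUID version 5 (name-based)'."""
    kind, u = parse_stix_id(stix_id)
    flavour = {4: "random", 5: "name-based"}.get(u.version, "other")
    return f"{kind} / UUID version {u.version} ({flavour})"


# Constructed sample bundle. The malware ID is the one OpenCTI shows for USBferry
# in the room; the other IDs are made up for this example (any valid UUID works).
USBFERRY_ID = "malware--5d0ea014-1ce9-5d5c-bcc7-f625a07907d0"
TROPIC_TROOPER_ID = "intrusion-set--3f1f6f0e-8c4a-4f7a-9b2d-1a2b3c4d5e6f"
T1091_ID = "attack-pattern--7a0c2b3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d"
BITSADMIN_ID = "tool--0b1c2d3e-4f5a-4b6c-8d7e-9f0a1b2c3d4e"


def _uses(n, src, dst):
    """Build a STIX 'uses' relationship object (relationship IDs are constructed)."""
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": f"relationship--00000000-0000-4000-8000-{n:012d}",
        "relationship_type": "uses",
        "source_ref": src,
        "target_ref": dst,
    }


SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--9c8b7a6f-5e4d-4c3b-8a29-1f0e9d8c7b6a",
    "objects": [
        {"type": "malware", "spec_version": "2.1", "id": USBFERRY_ID,
         "name": "USBferry", "is_family": True},
        {"type": "intrusion-set", "spec_version": "2.1", "id": TROPIC_TROOPER_ID,
         "name": "Tropic Trooper", "aliases": ["APT X"]},
        {"type": "attack-pattern", "spec_version": "2.1", "id": T1091_ID,
         "name": "Replication Through Removable Media",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1091",
                                  "url": "https://attack.mitre.org/techniques/T1091"}]},
        {"type": "tool", "spec_version": "2.1", "id": BITSADMIN_ID, "name": "BITSAdmin"},
        _uses(1, TROPIC_TROOPER_ID, USBFERRY_ID),
        _uses(2, TROPIC_TROOPER_ID, T1091_ID),
        _uses(3, TROPIC_TROOPER_ID, BITSADMIN_ID),
        _uses(4, USBFERRY_ID, T1091_ID),
    ],
}


def index_bundle(bundle):
    """Map every object's STIX ID to the object, validating each ID on the way."""
    objs = {}
    for obj in bundle["objects"]:
        parse_stix_id(obj["id"])  # raises on a malformed ID
        objs[obj["id"]] = obj
    return objs


def find_by_name(bundle, name):
    """Case-insensitive lookup by name or alias, like the OpenCTI search box."""
    wanted = name.casefold()
    for obj in bundle["objects"]:
        names = [obj.get("name", "")] + obj.get("aliases", [])
        if wanted in (n.casefold() for n in names):
            return obj
    return None


def related(bundle, source_id, relationship_type="uses"):
    """Names of the objects source_id points at, grouped by object type."""
    objs = index_bundle(bundle)
    out = {}
    for obj in bundle["objects"]:
        if (obj["type"] == "relationship"
                and obj["relationship_type"] == relationship_type
                and obj["source_ref"] == source_id):
            target = objs[obj["target_ref"]]
            out.setdefault(target["type"], []).append(target["name"])
    return out


def relationship_distribution(bundle, source_id):
    """Count related objects per type, like the Knowledge tab's distribution chart."""
    return Counter({t: len(names) for t, names in related(bundle, source_id).items()})
```

Running relationship_distribution over a STIX 2.1 export of the Tropic Trooper entity from OpenCTI gives the same per-type counts you read off the Knowledge tab, which is a handy way to double-check an answer like the 39 above without clicking through the UI.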
Load up the Navigator. What is the sub-technique used by the APT under Valid Accounts?
Now open the ATT&CK Navigator, which runs at the same IP address as OpenCTI but on a different port.
Here we are at the familiar ATT&CK Matrix:

ATT&CK Matrix
Now, the question refers to Valid Accounts. I had trouble finding it as it was not highlighted in red. I have highlighted it with green on the above screenshot. Now, click the right-hand edge of the Valid Accounts cell (the expand control) and the sub-techniques become visible.

Valid Accounts sub-techniques
The answer is Local Accounts (T1078.003).
Answer: local accounts
Under what Tactics does the technique above fall?
This question sounds a bit tricky, but it is actually not too bad. Valid Accounts appears in four different columns (tactics) of the matrix, and we just have to list those column names. Reading the matrix left to right they are Initial Access, Persistence, Privilege Escalation and Defense Evasion; the room accepts them in the order given below.
Answer: Initial Access, Persistence, Defense Evasion and Privilege Escalation
What technique is the group known for using under the tactic Collection?
Another quick question. Find the Collection column (tactic) and find the highlighted technique.

Technique used under Collection Tactic
Answer: Automated Collection
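The Navigator reads its red highlights from a layer file, which is plain JSON. Below is an added example, my own code rather than anything from the room, OpenCTI or MITRE, that builds such a layer for the three techniques the Navigator questions asked about and answers the "under what tactics" question from a small constructed lookup table. The technique IDs and their tactic sets are those listed on attack.mitre.org; the version strings in the layer header are assumptions, and a real workflow would derive the table from the kill_chain_phases in the enterprise-attack STIX bundle rather than hand-write it.

```python
import json

# Enterprise ATT&CK tactics in the left-to-right order the matrix and Navigator draw them.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# Constructed lookup covering only the techniques this room asks about. The tactic
# sets are those listed on attack.mitre.org for each technique.
TECHNIQUES = {
    "T1091": {"name": "Replication Through Removable Media",
              "tactics": {"lateral-movement", "initial-access"}},
    "T1078": {"name": "Valid Accounts",
              "tactics": {"defense-evasion", "persistence", "privilege-escalation", "initial-access"}},
    "T1078.003": {"name": "Local Accounts",
                  "tactics": {"defense-evasion", "persistence", "privilege-escalation", "initial-access"}},
    "T1119": {"name": "Automated Collection", "tactics": {"collection"}},
}


def tactics_in_matrix_order(technique_id):
    """Tactics a technique belongs to, sorted by matrix column (left to right)."""
    return sorted(TECHNIQUES[technique_id]["tactics"], key=TACTIC_ORDER.index)


def build_layer(name, technique_ids, color="#e60d0d"):
    """Build a Navigator layer highlighting each technique in every tactic it belongs to.

    Layer entries are per (technique, tactic) cell. For a sub-technique an extra
    uncoloured entry for its parent is added with showSubtechniques set, so the
    parent cell is expanded and the highlighted sub-technique is visible on load.
    """
    entries = []
    expanded = set()
    for tid in technique_ids:
        for tactic in tactics_in_matrix_order(tid):
            entries.append({"techniqueID": tid, "tactic": tactic, "color": color,
                            "comment": TECHNIQUES[tid]["name"], "enabled": True,
                            "showSubtechniques": False})
        if "." in tid:
            parent = tid.split(".")[0]
            if parent in expanded:
                continue
            expanded.add(parent)
            for tactic in tactics_in_matrix_order(parent):
                entries.append({"techniqueID": parent, "tactic": tactic, "color": "",
                                "comment": "", "enabled": True, "showSubtechniques": True})
    return {
        "name": name,
        # Version strings are assumptions; Navigator migrates older layer formats on load.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"Techniques attributed to {name}",
        "techniques": entries,
        "selectSubtechniquesWithParent": False,
    }


def highlighted_in(layer, tactic):
    """Technique IDs that are coloured in a given tactic column of the layer."""
    return [e["techniqueID"] for e in layer["techniques"]
            if e["tactic"] == tactic and e["color"]]


def layer_json(layer):
    """Serialise for upload through Navigator's Open Existing Layer option."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer("Tropic Trooper", ["T1091", "T1078.003", "T1119"])
    print("Valid Accounts tactics:", tactics_in_matrix_order("T1078"))
    print("Collection column:", highlighted_in(layer, "collection"))
    print(layer_json(layer))
```

Because a technique that spans several tactics is drawn once per column, the layer carries one entry per (technique, tactic) pair; a single entry without a tactic key would also colour every cell, but then you could not read back which column it lit up in. Sorting by TACTIC_ORDER gives the matrix's own left-to-right order for Valid Accounts, which is not the order the room's answer field wants.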
Congratulations on completing Trooper!!!

Congratulations on completing Trooper
Congratulations on finishing this walkthrough of the amazing TryHackMe room Trooper. This is probably my favorite room so far in the SOC Level 1 Path, and I really liked getting hands-on with the ATT&CK matrix and the great OpenCTI dashboard. If you are following along on the SOC Level 1 Path, it is time to move on to the Network Security and Traffic Analysis section!
I hope you enjoyed this walkthrough. Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.
Like my articles?
You are welcome to give my article a clap or two 🙂
I would be even more grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link: