Jasper Alblas
TryHackMe: Unified Kill Chain Walkthrough (SOC Level 1)
Welcome to this walkthrough of the Unified Kill Chain room on TryHackMe. The Unified Kill Chain framework is a framework which establishes the phases of an attack, and a means of identifying and mitigating risk to IT assets.
This room is part of the SOC Level 1 Path.
I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Room URL: https://tryhackme.com/r/room/unifiedkillchain
Table of Contents
Wait…what about the Cyber Kill Chain?
You are right that the Unified Kill Chain sounds very similar to the Cyber Kill Chain, which I covered in a previous article:
https://medium.com/@JAlblas/tryhackme-cyber-kill-chain-walkthrough-soc-level-1-d34199c8e048
The difference between the two is quite subtle. The Cyber Kill Chain is best for organizations starting with threat modeling or needing a simple, high-level framework for analyzing traditional cyberattacks.
The Unified Kill Chain on the other hand is more suitable for mature cybersecurity operations that need a detailed, comprehensive approach to analyze and defend against complex, modern attacks.
Now, let’s move on!
Task 1: Introduction
This task introduces the room. In this room, we will be introduced to the UKC (Unified Kill Chain) framework that is used to help understand how cyber attacks occur. We will learn about the different phases of the UKC, and how the UKC is used to complement other frameworks such as MITRE.
Questions
Let’s proceed with the room!
Answer: No answer needed
Task 2: What is a “Kill Chain”
In cybersecurity, a “Kill Chain” represents the methodology or series of steps attackers, such as hackers or Advanced Persistent Threats (APTs), use to approach and compromise a target system. It outlines the sequential stages of an attack, helping defenders to better understand the tactics and techniques employed by adversaries. The term originates from the military.
For instance, an attacker might:
- Scan a target system to identify vulnerabilities.
- Exploit a web vulnerability to gain unauthorized access.
- Escalate privileges to obtain administrative control.
These stages form a Kill Chain, providing a structured view of an attacker’s actions. Understanding this process is crucial for developing effective defensive strategies. By analyzing an attacker’s Kill Chain, organizations can:
- Implement preemptive protections to address vulnerabilities before they are exploited.
- Identify and disrupt an attack during its execution, preventing further damage.
This systematic approach allows defenders to anticipate, detect, and respond to attacks at each phase of the Kill Chain. We’ll explore these stages in greater detail later, providing insights into how to counteract adversaries at each step.
Questions
Where does the term “Kill Chain” originate from? For this answer, you must fill in the blank!: The ********
The term originates from the military.
Answer: military
Task 4: Introducing the Unified Kill Chain
The Unified Kill Chain, published in 2017, aims to complementother cybersecurity kill chain frameworks, such as Lockheed Martin’s and MITRE’s ATT&CK.
Some large benefits of the UKC over traditional cybersecurity kill chain frameworks include the fact that it is modern and extremely detailed.
The UKC states that there are 18 phases to an attack: Everything from reconnaissance to data exfiltration and understanding an attacker’s motive.
1. Reconnaissance: Researching, identifying, and selecting targets using active or passive reconnaissance.
2. Weaponization: Preparing tools, exploits, or malware for the attack.
3. Delivery: Delivering the weapon (e.g., phishing email, USB drop, malicious link, etc.) to the target.
4. Social Engineering: Techniques aimed at the manipulation of people to perform unsafe actions.
5. Exploitation: Exploiting a vulnerability in the target system to gain an initial foothold.
6. Persistence: Any access, action, or change to a system that gives an attacker persistent presence on the system.
7. Defense Evasion: Techniques an attacker may specifically use for evading detection or avoiding other defenses.
8. Command & Control: Techniques that allow attackers to communicate with controlled systems within a target network.
9. Pivoting: Tunneling traffic through a controlled system to other systems that are not directly accessible.
10. Discovery: Mapping the target environment to understand its architecture and find further attack opportunities.
11. Privilege Escalation: The result of techniques that provide an attacker with higher permissions on a system or network.
12. Execution: Techniques that result in execution of attacker-controlled code on a local or remote system.
13. Credential Access: Techniques resulting in the access of, or control over, system, service, or domain credentials.
14. Lateral Movement: Techniques that enable an adversary to horizontally access and control other remote systems.
15. Collection: Techniques used to identify and gather data from a target network prior to exfiltration.
16. Exfiltration: Techniques that result or aid in an attacker removing data from a target network.
17. Impact: Techniques aimed at manipulating, interrupting, or destroying the target system or data.
18. Objectives: Socio-technical objectives of an attack that are intended to achieve a strategic goal.
To summarize, the UKC is more detailed, modern, realistic, and covers a more complete attack, compared to some of the other frameworks out there.
Questions
In what year was the Unified Kill Chain framework released?
2017. Not much to explain 🙂
Answer: 2017
According to the Unified Kill Chain, how many phases are there to an attack?
As discussed before, there are 18 phases in the UKC.
Answer: 18
What is the name of the attack phase where an attacker employs techniques to evade detection?
The phase names are pretty descriptive. The phase referred to is called the “Defense Evasion” phase.
Answer: Defense Evasion
What is the name of the attack phase where an attacker employs techniques to remove data from a network?
The exfiltration phase covers techniques that result or aid in an attacker removing data from a target network.
Answer: Exfiltration
What is the name of the attack phase where an attacker achieves their objectives?
The name is literally in the question: “objectives”.
Answer: Watering hole attack
Task 5: Phase: In (Initial Foothold)
TryHackMe has decided to group the different UKC phases into three parts, and here we will cover the “In” phase, which focuses on getting into a system. This covers the following UKC phases:
Reconnaissance (MITRE TA0043)
- Goal: Information gathering about the target.
Weaponization (MITRE TA0001)
- Goal: Prepare the infrastructure and tools needed for the attack.
Social Engineering (MITRE TA0001)
- Goal: Manipulate individuals to assist the attacker, either knowingly or unknowingly.
Exploitation (MITRE TA0002)
- Goal: Leverage vulnerabilities to execute malicious code or gain unauthorized access.
Persistence (MITRE TA0003)
- Goal: Ensure ongoing access to the compromised system.
Defense Evasion (MITRE TA0005)
- Goal: Avoid detection by defensive measures.
Command & Control (MITRE TA0011)
- Goal: Establish a communication channel between the attacker and the compromised system.
Pivoting (MITRE TA0008)
- Goal: Move laterally within the network to access otherwise unreachable systems.
Questions
What is an example of a tactic to gain a foothold using emails?
An example of this tactic would be sending out emails with malicious links, in other words phishing attacks. Read more here:
https://attack.mitre.org/tactics/TA0001
Answer: Phishing
Impersonating an employee to request a password reset is a form of what?
Impersonating a employee is called social engineering.
Answer: Social Engineering
An adversary setting up the Command & Control server infrastructure is what phase of the Unified Kill Chain?
You might think that it is part of the C&C phase, but it is actually in the Weaponization phase that we setup the tools to perform a C&C attack.
Answer: Weaponization
Exploiting a vulnerability present on a system is what phase of the Unified Kill Chain?
This one is easier. Exploiting a vulnerability happens in the exploitation phase.
Answer: Exploitation
Moving from one system to another is an example of?
Pivoting is the technique an adversary uses to reach other systems within a network that are not otherwise accessible
Answer: Pivoting
Leaving behind a malicious service that allows the adversary to log back into the target is what?
Persistance is the phase of the UKC which describes the techniques an adversary uses to maintain access to a system they have gained an initial foothold on. This includes add a backdoor to log back into the target.
Answer: Persistance
Task 6: Phase: Through (Network Propagation)
Now that the attacker has access, he would seek to gain additional access and privileges to systems and data to fulfil their goals. The attacker would set up a base on one of the systems to act as their pivot point and use it to gather information about the internal network. The “Through” phase defined by THM covers the following UKC phases:
Pivoting (MITRE Tactic TA0008)
- Goal: Use a compromised system as a springboard to interact with other parts of the network.
Discovery (MITRE Tactic TA0007)
- Goal: Gather intelligence about the compromised system and its surrounding environment.
Privilege Escalation (MITRE Tactic TA0004)
- Goal: Gain higher-level permissions to access sensitive resources or execute privileged commands.
Execution (MITRE Tactic TA0002)
- Goal: Deploy and execute malicious payloads to maintain control and perform actions on objectives.
Credential Access (MITRE Tactic TA0006)
- Goal: Obtain legitimate account credentials to blend in with normal activity and evade detection.
Lateral Movement (MITRE Tactic TA0008)
- Goal: Move through the network to access additional systems and achieve the ultimate objective.
Questions
As a SOC analyst, you pick up numerous alerts pointing to failed login attempts from an administrator account. What stage of the kill chain would an attacker be seeking to achieve?
An attacker trying to get access to the administrator account sounds like someone trying to escalate his privileges.
Answer: Privilege Escalation
Mimikatz, a known attack tool, was detected running on the IT Manager’s computer. What is the mission of the tool?
Mimikatz is a program for extracting passwords, hashes, PINs, and Kerberos tickets from Windows memory. In other words: credential dumping.
Answer: Credential Dumping
Task 7: Phase: Out (Action on Objectives)
In the concluding phases of an adversary’s attack, their actions focus on achieving specific objectives, often compromising the Confidentiality, Integrity, and Availability (CIA) triad. This THM phase covers the following UKC phases:
Collection (MITRE Tactic TA0009)
- Goal: Gather valuable data from compromised systems or networks.
Exfiltration (MITRE Tactic TA0010)
- Goal: Steal data from the victim’s environment while avoiding detection.
Impact (MITRE Tactic TA0040)
- Goal: Disrupt the victim’s operations by compromising data integrity and availability.
Questions
While monitoring the network as a SOC analyst, you realise that there is a spike in the network activity, and all the traffic is outbound to an unknown IP address. What stage could describe this activity?
This sounds like someone trying to exfiltrate date. This is part of the exfiltration phase.
Answer: Exfiltration
Personally identifiable information (PII) has been released to the public by an adversary, and your organisation is facing scrutiny for the breach. What part of the CIA triad would be affected by this action?
The release of Personally Identifiable Information (PII) to the public affects the Confidentiality aspect of the CIA triad. This pillar is focused on protecting sensitive information from unauthorized access or disclosure. When PII is exposed, the confidentiality of that data is compromised, as it is no longer accessible only to authorized individuals or systems.
Answer: Confidentiality
Task 8: Practical
Deploy the static site attached to the task. You will need to match the various actions of an attacker to the correct phase of the Unified Kill Chain framework to reveal the flag.
Questions
The Attacker uses tools to gather information about a system. What phase of the Unified Kill Chain is this?
Answer: Reconnaissance
The Attacker installs a malicious script to allow them remote access at a later date. What phase of the Unified Kill Chain is this?
Answer: Persistance
The hacked machine is being controlled from an Attacker’s own server. What phase of the Unified Kill Chain is this?
Answer: Command and Control
The Attacker uses the hacked machine to access other servers on the same network. What phase of the Unified Kill Chain is this?
Answer: Pivoting
The Attacker steals a database and sells this to a 3rd party. What phase of the Unified Kill Chain is this?
Answer: Action and Objectives
Match the scenario prompt to the correct phase of the Unified Kill Chain to reveal the flag at the end. What is the flag?
Answer: THM{UKC_SCENARIO}
Task 9: Conclusion
Great job on making it through the Unified Kill Chain room. Hopefully, you learned a lot about the importance of Kill Chain frameworks play in identifying threats, and how to mitigate future attacks by understanding the various steps an attacker goes through.
As mentioned before, the UKC is a modern extension of other frameworks, such as Lockheed Martin’s “Cyber Kill Chain” framework.
Questions
Complete this task to finish the room!
Answer: No answer needed
Congratulations on completing Unified Kill Chain!!!
We are done!
This was another great room in which we learned about the methodology of another Kill Chain framework. Great job on following along. Happy hacking!
Find more of my walkthroughs here.
Like my articles?
You are welcome to comment this article, and please share with friends!
I would be even more grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:
