So Atomic Bird Goes Purple #1 is a box within the SOC L2 path, but it is quite old, I believe. Not sure about the age of the room.
Link to the room:: https://tryhackme.com/room/atomicbirdone
Difficulty:: Medium
Tags:: Atomic, AtomicRedTeam, PurpleTeam, Purple
Let’s dive right into it, shall we? :)
Task 1 — Introduction
— — — — — — — — — — — — — — — — — — — — — — —
Threat Emulation Module Recap
The bottom line of the activities found in this room is to enhance the impact of the Purple Team, Threat Emulation and Detection Engineering exercises by going beyond the defaults and basics. In this room, you will work on real-life scenarios using the outcomes you gained during the threat emulation module. You will emulate and hunt adversarial tactics and experience purple teaming exercises.
Learning Objectives
- Gain hands-on threat emulation experience.
- Familiarise yourself with artefacts created by adversary tactics and techniques.
- Experience emulation and detection to improve your overall security defences.
Room Prerequisites
- Windows Event Logs (Room)
- Sigma (Room)
- Sysmon (Room)
- Aurora EDR (Room)
- Hacking with PowerShell (Room)
- Windows Fundamentals (Module)
- Threat Emulation Module (Module)
Before proceeding to the next task, let’s start the Virtual Machine by pressing the Start Machine button at the top of this task. The machine will start in a split-screen view. In case the VM is not visible, use the blue Show Split View button at the top-right of the page.
Question:: Start the attached VM and proceed to the next task.
Answer:: No answer needed!!
Task 2 — Getting Started With Custom Exercises and Investigation Process
— — — — — — — — — — — — — — — — — — — — — — —
Threat Emulation and Custom Exercises
The importance of Threat Emulation is invaluable when it comes to enhancing an organisation’s cyber security posture or security team’s capability. Threat Emulation is the process of simulating and replicating the tactics, techniques and procedures (TTPs) of selected threats (according to the organisation/team’s needs and current status) in a controlled environment. This includes recreating attack scenarios as detailed as possible to focus on each step of the attack chain for improving detection abilities, revealing gaps and weaknesses, and testing the effectiveness of the implemented security controls.
This process can be done through various methods, including red teaming activities, penetration testing, and the use of tools. This room uses the Atomic Red Team project to simulate attacks. The room contains a customised version of atomic tests to help you grasp implementing Purple Team exercises with atomic tests and familiarise yourself with sample attack chains.
A high-level mapping of the custom tests is listed below. Each task also shares the basic techniques and storyline of the planned custom actions.
Investigation Process and Mindset
A well-configured endpoint will generate sufficient log files for threat emulation tests. Additional detection tools also increase visibility, and various options exist. This room uses Aurora EDR and Sysmon to increase the visibility of each test and enrich the logs. The purpose of the exercises is to view the results of the tests as they are and to observe the activity details and artefacts, which are crucial for detection.
You are expected to execute given custom tests and then investigate logs and system activities for each test. The most important outcome of the exercise is executing a test and following up on the actions right after it. This includes log, directory and registry investigation. You must consider everything from both Red and Blue perspectives to go Purple!
Note: Finding source code to analyse malicious files or attackers’ tactics and techniques is not always possible. Experimental testing is one of the most common methods to overcome this challenge. Therefore, some atomics are not provided in cleartext, but task descriptions and event logs provide sufficient information to understand what to expect from each test.
Question:: Read this task and proceed to the next one.
Answer:: No answer needed!!
Task 3 — Toolset and Hints
— — — — — — — — — — — — — — — — — — — — — — —
Toolset and Hints
- Windows Event Viewer
- Windows Registry Editor
- Custom Atomic Red Team Module
- “THM-Utils” Powershell module
- PowerShell
Hint: Atomic tests are based on PowerShell, so each time you execute a test or use a module, the system generates a considerable number of log entries. You can clear the log files before each test so that they do not get cluttered throughout the exercise. That way it is easier to investigate the logs and detect the test results.
# THM-Utils usage
| THM-Utils Commands                  | Result                                                                                  |
|-------------------------------------|-----------------------------------------------------------------------------------------|
| THM-LogClear-All                    | Clears all logs in the system.                                                          |
| THM-LogStats-All                    | Application, Security, System, PowerShell, PowerShell Operational and Sysmon log stats. |
| THM-LogStats-Application            | Summary of Application logs. (NO Aurora!)                                               |
| THM-LogStats-Aurora                 | Summary of Aurora agent logs.                                                           |
| THM-LogStats-Flag                   | Gives the flag for the question.                                                        |
| THM-LogStats-PowerShell             | Summary of PowerShell logs.                                                             |
| THM-LogStats-Powershell-Operational | Summary of PowerShell Operational logs.                                                 |
| THM-LogStats-Security               | Summary of Security logs.                                                               |
| THM-LogStats-Sysmon                 | Summary of Sysmon logs.                                                                 |
| THM-LogStats-System                 | Summary of System logs.                                                                 |
# Atomic Red Team usage
| Atomic Red Team Command                  | Result                                                            |
|------------------------------------------|-------------------------------------------------------------------|
| help Invoke-AtomicTest                   | Shows the default help page.                                      |
| Invoke-AtomicTest All -ShowDetailsBrief  | Lists all tests.                                                  |
| Invoke-AtomicTest T0000-1                | Executes 1st test case of the T0000-1 technique.                  |
| Invoke-AtomicTest T0000-1 -Cleanup       | Removes the artefacts and restores the modified files (if any!).  |
Note: The PowerShell profile is customised to load the required modules and to print atomic usage hints, as shown below. The THM-Utils module summarises the important log files by grouping each event log on four attributes: Sum (Count), Event ID, Task Category and Event Provider.
# Hints
Atomic Hint -> Show help: help Invoke-AtomicTest
Atomic Hint -> List all tests: Invoke-AtomicTest All -ShowDetailsBrief
Atomic Hint -> Execute test: Invoke-AtomicTest TXXX-1
Atomic Hint -> Cleanup artefacts: Invoke-AtomicTest TXXX-1 -Cleanup
PS C:\Users\Administrator> THM-LogStats-All
|#|#|#|#|#| Important Log Statistics |#|#|#|#|#|
LogName                                  RecordCount
-------                                  -----------
Application                                      286
Security                                       26564
System                                           737
Windows PowerShell                               682
Microsoft-Windows-PowerShell/Operational       23975
Microsoft-Windows-Sysmon/Operational            1922
PS C:\Users\Administrator> THM-LogStats-Application
|#|#|#|#|#| APPLICATION Log Statistics (WITHOUT AURORA!) |#|#|#|#|#|
Count Event ID Task Category    Provider
----- -------- -------------    --------
   15        0                  gupdate
    8    16394                  Microsoft-Windows-Security-SPP
    1      301 Logging/Recovery ESENT
    1      300 Logging/Recovery ESENT
    1      102 General          ESENT
...
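The note above says THM-LogStats-* groups each log on Count, Event ID, Task Category and Provider. The function below is an added example of how to build that kind of summary yourself with Get-WinEvent; it is not the THM-Utils module's own code. The -Since parameter is an addition of mine: rather than clearing the logs before every test (which also destroys earlier evidence), record the start time and summarise only events written after it.

```powershell
# Added example, not the THM-Utils module's own code: reproduce the kind of summary the
# THM-LogStats-* commands print (Count, Event ID, Task Category, Provider) with Get-WinEvent.
# -Since is an assumption of this example: instead of clearing logs before a test, remember
# the start time and only summarise events written after it, keeping earlier evidence intact.
function Get-LogSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,    # any channel name Get-WinEvent accepts
        [datetime] $Since,                            # optional: only events after this time
        [int] $MaxEvents = 5000,                      # cap so a 26k-record Security log stays quick
        [int] $Top = 15
    )

    # Record count for the channel, like the "Important Log Statistics" header table
    $info = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    Write-Host ("{0,-45} RecordCount: {1}" -f $info.LogName, $info.RecordCount)

    $filter = @{ LogName = $LogName }
    if ($PSBoundParameters.ContainsKey('Since')) { $filter['StartTime'] = $Since }

    # Group the newest events by ID, task category and provider, most frequent first.
    # TaskDisplayName is $null for some providers, so substitute '-' in the output.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Group-Object -Property Id, TaskDisplayName, ProviderName |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top -Property Count,
            @{ Name = 'EventID';      Expression = { $_.Group[0].Id } },
            @{ Name = 'TaskCategory'; Expression = { if ($_.Group[0].TaskDisplayName) { $_.Group[0].TaskDisplayName } else { '-' } } },
            @{ Name = 'Provider';     Expression = { $_.Group[0].ProviderName } }
}

# Usage on the lab VM: note the time, run a test, then summarise only what the test produced
$testStart = Get-Date
Invoke-AtomicTest T0004-1
Get-LogSummary -LogName 'Security' -Since $testStart | Format-Table -AutoSize
Get-LogSummary -LogName 'Microsoft-Windows-Sysmon/Operational' -Since $testStart | Format-Table -AutoSize
```

Grouping on TaskDisplayName rather than the raw task number is what makes the output readable; the raw Task property is what the event XML carries, and the display name is resolved from the provider's manifest when the event is read.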
Question:: Use the required PowerShell command to retrieve the flag.
What is the flag?
For this, open a PowerShell prompt on the attached box first.
Then use one of the THM-Utils module commands; THM lists the runnable commands in the task itself.
The relevant one for this question is fairly obvious, but keep reading if unsure :)
Use the command below:
PS C:\Users\Administrator> THM-LogStats-Flag
|#|#|#|#|#| THM{Emulation_is_fun_but_needs_focus_and_exploration} |#|#|#|#|#|
Answer:: THM{Emulation_is_fun_but_needs_focus_and_exploration}
Question:: What is the required command to clear all generated artefacts and restore the affected files from test T0123-4?
To answer this we need to look at the Atomic Red Team module commands a little.
Anything there that fits the job? Yeah, I knew you would spot it.
The command “Invoke-AtomicTest T0000-1 -Cleanup” looks right, but we need to tailor it to the test ID in the question.
Answer:: Invoke-AtomicTest T0123-4 -Cleanup
Task 4 — Execute, Investigate, Detect
— — — — — — — — — — — — — — — — — — — — — — —
Case: Execute, Investigate, Detect
The planned tests for this case are listed below.
# Planned tests
T0004-1 TASK-4.1 Initial Enumeration Emulation
T0004-2 TASK-4.2 Credential Prompt Emulation
T0004-3 TASK-4.3 Failed command emulation
NOTE: You can revert the system modification and file change activities by using the cleanup command of the executed technique!
Question:: Execute test T0004-1 and open the document created on the Desktop. What is the OS Build info?
The test procedure was given in Tasks 1, 2 and 3. Here we need to run the first test case of technique T0004.
For this we use the command “Invoke-AtomicTest T…” with that test ID filled in:
PS C:\Users\Administrator> Invoke-AtomicTest T0004-1
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing test: T0004-1 TASK-4.1 Initial Enumeration Emulation
C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
WARNING: The names of some imported commands from the module 'THM-Utils' include unapproved verbs that might make them
less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose
parameter. For a list of approved verbs, type Get-Verb.
WARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & -
/ \ $ ^ ; : " ' < > | ? @ ` * % + = ~
Atomic Hint -> Show help: help Invoke-AtomicTest
Atomic Hint -> List all tests: Invoke-AtomicTest All -ShowDetailsBrief
Atomic Hint -> Execute test: Invoke-AtomicTest TXXX-1
Atomic Hint -> Cleanup artefacts: Invoke-AtomicTest TXXX-1 -Cleanup
THM-Util Module Hint -> Cleanup Logs: THM-LogClear-All
Done executing test: T0004-1 TASK-4.1 Initial Enumeration Emulation
PS C:\Users\Administrator>
Once it finishes, it prints the following at the end:
Done executing test: T0004-1 TASK-4.1 Initial Enumeration Emulation
It also creates a .txt file on the Desktop.
Open that file and look at the OS Build line; it gives the answer to this question.
Answer:: 10.0.17763 N/A Build 17763
Question:: Execute test T0004-2. What is the flag?
Same as the previous question, we just tailor the command a little:
Invoke-AtomicTest T0004-2
Let’s run it, shall we? :)
NOTE: You might need to run it twice if it times out. If not, you should see the credential prompt pop up.
And it contains the flag.
Answer:: THM{THM_Emulation_Room}
Question:: Execute test T0004-3. Examine the logs; what is the failed command?
Same as before, except we add a switch at the end of the command:
Invoke-AtomicTest T0004-3 -ShowDetails
Once we run it, the test details are printed.
From them we can read off the failed command.
Answer:: <!bin/bash>
Task 5 — Universal Suspicious Share
— — — — — — — — — — — — — — — — — — — — — — —
Case: Universal Suspicious Share
The planned test for this case is listed below.
# Planned tests
T0005-1 TASK-5 Universal Suspicious Share
NOTE: You can revert the system modification and file change activities by using the cleanup command of the executed technique!
Question:: Navigate the disk and drives, and open the shared folder. What is the SHA256 value of the “.txt” document?
So open File Explorer and select the S:\ drive, where the share is mounted.
Now we know we are dealing with the text document called “Donation_call.txt”.
We can get its hash easily from PowerShell.
We just need to adapt the following PowerShell command:
Get-FileHash -Path c:\Users\YourUserName\Desktop\yourfile.exe -Algorithm SHA256
Like so:
# Script to execute within PS
Get-FileHash -Path S:\Donation_call.txt -Algorithm SHA256
# Execution and return
PS C:\Users\Administrator> Get-FileHash -Path S:\Donation_call.txt -Algorithm SHA256
Algorithm Hash Path
--------- ---- ----
SHA256 3CA9FB42ACF0A347BDFDC78E0435331BC458194E4BC7FBFFB255BC4CF02CDC1A S:\Donation_call.txt
PS C:\Users\Administrator>
Answer:: 3CA9FB42ACF0A347BDFDC78E0435331BC458194E4BC7FBFFB255BC4CF02CDC1A
Question:: Execute the test T0005-1. Re-calculate the SHA256 value of the document. What is the hash value?
This is simple again: invoke test case 1 of T0005, then reuse the previous hashing command.
Commands to execute, in order:
Invoke-AtomicTest T0005-1
Get-FileHash -Path S:\Donation_call.txt -Algorithm SHA256
The output of each command is shown below.
# Execution of Invoke-AtomicTest command
PS C:\Users\Administrator> Invoke-AtomicTest T0005-1
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing test: T0005-1 TASK-5 Universal Suspicious Share
C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
WARNING: The names of some imported commands from the module 'THM-Utils' include unapproved verbs that might make them
less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose
parameter. For a list of approved verbs, type Get-Verb.
WARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & -
/ \ $ ^ ; : " ' < > | ? @ ` * % + = ~
Atomic Hint -> Show help: help Invoke-AtomicTest
Atomic Hint -> List all tests: Invoke-AtomicTest All -ShowDetailsBrief
Atomic Hint -> Execute test: Invoke-AtomicTest TXXX-1
Atomic Hint -> Cleanup artefacts: Invoke-AtomicTest TXXX-1 -Cleanup
THM-Util Module Hint -> Cleanup Logs: THM-LogClear-All
Done executing test: T0005-1 TASK-5 Universal Suspicious Share
PS C:\Users\Administrator>
# Execution of SHA256 hash generation
PS C:\Users\Administrator> Get-FileHash -Path S:\Donation_call.txt -Algorithm SHA256
Algorithm Hash Path
--------- ---- ----
SHA256 626DBB861DCFF600DABEFCE7BF93F2C72C0F6462CC5729B963FC8242D7D43990 S:\Donation_call.txt
PS C:\Users\Administrator>
Answer:: 626DBB861DCFF600DABEFCE7BF93F2C72C0F6462CC5729B963FC8242D7D43990
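The two questions above hash one known file by hand, before and after the test. As an added example (not part of the room or the Atomic Red Team project), the functions below generalise that into a small file-integrity check: snapshot the SHA256 of every file under a path, run the test, snapshot again and report what was added, modified or removed. The share path S:\ and the baseline file name are assumptions for this lab VM.

```powershell
# Added example, not the room's own code: a before/after SHA256 baseline of a whole share,
# generalising the single Get-FileHash call used in Task 5. Paths below are assumptions.
function Get-HashBaseline {
    param([Parameter(Mandatory)] [string] $Path)
    $baseline = @{}
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        # Locked or unreadable files are skipped rather than aborting the whole snapshot
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h) { $baseline[$_.FullName] = $h.Hash }
    }
    return $baseline
}

function Compare-HashBaseline {
    param(
        [Parameter(Mandatory)] [hashtable] $Before,
        [Parameter(Mandatory)] [hashtable] $After
    )
    foreach ($file in $After.Keys) {
        if (-not $Before.ContainsKey($file)) {
            [pscustomobject]@{ Change = 'Added';    File = $file; Before = $null;          After = $After[$file] }
        } elseif ($Before[$file] -ne $After[$file]) {
            [pscustomobject]@{ Change = 'Modified'; File = $file; Before = $Before[$file]; After = $After[$file] }
        }
    }
    foreach ($file in $Before.Keys) {
        if (-not $After.ContainsKey($file)) {
            [pscustomobject]@{ Change = 'Removed';  File = $file; Before = $Before[$file]; After = $null }
        }
    }
}

# Usage on the lab VM: baseline the share, keep a copy on disk, run the test, then compare
$before = Get-HashBaseline -Path 'S:\'
$before | ConvertTo-Json | Set-Content -Path "$env:USERPROFILE\Desktop\share_baseline.json"
Invoke-AtomicTest T0005-1
$after = Get-HashBaseline -Path 'S:\'
Compare-HashBaseline -Before $before -After $after | Format-Table -AutoSize
```

For Donation_call.txt the comparison should list one Modified row whose Before and After columns are the two hashes from the answers above; anything else the test touched on the share shows up in the same table without you having to know its name in advance.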
Task 6 — Dump and Go
— — — — — — — — — — — — — — — — — — — — — — —
Case: Dump and Go
The planned tests for this case are listed below.
# Planned tests
T0006-1 TASK-6.1 History dump
T0006-2 TASK-6.2 SystemFile modification for exfiltration
NOTE: You can revert the system modification and file change activities by using the cleanup command of the executed technique!
Question:: Execute test T0006-1.
Find the malicious history dump file. What is the flag?
For clarity, let’s clear all logs first with the “THM-LogClear-All” command, then clear the Sysmon and Security logs from Event Viewer.
I won’t go into details on this one; it’s fairly straightforward.
Now execute the test by running the following:
PS C:\Users\Administrator> Invoke-AtomicTest T0006-1
Because the test changed something on the system, let’s go to the Sysmon logs first.
I went through them and unfortunately it did not result in any findings :) happens.
The other thing we can do is go over to the Security logs.
Here we need to find the log entry for the file touch or modification.
What I did was sort the logs by Task Category.
The reason is that we are looking for a file, not a process in particular, so we need the “File System” entries.
There we see Event ID 4663, which means an attempt was made to access an object.
I got curious, so let’s print the content of that file:
PS C:\Users\Administrator> type C:\Users\Administrator\AppData\SpcTmp\analytics.txt
And we have a winner :)
Don’t forget to clean up the logs before the next task.
# Clean up after yourself
- THM-LogClear-All
- Clear the Security and Sysmon logs from Event Viewer
Answer:: THM{THM_analytics_to_exfiltration_with_NexGenHunt}
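Scrolling Event Viewer for Event ID 4663 works, but the same hunt is quicker and more repeatable from PowerShell. The function below is an added example (not the room's own code) that pulls 4663 events from the Security log, unpacks the EventData fields from the event XML, and shows which process touched which object, with a flag for write access. The field names (ObjectName, ProcessName, AccessMask, SubjectUserName) are the standard 4663 fields; the -PathFilter values in the usage lines are the paths from this task and the next one.

```powershell
# Added example, not the room's own code: list Security event 4663 ("an attempt was made to
# access an object") with the file, process and access type, to find file touches after a test.
# Assumes object-access auditing is on, as it is in the lab VM.
function Get-ObjectAccessEvents {
    param(
        [string]   $PathFilter = '',                    # substring of ObjectName, e.g. 'AppData'
        [datetime] $Since      = (Get-Date).AddHours(-1),
        [int]      $MaxEvents  = 2000
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        # EventData is a list of <Data Name="..."> nodes; index them by name
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($PathFilter -and ($d['ObjectName'] -notlike "*$PathFilter*")) { return }   # skip this event
        # AccessMask is a hex string such as 0x2; bit 0x2 is WriteData/AddFile, 0x4 AppendData
        $mask = 0
        if ($d['AccessMask']) { $mask = [int]$d['AccessMask'] }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $d['SubjectUserName']
            Process    = $d['ProcessName']
            Object     = $d['ObjectName']
            AccessMask = $d['AccessMask']
            Write      = (($mask -band 0x6) -ne 0)
        }
    }
}

# Task 6.1: anything under AppData touched since the test started
Get-ObjectAccessEvents -PathFilter 'AppData' | Format-Table -AutoSize
# Task 6.2: accesses to the hosts file, which shows the writer process as well
Get-ObjectAccessEvents -PathFilter 'drivers\etc\hosts' | Format-Table -AutoSize
```

Filtering on the Write column separates the reads that every backup or indexer generates from the handful of events where something actually changed a file, which is what you want when you are hunting for the modification rather than the access.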
Question:: Execute test T0006-2.
Find the malicious system file modification activity. What is the flag?
Let’s execute the test. By now I am sure you all know the command :)
PS C:\Users\Administrator> Invoke-AtomicTest T0006-2
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing test: T0006-2 TASK-6.2 SystemFile modification for exfiltration
The process is the same as before :)
I learned from my mistake, so I went straight to the Security logs.
We need to check the same type of entries as earlier, Event ID 4663.
We can see there are only two entries related to that.
Within them we see that it is the etc\hosts file that was messed with.
Let’s print it out:
PS C:\Users\Administrator> type C:\Windows\System32\drivers\etc\hosts
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
THM.10.10.JHN THM{NextGenHunt.thm.jhn} # NextGenHunt analytics
Answer:: THM{NextGenHunt.thm.jhn}
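The hosts file above is mostly comments, and the one line that matters is easy to miss by eye. As an added example (not the room's own code), the parser below strips comments and blank lines, lists every active mapping, and flags any entry whose address does not parse as an IP, which is exactly what the THM.10.10.JHN line is. A stock Windows hosts file has no active entries at all, so anything the parser returns on a default host deserves a look. The sample content in the usage section is constructed for offline testing.

```powershell
# Added example, not the room's own code: parse a hosts file, ignore comments and blank lines,
# and list every active mapping, flagging malformed addresses. A stock Windows hosts file has
# only comments, so any active entry is worth a look.
function Get-HostsEntries {
    param([string] $Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $lineNo = 0
    foreach ($line in Get-Content -Path $Path) {
        $lineNo++
        $clean = ($line -replace '#.*$', '').Trim()   # drop trailing comment and whitespace
        if (-not $clean) { continue }                 # blank or comment-only line
        $parts   = $clean -split '\s+'
        $address = $parts[0]
        $validIp = ($address -as [ipaddress]) -ne $null
        if ($validIp) { $flag = 'active entry' } else { $flag = 'malformed address' }
        if ($parts.Count -lt 2) {
            # address with no host name: malformed, but report it rather than drop it
            [pscustomobject]@{ Line = $lineNo; Address = $address; HostName = ''; ValidIP = $validIp; Flag = 'no host name' }
            continue
        }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Line = $lineNo; Address = $address; HostName = $name; ValidIP = $validIp; Flag = $flag }
        }
    }
}

# Usage 1: the live file on the lab VM (should return just the tampered line)
Get-HostsEntries | Format-Table -AutoSize

# Usage 2: constructed sample content, so the parser can be exercised offline
$sample = @"
# 127.0.0.1       localhost
10.10.10.5        update.internal.example   # constructed: valid address, active entry
bogus.address     bad.example               # constructed: malformed address
"@
$tmp = New-TemporaryFile
Set-Content -Path $tmp.FullName -Value $sample
Get-HostsEntries -Path $tmp.FullName | Format-Table -AutoSize
Remove-Item -Path $tmp.FullName
```

On the sample, the localhost line is skipped because it is commented out, the 10.10.10.5 line is reported as an active entry, and the bogus.address line is flagged as a malformed address; pairing this with the Get-FileHash baseline from Task 5 tells you both that the file changed and what was put into it.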
Task 7 — Conclusion
— — — — — — — — — — — — — — — — — — — — — — —
Congratulations!
You just finished the Atomic Bird Goes Purple #1 room.
In this room, we covered the implementation of custom atomic tests and detection for Purple Team, Threat Emulation and Detection Engineering exercises. Are you ready for the second round? Then continue with the Atomic Bird Goes Purple #2 room for more purple madness challenges!
Question:: Proceed to Atomic Bird Goes Purple #2 room!
Answer:: No answer needed!!