TryHackMe Pyramid Of Pain — Task 5 Host Artifacts (Annoying) & Task 6 Network Artifacts (Annoying)

Haircutfish
8 min read · Nov 15, 2022


If you haven’t done tasks 3 & 4 yet, here is the link to my write-up: Task 3 IP Address (Easy) & Task 4 Domain Names (Simple).

Task 5 Host Artifacts (Annoying)

Let’s take another step up to the yellow zone.

On this level, the attacker will feel a little more annoyed and frustrated if you can detect the attack. The attacker would need to circle back at this detection level and change his attack tools and methodologies. This is very time-consuming for the attacker, and he will probably need to spend more resources on his adversary tools.

Host artifacts are the traces or observables that attackers leave on the system, such as registry values, suspicious process execution, attack patterns or IOCs (Indicators of Compromise), files dropped by malicious applications, or anything exclusive to the current threat.

Suspicious process execution from Word:

Suspicious events followed by opening a malicious application:

The files modified/dropped by the malicious actor:
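Two of the host artifacts named above (an Office process spawning a shell, and a binary executed from a user profile directory, where dropped files usually land) can be turned into simple detection logic. The following is an added example, not code from the TryHackMe room or from the original write-up; the events and their (parent image, image, command line) layout are constructed for illustration.

```python
"""Flag host artifacts in constructed process-creation events.
Added example, not from the TryHackMe room or the write-up; the events and
the (parent image, image, command line) layout are constructed assumptions."""
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe"}
BINARY_EXTENSIONS = {".exe", ".dll", ".scr"}

# Constructed sample events: (parent image, child image, command line).
EVENTS = [
    (r"C:\Windows\explorer.exe",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "WINWORD.EXE invoice.doc"),
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c start powershell.exe"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "sample.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

def image_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

def office_spawned_shell(event):
    """Word/Excel/... starting a shell or script host: classic macro behaviour."""
    parent, child, _ = event
    return image_name(parent) in OFFICE_PARENTS and image_name(child) in SHELL_CHILDREN

def binary_run_from_user_profile(event):
    """An executable launched from under C:\\Users, where dropped files usually land."""
    _, child, _ = event
    child = child.lower()
    return child.startswith("c:\\users\\") and ntpath.splitext(child)[1] in BINARY_EXTENSIONS

def find_host_artifacts(events):
    """Return (rule name, event) pairs for every event that matches a rule."""
    findings = []
    for event in events:
        if office_spawned_shell(event):
            findings.append(("office-spawned-shell", event))
        if binary_run_from_user_profile(event):
            findings.append(("binary-run-from-user-profile", event))
    return findings
```

Both rules key on the process relationship or the path, not on a file name or hash, which is what makes them sit higher in the pyramid than an IP or domain match.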

Answer the questions below

What is the suspicious IP the victim machine tried to connect to in the screenshot above?

The answer can be found in the screenshot of the suspicious events followed by opening a malicious application. In the screenshot, you will see two IP addresses, each followed by a port number. The IP address starting with 192 is the end user’s system; the other IP address is the malicious IP address and the answer to this question. Type the answer into the TryHackMe answer field, then click submit.

Use the tools introduced in task 2 and provide the name of the malware associated with the IP address

You can either go back to task two, then click on one of the two links given to you, VirusTotal or MetaDefender Cloud. Since MetaDefender Cloud gave a little more info on the name of the ransomware in Task 2, we should start with that (but I provided the links to both in the previous sentence). Go back to the previous TryHackMe answer field, highlight the IP address, then use the keyboard shortcut ctrl + c to copy it.

Now that you have the IP address copied, use one of the links above to go to MetaDefender Cloud. When the page loads, click on the input field in the middle of the screen, then use the keyboard shortcut ctrl + v to paste the IP address into the input field.

Now click the blue Process button at the right of the input field.

This time, as we can see, no dice!! It is not detecting anything. This is why we check more than one of these repositories.

Click on the VirusTotal link above to be taken to the VirusTotal site. Once you are there, click on the Search button to the right of the middle of the screen.

When the page loads you will see an input field, click on it, then paste the IP address into it again, then press enter to search it through VirusTotal.

So on VirusTotal we can see that the IP looks clean, but at the top we see that 10+ detected files are communicating with this IP address. That is interesting, so let us click on RELATIONS to see what it could be related to.

Scroll down till you see Communicating Files and look in the Name column. You should see the name of a famous piece of malware; this is the answer. Copy the answer and paste it in the TryHackMe answer field, then click submit.

Answer: emotet

Using your OSINT skills, what is the name of the malicious document associated with the dropped binary?

Since the answers can be found above, I won’t be posting them. You can follow along to learn and discover where they are located.

When the question talks about a dropped binary, it means what the threat actor put on the victim’s device; for this question, specifically, an executable. Knowing this, we can look at the screenshots above to find the answer. Use the first screenshot and compare it to the second screenshot. You will see a file on both, and you will see it several more times on the first screenshot. Type the answer into the TryHackMe answer field, then click submit.

Use your OSINT skills and provide the name of the malicious document associated with the dropped binary

When the question talks about a dropped binary, it means what the threat actor put on the victim’s device; for this question, specifically, a document file. Both of these questions next to each other are very confusing and took me way longer than I care to admit to figure out. I even had to phone a friend to point me in the right direction. So, knowing we need to look for a doc file and knowing that it isn’t in the screenshots above, time to go to our second-best friend, Google. A piece of info we have from above is the file path, so let us search that: Users\admin\Jehhzda\Ben14fr\ . You will get many results, but the one we are looking for is the any.run instance. Make sure it is the one from at least Feb 9, 2022. Click on the link.

You will be greeted with a lot of info, but you want to scroll down the page until you come to File Activity.

Once you reach it you will notice a couple of things. The biggest thing is one document file, which is what we are looking for. Once you find the file name you can highlight it, copy it with the keyboard shortcut ctrl + c, then paste it (click the answer field, use shortcut ctrl + v) into the TryHackMe answer field, and click submit.

Answer: CMO-100120 CDW-102220.doc

Task 6 Network Artifacts (Annoying)

Network Artifacts also belong to the yellow zone in the Pyramid of Pain. This means if you can detect and respond to the threat, the attacker would need more time to go back and change his tactics or modify the tools, which gives you more time to respond and detect the upcoming threats or remediate the existing ones.

A network artifact can be a user-agent string, C2 information, or URI patterns followed by the HTTP POST requests. An attacker might use a User-Agent string that hasn’t been observed in your environment before or seems out of the ordinary. The User-Agent is defined by RFC 2616 as the request-header field that contains the information about the user agent originating the request.

Network artifacts can be detected in Wireshark PCAPs (files that contain the packet data of a network) by using a network protocol analyzer such as TShark, or by exploring IDS (Intrusion Detection System) logging from a source such as Snort.

HTTP POST requests containing suspicious strings:

Let’s use TShark to filter out the User-Agent strings by using the following command: tshark -Y http.request -T fields -e http.host -e http.user_agent -r analysis_file.pcap

These are the most common User-Agent strings found for the Emotet Downloader Trojan.

If you can detect the custom User-Agent strings that the attacker is using, you might be able to block them, creating more obstacles and making their attempt to compromise the network more annoying.
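The detection idea in the last few paragraphs, comparing the User-Agent strings in a capture against what your environment normally shows, can be scripted over the field output of the TShark command above. This is an added example, not code from the TryHackMe room or the original write-up; it assumes the command was extended with -e http.request.method and -e http.request.uri (both real TShark field names), and every line of sample output, host and URI is constructed.

```python
"""Triage tshark field output for unfamiliar User-Agent strings.
Added example, not from the TryHackMe room or the write-up. Input mimics
`tshark -Y http.request -T fields -e http.request.method -e http.host
-e http.request.uri -e http.user_agent -r file.pcap`; all lines are constructed."""
from collections import Counter

UA_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36")
# The User-Agent string quoted in the write-up above.
UA_MSIE = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; "
           ".NET CLR 2.0.5727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
           "Media Center PC 6.0; .NET4.0C; .NET4.0E)")

# Constructed tshark output: method, host, URI, user agent, tab-separated.
TSHARK_OUTPUT = "\n".join([
    "\t".join(["GET", "intranet.example.test", "/", UA_CHROME]),
    "\t".join(["POST", "203.0.113.10", "/wp-content/abc123/", UA_MSIE]),
    "\t".join(["GET", "intranet.example.test", "/news", UA_CHROME]),
    "\t".join(["POST", "203.0.113.10", "/wp-content/def456/", UA_MSIE]),
])
# User-Agent strings already seen in this (constructed) environment's baseline.
BASELINE_UAS = {UA_CHROME}

def parse_tshark_fields(text):
    """One dict per request line; lines without exactly four fields are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 4:
            rows.append(dict(zip(("method", "host", "uri", "ua"), parts)))
    return rows

def browser_family(ua):
    """Coarse browser identification from UA tokens, no external parser needed."""
    if "MSIE" in ua or "Trident/" in ua:
        return "Internet Explorer"
    if "Chrome/" in ua and "Edg/" not in ua:
        return "Chrome"
    if "Firefox/" in ua:
        return "Firefox"
    return "unknown"

def unfamiliar_user_agents(rows, baseline):
    """Count requests whose User-Agent is not in the baseline, keyed by (UA, method)."""
    counts = Counter()
    for row in rows:
        if row["ua"] not in baseline:
            counts[(row["ua"], row["method"])] += 1
    return counts
```

One caveat when reading the result: Trident/7.0 is the Internet Explorer 11 engine, so an "MSIE 7.0" token next to it is compatibility-mode reporting rather than a genuine IE7, which is part of why this string looks out of place on a modern estate.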

Answer the questions below

What browser uses the User-Agent string shown in the screenshot above?

Look at the TShark output from the screenshot above; it will show us the User-Agent string. I did you a favor and typed it out for you already: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.5727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Now we have to decode this; to do so, there are websites that can do it. One of these websites is called WhatIsMyBrowser (link provided). Use the link provided to go to the WhatIsMyBrowser site; once it loads you will see a blue box in the middle of the website.

Now either copy (ctrl + c) the User-Agent string and paste (ctrl + v) it into the Parse a User agent field, or type it out in the Parse a User agent field. Then click the dark blue Parse this user agent button.

After the page loads, the answer will be shown in the bottom blue box. Now highlight the answer, copy it with the keyboard shortcut ctrl + c, then paste it (click the answer field, use shortcut ctrl + v) into the TryHackMe answer field, and click submit.

How many POST requests are in the screenshot from the pcap file?

Since the answers can be found above, I won’t be posting them. You can follow along to learn and discover where they are located.

This answer is as simple as counting the number of times POST appears in the screenshot. Count them and put the number in the TryHackMe answer field, then click submit.

You have finished up this task; you can now move on to Task 7 Tools (Challenging) & Task 8 TTPs (Tough).
