THREAT INTELLIGENCE - TryHackMe

This is a walk-through of another TryHackMe room, named Threat Intelligence. It can be found here:

https://tryhackme.com/room/threatintelligence

Description

This lab will try to walk a SOC analyst through the steps that they would take to assist in breach mitigation and to identify important data from a Threat Intelligence report. Although the answers in this room mostly come from searching and reading the articles, it teaches a few very good concepts from a SOC analyst's point of view and for cyber security in general. They are:

  • Red Team Tools
  • Advanced Persistent Threat (APT)
  • IoT (Internet of Things)
  • Zero-Day Exploit
  • Blue Team

Details of these terms are in the room.

Supply Chain Attack

From Wikipedia:
A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain.

The focus of this lab is a recent, highly evasive attack which leverages the SolarWinds supply chain to compromise multiple global victims with the SUNBURST backdoor. This attack was detected by a company named FireEye in Dec 2020. Ironically, in the same month FireEye was also hacked, and their own Red Team tools were stolen.

[Task 3] Analyze Threat Intelligence

It’s time to answer the questions asked. Most of the answers are from this link, unless another link is specified in the answers below:

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

After reading the report what did FireEye name the APT?

The Executive Summary section tells us the APT name: UNC2452

FireEye released some information to help security organizations Blue Team to detect the tools which have been leaked. What ‘multiple languages’ can you find the rules? [Ans Format: *****|****|***|****** ]

From this GitHub page: Snort|Yara|IOC|ClamAV

Which dll file was used to create the backdoor?

From Summary->SUNBURST Backdoor section: SolarWinds.Orion.Core.BusinessLayer.dll

What is the MD5 sum of this file?

From In-Depth Malware Analysis Section: b91ce2fa41029f6955bff20079468448
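The DLL name and MD5 above are host-based indicators, so a natural follow-up is a sweep that checks them on disk. The sketch below is an added example, not part of the room or the FireEye report; the function names and the sample files are constructed for illustration. A file that matches only by name is reported separately, because a legitimate Orion install ships a DLL with the same name and the single MD5 identifies only the one sample quoted here.

```python
import hashlib
import os
import tempfile

# IoC values quoted in the walkthrough above
SUNBURST_DLL_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"
SUNBURST_MD5 = {"b91ce2fa41029f6955bff20079468448"}


def md5_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, known_bad=SUNBURST_MD5, name=SUNBURST_DLL_NAME):
    """Return (path, md5, verdict) for every file under root carrying the DLL's name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != name.lower():  # Windows file names are case-insensitive
                continue
            path = os.path.join(dirpath, fname)
            try:
                file_md5 = md5_of(path)
            except OSError:
                findings.append((path, None, "unreadable"))  # locked or permission denied
                continue
            verdict = "MATCH" if file_md5 in known_bad else "name-only"
            findings.append((path, file_md5, verdict))
    return findings


def demo():
    """Constructed sample tree: a benign stand-in for the DLL plus an unrelated file."""
    samples = {SUNBURST_DLL_NAME.upper(): b"constructed benign placeholder",
               "notes.txt": b"unrelated"}
    with tempfile.TemporaryDirectory() as root:
        for fname, data in samples.items():
            with open(os.path.join(root, fname), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), h, v) for p, h, v in sweep(root)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```
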

Authorized system administrators commonly perform tasks which ultimately led to how the malware was delivered and installed into the network. What is the file extension of the software which contains the delivery of the dll file mentioned earlier?

From Delivery and Installation section: msp

A C2 Framework will Beacon out to the botmaster after some amount of time. This particular malware sample was purposely crafted to evade common sandboxing techniques by using a longer than normal time with a large jitter interval as well. How long does the malware stay hidden on infected machines before beginning the beacon? Min Time | Max Time | Unit of Measure for time [Flag Format: **|**|**** ]

From Delivery and Installation section: 12|14|days

Can you find the IoCs for host-based and network-based detection of the C2? The flag is the name of the classification which the first 3 network IP address blocks belong to?

This was a tricky one.

From the Network Command and Control (C2) section, the first 3 network IP address blocks were:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

These are all private address ranges. The name of the classification, as given in the hint, was a bit confusing, but after wrapping your head around it the answer was “RFC 1918”

In the snort rules you can find a number of messages referring to Backdoor.SUNBURST and Backdoor.BEACON. Only one of these domains resolves to a fake organization posing as an online college. What is the quoted domain name in the content field for this organization?

From this GitHub link about sunburst snort rules: digitalcollege.org

Steganography was used to obfuscate the commands and data over the network connection to the C2. If I wanted to change registry values on a remote machine which number command would the attacker use?

From Steganography->Supported Commands section->SetRegistryValue to write: 14

How was that payload encoded?

From Network Command and Control (C2) section: base64

What is the name of the program which dispatches the jobs?

From Steganography Section: JobExecutionEngine

How many Mitre Attack techniques were used?

Count from MITRE ATT&CK Techniques Observed section: 17

According to Solarwinds response only a certain number of machines fall vulnerable to this attack. What is the number of potentially affected machines?

From this Wikipedia link->SolarWinds section: 18,000

FireEye recommends a number of items to do immediately if you are an administrator of an affected machine. What is the name of the new recommended patch release?

From Immediate Mitigation Recommendations section: 2020.2.1 HF 1

That’s it. There are a few more interesting links on this topic in the “Additional Resources” section. Please read them too, especially if you are interested in SOC work.

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900

0xsanz
