THREAT INTELLIGENCE -TryHackMe
This is a walk-through of another TryHackMe room, named Threat Intelligence. It can be found here:
This lab walks a SOC Analyst through the steps they would take to assist in breach mitigation and to identify important data from a Threat Intelligence report. Although the answers in this room mostly come from searching and reading the linked articles, it teaches a few very good concepts from a SOC analyst's point of view and for Cyber Security in general. They are:
- Red Team Tools
- Advanced Persistent Threat(APT)
- IoT (Internet of Things)
- Zero-Day Exploit
- Blue Team
Details of these terms are in the room.
Supply Chain Attack
A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain.
The focus of this lab is a recent, highly evasive attack that leveraged the SolarWinds supply chain to compromise multiple global victims with the SUNBURST backdoor. This attack was detected by a company named FireEye in Dec 2020. Ironically, in the same month FireEye was itself hacked and its own Red Team tools were stolen.
[Task 3] Analyze Threat Intelligence
It's time to answer the questions asked. Most of the answers are from this link, unless another link is specified in the answers below:
After reading the report what did FireEye name the APT?
The Executive Summary section tells us the APT name: UNC2452
FireEye released some information to help security organizations' Blue Teams detect the tools which have been leaked. In what 'multiple languages' can you find the rules? [Ans Format: *****|****|***|****** ]
From this GitHub page: Snort|Yara|IOC|ClamAV
Which dll file was used to create the backdoor?
From Summary -> SUNBURST Backdoor section: SolarWinds.Orion.Core.BusinessLayer.dll
What is the MD5 sum of this file?
From the In-Depth Malware Analysis section: b91ce2fa41029f6955bff20079468448
Authorized system administrators commonly perform tasks which ultimately led to how the malware was delivered and installed into the network. What is the file extension of the software which contains the delivery of the dll file mentioned earlier?
From the Delivery and Installation section: msp
A C2 Framework will Beacon out to the botmaster after some amount of time. This particular malware sample was purposely crafted to evade common sandboxing techniques by using a longer than normal time with a large jitter interval as well. How long does the malware stay hidden on infected machines before beginning the beacon? Min Time | Max Time | Unit of Measure for time [Flag Format: **|**|**** ]
From the Delivery and Installation section: 12|14|days
Can you find the IoCs for host-based and network-based detection of the C2? The flag is the name of the classification which the first 3 network IP address blocks belong to?
This was a tricky one.
From the Network Command and Control (C2) section, the first 3 network IP address blocks were:
These are all private address ranges. The name of the classification given as a hint was a bit confusing, but after wrapping your head around it the answer is "RFC 1918".
In the snort rules you can find a number of messages referring to Backdoor.SUNBURST and Backdoor.BEACON. Only one of these domains resolves to a fake organization posing as an online college. What is the quoted domain name in the content field for this organization?
From this GitHub link about the SUNBURST snort rules: digitalcollege.org
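Rather than eyeballing the rule file, an analyst can parse it. The example below is added here and is not from the room or from FireEye's repository: it parses rules in standard Snort syntax and lists the quoted content fields of every rule whose msg mentions Backdoor.*; the rules inside it are constructed samples, not the published signatures, and only digitalcollege.org is taken from the answer above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample rules for this example only: same Snort syntax as the
# FireEye GitHub rules the room points to, but NOT those rules themselves.
SAMPLE_RULES = """\
# SUNBURST / BEACON sample signatures (constructed)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Backdoor.SUNBURST C2 sample 1"; flow:established,to_server; content:"c2-sample-one.invalid"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Backdoor.BEACON fake college domain"; flow:established,to_server; content:"digitalcollege.org"; nocase; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Backdoor.BEACON C2 sample 2"; content:"|2f|api|2f|"; content:"c2-sample-two.invalid"; sid:9000003; rev:1;)
alert udp any any -> any 53 (msg:"Unrelated DNS rule"; content:"not-a-backdoor.invalid"; sid:9000004; rev:1;)
"""

# One rule option: a keyword, then either a double-quoted value (\" escapes
# allowed) or a bare value, terminated by ';'. Valueless keywords such as
# "nocase;" have no colon and are simply skipped.
OPTION_RE = re.compile(r'(\w+)\s*:\s*(?:"((?:[^"\\]|\\.)*)"|([^;"]*))\s*;')
HEADER_RE = re.compile(
    r'^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)'
    r'\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(line: str) -> Optional[Dict]:
    """Parse one Snort rule line into header fields plus msg, sid and contents."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # comment, blank line or syntax this parser does not handle
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport,
            "msg": None, "sid": None, "contents": []}
    for name, quoted, bare in OPTION_RE.findall(body):
        value = quoted if quoted else bare.strip()
        if name == "msg":
            rule["msg"] = value
        elif name == "sid":
            rule["sid"] = int(value)
        elif name == "content":
            rule["contents"].append(value)
    return rule

def rules_matching_msg(rules_text: str, needle: str) -> List[Dict]:
    """Return parsed rules whose msg field contains needle (e.g. 'Backdoor.')."""
    parsed = (parse_rule(ln) for ln in rules_text.splitlines())
    return [r for r in parsed if r and r["msg"] and needle in r["msg"]]

def content_domains(rules_text: str, needle: str) -> Dict[int, List[str]]:
    """Map sid -> quoted content values that look like domain names."""
    domain = re.compile(r'^[a-z0-9.-]+\.[a-z]{2,}$', re.I)
    return {r["sid"]: [c for c in r["contents"] if domain.match(c)]
            for r in rules_matching_msg(rules_text, needle)}

if __name__ == "__main__":
    for sid, domains in content_domains(SAMPLE_RULES, "Backdoor.").items():
        print(sid, domains)
```

Running it against the real rule file from the GitHub repository would print one sid per Backdoor.* rule with the domains in its content fields, which is exactly the list the question asks you to search.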
Steganography was used to obfuscate the commands and data over the network connection to the C2. If I wanted to change registry values on a remote machine which number command would the attacker use?
From Steganography -> Supported Commands section -> SetRegistryValue to write: 14
How was that payload encoded?
From the Network Command and Control (C2) section: base64
What is the name of the program which dispatches the jobs?
From the Steganography section: JobExecutionEngine
How many Mitre Attack techniques were used?
Count from the MITRE ATT&CK Techniques Observed section: 17
According to SolarWinds' response, only a certain number of machines are vulnerable to this attack. What is the number of potentially affected machines?
From this Wikipedia link -> SolarWinds section: 18,000
FireEye recommends a number of items to do immediately if you are an administrator of an affected machine. What is the name of the new recommended patch release?
From the Immediate Mitigation Recommendations section: 2020.2.1 HF 1
That's it. There are a few more interesting links for reading on this topic in the "Additional Resources" section. Please also read them, especially if you are interested in SOC work.