A simple room that involves investigations through each tier of the Pyramid of Pain.
SCENARIO:
This is a purple team scenario, and we’re acting on behalf of the blue team to test the security controls by seeing if they pick up the red team’s attack simulations.
SAMPLE 1: HASHES
First sample scanned with Malware Sandbox:
Result: detected a Trojan sent via Metasploit.
Looked around on this simulated detection platform and found a place to submit malicious hashes:
I submitted the MD5 hash of the first sample and we passed the first detection phase:
SAMPLE 2: IP ADDRESSES
The new malware sample is apparently just slightly changed, but this would be more than enough to result in a different hash, which likely won’t be detected in this scenario.
It still picks up the Metasploit tool, and it also detects a connection to an unusual IP.
Port 4444 is commonly associated with reverse shell connections, and the attacker is likely hosting a reverse shell listener at this address, to which the victim would connect:
Since the attacker IP is the destination here, we need to block all outgoing (egress) traffic to this IP:
SAMPLE 3: DOMAINS
This time, the red teamer is using a pool of public IPs, so we can’t use the IP detection method now:
This time, there was a suspicious executable found to have been downloaded from the internet:
By the name alone, this is designed as a persistence mechanism.
The domain from which the file was downloaded also looks highly suspicious:
Rather than blocking the IP, which is constantly changing now, we can likely just block the domain by creating a DNS rule:
Success:
SAMPLE 4: ARTIFACTS
Blocking the hash, IP, or domain won’t work here, so we have to focus on the artifacts themselves:
In the registry activity section of the analysis report, we have a record of a sample4.exe that disables Windows Defender’s real-time protection on the system:
With the Sigma Rule Builder tool, it looks like we can create a new detection rule, so I created a new Sysmon rule that detects modification of the DisableRealtimeMonitoring value under the Real-Time Protection registry key (a value of 1 means the setting is active, i.e., real-time monitoring is turned off):
The MITRE ATT&CK ID is naturally Defense Evasion, since the goal of this modification was to turn off the system’s defense perimeter.
And we managed to tick off the red teamer :)
SAMPLE 5: TOOLS
In our last stretch, it looks like we have to now focus on any abnormal behaviors of the tool itself:
Rather than the malware sample, we got an outgoing connection log this time:
Two of the lines that stand out show that huge amounts of data are being sent to different IPs, but on the same port 443 (HTTPS). A sign of exfiltration, maybe? But it’s also notable that exactly 97 bytes are included in each packet sent to the IP 51.102.10.19, and each of these packets is spaced 30 minutes apart, which may be a sign of beaconing (i.e., sending traffic to a C2 server at fixed time intervals):
That’s why it’s important to pay attention to patterns like these. It’s how we separate the normal from abnormal.
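As an added example (not part of the original room or write-up), here is a small Python script that applies the same reasoning to a connection log: group outgoing connections by destination, then flag any destination that is contacted at a near-constant interval with an identical payload size. The log lines are constructed for the example, the 51.102.10.19:443 beacon mirrors the pattern described above, and the second IP and all timestamps are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev, mean

# Constructed outgoing-connection log (not the room's real log):
# timestamp, destination IP, destination port, bytes sent
SAMPLE_LOG = """\
2023-05-01 09:00:00 51.102.10.19 443 97
2023-05-01 09:03:12 172.217.3.110 443 1450
2023-05-01 09:30:00 51.102.10.19 443 97
2023-05-01 09:41:55 172.217.3.110 443 8312
2023-05-01 10:00:00 51.102.10.19 443 97
2023-05-01 10:17:03 172.217.3.110 443 512
2023-05-01 10:30:00 51.102.10.19 443 97
"""

def parse_log(text):
    """Parse each line into (timestamp, dst_ip, dst_port, bytes)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, ip, port, size = line.split()
        rows.append((datetime.fromisoformat(f"{date} {clock}"), ip, int(port), int(size)))
    return rows

def find_beacons(rows, min_events=3, max_jitter_seconds=60):
    """Flag destinations contacted at a regular interval with a constant payload size.
    Returns {(ip, port): {"interval": seconds, "bytes": size, "count": n}}."""
    by_dst = defaultdict(list)
    for ts, ip, port, size in rows:
        by_dst[(ip, port)].append((ts, size))
    beacons = {}
    for dst, events in by_dst.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = {size for _, size in events}
        # Beaconing signature: near-constant inter-arrival time and one fixed packet size
        if pstdev(gaps) <= max_jitter_seconds and len(sizes) == 1:
            beacons[dst] = {"interval": mean(gaps), "bytes": sizes.pop(), "count": len(events)}
    return beacons

if __name__ == "__main__":
    for (ip, port), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon to {ip}:{port} every {info['interval'] / 60:.0f} min, "
              f"{info['bytes']} bytes x{info['count']}")
```

Ordinary browsing traffic to the second IP is not flagged because its intervals and sizes vary, which is exactly the "normal versus abnormal" separation the write-up is after.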
On those lines, I created a Sysmon rule for network connections. The first IP I entered was incorrect, and I got a message saying that the attacker had evolved, so I expanded my remote IP and port coverage to “Any” and also set the ATT&CK ID to reflect a C2 (Command and Control) communication:
Red teamer is super annoyed now:
And that’s the purpose: to get the attacker to give up. But it looks like we still have one more level left.
SAMPLE 6: TTPs
We need to focus on the attacker “techniques and procedures” at this point, something they have absolutely no control over and can’t change. For this last stage, the red teamer gave us the command logs from all the previous malware samples, so we need to try and understand his methodology:
Red teamer seems to be working on the Command Prompt, appending information about the system to a single file in the Temp directory called exfiltr8.log:
A quick overview of the information that’s clearly being exfiltrated:
- Directory listings of C:\, C:\Documents and Settings, C:\Program Files, and D:\
- net localgroup administrator: member listing of the Administrator group
- systeminfo, ver: system info, including the version of the OS and other details
- ipconfig /all: a listing of network adapter info, including IP and MAC addresses
- netstat -ano: a listing of active TCP connections, which includes the PID for each connection
- net start: displays a list of running services
Since we’ve determined this to be a sure sign of exfiltration, this seems to be a simple case of detecting further changes to this log file from the Temp directory, at least in this case:
And success!
A few final words from our tenacious red teamer:
That was a rather fun way of visualizing the pyramid of pain!