We covered The Pyramid of pain concept used in incident response and threat hunting which covers the artifacts of the attacker’s tools and techniques and how easy/difficult on them to change to avoid detection by analysts. We also covered and explained what every layer in the pyramid represents as an artifact during the stage of a cyber attack. This was part of TryHackMe The Pyramid of pain.

Get COMPTIA Security+ Certificate Notes

The Complete Practical Web Application Penetration Testing Course

Challenge Description

Learn what is the Pyramid of Pain and how to utilize this model to determine the level of difficulty it will cause for an adversary to change the indicators associated with them, and their campaign.

Video Highlights

Security professionals usually use the hash values to gain insight into a specific malware sample, a malicious or a suspicious file, and as a way to uniquely identify and reference the malicious artifact.

You’ve probably read ransomware reports in the past, where security researchers would provide the hashes related to the malicious or suspicious files used at the end of the report. You can check out The DFIR Report and FireEye Threat Research Blogs if you’re interested in seeing an example.

In the Pyramid of Pain, IP addresses are indicated with the color green. You might be asking why and what you can associate the green colour with?

From a defense standpoint, knowledge of the IP addresses an adversary uses can be valuable. A common defense tactic is to block, drop, or deny inbound requests from IP addresses on your parameter or external firewall. This tactic is often not bulletproof as it’s trivial for an experienced adversary to recover simply by using a new public IP address.

One of the ways an adversary can make it challenging to successfully carry out IP blocking is by using Fast Flux.

According to Akamai, Fast Flux is a DNS technique used by botnets to hide phishing, web proxying, malware delivery, and malware communication activities behind compromised hosts acting as proxies. The purpose of using the Fast Flux network is to make the communication between malware and its command and control server (C&C) challenging to be discovered by security professionals.

Domain Names can be a little more of a pain for the attacker to change as they would most likely need to purchase the domain, register it and modify DNS records. Unfortunately for defenders, many DNS providers have loose standards and provide APIs to make it even easier for the attacker to change the domain.

Attackers usually hide the malicious domains under URL Shorteners. A URL Shortener is a tool that creates a short and unique URL that will redirect to the specific website specified during the initial step of setting up the URL Shortener link.

Host artifacts are the traces or observables that attackers leave on the system, such as registry values, suspicious process execution, attack patterns or IOCs (Indicators of Compromise), files dropped by malicious applications, or anything exclusive to the current threat.

Network Artifacts also belong to the yellow zone in the Pyramid of Pain. This means if you can detect and respond to the threat, the attacker would need more time to go back and change his tactics or modify the tools, which gives you more time to respond and detect the upcoming threats or remediate the existing ones.

A network artifact can be a user-agent string, C2 information, or URI patterns followed by the HTTP POST requests.An attacker might use a User-Agent string that hasn’t been observed in your environment before or seems out of the ordinary. The User-Agent is defined by RFC2616 as the request-header field that contains the information about the user agent originating the request.

Network artifacts can be detected in Wireshark PCAPs (file that contains the packet data of a network) by using a network protocol analyzer such as TShark or exploring IDS (Intrusion Detection System) logging from a source such as Snort.

MalwareBazaar and Malshare are good resources to provide you with access to the samples, malicious feeds, and YARA results – these all can be very helpful when it comes to threat hunting and incident response.

For detection rules, SOC Prime Threat Detection Marketplace is a great platform, where security professionals share their detection rules for different kinds of threats including the latest CVE’s that are being exploited in the wild by adversaries.

Fuzzy hashing is also a strong weapon against the attacker’s tools. Fuzzy hashing helps you to perform similarity analysis – match two files with minor differences based on the fuzzy hash values. One of the examples of fuzzy hashing is the usage of SSDeep; on the SSDeep official website, you can also find the complete explanation for fuzzy hashing.

TTPs stands for Tactics, Techniques & Procedures. This includes the whole MITRE ATT&CK Matrix, which means all the steps taken by an adversary to achieve his goal, starting from phishing attempts to persistence and data exfiltration.

If you can detect and respond to the TTPs quickly, you leave the adversaries almost no chance to fight back. For, example if you could detect a Pass-the-Hash attack using Windows Event Log Monitoring and remediate it, you would be able to find the compromised host very quickly and stop the lateral movement inside your network. At this point, the attacker would have two options:

  1. Go back, do more research and training, reconfigure their custom tools
  2. Give up and find another target

Option 2 definitely sounds less time and resource-consuming.

Room Answers

Analyse the report associated with the hash “b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d” here. What is the filename of the sample?
Read the following report to answer this question. What is the first IP address the malicious process (PID 1632) attempts to communicate with?
Read the following report to answer this question. What is the first domain name the malicious process ((PID 1632) attempts to communicate with?
Go to this report on app.any.run and provide the first suspicious URL request you are seeing, you will be using this report to answer the remaining questions of this task.

What term refers to an address used to access websites?

What type of attack uses Unicode characters in the domain name to imitate the a known domain?

Provide the redirected website for the shortened URL using a preview: https://tinyurl.com/bw7t8p4u

A security vendor has analysed the malicious sample for us. Review the report here to answer the following questions.

A process named regidle.exe makes a POST request to an IP address on port 8080. What is the IP address?

The actor drops a malicious executable (EXE). What is the name of this executable?

Look at this report by Virustotal. How many vendors determine this host to be malicious?

What browser uses the User-Agent string shown in the screenshot above?

How many POST requests are in the screenshot from the pcap file?

Provide the method used to determine similarity between the files

Provide the alternative name for fuzzy hashes without the abbreviation

Navigate to ATT&CK Matrix webpage. How many techniques fall under the Exfiltration category?

Chimera is a China-based hacking group that has been active since 2018. What is the name of the commercial, remote access tool they use for C2 beacons and data exfiltration?

Video Walkthrough

About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles