We covered a practical case study on the tactics, techniques and procedures (TTPs) used by the advanced persistent threat group APT28. As a SOC analyst, you are expected to research and hunt for the TTPs of advanced persistent threat groups so that you can spot an ongoing attack, or prevent one from reaching your organization. This was part of the TryHackMe room Eviction.

CHALLENGE DESCRIPTION
Unearth the monster from under your bed.

MITRE ATT&CK Framework

It's important to learn how to leverage this framework to understand the tactics, techniques, and procedures (TTPs) employed by threat actors like APT28. I should also stress the importance of using the MITRE ATT&CK Navigator for identifying these TTPs.

Please visit this link to check out the MITRE ATT&CK Navigator layer for the APT group and answer the questions below.
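The Navigator layer the room links to is a JSON export in which each entry pairs a technique ID with the tactic it was highlighted under. The following Python script is an added example, not code from the TryHackMe room or from MITRE's Navigator tooling: it parses a layer in that export format, groups the highlighted techniques by tactic in kill-chain order, reports tactics the layer says nothing about, and compares the highlighted techniques against a list of technique IDs the SOC already has detections for so the hunter knows where to look first. The embedded layer and the detection list are constructed for illustration and are not the room's APT28 layer.

```python
"""Parse an ATT&CK Navigator layer and summarize the TTPs it highlights.

Added example, not part of the TryHackMe room or of MITRE's Navigator
tooling. The layer JSON below is constructed for illustration; it is not
the room's APT28 layer.
"""
import json
from collections import defaultdict

# Enterprise tactics in kill-chain order, using the slugs Navigator emits,
# so gaps are presented the way a hunter walks an intrusion.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion",
    "credential-access", "discovery", "lateral-movement", "collection",
    "command-and-control", "exfiltration", "impact",
]

# Constructed sample layer in Navigator's export format (not APT28's layer).
SAMPLE_LAYER = json.dumps({
    "name": "sample-apt-layer (constructed)",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1598", "tactic": "reconnaissance", "score": 1, "enabled": True},
        {"techniqueID": "T1566", "tactic": "initial-access", "score": 1, "enabled": True},
        {"techniqueID": "T1078", "tactic": "initial-access", "score": 1, "enabled": True},
        {"techniqueID": "T1078", "tactic": "persistence", "score": 1, "enabled": True},
        {"techniqueID": "T1059.001", "tactic": "execution", "score": 1, "enabled": True},
        {"techniqueID": "T1021", "tactic": "lateral-movement", "score": 1, "enabled": True},
        # Real exports also carry disabled or zero-score entries; those are not highlighted.
        {"techniqueID": "T1486", "tactic": "impact", "score": 0, "enabled": False},
    ],
})


def load_layer(text):
    """Parse a layer export and refuse anything that is not an enterprise layer."""
    layer = json.loads(text)
    if layer.get("domain") != "enterprise-attack":
        raise ValueError("expected an enterprise-attack layer")
    return layer


def highlighted(layer):
    """Yield (tactic, technique_id) for entries the layer actually flags."""
    for entry in layer.get("techniques", []):
        if not entry.get("enabled", True):
            continue
        if entry.get("score", 0) <= 0:
            continue
        yield entry["tactic"], entry["techniqueID"]


def techniques_by_tactic(layer):
    """Group highlighted technique IDs by tactic, sorted and deduplicated."""
    grouped = defaultdict(set)
    for tactic, tid in highlighted(layer):
        grouped[tactic].add(tid)
    return {tactic: sorted(ids) for tactic, ids in grouped.items()}


def tactics_without_coverage(layer):
    """Tactics, in kill-chain order, for which the layer highlights nothing."""
    seen = techniques_by_tactic(layer)
    return [tactic for tactic in TACTIC_ORDER if tactic not in seen]


def hunt_gaps(layer, detections):
    """Highlighted techniques with no matching detection.

    `detections` is a set of technique IDs the organization already
    monitors; a sub-technique counts as covered if its parent is monitored.
    """
    gaps = set()
    for _tactic, tid in highlighted(layer):
        parent = tid.split(".")[0]
        if tid not in detections and parent not in detections:
            gaps.add(tid)
    return sorted(gaps)


if __name__ == "__main__":
    layer = load_layer(SAMPLE_LAYER)
    grouped = techniques_by_tactic(layer)
    for tactic in TACTIC_ORDER:
        if tactic in grouped:
            print(f"{tactic:22} {', '.join(grouped[tactic])}")
    print("tactics with nothing highlighted:", tactics_without_coverage(layer))
    # Constructed list of technique IDs the SOC already has detections for.
    print("hunt here first:", hunt_gaps(layer, {"T1566", "T1059"}))
```

To use it against the room's real layer, download the JSON from the Navigator link and pass its contents to `load_layer` in place of `SAMPLE_LAYER`; the output then tells you which tactics the group's layer covers and which highlighted techniques your detection set does not yet address.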

Advanced Persistent Threat (APT)

An APT is a sophisticated, often hard-to-detect attack that persists within a network once it has been infiltrated.

Threat Hunting

Threat Hunting involves actively searching for potential threats within a network, even in the absence of specific alerts, based on intelligence.

Living off the Land

This refers to attackers’ technique of utilizing legitimate, built-in system binaries to execute malicious actions, thereby evading detection.

Lateral Movement

Describes the attacker’s ability to navigate and move between different machines within an organization’s network after initial access.

Actions on Objective

This represents the final stage of an attack where adversaries achieve their ultimate goals, such as data exfiltration or system disruption.

TryHackMe Eviction Room Answers

What is a technique used by the APT to both perform recon and gain initial access?

Sunny identified that the APT might have moved forward from the recon phase. Which accounts might the APT compromise while developing resources?

E-corp has found that the APT might have gained initial access using social engineering to make the user execute code for the threat actor. Sunny wants to identify if the APT was also successful in execution. What two techniques of user execution should Sunny look out for? (Answer format: <technique 1> and <technique 2>)

If the above technique was successful, which scripting interpreters should Sunny search for to identify successful execution? (Answer format: <technique 1> and <technique 2>)

While looking at the scripting interpreters identified in Q4, Sunny found some obfuscated scripts that changed the registry. Assuming these changes are for maintaining persistence, which registry keys should Sunny observe to track these changes?

Sunny identified that the APT executes system binaries to evade defences. Which system binary’s execution should Sunny scrutinize for proxy execution?

Sunny identified tcpdump on one of the compromised hosts. Assuming this was placed there by the threat actor, which technique might the APT be using here for discovery?

It looks like the APT achieved lateral movement by exploiting remote services. Which remote services should Sunny observe to identify APT activity traces?

It looked like the primary goal of the APT was to steal intellectual property from E-corp’s information repositories. Which information repository can be the likely target of the APT?

Although the APT had collected the data, it could not connect to the C2 for data exfiltration. To thwart any attempts to do that, what types of proxy might the APT use? (Answer format: <technique 1> and <technique 2>)

Congratulations! You have helped Sunny successfully thwart the APT’s nefarious designs by stopping it from achieving its goal of stealing the IP of E-corp.

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
