Pyramid of Pain

Use this model to determine how difficult it is for an adversary to change the indicators associated with them and their campaign.

This concept is being applied to cyber solutions to improve the effectiveness of Cyber Threat Intelligence (CTI), threat hunting, and incident response exercises.

Hash Values (Trivial)

A hashing algorithm generates a fixed-length numeric value, known as a hash value, that uniquely identifies data. Some examples are MD5, SHA-1, and SHA-2. MD5 is a widely used cryptographic hash function that produces a 128-bit hash value, but it is NOT considered cryptographically secure, as a number of attacks exist against MD5.

SHA-1 takes an input and produces a 160-bit hash value, written as a 40-digit hexadecimal string. It is susceptible to brute-force attacks, and the use of SHA-2 or SHA-3 is encouraged instead.

SHA-2 is used in place of SHA-1 and has many variants, such as SHA-256. The SHA-256 algorithm returns a hash value of 256 bits as a 64-digit hexadecimal number.

If two different files can be found that produce the same hash value, the hash is not considered to be cryptographically secure.

Hash values are used to uniquely identify and reference a malicious artifact. Some online tools commonly used for hash lookups are VirusTotal & Metadefender Cloud - OPSWAT.

Threat hunting with file hashes as Indicators of Compromise (IOCs) can become difficult, as attackers will often modify a file to produce a different hash.

Provide the ransomware name for the hash '63625702e63e333f235b5025078cea1545f29b1ad42b1e46031911321779b6be' using open-source lookup tools:

Using VirusTotal, the hash is determined to be the Conti ransomware.

IP Address (Easy)

An IP address is used to identify any node/device connected to a network in order to send and receive information. A common defense tactic is to block, drop, or deny requests from IPs on a perimeter or external firewall, although it is not trivial.

An adversary can recover by using a new public IP, commonly done using Fast Flux (FF). FF cycles through multiple bots and DNS records for a malicious domain name (often a typosquat to fool users into visiting it as a known/trusted domain). Having numerous, constantly changing IP addresses associated with a domain name makes it difficult to block and track.

What is the ASN for the third IP address observed?

Host Europe GmbH

What is the domain name associated with the first IP address observed?

craftingalegacy.com

Domain Names (Simple)

Domain names are used to map an IP address to a string of text. This makes it easy for people to interact with a web server by requesting info for bank.com instead of 62.246.156.24.

Domain names are not as easy to change as IP addresses, as they entail purchase, registration, and DNS record modification per domain and top-level domain. While a subdomain does not need to be purchased, it does require DNS record propagation, which also takes time. One way around this for attackers is to use APIs to change the domain.

Similarly, a punycode attack can be used. Punycode converts words that cannot be written in ASCII into an ASCII encoding of their Unicode characters.

To detect malicious domains, proxy logs or web server logs can be used.

Attackers hide malicious domains under URL shorteners such as the following:

  • bit.ly

  • goo.gl

  • ow.ly

  • s.id

  • smarturl.it

  • tiny.pl

  • tinyurl.com

  • x.co
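
As an added example (not part of the original notes), the Python sketch below scans proxy log lines for Punycode (xn--) hostnames and for the shortener hosts listed above. The log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# URL shortener hosts listed on this page
SHORTENERS = {"bit.ly", "goo.gl", "ow.ly", "s.id", "smarturl.it",
              "tiny.pl", "tinyurl.com", "x.co"}

def decode_label(label):
    """Return the Unicode form of one DNS label (xn-- labels are Punycode)."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed Punycode: keep the raw label
    return label

def classify_url(url):
    """Return (host, decoded_host, reasons) for one requested URL."""
    host = urlsplit(url).hostname or ""   # hostname is already lower-cased
    decoded = ".".join(decode_label(part) for part in host.split("."))
    reasons = []
    if decoded != host:
        reasons.append("punycode")        # non-ASCII name hidden behind xn--
    if host in SHORTENERS:
        reasons.append("shortener")       # real destination is not visible
    return host, decoded, reasons

def scan_proxy_log(lines):
    """Return findings from 'timestamp client method url status' lines."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue                      # skip lines that do not fit the layout
        host, decoded, reasons = classify_url(fields[3])
        if reasons:
            findings.append({"client": fields[1], "host": host,
                             "decoded": decoded, "reasons": reasons})
    return findings

# Constructed sample proxy log lines (assumed layout, not real traffic)
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET http://example.com/index.html 200",
    "2024-01-01T10:00:03Z 10.0.0.7 GET http://xn--bcher-kva.example/login 200",
    "2024-01-01T10:00:09Z 10.0.0.5 GET https://tinyurl.com/constructed123 301",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```

Showing the decoded form next to the raw host lets an analyst see which character differs from the trusted name.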

In most cases, adding "+" to the end of the shortened URL will display the full URL without taking you to the requested page.

Using this report, provide the first malicious URL request you are seeing. You will be using this report to answer the remaining questions of this task.

What term refers to an address used to access websites?

domain name

What type of attack uses Unicode characters in the domain name to imitate a known domain?

punycode attack

Provide the redirected website for the shortened URL using a preview: https://tinyurl.com/bw7t8p4u

Host Artifacts (Annoying)

Host Artifacts are the traces or observables an attacker leaves on a system. These include registry values, suspicious process execution, attack patterns or IOCs, files dropped by malicious applications, or anything exclusive to the current threat.

If these attacks are detected, the attacker will need to change their tools and methodologies and spend more resources on adversary tools. This can be very time-consuming and very annoying for the attacker.

What is the suspicious IP the victim machine tried to connect to in the screenshot above?

Use the tools introduced in task 2 and provide the name of the malware associated with the IP address:

Using your OSINT skills, what is the name of the malicious document associated with the dropped binary?

G_jugk.exe

Use your OSINT skills and provide the name of the malicious document associated with the dropped binary

Network Artifacts (Annoying)

A network artifact can be a user-agent string, C2 information, or URI patterns followed by the HTTP requests. The user-agent is defined as the request-header field that contains the information about the user agent originating the request. An attacker may use a unique user-agent never before observed or out of the ordinary to the victim environment.

Using a network protocol analyzer (TShark) or IDS logging (Snort), network artifacts can be detected in Wireshark PCAPs.

Extract User-Agent strings with tshark using the following:

tshark -Y http.request -T fields -e http.host -e http.user_agent -r <file_name>.pcap

This is important for detecting custom User-Agent strings used by attackers, so that they can be blocked and compromise made more annoying.
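
As an added example (not part of the original notes), the Python sketch below takes the tab-separated host and User-Agent output of the tshark command above and flags agents that are absent from a known baseline or rare in the capture. The sample output, the baseline set, the 5% threshold and the function names are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

def parse_tshark_fields(text):
    """Parse tab-separated 'http.host<TAB>http.user_agent' lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _, agent = line.partition("\t")
        rows.append((host.strip(), agent.strip() or "<empty>"))
    return rows

def unusual_user_agents(rows, baseline, max_share=0.05):
    """Flag agents that are absent from the baseline or rare in this capture."""
    counts = Counter(agent for _, agent in rows)
    hosts = defaultdict(set)
    for host, agent in rows:
        hosts[agent].add(host)
    total = sum(counts.values())
    findings = []
    for agent, n in counts.items():
        reasons = []
        if agent not in baseline:
            reasons.append("not in baseline")
        if n / total <= max_share:
            reasons.append("rare")
        if reasons:
            findings.append({"user_agent": agent, "requests": n,
                             "hosts": sorted(hosts[agent]), "reasons": reasons})
    # Least-seen agents first; name as tie-breaker for a stable order
    return sorted(findings, key=lambda f: (f["requests"], f["user_agent"]))

# Constructed sample of tshark field output (not from a real capture)
COMMON_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SAMPLE_OUTPUT = (
    f"intranet.example\t{COMMON_UA}\n" * 30
    + "repo.example\tcurl/8.4.0\n"
    + "updates.example\tExampleAgent/1.0\n"
)
# Agents already known in this environment (assumed)
BASELINE = {COMMON_UA, "curl/8.4.0"}

if __name__ == "__main__":
    for finding in unusual_user_agents(parse_tshark_fields(SAMPLE_OUTPUT), BASELINE):
        print(finding)
```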

What browser uses the User-Agent string "Mozilla/4.0(compatible;MSIE7.0;WindowsNT6.1;Trident/4.0;SLCC2;.NETCLR2.0.50727; .NETCLR3.5.30729;.NETCLR3.0.30729;MediaCenterPC6.0;.NET4.0C;.NET4.0E)" ?

Windows Explorer

Tools (Challenging)

At this point, the SOC team has levelled up their detection capabilities against artifacts. An attacker will most likely stop their attempts to compromise a network or step back to create or invest in a new tool. Because they may need to find a similar potential tool or become proficient in another, it will slow them down quite a bit and could also cost them money they don't want to spend.

Bad actors use utilities to create malicious macro documents (maldocs) for spearphishing, backdoors for C2, custom .exe and .DLL files, payloads, or password crackers.

YARA rules are used to identify malware by creating descriptions of malware families based on textual or binary patterns. These are used alongside Antivirus signatures and detection rules to help defend against attackers.

Resources for samples, malicious feeds, and YARA results include MalwareBazaar and Malshare. For detection rules, there is the SOC Prime Threat Detection Marketplace.

Fuzzy hashing (or context triggered piecewise hashes) helps perform similarity analysis by matching two files with minor differences based on fuzzy hash values. This can be a strong weapon against an attacker's tools. A good resource is SSDeep.
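
As an added example (not part of the original notes), the Python sketch below shows why an exact hash sits at the bottom of the pyramid while a piecewise hash still matches: a one-byte insertion changes the SHA-256 completely, but most content-defined pieces keep their hashes. It is a simplified illustration of the context-triggered piecewise idea, not the SSDeep algorithm or its output format; the rolling sum, the set-overlap score and the sample data are assumptions constructed here.

```python
import hashlib

def split_on_content(data, window=4, modulus=16):
    """Cut data wherever a rolling sum of the last `window` bytes hits a trigger.

    Boundaries depend only on nearby bytes, so an insertion shifts later
    pieces without changing their content.
    """
    pieces, start = [], 0
    for i in range(len(data)):
        rolling = sum(data[max(0, i - window + 1):i + 1])
        if rolling % modulus == modulus - 1:
            pieces.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        pieces.append(data[start:])
    return pieces

def piecewise_signature(data):
    """Set of short per-piece hashes standing in for a fuzzy hash."""
    return {hashlib.sha256(p).hexdigest()[:8] for p in split_on_content(data)}

def similarity(a, b):
    """Percentage (0-100) of piece hashes shared by two byte strings."""
    sig_a, sig_b = piecewise_signature(a), piecewise_signature(b)
    if not sig_a and not sig_b:
        return 100
    return round(100 * len(sig_a & sig_b) / len(sig_a | sig_b))

def pseudo_file(seed, blocks=64):
    """Constructed sample data: deterministic pseudo-random bytes."""
    return b"".join(hashlib.sha256(f"{seed}-{i}".encode()).digest()
                    for i in range(blocks))

def compare(original, variant):
    """Return (exact SHA-256 match?, piecewise similarity) for two samples."""
    same_hash = hashlib.sha256(original).digest() == hashlib.sha256(variant).digest()
    return same_hash, similarity(original, variant)

ORIGINAL = pseudo_file("sample")                     # constructed "known" file
PATCHED = ORIGINAL[:1000] + b"X" + ORIGINAL[1000:]   # one byte inserted mid-file
UNRELATED = pseudo_file("other")                     # constructed unrelated file

if __name__ == "__main__":
    print("patched  :", compare(ORIGINAL, PATCHED))
    print("unrelated:", compare(ORIGINAL, UNRELATED))
```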

TTPs (Tough)

Tactics, Techniques, & Procedures include the whole MITRE ATT&CK Matrix. This entails all the steps taken by an adversary to achieve their goal.

Detecting and responding quickly to TTPs leaves the adversary little chance to fight back. If an attack is detected and remedied, the compromised host can be found to stop lateral movement in the network. The attacker will have to find another target or spend more time researching, training, and reconfiguring their custom tools.

Navigate to ATT&CK Matrix webpage. How many techniques fall under the Exfiltration category?

Chimera is a China-based hacking group that has been active since 2018. What is the name of the commercial, remote access tool they use for C2 beacons and data exfiltration?

Conclusion

Pick any APT (Advanced Persistent Threat) group as an exercise. A good place to look is FireEye Advanced Persistent Threat Groups. Find their indicators and ask yourself: "What can I do or what detection rules and approach can I create to detect the adversary's activity?", and "Where does this activity or detection fall on the Pyramid of Pain?"

APT9 has been observed using spearphishing, valid accounts, and remote services for initial access. APT9 uses publicly available and custom backdoors.

Associated malware: SOGU, HOMEUNIX, PHOTO, FUNRUN, Gh0st, ZXSHEL

IDS rules can be used to detect Remote Access Trojans such as Gh0st. An IDS can detect signatures or associated headers for known malware. Additionally, protocol-aware traffic detection can trigger alerts if a suspicious protocol is used on specified ports.

Keeping up to date with detection rules and new malware will assist in defending against APTs such as APT9.

MITRE can be used to see techniques used by certain groups or malware, such as GH0ST:

Since GH0ST was used in campaign C0016 (Operation Dust Storm), it would be worth looking at the techniques used there as well:

Researching the TTPs associated with known malware will greatly help defend against adversaries, making them unable to move forward with their current tools and resources.
