By Shamsher khan This is a Writeup of Tryhackme room “THREAT INTELLIGENCE”
Room link: https://tryhackme.com/room/threatintelligence
Note: This room is Free
Task 1: Understanding a Threat Intelligence blog post on a recent attack
THREAT INTELLIGENCE: SUNBURST
This lab will try to walk an SOC Analyst through the steps that they would take to assist in breach mitigations and identifying important data from a Threat Intelligence report.
Lets try to define some of the words that we will encounter:
Red Team Tools: Red team tools are a set of programs that offensive security teams will use in pentesting engagements to assist a company in determining flaws in their procedures, policies, frameworks, tools, configurations, and workflows. A Red Team may try to crack user passwords, takeover company infrastructure like apis, routers, firewalls, IPS/IDS, Printer servers, Mail Servers, Active Directory Servers, basically ANYTHING they can get their digital hands on. Some common frameworks and OS used to study for Sec+/Sans/OSCP/CEH include Kali, Parrot, and metasploit
APT: Advanced Persistant Threat is a nation-state funded hacker organization which participates in international espionage and crime. Humanity is far into the fourth industrial revolution whether we know it or not. Robotics, AI, and Cyberwar are now considered a norm and there are many things you can do as an individual to protect yourself and your data (Pi-Hole, OpenDNS, GPG).
IoT (Internet of Things): This is now any electronic device which you may consider a PLC (Programmable Logic Controller). Any PC, Computer, Smart device (Refridgerator, doorbell, camera) which has an IPv4 or IPv6 is likely accessible from the public net. In many challenges you may use Shodan to search for interesting devices. The IoT (Internet of Things) has us all connected in ways which we never imagined possible and the changing technological landscape is evolving faster than policies and privacies can keep up with.
Zero-Day Exploit: A vulnerability discovered in a system or carefully crafted exploit which does not have a released software patch and there has not been a specific use of this particular exploit. (Stuxnet)
Blue Team: Blue team will work with their organizations Developers, Operations team, IT Operations, DevOps, and Networking to communicate important information from security disclosures, threat intelligence, blog posts, and other resources to update procedures, processes, and protocols. A lot of Blue Teams worm within an SIEM which can utilize Open Source tools (ELK) or purchase powerful enterprise solutions (SPLUNK).
You can find additional learning materials in the free ATT&CK MITRE room: https://tryhackme.com/room/mitre
Task 2: Review the FireEye Threat Intel on the SUNBURST Malware
Given a threat report from FireEye attack either a sample of the malware, wireshark pcap, or SIEM identify the important data from an Incident Response point of view.
Read the FireEye Blog and search around the internet for additional resources. After you familiarize yourself with the attack continue.
Task 3: Analyze Threat Intelligence
Q.1: After reading the report what did FireEye name the APT?
Answer: Executive Summary section tell us the APT name :UNC2452
Q.2: FireEye released some information to help security orgranizations Blue Team to detect the tools which have been leaked. What ‘multiple languages’ can you find the rules? [Ans Format: *****|****|***|****** ]
Answer: From this GitHub page: Snort|Yara|IOC|ClamAV
Q.3: Which dll file was used to create the backdoor?
Answer: From Summary->SUNBURST Backdoor Section SolarWinds.Orion.Core.BusinessLayer.dll
Q.4: What is the MD5 sum of this file?
Answer: From In-Depth Malware Analysis Section: b91ce2fa41029f6955bff20079468448
Q.5: Authorized system administrators commonly perform tasks which ultimately led to how was the malware was delivered and installed into the network. What is the file extension of the software which contains the delivery of the dll file mentioned earlier?
Answer: From Delivery and Installation section : msp
Q.6: A C2 Framework will Beacon out to the botmaster after some amount of time. This particular malware sample was purposely crafted to evade common sandboxing techniques by using a longer than normal time with a large jitter interval as well. How long does the malware stay hidden on infected machines before beginning the beacon? Min Time | Max Time | Unit of Measure for time [Flag Format: **|**|**** ]
Answer: From Delivery and Installation section :12|14|days
Q.7: Can you find the IoCs for host-based and network-based detection of the C2? The flag is the name of the classification which the first 3 network IP address blocks belong to?
Answer: This was a tricky one.
From Network Command and Control (C2) section the first 3 network IP address blocks were:
These are all private address ranges and the name of the classification as given as a hint was bit confusion but after wrapping your head around it the answer was “RFC 1918”
Q.8: In the snort rules you can find a number of messages reffering to Backdoor.SUNBURST and Backdoor.BEACON. Only one of these domains resolves to a fake organization posing as an online college. What is the quoted domain name in the content field for this organization?
Answer: From this GitHub link about sunburst snort rules: digitalcollege.org
Q.9: Stenography was used to obfuscate the commands and data over the network connection to the C2. If I wanted to change registry values on a remote machine which number command would the attacker use?
Answer: From Steganography->Supported Commands section->SetRegistryValue to write: 14
Q.10: How was that payload encoded?
Answer: From Network Command and Control (C2) section: base64
Q.11: What is the name of the program which dispatches the jobs?
Answer: From Steganography Section: JobExecutionEngine
Q.12: How many Mitre Attack techniques were used?
Answer: Count from MITRE ATT&CK Techniques Observed section: 17
Q.13: According to Solarwinds response only a certain number of machines fall vulnerable to this attack. What is the number of potentially affected machines?
Answer: From this Wikipedia link->SolarWinds section: 18,000
Q.14: FireEye recommends a number of items to do immediately if you are an administrator of an affected machine. What is the name of the new recommended patch release?
Answer: From Immediate Mitigation Recommendations section: 2020.2.1 HF 1
Task 4: Additional Resources
After ingesting the threat intelligence the SOC team will work to update the vulnerabilities using tools like Yara, Suricata, Snort, and ELK for example.
You can learn more at this TryHackMe Room: https://tryhackme.com/room/yara
FireEyeBlog Accessed Red Team Tools: https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html
FireEyeBlog Solarwinds malware analysis: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
SolarWinds Advisory: https://www.solarwinds.com/securityadvisory
SOC Rule Updates for IOC: https://github.com/fireeye/red_team_tool_countermeasures
SOC Rule Updates for IOC: https://github.com/fireeye/sunburst_countermeasures
Gov Security Disclosure: https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm
You can find me on:
For more walkthroughs stay tuned…
Before you go…
Visit my other walkthrough’s:-
and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!