Advent of Cyber 2024: Day 4: I’m all atomic inside!

Ansul Kotadia
2 min read · Dec 5, 2024


SOC-mas is approaching! And the town of Warewille started preparations for the grand event.

Glitch, a quiet, talented SOC-mas security engineer, had a hunch that this year's celebrations would be different. With looming threats, he decided to revamp the town's security defences, and he began fortifying them quietly and meticulously. He started by implementing a protective firewall, patching vulnerabilities, and accessing endpoints to patch them against known security flaws. As he worked tirelessly, he left "breadcrumbs," small traces of his activity.

Unaware of Glitch's good intentions, the SOC team spotted anomalies: logs showing admin access, escalation of privileges, patched systems behaving differently, and security tools triggering alerts. The SOC team misinterpreted the system modifications as a sign of an insider threat or rogue attacker and decided to launch an investigation using the Atomic Red Team framework.

Learning Objectives

  • Learn how to identify malicious techniques using the MITRE ATT&CK framework.
  • Learn about how to use Atomic Red Team tests to conduct attack simulations.
  • Understand how to create alerting and detection rules from the attack tests.

Challenge:

As Glitch continues to prepare for SOC-mas and fortifies Wareville's security, he decides to conduct an attack simulation that mimics a ransomware attack across the environment. He is unsure of the correct detection metrics to implement for this test and asks you for help. Your task is to identify the correct atomic test to run that takes advantage of a command and scripting interpreter, conduct the test, and extract valuable artefacts that can be used to craft a detection rule.
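A detection rule for the burst of print jobs that the ransomware print-bombing test produces, as an added example that is not part of the room or this write-up. It assumes Sysmon-style process-creation records and that the test has cmd.exe spawn wordpad.exe /p in a loop; the file name is the one from the write-up, and the sample records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation records (not logs from the room).
# The file name Wareville_Ransomware.txt is from the write-up; the parent
# process, timestamps and the wordpad.exe /p print loop are assumptions.
LINE_RE = re.compile(r'^(?P<ts>\S+) EventID=1 Image=(?P<image>.+?) '
                     r'ParentImage=(?P<parent>.+?) CommandLine="(?P<cmd>.*)"$')
FILE_RE = re.compile(r'\S+\.txt', re.IGNORECASE)

def build_sample_log(spawns=12):
    t0 = datetime(2024, 12, 5, 10, 0, 0)
    rec = lambda dt, image, parent, cmd: (f'{dt.isoformat()} EventID=1 Image={image} '
                                          f'ParentImage={parent} CommandLine="{cmd}"')
    cmd = r'C:\Windows\System32\cmd.exe'
    wp = r'C:\Program Files\Windows NT\Accessories\wordpad.exe'
    lines = [rec(t0, cmd, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
                 f'cmd /c for /l %x in (1,1,{spawns}) do start wordpad.exe /p Wareville_Ransomware.txt'),
             # one benign print launched from Explorer must not trip the rule
             rec(t0 + timedelta(seconds=1), wp, r'C:\Windows\explorer.exe', 'wordpad.exe /p notes.txt')]
    for i in range(spawns):  # the loop body: one wordpad child per iteration
        lines.append(rec(t0 + timedelta(milliseconds=300 * i), wp, cmd,
                         'wordpad.exe /p Wareville_Ransomware.txt'))
    return "\n".join(lines)

def detect_print_bombing(log_text, threshold=10, window=timedelta(seconds=60)):
    """Alert when cmd.exe spawns >= threshold children naming the same file inside one window."""
    spawns = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m['parent'].lower().endswith('cmd.exe'):
            continue
        f = FILE_RE.search(m['cmd'])
        if f:
            spawns[f.group(0).lower()].append(datetime.fromisoformat(m['ts']))
    alerts = []
    for fname, times in spawns.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window over sorted timestamps
            hits = [t for t in times[i:] if t - start <= window]
            if len(hits) >= threshold:
                alerts.append({'technique': 'T1059.003', 'file': fname,
                               'count': len(hits), 'first_seen': start.isoformat()})
                break
    return alerts
if __name__ == '__main__':
    for a in detect_print_bombing(build_sample_log()):
        print(a)
```

The threshold and window are tuning knobs: a single print job from a user session stays silent, while the loop of spawns from a command shell raises one alert per file.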

Questions:

#1. What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xslm artefact?

Answer: THM{GlitchTestingForSpearphishing}

#2. What ATT&CK technique ID would be our point of interest?

Answer: T1059

#3. What ATT&CK subtechnique ID focuses on the Windows Command Shell?

Answer: T1059.003

#4. What is the name of the Atomic Test to be simulated?

Answer: Simulate BlackByte Ransomware Print Bombing

#5. What is the name of the file used in the test?

Answer: Wareville_Ransomware.txt

#6. What is the flag found from this Atomic Test?

Answer: THM{R2xpdGNoIGlzIG5vdCB0aGUgZW5lbXk=}

#7. Learn more about the Atomic Red Team via the linked room.

No answer needed

Thank you!
