Day 4
I’m all atomic inside!
Welcome back to Day 4 of TryHackMe’s Advent of Cyber 2024. Today’s challenge brings us into the fascinating realm of purple teaming with a hands-on activity using Atomic Red Team.
This task is recommended to be done on the attack machine.
What is Atomic Red Team? It’s an open-source framework designed to simulate adversarial TTPs (Tactics, Techniques, and Procedures) from the MITRE ATT&CK matrix. These tests are isolated, specific, and provide actionable insights into security readiness.
For today’s task, we’ll simulate spearphishing attachment attacks (T1566.001) and dive into other techniques related to Command and Scripting Interpreter (T1059).
We’re going to emulate a spearphishing attachment attack, which corresponds to the TTP T1566.001.
Open Event Viewer → Microsoft → Windows → Sysmon → Operational → Right Click → Clear Log → Clear. After clearing the log, run the following command in PowerShell:
Invoke-AtomicTest T1566.001 -TestNumbers 1
Refresh the Log in Sysmon → Operational. There should be information logs popping up.
You should find where the artefact was stored in one of the logs. So if we go to C:\Users\Administrator\AppData\Local\Temp, we should find a file called PhishingAttachment.txt.
So now, we can go back to PowerShell and execute this command to get the flag:
To find the ATT&CK technique ID, search Google for the attack ID of Command and Scripting Interpreter, as mentioned in the challenge description.
Do the same for the sub-technique ID.
To find the name of the Atomic Test to be simulated, run the following command:
Invoke-AtomicTest T1059.003 -ShowDetails
From the details we see that we are simulating BlackByte Ransomware Print Bombing.
The name of the file is listed under Dependencies: Wareville_Ransomware.txt.
Run the atomic test using Invoke-AtomicTest T1059.003
It creates and executes multiple batch scripts, opens calc.exe (indicating a DLL attack vector), creates a PDF file and prompts us for a file name. We can provide a name and save the PDF. The flag is in the PDF file.
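Both runs above follow the same purple-team loop: clear or mark the Sysmon log, fire the atomic test, then go hunting for the telemetry it should have produced. The script below is an added example (not from the TryHackMe room or the Atomic Red Team project) that automates that loop for the T1566.001 and T1059.003 runs. It assumes the Invoke-AtomicRedTeam module is already imported and Sysmon is installed with its Operational log enabled, as on the attack machine. Instead of clearing the log, it records a start timestamp and filters on it, so earlier events are preserved. Sysmon Event ID 11 (FileCreate) is used to confirm the PhishingAttachment artefact, and Event ID 1 (ProcessCreate) to confirm the batch scripts and cmd.exe children from the print-bombing test; the helper and function names are my own.

```powershell
# Added example: run an atomic test and check the Sysmon Operational log for the
# telemetry a defender would expect. Not part of the original page or the
# Atomic Red Team project. Requires an elevated PowerShell session.

function Get-SysmonEventsSince {
    param(
        [Parameter(Mandatory)] [datetime] $Since,
        [Parameter(Mandatory)] [int[]]    $EventId
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = $EventId
        StartTime = $Since
    }
    # Get-WinEvent throws when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml] $_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Image   = $data['Image']           # Event ID 1 (ProcessCreate)
            Command = $data['CommandLine']     # Event ID 1
            Parent  = $data['ParentImage']     # Event ID 1
            File    = $data['TargetFilename']  # Event ID 11 (FileCreate)
        }
    }
}

function Invoke-AtomicWithSysmonCheck {
    param(
        [Parameter(Mandatory)] [string] $Technique,
        [int[]]  $TestNumbers,        # omit to run every test of the technique
        [Parameter(Mandatory)] [int[]]  $ExpectEventId,
        [Parameter(Mandatory)] [string] $ExpectPattern
    )
    $atomicArgs = @{}
    if ($TestNumbers) { $atomicArgs['TestNumbers'] = $TestNumbers }

    # Make sure the test can actually run before trusting a "no events" result.
    Invoke-AtomicTest $Technique @atomicArgs -CheckPrereqs

    $start = Get-Date
    Invoke-AtomicTest $Technique @atomicArgs
    Start-Sleep -Seconds 5   # give Sysmon a moment to commit the events

    $hits = Get-SysmonEventsSince -Since $start -EventId $ExpectEventId |
        Where-Object { "$($_.File) $($_.Image) $($_.Command)" -match $ExpectPattern }

    if ($hits) {
        Write-Host "[+] $Technique : $($hits.Count) matching Sysmon event(s)" -ForegroundColor Green
        $hits | Format-Table Time, Id, Image, File, Command -AutoSize
    } else {
        # A clean run with no telemetry is the finding: a visibility gap.
        Write-Warning "[-] $Technique ran but produced no matching Sysmon events (detection gap?)"
    }

    # Revert the test's artefacts so the host is left as it was found.
    Invoke-AtomicTest $Technique @atomicArgs -Cleanup
    return $hits
}

# Day 4, part 1: spearphishing attachment dropped in %TEMP%.
Invoke-AtomicWithSysmonCheck -Technique 'T1566.001' -TestNumbers 1 `
    -ExpectEventId 11 -ExpectPattern 'PhishingAttachment'

# Day 4, part 2: BlackByte print-bombing simulation (batch scripts run via cmd.exe).
Invoke-AtomicWithSysmonCheck -Technique 'T1059.003' `
    -ExpectEventId 1 -ExpectPattern 'cmd\.exe|\.bat'
```

Run it from an elevated PowerShell on the attack machine. The second call still prompts for the PDF file name exactly as the manual run does, so answer the prompt and the script carries on. The value of the wrapper is the warning branch: if a test runs cleanly but the log query comes back empty, that is a Sysmon configuration gap worth fixing before the real adversary shows up.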
1.What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xslm artefact?
A: THM{GlitchTestingForSpearphishing}
2.What ATT&CK technique ID would be our point of interest?
A: T1059
3.What ATT&CK subtechnique ID focuses on the Windows Command Shell?
A: T1059.003
4.What is the name of the Atomic Test to be simulated?
A: Simulate BlackByte Ransomware Print Bombing
5.What is the name of the file used in the test?
A: Wareville_Ransomware.txt
6.What is the flag found from this Atomic Test?
A: THM{R2xpdGNoIGlzIG5vdCB0aGUgZW5lbXk=}
Thank you!