Advent of Cyber 2024 — Summary notes

Márcia Mota
5 min readDec 4, 2024

--

Access this event at: https://tryhackme.com/christmas

Advent of Cyber 2024 — Join for free

Day 1 — OPSEC

# Get information about the type of the file
file somg.mp3

# exiftool gets us all the attributes information about the file
exiftool somg.mp3

We learned that the two files we downloaded are completely different and that one of them are not a mp3 (although the name of the file is somg.mp3) but instead a powershell.exe.

If we try to open the file, some command line arguments will be executed to download a file from a link that contains a malicious script. Following that link (in a safe environment) we discover a script. The purpose of this script (that just runs in windows) is to steal cryptocurrencies from wallets.

Since we already have the malicious script we can search for it on github using the name written on it M.M. (Write-Host “ Created by the one and only M.M.”).

Introduction to OPSEC

Common Opsec mistakes:

  • Reusing usernames, email addresses, or account handles across multiple platforms
  • Using identifiable metadata in code, documents, or images
  • Posting publicly on forums or Github
  • Failing to use a VPN or proxy

Clues from Github:

  • M.M. stands for Mayor Malware — @Mayor.WarevilleTHM
  • Location: Wareville Town
  • The commits have previous information that was changed

Next steps: https://tryhackme.com/r/room/opsec

Day 2 — Log Analysis: SIEM (Blue Team)

SOC analyst → Security Operations Work skills:

  • Communication
  • Change request processes

Detection Engineering rules — — ->Identify malicious or suspicious activity:

  • TP --> True Positive — alert triggered by a malicious actor
  • FP --> False Positive — alerts triggered by normal system actions

SIEM (Security Information and Event Management system) ← — — — (logs, alerts, artifacts and events) — — →Centralized information aggregation

(tool)Elastic SIEM -> Security information and event management tool.
Some useful filters: host.hostname, user.name, event.category, process.command_line and event.outcome.

By filtering through the data we discover that a large quantity of failed authorization actions were made by a single API and that, after a while it succeeds. Base on the data we can tell it is a Brute Force attack that runs an encrypted PowerShell command. We can then use
(tool) CyberChef to decrypt the command and know what it does (the PowerShell command is Base64 encoded).

Next steps: Investigating with ELK 101

Day 3— Log Analysis: ELK (Purple Team)

OpenSource Tools:

  • REC vulnerability — Remote Code Execution
  • KQL — Kibana Query Language
  • ELKElasticsearch, Logstash and Kibana.

Elasticsearch is an open source distributed, RESTful search and analytics engine, scalable data store, and vector database capable of addressing a growing number of use cases.
Logstash is an open source server-side data processing pipeline that ingests data from a multitude of sources, transforms it, and then sends it to your favorite “stash.”
KQL, or Kibana Query Language, is an easy-to-use language that can be used to search documents for values.

Operation Blue
Analyze the logs to find the malicious activity. In this case, there is an attempt to add a php script to a website.

Operation Red
Replicate the attack to understand what it does.

File Upload Vulnerabilities:

  • RCE: Uploading a script that the server runs giving the attacker control over it.
  • XSS: Uploading an HTML file that contains XSS code that steals a cookie and send it back to the attacker’s server.

We first get a website that does not have any input element where we can inject our malicious script. In this case we may try to enter as an admin exploiting a very common vulnerability that consists of using very standard usernames and passwords (i.e. username: admin@corp.com, pass: admin).

In the admin part of the site, we may find a way to input the script (that can be an html element that creates a input text element and a button for execution of commands). After that, we may use the url search of the browser to directly go to the web page we created and run commands from there.

Next steps: advanced ELK queries.

Day 4 —Atomic Red Team

MITRE ATT&CK framework

The Atomic Red Team library is a collection of red team test cases that are mapped to the MITRE ATT&CK framework. The library consists of simple test cases that can be executed by any blue team to test for detection gaps and help close them down.

T1566.001 Spearphishing

Sysmon event log -> Investigate the logs created by the Atomic tests.

  • Find the Artifacts left by the attacks-> PhishingAttachment.xlsm
  • Use those artifacts to create alerts for future attacks.

Nest steps: Atomic Red Team

Day 5—XXE

XML — Extensible Markup Language
Structured format for storing and transport data.

DTD — Document Type Definition
Set of rules that define the structure of an XML document.

XML External Entity (XXE) — Receives external references

(tool) Burp Suite — Application used to find and exploit vulnerabilities in web applications

http://MACHINE_IP/CHANGELOG

Solutions:
- Disable External Entity Loading
- Validate and Sanitize User Input

Next steps: XXE

Day 6 — Sandboxes

Detecting Sandboxes

(tool) YARA — tool used to identify and classify malware.
Works together with Sysmon in Event Viewer (Windows)

(tool) Floss — Reveal concealed details for malware analysis.

Both tools search for specific clues.

Next steps: FlareVM: Arsenal of Tools

Day 7- AWS Log Analysis

AWS S3 bucket — Amazon webservers

AWS CloudWatch is a monitoring and observability platform that gives us greater insight into our AWS environment by monitoring applications at multiple levels.

CloudTrail captures and stores any action the user takes (via the management console or AWS CLI).

S3 (Amazon Simple Storage Service used for object storage)
IAM (AWS’s Identity and Access Management service)
JQ is a lightweight and flexible command line processor that can be used on JSON.

Next step: the Log Universe

Day 8— Shellcodes

Shellcode: A piece of code usually used by malicious actors during exploits
Reverse shell: A type of connection in which the target initiates a connection back to your attacking machine

Next step: AV Evasion: Shellcode

Day 9 — GRC

GRC — Governance, Risk, and Compliance

An internal risk assessment serves to define what are the risks for an organization. Each risk is associated with a score base on the consequences and how likely or easy it is for the situation to happen.

Next step: Risk Management

Day 10 — Phishing

Day 11- Wi-fi attacks

--

--

No responses yet