Red Team Part 3 – Red Team Threat Intel | TryHackMe

Hello world and welcome to HaXeZ. In this post we’re going to be walking through the 3rd Red Team challenge in the Red Team Fundamentals room on TryHackMe. This room covers how a Red Team uses the TTPs of known APTs to emulate attacks by an adversary.

Task 1 – Introduction

The first task is, as expected, the introduction. This section of the room explains what will be covered. In summary, it covers the basics of threat intelligence, creating threat-intel-driven campaigns, and using frameworks.


Task 2 – What is Threat Intelligence

Next, the author talks about threat intelligence and how collecting indicators of compromise and TTPs feeds Cyber Threat Intelligence. Furthermore, it explains that there are intelligence platforms and frameworks, such as ISACs, that can provide this information.


Task 3 – Applying Threat Intel to the Red Team

The third task explains how teams can use Cyber Threat Intelligence (CTI) to aid in adversary emulation. Additionally, it explains how frameworks such as MITRE ATT&CK and TIBER-EU can be used to map the adversary’s TTPs to known cyber kill chains.


Task 4 – The TIBER-EU Framework

The TIBER-EU framework was developed by the European Central Bank and focuses on the use of threat intelligence. As can be seen, the steps are broken down into three phases: Preparation, Testing, and Closure. Generally speaking, this matches up with other cyber kill chains.


Task 5 – TTP Mapping

Tactics, techniques, and procedures (TTPs) are the skills that advanced persistent threats (APTs) tend to be attributed with. Because of that, databases have been created showing the various TTPs used by specific APTs. Furthermore, these TTPs can be mapped to the Cyber Kill Chain, which makes it easier for Red Teams to plan out an engagement where they are emulating an APT.

Question: How many Command and Control techniques are employed by Carbanak?
Answer: 2

Question: What signed binary did Carbanak use for defense evasion?
Answer: Rundll32

Question: What Initial Access technique is employed by Carbanak? 
Answer: Valid Accounts

Task 6 – Other Red Team Applications of CTI

Although we have already discussed emulating an APT, this task covers it in more detail. For example, it discusses how a Red Team would emulate C2 user traffic, ports and protocols, and listener profiles. Additionally, the author explains how manipulating Host headers, the POST URI, and server response headers can also be used to emulate an APT.
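As an added example (not part of the room or this write-up), the check below compares a constructed proxy log against a listener profile built from the traits the task names (port, Host header, POST URI, Server response header), so a blue team can see which traffic reproduces the emulated profile and where a detection rule is still missing. The profile values, the log format and all function names are assumptions, not a real APT’s indicators.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ListenerProfile:  # traits the red team emulates and the blue team detects on
    port: int
    host_header: str
    post_uri: str
    server_header: str

@dataclass(frozen=True)
class HttpTransaction:  # one request/response pair from a proxy log
    ts: str
    dst_port: int
    method: str
    uri: str
    host: str    # request Host header
    server: str  # response Server header

# Constructed placeholder profile; these are not a real APT's indicators.
EMULATED_PROFILE = ListenerProfile(443, "cdn.example-placeholder.net",
                                   "/api/v2/submit", "Apache/2.4.29 (Ubuntu)")

# Constructed proxy log: ts|dst_port|method|uri|Host header|Server header
SAMPLE_LOG = """\
2024-01-01T10:00:01Z|443|POST|/api/v2/submit|cdn.example-placeholder.net|Apache/2.4.29 (Ubuntu)
2024-01-01T10:00:02Z|443|GET|/index.html|cdn.example-placeholder.net|Apache/2.4.29 (Ubuntu)
2024-01-01T10:00:03Z|8080|POST|/api/v2/submit|other.example|nginx
2024-01-01T10:00:04Z|443|POST|/login|www.example.org|nginx
"""

def parse_log(text: str) -> list[HttpTransaction]:
    """Parse the pipe-delimited sample format; blank lines are skipped."""
    txs = []
    for line in filter(None, text.splitlines()):
        ts, port, method, uri, host, server = line.split("|", 5)
        txs.append(HttpTransaction(ts, int(port), method, uri, host, server))
    return txs

def match_profile(tx: HttpTransaction, profile: ListenerProfile) -> set[str]:
    """Names of the profile traits this transaction reproduces."""
    checks = {"port": tx.dst_port == profile.port,
              "host_header": tx.host.lower() == profile.host_header.lower(),
              "post_uri": tx.method == "POST" and tx.uri == profile.post_uri,
              "server_header": tx.server == profile.server_header}
    return {name for name, hit in checks.items() if hit}

def find_profile_hits(text: str, profile: ListenerProfile, min_attrs: int = 2):
    """(ts, matched traits) per transaction reproducing >= min_attrs traits; a partial match still merits a rule."""
    scored = [(tx.ts, match_profile(tx, profile)) for tx in parse_log(text)]
    return [(ts, m) for ts, m in scored if len(m) >= min_attrs]
```

Lowering min_attrs to 1 shows which single traits (only the Host header, only the POST URI) your current detections would have to catch on their own.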


Task 7 – Creating a Threat Intel-Driven Campaign

The purpose of this task is to help the reader better understand how threats can map to the Cyber Kill Chain. While the room started off well, I couldn’t get along with the first question. To explain, the reader is tasked with looking through the information pertaining to a specific APT. The reader then needs to map the TTPs to layers in the Cyber Kill Chain. Nevertheless, I struggled with this, as none of the answers I was putting in seemed to be correct.

Answers
Question: Once the chain is complete and you have received the flag, submit it below.
Answer: THM{7HR347_1N73L_12 _4w35om3}

Question: What web shell is APT 41 known to use? 
Answer: ASPXSpy

Question: What LOLBAS (Living Off The Land Binaries and Scripts) tool does APT 41 use to aid in file transfers? 
Answer: certutil

Question: What tool does APT 41 use to mine and monitor SMS traffic? 
Answer: MESSAGETAPc

Task 8 – Red Team Threat Intel Conclusion

The conclusion of this room explains what we have learned. I won’t recite it word for word, but I will provide my own conclusion. I was quite surprised to learn that there was such emphasis on emulating real advanced persistent threats. Granted, that would be the goal of an engagement, but I didn’t think a team would go to such lengths to plan out an engagement. I enjoyed this room except for the questions in Task 7.
