Hello world and welcome to HaXeZ. In this post we're going to be walking through the 3rd Red Team challenge in the Red Team Fundamentals room on Try Hack Me. This room covers how a Red Team uses the TTPs of known APTs to emulate attacks by an adversary.
Task 1 – Introduction
The first task is, as expected, the introduction. This section of the room explains what will be covered. In summary, it covers the basics of threat intelligence, creating threat-intel-driven campaigns, and using frameworks.

Task 2 – What is Threat Intelligence
Next, the author talks about threat intelligence and how collecting indicators of compromise (IOCs) and TTPs feeds Cyber Threat Intelligence. Furthermore, it explains that there are intelligence-sharing platforms and frameworks, such as ISACs, that can provide this information.

Task 3 – Applying Threat Intel to the Red Team
The third task explains how teams can use Cyber Threat Intelligence (CTI) to aid in adversary emulation. Additionally, it explains how frameworks such as MITRE ATT&CK and TIBER-EU can be used to map the TTPs of the adversary to known cyber kill chains.

Task 4 – The TIBER-EU Framework
The TIBER-EU framework was developed by the European Central Bank and focuses on the use of threat intelligence. The framework breaks an engagement down into three phases: Preparation, Testing, and Closure. Generally speaking, this matches up with other Cyber Kill Chains.

Task 5 – TTP Mapping
Tactics, techniques, and procedures (TTPs) are the behaviours that advanced persistent threats (APTs) tend to be attributed with. Because of that, databases have been created showing the various TTPs used by specific APTs. Furthermore, these TTPs can be mapped to the Cyber Kill Chain, which makes it easier for Red Teams to plan out an engagement where they are emulating an APT.

Question: How many Command and Control techniques are employed by Carbanak?
Answer: 2
Question: What signed binary did Carbanak use for defense evasion?
Answer: Rundll32
Question: What Initial Access technique is employed by Carbanak?
Answer: Valid Accounts
Task 6 – Other Red Team Applications of CTI
Although we have already discussed emulating an APT, this task covers it in more detail. For example, it discusses how a Red Team would emulate an APT's C2 user traffic, ports and protocols, and listener profiles. Additionally, the author explains how manipulating host headers, POST URIs, and server response headers can also be used to emulate an APT.

Task 7 – Creating a Threat Intel-Driven Campaign
The purpose of this task is to help the reader better understand how threats can map to the cyber kill chain. While the room started off well, I couldn't get along with the first question. To explain, the reader is tasked with looking through the information pertaining to a specific APT. The reader then needs to map the TTPs to layers in the cyber kill chain. Nevertheless, I struggled with this, as none of the answers I was putting in seemed to be correct.

Question: Once the chain is complete and you have received the flag, submit it below.
Answer: THM{7HR347_1N73L_12 _4w35om3}
Question: What web shell is APT 41 known to use?
Answer: ASPXSpy
Question: What LOLBAS (Living Off The Land Binaries and Scripts) tool does APT 41 use to aid in file transfers?
Answer: certutil
Question: What tool does APT 41 use to mine and monitor SMS traffic?
Answer: MESSAGETAPc
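To make the TTP-to-kill-chain mapping from Task 5 and Task 7 concrete, here is an added example (my own code, not part of the room or of MITRE's tooling). It groups intel-sourced TTPs by ATT&CK tactic into Cyber Kill Chain phases, flags phases the intel does not cover, and rejects entries with an unknown tactic so bad intel fails loudly. The tactic-to-phase table is my own assumption, not an official mapping, and the unnamed Carbanak C2 entries are placeholders.

```python
from collections import OrderedDict

# Lockheed Martin Cyber Kill Chain phases, in order.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# ASSUMED mapping from MITRE ATT&CK tactics to kill chain phases.
# This is a judgement call for planning, not an official MITRE or TIBER-EU table.
TACTIC_TO_PHASE = {
    "Reconnaissance": "Reconnaissance", "Resource Development": "Weaponization",
    "Initial Access": "Delivery", "Execution": "Exploitation",
    "Privilege Escalation": "Exploitation", "Persistence": "Installation",
    "Defense Evasion": "Installation", "Command and Control": "Command and Control",
    "Credential Access": "Actions on Objectives", "Discovery": "Actions on Objectives",
    "Lateral Movement": "Actions on Objectives", "Collection": "Actions on Objectives",
    "Exfiltration": "Actions on Objectives", "Impact": "Actions on Objectives",
}

# Constructed intel: the techniques the room's questions attribute to Carbanak.
# The two C2 techniques are not named in the room, so they are placeholders here.
CARBANAK_TTPS = [
    {"technique": "Valid Accounts", "tactic": "Initial Access"},
    {"technique": "Rundll32", "tactic": "Defense Evasion"},
    {"technique": "C2 technique 1 (placeholder)", "tactic": "Command and Control"},
    {"technique": "C2 technique 2 (placeholder)", "tactic": "Command and Control"},
]


def unknown_tactics(ttps):
    """Return tactics in the intel that are not ATT&CK tactics (e.g. typos)."""
    return sorted({t["tactic"] for t in ttps if t["tactic"] not in TACTIC_TO_PHASE})


def build_campaign(ttps):
    """Group techniques by kill chain phase, preserving chain order."""
    bad = unknown_tactics(ttps)
    if bad:
        raise ValueError(f"intel contains unknown tactics: {bad}")
    plan = OrderedDict((phase, []) for phase in KILL_CHAIN)
    for ttp in ttps:
        plan[TACTIC_TO_PHASE[ttp["tactic"]]].append(ttp["technique"])
    return plan


def coverage_gaps(plan):
    """Phases with no intel-backed technique: the red team must fill these from
    its own tradecraft and the blue team has no CTI-derived behaviour to detect."""
    return [phase for phase, techniques in plan.items() if not techniques]


if __name__ == "__main__":
    campaign = build_campaign(CARBANAK_TTPS)
    for phase, techniques in campaign.items():
        print(f"{phase:<22} {techniques or '(no intel)'}")
    print("Gaps:", coverage_gaps(campaign))
```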
Task 8 – Red Team Threat Intel Conclusion
The conclusion of this room explains what we have learned. I won't recite it word for word, but I will provide my own conclusion. I was quite surprised to learn that there was such emphasis on emulating real advanced persistent threats. Granted, that would be the goal of an engagement, but I didn't think a team would go to such lengths to plan out an engagement. I enjoyed this room except for the questions in task 7.
