The Pyramid of pain Explained | Complete Tutorial | TryHackMe

Captions
What's going on guys, welcome back. In this video we're doing, as you can see, Pyramid of Pain. Pyramid of Pain is a room that was released recently by TryHackMe, and today we're going to go over this concept. We will be doing all of these tasks, but before that let's go over the concept of the Pyramid of Pain and explain what it is.

I didn't find anything better than this figure here. This represents the pyramid, and as you can see the pyramid has levels. It starts at the very bottom with hash values, and at the very top we have what are called TTPs. TTP stands for tactics, techniques and procedures.

So why do we use the Pyramid of Pain, and where is it used? Basically, the Pyramid of Pain is a concept used in incident response and threat hunting. Repeat that with me: incident response and threat hunting. Incident responders and threat hunters use the Pyramid of Pain to see how difficult it is for an attacker to change these levels. Basically, when an attacker tries to infiltrate a network by compromising one of its hosts, they leave what are called artifacts. The artifacts are the traces, or observables, they leave on the system, and we call them the levels. When the attacker tries to infiltrate or compromise a network they will need to generate specific malicious files, and these files have hashes. They will need a command and control (C2) server; the C2 server most probably has an IP address and a domain name, so that the malicious file communicates with the domain name when it is dropped on the system. Network/host artifacts represent, as we said earlier, the observables or traces left after the attacker infiltrates the network. For example, when an attacker compromises a single host with malware, the malware will leave traces such as registry changes, dropped files, communications with the C2 server, POST requests, HTTP requests and user agent strings. We call these network and host artifacts. Tools represents the tools the attacker uses to compromise the target, and TTPs, at the very top, represent what the attacker did, what their techniques are and what profile they represent.

So if we want to use the Pyramid of Pain as a method of protecting the network, we would first start with the hash values. Hash values are at the very bottom for a reason: it is the very first artifact you would use to uncover a malicious file. Say you received a report from the incident response team telling you that a host has been compromised and they detected the file, the malware. The first thing you would do is check the hash of the malware and see if it is malicious. How do you do that? You would do that with VirusTotal or any other tool that lets you look up the hash and see if others have reported it as malicious or as belonging to a malicious file. So what would the attacker do? It's very easy for them to change the hash value of a malware. Let me tell you what I mean.

Let's go to task two. In task two there is this report; let's go over it. It's a report submitted to VirusTotal. In this report there is this file, Sales_Receipt, an Excel file that has been submitted; let's assume it was submitted by an analyst. As you can see, the file has a hash above the file name, and most probably the incident responder submitted the hash. When the responder submits the hash they get, as you can see, the response of various security solutions. Currently it is detected, or flagged, as malicious by 37 antivirus solutions out of 59. So what does that mean? It means the analyst successfully labeled the file as malicious. But if we go back to the Pyramid of Pain, how do we map this to the pyramid, specifically the bottom layer, hash values? If the attacker wants the same file to infect a host, they would first need to change the hash. How difficult is it to change the hash? It's very easy. As you can see, and this is very well explained in the task, they can just echo a simple string to the end of the file and the file hash will change, because the hash is a unique fingerprint of a file. If you change a single bit of the file, the hash of the file will change. So if the attacker just appends a string to the file they will successfully change the hash, and if you try to submit the hash after the change to VirusTotal you will receive zero flagged results. That's why the hash values are at the very bottom: they are very easy for the attacker to change, and they fool the analyst. So when the analysis team uses the Pyramid of Pain they use all of these levels, or layers, collectively; they don't rely on a specific layer. This means we cannot rely only on the hash value to flag a file as benign or malicious, because it's very easy to change. The question here is asking for the file name, so we answered it: it is the file name mentioned here, Sales_Receipt.

Now the next level is IP addresses, so we are going up in difficulty a little bit. How easy is it for an attacker to change the IP address? Let's go back again. There is this report; again we're going to assume that you received a report that there is a compromised host on your network and your team gave you the report of the tool they analyzed. They used Any.Run, which is an online sandbox to analyze files using dynamic malware analysis. You receive this report and you want to monitor the network activity of the malware; you want to find out the IP addresses and domain names associated with the malware. So you scroll down and highlight the network activity section. In the network activity section we see these sections. HTTP requests represent the HTTP requests the malware made to any C2 server it communicates with. Why would the malware create HTTP requests? Maybe the malware will drop another malware onto the system, so the malware needs to communicate with the C2 server, which probably hosts a web server, to download a specific file and drop it onto the system. Connections represents an overview of the connections the malware is making: this is the process, this is the PID, 1632, the IP column represents the IP addresses the malicious file is communicating with, and this is the DNS resolution, the domain name it resolves to.

Go back to the Pyramid of Pain. IP addresses are a little bit more difficult than hash values. Currently craftingalegacy.com is a domain name that has an associated IP address that ends with 52; let me zoom in. If the attacker wants to change, say, that IP address of their C2 server to something else, they will need to implement a concept called fast flux. Fast flux is using a pool of IP addresses for a single domain name, so that when you resolve the craftingalegacy.com domain name it resolves to multiple IP addresses, not only one. This way an attacker would successfully hide a specific IP address. So when you run this report and you are monitoring the network activity, and let's say the attacker used fast flux so that a domain name resolves to multiple IP addresses, you will see that the craftingalegacy.com domain resolves to, or has, many entries under the same row here. This way the attacker would hide the IP address of the C2 server they are using. So it's still pretty easy for an attacker to change the IP address, which means again that IP addresses cannot be solely relied upon to flag a specific behavior as malicious. Collectively, hash values and IP addresses can still be used together, but they will not give you a complete picture of the scenario.

Read the following report to answer this question: what is the first IP address the malicious process whose PID is 1632 attempts to communicate with? We just answered this a while ago; it is this IP address that starts with 1550 and ends with 52. Second question: read the following report to answer this question: what is the first domain name the malicious process attempts to communicate with? It is craftingalegacy.com.

All right, so now we know that as an analyst or threat hunter, after you detect such an attack you will go ahead and grab these IP addresses, these domain names and the hash values we saw earlier, and feed them into your firewall or IDS product so that you block these attacks from happening in the future. So for the layers hash values and IP addresses, it's pretty easy for an analyst to block the associated artifacts, such as IP addresses and hash values; you just need to add them to the firewall and any security solution you have in place to block future attacks.

Now the attacker would move to the layer above IP addresses and hash values. This layer represents domain names. The attacker at this stage knows that you are able to block attacks using IP addresses and hash values, and that you are able to detect if the attacker changes them, so they will try to change domain names. Is it easy to change the domain name? It is not easy, but it's still doable by the attacker; they can change a domain name. How? Take a look at this domain, tryhackme.com. There is an attack, mentioned here, where an attacker tries to change the characters; it is called Punycode, and it's very well explained here.

The Punycode attack: this domain is named adidas. If the attacker wants to target a specific organization with a spear phishing campaign, they want their campaign to look authentic and original, so they will buy a domain name very similar to adidas, if they are impersonating Adidas in this scenario. They will buy a domain name such as this one, adıdas. This is a character used in the German language and other languages, maybe Turkish as well. So adıdas.de: if they buy this domain, the browser will convert this character, because it is not recognized, into Unicode/ASCII, so adıdas will be shown in the browser as this one. What does that mean? It means the attacker will be able to buy this domain and make the phishing campaign look very similar to a campaign or an email address sent originally by Adidas. So it is still doable by the attacker to manipulate the domain names. Why would the attacker manipulate domain names? Because again, when IP addresses are flagged as malicious, normally IP addresses resolve to domain names, so when you take the list of domain names and block them you will effectively block the malicious domain names. But the attacker is able to hide a domain name using this method, or using URL shorteners; URL shortening is another method to manipulate domain names and hide the malicious domain name. So it is still a little bit doable for the attacker to manipulate domain names to hide a known malicious domain name from detection.

All right, now let's show that using some questions and answers. Go to this report on Any.Run and provide the first suspicious URL request you are seeing; you'll be using this report to answer the remaining questions of this task. So we answered the first suspicious URL: it was craftingalegacy. What term refers to an address used to access a website? It is a domain name. What type of attack uses Unicode characters in the domain name to imitate the known domain name? It is the Punycode attack. Provide the redirected website for the short URL using a preview. So this is a shortened URL; it is not clear what the original, or real, domain name hiding behind this URL is. How will you find out? You would need to open the URL, and if the page is malicious or has an execution script, and say you are using a vulnerable, out-of-date browser, you will get infected. So how do you find out what is behind this URL? You simply take this URL here in the URL bar and, as you can see, append a plus sign at the end of the URL. When you append a plus sign at the end of a shortened URL and press Enter, the URL shortening service will tell you what is behind this shortened URL. In this case it is TryHackMe.

All right, so right now we know that the attacker can easily change the hash values, the IP addresses and the domain names, and we have taken the necessary measures to prevent known attacks that have known IP addresses, known hash values and known domain names. How do you get these values, these known IP addresses and known hash values? Of course you get them from threat hunting feeds such as MalwareBazaar and Any.Run, and from your own analysis. That's how you get these values, or artifacts.

All right, so the attacker now needs to step up their game. They will go ahead and try to manipulate the artifacts left by the tools they have used. Right now it's getting a little bit annoying, because at this stage we have the network and host artifacts. By the way, what are the network and host artifacts? They are the traces the attacker leaves on your system when they run their tools. Let's say an attacker infects a network with a worm and the worm drops a malware for persistence on a specific host. For the infection to be successful, the malware will change registry values, change specific files, drop files into specific directories, attempt to communicate with C2 servers and make HTTP requests; the malware might even use a specific user agent. All of these traces, or observables, can be obtained by the analyst using a pcap, a network capture. If you are using Snort or some other IDS you can configure it to create real-time network captures. Using real-time network capture we'll be able to analyze the network activity that happened during a specific timestamp, and therefore analyze the network activity that the malware creates. By analyzing the network activity of the malware you'll be able to detect all sorts of network packets exchanged between the malware and the C2 server using various protocols such as DNS, HTTP and SSH. We call these network artifacts, and all of the details that go into the request, such as the user agent, the host and the type of request, we also call network artifacts. Host artifacts are the changes made on the system, such as the files created by the malware, the processes executed and the registry values changed for various purposes. Why would the tool create these changes? To perform its function. We call these host artifacts. These artifacts are pretty hard for the attacker to change, because they are reliant on the tools they are using. If the attacker wants to change the artifacts they will need to go back and change or modify their tools, and that's pretty annoying.

Let's go over these tasks and answer the questions. We have a report to review here. The question says a security vendor has analyzed the malware sample for us; review the report and answer the following questions. A process named regidle.exe makes a POST request to an IP address on port 8080; what's the IP address? The POST request can be obtained or monitored using network capture or real-time analysis, so we have to find out the IP address the process is trying to communicate with using this port. This report is kind of heavy, so we're going to go directly to the page displaying the answer; it's maybe page 52, I think, my memory is bad. Yeah, it's here. So this is the process, and as you can see we are able to see the IP address it is communicating with. This is the first one, but it is not on the port stated by the question; we want port 8080. This is the first IP address; it starts with five and ends with 85. The actor drops a malicious executable; what's the name of this executable? Now this is an example of a host artifact: the files created by the malware. Going up, we can see the column here displays the file name that created the change. We are looking for the malware named regidle, and here we can see the process, or the file name, it created: G_jyquk.exe. Look at the report, this report by VirusTotal. We close this report and open a new one. How many vendors determine this host to be malicious? All right, let's count them... oh, I'm not going to be that stupid, right? Don't count them; you can see the number here, nine. So nine vendors flag this as malicious. The same goes for network artifacts; we can analyze network artifacts using packet capture. What browser uses the user agent string shown in the screenshot? Here we detected malicious activity and we want to flag the user agent; we want to find out what browser is behind this user agent. You just grab this and Google it to be able to find it, because if you go back to the user agent here, some may say it is Mozilla Firefox because it starts with Mozilla, but no. I heard many people telling me "oh, it's Mozilla Firefox". No, it's not Firefox, come on, this is not the browser. To find out the browser behind a user agent you just have to Google the string, and there is a specific site here where you can look up the user agent and see the browser name and more information about the platform used, such as the architecture and the operating system. As you can see, the user agent reveals a lot of information about the user. How many POST requests are in the screenshot of the pcap file? We can see we have nine POST requests.

All right, so at this stage we are actually able to detect an attack by analyzing the artifacts. We have tools in place to block known hash values, known IP addresses and known domain names, and we have security solutions in place to monitor changes on the system: changes to registry values, changes to files, what we call deviations from the baseline. We also have tools to monitor network activity in real time. Right now we are able to detect attacks in real time by analyzing the changes on the system. So now the attacker realizes that we have advanced defenses in place, and they need to step up their game. They will go to the layer above, which is the tools layer. It is now getting kind of impossible for the attacker, and the attacker is probably thinking of giving up on the attack, because it's very hard to change the tools of the attack: they will need to go back and create a new tool, if they are able to. Maybe the attacker is a script kiddie using known tools to launch the attack; if they are a script kiddie they will find this level and the level above it impossible to bypass, because they will need to create or program a new tool. So the tools and TTPs are the most difficult layers, or let's say stages, for the attacker. Here we can assume the attacker is now using new tools. If the attacker is successful at creating new tools or modifying the existing tools, all of the layers below the tools are now negligible; they may still be helpful, but you still need to create a new detection method.

So what do we do here? We create something called detection rules. Some of the detection rules are YARA rules or Sigma rules; they are rules that monitor the system in real time and analyze many artifacts, more than the network and host artifacts, to detect the use of malicious tools. These detection rules are spread very widely in the threat hunting community. You can find them in MalwareBazaar, MalShare, as you can see the Detection Marketplace, and here, as you can see guys, this site is unavailable. Okay, MalwareBazaar here: you can research malware by hash values and other artifacts, and from the reports displayed here you can grab detection rules and supply them to YARA, Sigma or any other tool you are using for detecting threats in real time. The same goes for the SOC Prime platform. We call these threat hunting communities. It's very important for incident response teams and threat hunters to be up to date with the changes and new threats published on these platforms. Again, if an attack hits your environment and you detected the attack, you will go ahead and feed these communities with the artifacts you have just uncovered.

All right, provide the method used to determine the similarity between files: fuzzy hashing. About fuzzy hashing: fuzzy hashing is a technique to detect if a file hash has been changed; it gives you the similarity between the hashes of two files. This is the tool, and the other question: provide the alternative name for fuzzy hashes without abbreviation. You can find it here from the definition: ssdeep is a program for computing context triggered piecewise hashes.

TTPs. All right, so now the attacker knows that you have deployed detection rules such as YARA or Sigma to detect attacks in real time, so the attacker needs to step up their game to the TTPs: tactics, techniques and procedures. They are very well explained and used by the MITRE framework to profile attackers, their techniques and their tools. At this stage the attacker has two options, as you can see here: either give up and find another target, or go back and create new tools. So it's pretty challenging for them right now. Your goal in any incident response team or threat hunting team is to be in these two layers, tools and TTPs, preferably at the TTPs layer, so you have all the security solutions, countermeasures or security controls in place to block known hash values, known malicious IP addresses and domain names, monitor the network and host artifacts, and have detection rules in place to detect malicious tools. At TTPs it's kind of difficult, not impossible but challenging and tough, for any group of attackers to bypass a system that has defenses in place which map to these layers.

Navigate to the ATT&CK Matrix web page. How many techniques fall under the Exfiltration category? We explained MITRE ATT&CK in detail on my channel; you can go back and find the relevant video to have a look at it. We're not going to explain it now guys because we did that before. So how many techniques are under the Exfiltration category? These represent the stages the attacker goes through when they first launch an attack. It starts with reconnaissance, information gathering, and ends with impact, the impact they leave on the system. For every stage there are techniques the attacker would implement or apply to make this stage successful, or to move up to the next stage in line. So what are the techniques under Exfiltration? We have nine techniques. Chimera is a China-based hacking group that has been active since 2018; what's the name of the commercial remote access tool they use for C2 beacons and data exfiltration? Here we are researching a known attacker group called Chimera. How do we find out the techniques, tools and tactics used by a specific hacking group? We can use MITRE ATT&CK again, by researching the group name and selecting the result that has the group name as the title. We go ahead here and we see all the techniques used by Chimera; we also see the software, and here we need to highlight the commercial software used to perform C2 beacons and exfiltration, which is Cobalt Strike.

All right, so lastly we go to this task. In this task we will finally answer this question: we need to map the explanations, or statements, here and put them into the correct layer. Now this task is currently broken and needs to be fixed; you will find out why now. Let's read through these prompts and put the appropriate prompt with the appropriate layer. The first one: "the attacker would get a little annoyed at this stage as he would need to go back and reconfigure his tools; the attacker tends to leave common patterns like registry key changes, dropped files and suspicious process execution." These are host artifacts, so we're going to put them here. Fine. The next prompt: "at this stage it is a little bit tricky for an attacker to change, as he would need to purchase, register and host it somewhere." Purchase, register and host it somewhere: it is your domain name, so we grab this and map it to the domain name layer. "At this stage it wouldn't take a lot of effort to change it, with a single bit of modification of the file." When we change a single bit of a file we are changing the hash value, but you can still detect it most of the time by using fuzzy hashing, so it is the hash values layer. "At this stage the attacker would need more time to go back and change his tactics or modify the tools; a user agent string, C2 information or URI patterns followed by the HTTP POST request can be indicators." These are network indicators. Now this is the problem with this task: you cannot place two statements, or two prompts, with one layer. If I drag this here to network artifacts and put it, it will replace the old one, which is the host artifacts; put this one more time here and it will go back. So maybe the author needs to separate the network and host artifacts into two different layers, or just enable the ability to put two prompts for one layer. We're going to leave this here, but you know now it is the network artifact. "At this stage the attacker would most likely give up trying to break into your network, or go back and try to create a new tool that serves the same capabilities; at this stage an adversary would use a backdoor, custom payload or a malicious document." Here we are in the tools. "At this stage you would leave the adversary no chance to succeed in this attack if you can detect and respond to the threats quickly," of course by virtue of detection rules, so we place this at the TTPs. Here it's not working, okay.

So that was it guys. This is the Pyramid of Pain, and I will make sure that I update the current notes with the Pyramid of Pain so you have the information summarized, if you are subscribed to the channel membership of course. So that was it guys, I'm going to see you later.
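As an added example (not from the video or the TryHackMe room), here is the bottom layer of the pyramid in code: the "echo a string to the end of the file" trick changes the SHA-256 completely, while a fuzzy hash in the spirit of the context triggered piecewise hashing mentioned above still scores the modified file as a near-duplicate. The `ctph` function is a deliberately simplified CTPH written for this page, not the ssdeep algorithm, and the sample bytes are constructed.

```python
import difflib
import hashlib
import random

# Constructed stand-ins for files (not real malware): seeded pseudo-random bytes.
SAMPLE = random.Random(1337).randbytes(4096)      # the "known bad" file
UNRELATED = random.Random(42).randbytes(4096)     # a different file of the same size
TAIL = b"appended-string\n"                       # the string an attacker echoes onto the file

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7                                        # bytes covered by the rolling hash
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193    # 32-bit FNV-1a constants


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash: the exact-match indicator at the bottom of the pyramid."""
    return hashlib.sha256(data).hexdigest()


def ctph(data: bytes, block_size: int = 64) -> str:
    """Simplified context-triggered piecewise hash (ssdeep-style, not ssdeep itself).

    A rolling hash over the last WINDOW bytes decides where one piece ends and the
    next begins; each piece is summarised as one base64 character taken from an
    FNV-1a hash of its bytes. Because piece boundaries depend on content rather
    than on absolute offsets, appending or inserting bytes only disturbs the
    pieces around the change, so most of the signature survives.
    """
    window = []
    roll = 0
    piece = FNV_OFFSET
    out = []
    for b in data:
        window.append(b)
        roll += b
        if len(window) > WINDOW:
            roll -= window.pop(0)
        piece = ((piece ^ b) * FNV_PRIME) & 0xFFFFFFFF
        if roll % block_size == block_size - 1:   # context trigger: close this piece
            out.append(B64[piece & 63])
            piece = FNV_OFFSET
    out.append(B64[piece & 63])                   # flush the final, unterminated piece
    return f"{block_size}:{''.join(out)}"


def ctph_similarity(sig_a: str, sig_b: str) -> int:
    """Score 0-100 in the style of ssdeep output; 0 when block sizes differ."""
    size_a, body_a = sig_a.split(":", 1)
    size_b, body_b = sig_b.split(":", 1)
    if size_a != size_b:
        return 0
    return round(100 * difflib.SequenceMatcher(None, body_a, body_b).ratio())


def compare_samples(original: bytes, candidate: bytes) -> dict:
    """What a defender sees for two files: exact hash match vs fuzzy similarity."""
    return {
        "sha256_match": sha256_hex(original) == sha256_hex(candidate),
        "fuzzy_score": ctph_similarity(ctph(original), ctph(candidate)),
    }


if __name__ == "__main__":
    modified = SAMPLE + TAIL
    print("original SHA-256 :", sha256_hex(SAMPLE))
    print("modified SHA-256 :", sha256_hex(modified))
    print("modified file    :", compare_samples(SAMPLE, modified))    # hash differs, fuzzy score high
    print("unrelated file   :", compare_samples(SAMPLE, UNRELATED))   # hash differs, fuzzy score low
```

A detection pipeline that only compares exact hashes misses the modified file; one that also checks a fuzzy score above a threshold still catches it.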
Info
Channel: Motasem Hamdan
Views: 10,118
Id: y8TIKIWv2ws
Length: 36min 11sec (2171 seconds)
Published: Mon Nov 27 2023