TryHackMe SOC Level 1 - Pyramid Of Pain Walkthrough - InfoSec Pat 2023

Captions
Hey, what's up guys, welcome back to another video. So we're going to continue the SOC Level 1 series, and this one is called Pyramid of Pain. It's the second section in the same, you know, section; we'll go over that in a second. So if you guys are new to the channel, welcome, please like, subscribe and share, and if you're returning, let's have some fun. Let's go ahead and jump on the desktop and get started.

All right, so here we go. So this is my desktop, you know, once you actually log in. If you're unfamiliar with it you can just go to Learn; if you guys are at the dashboard or whatever, you guys can go to Learn, and if you come down a little bit, it's going to be the SOC Level 1. So this just teaches you all the blue team stuff, and we went over this in, you know, the other video, and we did the Junior Security Analyst Intro, and now it's the Pyramid of Pain. I wonder what this is going to be about; I haven't even read anything about this yet, so we'll do this together right from the beginning. So the Pyramid of Pain: you get TTPs, challenging, annoying, simple. Okay, I guess this is what they mean. All right, so I guess, you know, this is the concept that applies to security solutions like Cisco Security, SentinelOne and SOCRadar. These are probably all different kinds of, you know, SOCRadar, you can go ahead and come here and learn about it here, and so on and so forth. So let's go ahead and get moving, let's go ahead and just get this party started.

All right, so hash values, task number two. All right, so this is going to show you MD5, SHA-1, SHA-2. So if you want to go ahead and learn more about these hashes you can go here and click on them and read about them and all that stuff. So if you come down here, this is pretty critical, right: a hash is not considered cryptographically secure if two files have the same value, right? So that's super critical to know. And we have VirusTotal; I use this on a daily basis to run hashes, run files, make sure you are not running any crazy malicious files, and you know the hackers, they can manipulate the hashes, change a value and cause mayhem, right? So you can go here, right click, open this up, right click, open this up. If you guys aren't familiar with VirusTotal, for an example you can go to, I don't know, google.com, make sure Google is good to go. Obviously we know it's going to be clean, so you can see, okay, it ran 89 scans and zero came back malicious. And MetaDefender, you could do the same thing, let's see, google.com, and it's going to run, and obviously we know google.com is clean. You get the idea. So these are some cool tools that you can utilize, and I'm sure they're going to be using VirusTotal in this example. So let's keep going down and have some fun. So we can see the two different examples here, MetaDefender Cloud and then VirusTotal, and as we see here we can see, you know, get this file hash, and it's running this MD5 hash against this MSI, which is this file, and seeing if it comes back with any craziness. All right, so now we can analyze a hash, so let's go ahead and right click on here, gives us this, so let's see what we have here. All right, let's go back to the question; I really skipped the question, I only read it halfway through. What is the file name of the sample? So we're looking at this hash, so let's go back here and let's zoom this really close. So this is the same hash, let me see, a35d, let's go back here, a35d, perfect. So wow, this is really, really blurry. So the file name, I would assume, is Sales_Receipt 56... I don't know if I can copy that. All right, I can't copy that, so let's go ahead and use it: Sales_Receipt, and then it was, is it 56.06 I think? Let me go double check: 5606.xls, is that right? All right, cool, we got that one right. Perfect.

All right, so that was task number two. So now let's go ahead and come down to task number three, IP addresses. So I just came across this tool probably a week ago and it's actually pretty decent; you have to pay for it, that's the only, you know, downside. So if we open up app.any.run, I'm actually talking to some people at work about this, this is interesting, so you can see here that, you know, it runs some sandbox environment against a file, and I guess this file was 9 and 32i readme.txt, and you know, you can just go ahead, and this is obviously Windows 7. So yeah, but yeah, that's that. So if you want to learn more about the networking, how ports, how data traverses through a network and how IP addresses work, obviously you can use this What is Networking room, and then you can go through. I don't know if I did this one; obviously I know a little bit about networking, so maybe I haven't gone through this. Let me see, did I go through this? Oh yeah, I did, I probably made a video on it, I don't remember, there's so many videos I don't even remember what I make anymore. But cool deal. So this is a little snippet of, you know, TCP, a PID which is a process ID, a process name, the country, the IP address and the port that's running over it. So yeah, so "do not attempt to interact with any of these IPs," so don't interact with these, probably because they're malicious and, you know, probably in their sandbox environment or in their whatever, I don't know. So yeah, let's keep going. So "read the following report to answer the question: what is the IP address the malicious process (PID 1632) attempts to connect with?" All right, so let's go ahead and open this bad boy, super small, make this bigger. All right, so let's go down, because it says something about connections, so let's see if there's any kind of connections down here. Processes, let's keep going down, these are all processes. All right, network activity, maybe it's down here. Okay, what was the question again, holy moly? Process ID 1632, communication, this is 1632 and it's communicating with 50.87.136.52, that would be the first one. So it's 50.87.136.52, hopefully that's right. Perfect. All right, so let's go ahead and read the report, let's see if this is a different report, I don't know. Oh, looks like the same one, so I want to exit out of here. "What is the first domain name the malicious process attempts to connect with?" So it looks like the same thing, so the first domain is craftingalegacy, which, whatever, so that's okay. So let's go ahead and just type that in here. I forgot, I think it's craftingalegacy, okay, excuse me, dot com. Did I spell that right? Okay cool, I did it, cool deal.

So let's do task number four together. All right, so now this is about domain names, right, samples of domain names. So if you're unfamiliar with DNS and how domains work, obviously I think there should be some kind of training, one right here, the DNS in Detail room. Okay, I don't know if I did this, I don't think so. So understanding top level domains, you know, google.com, like mail.google.com and all that fun stuff. Let's go ahead and X out of here now. All right, so we see malicious C2s, which is command and control infrastructure domains, so these are all probably crazy domains that you don't want to go to. So we have like adidas.de, but there's probably some, yeah, Punycode, so you can see here, like, it looks like an i but, like, a number one here, and why you'd probably use, like, some shortened URLs or some, yeah, ASCII, Unicode, you know, all this crazy stuff. So if you come down you can see like bit.ly, goo.gl and blah blah. I've used probably a few of these to shorten URLs, so when you're making some kind of, you know, malicious link, you want to shorten it so it looks a little, you know, a little different than, like, some crazy looking URL. Let's keep going down. So viewing connections in any.run, so this is some HTTP requests, blah blah blah, connections, DNS requests, right. So let's go ahead and look at this. I'm not sure if this, this doesn't look like the same one, so let me X out of here. All right, so go to this, "provide the first URL". So let's go here, the first URL, let's see the connections, holy moly, this is tiny, so I can make this bigger, oh yeah, I can, perfect. All right, so the first connection is going to be that same domain, so copy this, oh cool, hopefully I can copy that, I think that would be correct, please, thank you. All right, cool. So "what term refers to the address used to access it?" So let's go ahead, what term, so anytime you are connecting to a site, what term are you going to be using, it was up here, domain names or domain, let's see, yeah, domain names, right, so that's what I would guess here, domain name. Okay, we're getting somewhere. "What kind of attack uses Unicode characters in a domain name?" All right, so what we wanted, same kind of, the attack is going to be right here, Punycode, I don't know if it's Punycode, what would it be, this is probably the first word, I guess, attack, that would be my guess. Okay, perfect, all right, cool deal. So "provide the redirection website". All right, so what we can do, if you guys are familiar, we can... oh crap, what did I do, should I hit go back, let's, my bad, whoops. So anytime you see these crazy URLs, let's go back down, yeah, something like this, I wouldn't throw this in... oh, that's what I'm doing, I'm an idiot, I see what I did, I put open instead of copy, I did it twice, so that shows, and it's a little early where I'm at right now, so I'm still a little... So say for example we open up, whoops, I didn't mean to do that, but if we copy this and put a little plus sign at the end we can see TinyURL and what URL it's actually utilizing. So we'll give this a second to load. I think, I don't know if they changed it, it says unavailable. All right, so what if I just do the URL? All right, so it looks like it's taking us to TryHackMe, that's where it's... so https://tryhackme.com, huh, yeah, okay, cool.

So that was section four, so now we're going to drop down to section five. What is this called? Okay, so host artifacts. So this is the Annoying one, let's see how annoying this is. This is pretty cool, so say for example you have a malicious process or anything like that, obviously powershell.exe, it looks a little wonky, right, and G_ Joe whatever, junk, I don't know, .exe, that looks a little weird. So "a security vendor has analyzed a malicious sample", let's go ahead and just right click on here, open this up. All right, so that's the report, let's go ahead and hit complete. So "a process named regidle.exe makes a POST request to an IP address on port 8080. What is the IP address?" All right, so let's go back here, I'm guessing, and 8080. Come on, I'm going to do Ctrl+F and just do 8080. So okay, perfect. All right, so I believe this is the file, is it? Yep, so the IP address looks like it's 96.126.101.6, see if that's correct. All right, cool deal. All right, so "the actor drops a malicious executable (EXE). What is the name of the executable?" So let's go back here, executable, malicious executable, let me read that again. All right, so okay, dropped in the middle or so, I want to say it says whatever, I don't know, let's just guess G_jugk.exe, this may be it, yeah, because it says "drops the files", dropped and malicious, all right. So "look at the report", let's look at this report. "How many vendors determine that host to be malicious?" I'm guessing it's nine, I guess we'll be nine, right, one two three four five, to say 9 up here, oh, one two three four five six seven eight nine, okay, could I zoom it in, let's do nine. All right, cool deal.

All right, number six, oh, task number six, what is this, network artifacts. All right, so if you're not familiar with Wireshark, Wireshark is definitely a cool tool to understand and learn, so definitely check out Wireshark. You can use tshark as well, that's running in this Kali box right here. So let's go ahead and, whoop, "what browser uses the user agent string" in this, let's see, let's do a hint here: "try to search for a string". Okay, let's just copy this string, the string above. All right, I'm just going to Google this, just like it's saying. Internet Explorer maybe? Yeah, strings of Internet Explorer, I would say, let's see if that's right, I have no idea, see if this is an explorer, oh perfect, all right, that's not too bad. All right, so what is the next one: "how many POST requests are in the screenshot of the PCAP file?" Right here, the PCAP file, one two three four five six. Sorry guys, this is probably gonna be a longer video than expected, but it's fun stuff, right, we learned something.

So what are we in now, section seven? All right, congratulations, you made it. All right, so now it's the challenging part. All right, so the attacker dropped the suspicious stealer.exe in a temp file. Obviously if you see a, excuse me, a stealer.exe, I think you should get rid of that, I wouldn't click on that. payload.exe, hell no. And the RussianPanda, no thanks, I'm good, you know. So let's keep going down, blah blah blah, fuzzing, fuzzing hashes with a strong weapon, if it's out okay, sample of an SSD or ssdeep from VirusTotal details, this is going to be essays. Okay, all right, so "provide the method used to determine similarities between the files", right, so if we have, I'm guessing I understand what their question is, provide the method used to determine similarities between the files, so I'm assuming it's these two files, right, this would be my guess, and the way that we can determine, we can use fuzzing or we can do fuzzy hashing, right, this is what we can try to do, and we can see right here, "match two files with minor differences based on the fuzzy hash values", so let me see if this is right, okay, cool deal. All right, so "provide the alternative name of the fuzzy hash without the abbreviation", what the hell, didn't mean there, let's keep going up, congratulations, all right, so let's see something, okay, I see what they're saying, how to think about this for a second. So we're still on this ssdeep from VirusTotal, so because we're talking about these, one sample of fuzzy hashing using ssdeep, so once we click on here, let's make this larger, so ssdeep is a program for computing blah, so this is what it's doing, so this is called hash, so this is the long one, context triggered piecewise hashes, this is what you might guess because it looks a little, let's see, I don't even know, okay cool, we're right.

All right, so TTPs. This is super important. If you're unfamiliar with MITRE, as an attacker, as an adversary, you know, we're gonna use these matrices, you know, this framework, whatever you want to call it; for example, if you try to do reconnaissance you're going to do active scanning, gathering information and all this stuff, and it goes across the board, right, initial access, execution, persistence, priv esc, blah blah blah blah blah. All right, so, for example, detect pass the hash, okay, so go back and research, okay, and two, okay, so navigate in the page, okay, "how many techniques are under the Exfiltration category?" All right, so let's go back to here, Exfiltration, all right, right here, so one two three four five six seven eight nine, nueve, okay, let's hit submit here, hopefully we're right, perfect. All right, so "Chimera is a China-based hacking group active in 2018, what is the name of the commercial blah". All right, so let's go, I'm just gonna copy this and let's search this bad boy here. All right, so this is the group, the Taiwan blah blah blah, and what was the question again, I totally forgot already, "what is the name of the commercial remote tool used in the C2 beacon". So Chimera has used Cobalt Strike. So Cobalt Strike, as like a red teamer or a pen tester you're probably going to be using this tool; this is to connect to, you know, your host from your servers, and you have a servical block, and you can learn more about it here, or you can just go to Cobalt Strike, whatever, and it's just a C2. All right, cool, that's correct. Number nine, "deploy the static site", and what the hell this is about, okay, "the player status once you submit your answer", okay, I don't know, just submit it, I don't know what date, check answer, I don't know what they want us to do. Oh, I guess they want to do this, but I guess it's all right, whatever, I'm not gonna know myself here, they don't really need an answer. In conclusion, now you learned the concept of the Pyramid of Pain. So there we go, congratulations folks, we did it. So the next one we'll do is Cyber Kill Chain. Let's go check if that's correct, let's go back to the dashboard really quick, Learn, I just want to make sure that the Cyber Kill Chain is the actual one for SOC Level 1. Let's keep going down, yeah, so it's Cyber Kill Chain, so this is the one we'll do next and we'll continue learning along this path, this is another ten; this should be fun. So yes, that concludes the video for today, hopefully you found this informative, thank you so much, and please remember to like, subscribe and share. If there's any questions you may have, leave them in the comments below and I'll get back to you as soon as I can. Thank you so much folks and have a good day.
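The hash-value tier discussed in task two (hashes are "trivial" on the Pyramid of Pain because the attacker can change a file's digest at will) can be shown in a few lines of Python. This is an added example, not code from the video or from the TryHackMe room; the sample bytes and the one-entry blocklist are constructed here and stand in for a real file and a real threat-intel feed.

```python
import hashlib

# Constructed stand-in for a file sample; not a real executable or malware.
SAMPLE = b"MZ\x90\x00" + b"constructed sample bytes for the hash demo " * 4

# Constructed "threat intel" blocklist keyed on the sample's SHA-256, i.e. the
# kind of indicator a defender receives from a report or a VirusTotal lookup.
BLOCKLIST = {hashlib.sha256(SAMPLE).hexdigest()}


def digests(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests for the given bytes."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def append_one_byte(data: bytes) -> bytes:
    """Simulate the trivial edit that defeats an exact-hash match: appending a
    single byte leaves the program logic untouched but changes every digest."""
    return data + b"\x00"


def matches_blocklist(data: bytes, blocklist: set) -> bool:
    """Hash-based detection: does any digest of the data appear in the blocklist?"""
    return any(d in blocklist for d in digests(data).values())


def changed_digests(original: bytes, modified: bytes) -> list:
    """Names of the digest algorithms whose output differs between two inputs."""
    before, after = digests(original), digests(modified)
    return [name for name in before if before[name] != after[name]]


if __name__ == "__main__":
    tweaked = append_one_byte(SAMPLE)
    print("original blocked:", matches_blocklist(SAMPLE, BLOCKLIST))   # True
    print("tweaked blocked: ", matches_blocklist(tweaked, BLOCKLIST))  # False
    print("digests changed: ", changed_digests(SAMPLE, tweaked))        # all three
```

The point for a SOC analyst is the second line of output: a one-byte change is enough to make a hash indicator useless, which is why the room pushes you toward the higher tiers (fuzzy hashes like ssdeep for "minor differences", then host and network artifacts, then TTPs).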
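Task four mentions Punycode domains that "look like" a brand (an adidas.de lookalike with a swapped character). The check below decodes xn-- labels back to Unicode and flags labels that mix scripts, which is the pattern behind IDN homograph attacks. It is an added example written for this walkthrough, not code from the video or the room, and uses only the Python standard library; the three domains are constructed in the script (a Cyrillic-a lookalike, the plain ASCII name, and a legitimate all-Latin German IDN), so no real indicators are involved.

```python
import unicodedata

# Constructed test domains. The first spells "adidas" with a Cyrillic small a
# (U+0430) in place of the Latin a, which renders identically in most fonts.
CONSTRUCTED_DOMAINS = [
    "\u0430didas.de".encode("idna").decode("ascii"),   # Punycode form, xn--...
    "adidas.de",                                        # ordinary ASCII name
    "b\u00fccher.de".encode("idna").decode("ascii"),   # legitimate Latin IDN
]


def to_unicode(domain: str) -> str:
    """Decode any Punycode (xn--) labels so the human-visible form can be inspected."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Rough script set for a label, taken from Unicode character names
    ('LATIN', 'CYRILLIC', 'GREEK', ...). Digits and hyphens are ignored."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_homograph_candidate(domain: str) -> bool:
    """True when any label mixes scripts (e.g. Cyrillic letters inside an
    otherwise Latin name); an all-Latin IDN such as bücher.de is not flagged."""
    return any(len(scripts_in(label)) > 1
               for label in to_unicode(domain).split("."))


def report(domains) -> dict:
    """Map each input domain to (decoded form, suspicious?)."""
    return {d: (to_unicode(d), is_homograph_candidate(d)) for d in domains}


if __name__ == "__main__":
    for raw, (decoded, flagged) in report(CONSTRUCTED_DOMAINS).items():
        print(f"{raw:28} -> {decoded:14} {'SUSPICIOUS' if flagged else 'ok'}")
```

Mixed-script detection is deliberately conservative: it will not catch a whole-script confusable (a name written entirely in Cyrillic that happens to look Latin), and browsers apply a longer list of rules, but it is enough to surface the kind of lookalike domain the room uses as its example when run over DNS logs or a proxy export.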
Info
Channel: InfoSec Pat
Views: 10,203
Keywords: tryhackme, security, pentesting, cyber, ethical, hacking, penetration, metasploite, cybermentor, infosec pat, ctf, thm, htb, testing, university, burp, tools, hacks, computer, information, tech, technology, how, hackthebox, academy, teaching, learning, educational, intro, basic, fundamentals, hack, devsecops, sec, secure, cve, vulnerability, cia, nsa, hackers, news, hackerspolit, the pyramid of pain tryhackme, kali linux, how to get a cybersecurity job with no experience, how to become a millionaire, how to, share, like, subscribe
Id: S7AxXavRNQE
Length: 23min 19sec (1399 seconds)
Published: Sat Jun 10 2023