TryHackMe - Pyramid Of Pain Room
Updated: Dec 6, 2022
Author: Dan Rearden
Learn what the Pyramid of Pain is and how to use this model to determine how difficult it is for an adversary to change the indicators associated with them and their campaign.
This well-renowned concept is being applied to cybersecurity solutions like Cisco Security, SentinelOne, and SOCRadar to improve the effectiveness of CTI (Cyber Threat Intelligence), threat hunting, and incident response exercises. Understanding the Pyramid of Pain concept as a Threat Hunter, Incident Responder, or SOC Analyst is important.
Are you ready to explore what hides inside the Pyramid of Pain?
Task 2 Hash Values (Trivial)
As per Microsoft, the hash value is a numeric value of a fixed length that uniquely identifies data. A hash value is the result of a hashing algorithm. The following are some of the most common hashing algorithms:
MD5 (Message Digest, defined by RFC 1321) — was designed by Ron Rivest in 1992 and is a widely used cryptographic hash function with a 128-bit hash value. MD5 hashes are NOT considered cryptographically secure. In 2011, the IETF published RFC 6151, “Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms,” which describes a number of attacks against MD5 hashes, including hash collisions.
SHA-1 (Secure Hash Algorithm 1, defined by RFC 3174) — was designed by the United States National Security Agency in 1995. SHA-1 takes an input and produces a 160-bit hash value, written as a 40-digit hexadecimal number. NIST deprecated the use of SHA-1 in 2011 and banned its use for digital signatures at the end of 2013 based on it being susceptible to brute-force attacks. Instead, NIST recommends migrating from SHA-1 to stronger hash algorithms in the SHA-2 and SHA-3 families.
SHA-2 (Secure Hash Algorithm 2) — was designed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in 2001 to replace SHA-1. SHA-2 has many variants, and arguably the most common is SHA-256. The SHA-256 algorithm returns a 256-bit hash value, written as a 64-digit hexadecimal number.
A hash function is not considered cryptographically secure if two different files can be made to produce the same hash value (digest); this is known as a collision.
Security professionals usually use hash values to gain insight into a specific malware sample or a malicious or suspicious file, and as a way to uniquely identify and reference the malicious artifact.
You have probably read ransomware reports in the past where security researchers provide the hashes of the malicious or suspicious files at the end of the report. You can check out The DFIR Report and FireEye Threat Research Blogs if you’re interested in seeing an example.
Various online tools can be used to do hash lookups like VirusTotal and Metadefender Cloud — OPSWAT.
As you might have noticed, it is really easy to spot a malicious file if we have the hash in our arsenal. However, as an attacker, it’s trivial to modify a file by even a single bit, which would produce a different hash value. With so many variations and instances of known malware or ransomware, threat hunting using file hashes as the IOC (Indicators of Compromise) can become a difficult task.
Let’s take a look at an example of how you can change the hash value of a file by simply appending a string to the end of it using echo.

File Hash (Before Modification)

    PS C:\Users\THM\Downloads> Get-FileHash .\OpenVPN_2.5.1_I601_amd64.msi -Algorithm MD5

    Algorithm       Hash                                       Path
    ---------       ----                                       ----
    MD5             D1A008E3A606F24590A02B853E955CF7           C:\Users\THM\Downloads\OpenVPN_2.5.1_I601_amd64.msi

File Hash (After Modification)

    PS C:\Users\THM\Downloads> echo "AppendTheHash" >> .\OpenVPN_2.5.1_I601_amd64.msi
    PS C:\Users\THM\Downloads> Get-FileHash .\OpenVPN_2.5.1_I601_amd64.msi -Algorithm MD5

    Algorithm       Hash                                       Path
    ---------       ----                                       ----
    MD5             9D52B46F5DE41B73418F8E0DACEC5E9F           C:\Users\THM\Downloads\OpenVPN_2.5.1_I601_amd64.msi
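The same before-and-after experiment in Python, as an added example that is not part of the original room or walkthrough. The sample file bytes and the IOC set are constructed here, not taken from the real OpenVPN installer; the point is that a hash-based indicator stops matching after any change to the file, whether a string is appended or a single bit is flipped.

```python
import hashlib

# Constructed sample: a fake installer-like byte string standing in for the
# OpenVPN .msi used on the page (it is not the real file).
SAMPLE_FILE = b"MZ\x90\x00" + b"constructed sample installer bytes " * 8


def digests(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests of the given bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def append_bytes(data: bytes, tail: bytes = b"AppendTheHash\r\n") -> bytes:
    """Mimic `echo "AppendTheHash" >> file`: append a short string at the end."""
    return data + tail


def flip_one_bit(data: bytes, byte_index: int = 0) -> bytes:
    """Flip a single bit at byte_index: the smallest possible change to a file."""
    modified = bytearray(data)
    modified[byte_index] ^= 0x01
    return bytes(modified)


def matches_ioc(data: bytes, ioc_sha256: set) -> bool:
    """Hash-based detection: is the file's SHA-256 in the shared IOC set?"""
    return hashlib.sha256(data).hexdigest() in ioc_sha256


# Constructed IOC set: the "known bad" SHA-256 of the unmodified sample, the
# way a hash indicator would be published at the end of a threat report.
KNOWN_BAD = {digests(SAMPLE_FILE)["sha256"]}


def demo() -> dict:
    """Compare the original against two trivially modified copies."""
    original = SAMPLE_FILE
    appended = append_bytes(original)
    flipped = flip_one_bit(original)
    return {
        "original_matches": matches_ioc(original, KNOWN_BAD),
        "appended_matches": matches_ioc(appended, KNOWN_BAD),
        "flipped_matches": matches_ioc(flipped, KNOWN_BAD),
        "md5_changed": digests(original)["md5"] != digests(appended)["md5"],
    }


if __name__ == "__main__":
    for name, data in [("before", SAMPLE_FILE), ("after", append_bytes(SAMPLE_FILE))]:
        print(name, digests(data))
    print(demo())
```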
Answer the questions below:
Provide the ransomware name for the hash ‘63625702e63e333f235b5025078cea1545f29b1ad42b1e46031911321779b6be’ using open-source lookup tools.
Copy the hash given to you by TryHackMe. Then head to MetaDefender Cloud using the link above. This should open a new tab and take you to the MetaDefender Cloud home page.
In the middle of the page is a search box; paste the hash into it, then click the Process button to the right.
As we can see, the file that this hash came from is malicious. The name of the ransomware is at the top. It is quite a famous one that you should have at least heard of. Copy and paste, or type, the answer into the TryHackMe answer field, then click Submit.
To be a good SOC analyst, though, we shouldn’t rely on a single source claiming a hash is malicious. It could be a false positive, so let’s quickly check VirusTotal to be sure. Use the link above; this should open a new tab and take you to the VirusTotal home page.
Click the Search button in the middle of the screen.
Now paste the hash value into the search field at the bottom of the page, then press Enter to search for this hash.
After VirusTotal searches the hash value, we can see that it is, in fact, malicious!
Task 3 IP Address (Easy)
You may have learned the importance of an IP address from the “What is Networking?” room. An IP address is used to identify any device connected to a network. These devices range from desktops to servers and even CCTV cameras! We rely on IP addresses to send and receive information over the network, but we are not going to get into the structure and functionality of the IP address here. As part of the Pyramid of Pain, we’ll evaluate how IP addresses are used as an indicator.