
TryHackMe - Pyramid Of Pain Room

Updated: Dec 6, 2022


Author: Dan Rearden

Learn what the Pyramid of Pain is and how to use this model to determine how much difficulty it causes an adversary to change the indicators associated with them and their campaign.


This well-renowned concept is being applied to cybersecurity solutions like Cisco Security, SentinelOne, and SOCRadar to improve the effectiveness of CTI (Cyber Threat Intelligence), threat hunting, and incident response exercises. Understanding the Pyramid of Pain concept as a Threat Hunter, Incident Responder, or SOC Analyst is important.

Are you ready to explore what hides inside the Pyramid of Pain?

Task 2 Hash Values (Trivial)

As per Microsoft, the hash value is a numeric value of a fixed length that uniquely identifies data. A hash value is the result of a hashing algorithm. The following are some of the most common hashing algorithms:

  • MD5 (Message Digest, defined by RFC 1321) — was designed by Ron Rivest in 1992 and is a widely used cryptographic hash function with a 128-bit hash value. MD5 hashes are NOT considered cryptographically secure. In 2011, the IETF published RFC 6151, “Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms,” which mentioned a number of attacks against MD5 hashes, including the hash collision.

  • SHA-1 (Secure Hash Algorithm 1, defined by RFC 3174) — was invented by the United States National Security Agency in 1995. When data is fed to the SHA-1 hashing algorithm, it takes the input and produces a 160-bit hash value, written as a 40-digit hexadecimal number. NIST deprecated the use of SHA-1 in 2011 and banned its use for digital signatures at the end of 2013 based on it being susceptible to brute-force attacks. Instead, NIST recommends migrating from SHA-1 to stronger hash algorithms in the SHA-2 and SHA-3 families.

  • SHA-2 (Secure Hash Algorithm 2) — was designed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in 2001 to replace SHA-1. SHA-2 has many variants, and arguably the most common is SHA-256. The SHA-256 algorithm returns a 256-bit hash value, written as a 64-digit hexadecimal number.

A hash is not considered cryptographically secure if two different files can produce the same hash value or digest (a collision).

Security professionals usually use the hash values to gain insight into a specific malware sample, a malicious or a suspicious file, and as a way to uniquely identify and reference the malicious artifact.

You probably read the ransomware reports in the past, where security researchers would provide the hashes related to the malicious or suspicious files used at the end of the report. You can check out The DFIR Report and FireEye Threat Research Blogs if you’re interested in seeing an example.

Various online tools can be used to do hash lookups like VirusTotal and Metadefender Cloud — OPSWAT.

VirusTotal:

MetaDefender Cloud — OPSWAT:

As you might have noticed, it is really easy to spot a malicious file if we have the hash in our arsenal. However, for an attacker it’s trivial to modify a file by even a single bit, which produces a completely different hash value. With so many variations and instances of known malware or ransomware, threat hunting using file hashes as the IOC (Indicator of Compromise) can become a difficult task.

Let’s take a look at an example of how you can change the hash value of a file by simply appending a string to the end of it using echo.

File Hash (Before Modification)

PS C:\Users\THM\Downloads> Get-FileHash .\OpenVPN_2.5.1_I601_amd64.msi -Algorithm MD5

Algorithm       Hash                                   Path
---------       ----                                   ----
MD5             D1A008E3A606F24590A02B853E955CF7       C:\Users\THM\Downloads\OpenVPN_2.5.1_I601_amd64.msi

File Hash (After Modification)

PS C:\Users\THM\Downloads> echo "AppendTheHash" >> .\OpenVPN_2.5.1_I601_amd64.msi

PS C:\Users\THM\Downloads> Get-FileHash .\OpenVPN_2.5.1_I601_amd64.msi -Algorithm MD5

Algorithm       Hash                                   Path
---------       ----                                   ----
MD5             9D52B46F5DE41B73418F8E0DACEC5E9F       C:\Users\THM\Downloads\OpenVPN_2.5.1_I601_amd64.msi


Answer the questions below:

Provide the ransomware name for the hash ‘63625702e63e333f235b5025078cea1545f29b1ad42b1e46031911321779b6be’ using open-source lookup tools.


Copy the hash given to you by TryHackMe. Then we want to head to MetaDefender Cloud. You can use the link above or click the link I provided in the previous sentence. This should open a new tab and take you to the MetaDefender Cloud home page.

In the middle of the page is a search box; this is where we want to paste the hash. Then click the Process button to the right.


As we can see, the file that this hash came from is malicious. The name of the ransomware is at the top. It is quite a famous one you should have at least heard of. Copy and paste or type the answer into the TryHackMe answer field, then click submit.


Answer: Conti

To be a good SOC analyst, though, we shouldn’t rely on one source claiming a hash is malicious. It could be a false positive, so let us look at VirusTotal quickly to be sure this is malicious. We can use the link above or the one I provided in the previous sentence. This should open a new tab and take you to the VirusTotal home page.

Click the Search button in the middle of the screen.

Now paste the hash value into the search field at the bottom of the webpage, then press the enter key on the keyboard to search for this hash.

After VirusTotal searches the hash value, we can see that it is in fact malicious!

Task 3 IP Address (Easy)

You may have learned the importance of an IP address from the “What is Networking?” Room. An IP address is used to identify any device connected to a network. These devices range from desktops to servers and even CCTV cameras! We rely on IP addresses to send and receive information over the network. But we are not going to get into the structure and functionality of the IP address. As a part of the Pyramid of Pain, we’ll evaluate how IP addresses are used as an indicator.

In the Pyramid of Pain, IP addresses are indicated with the color green. You might be asking why and what you can associate the green color with?

From a defense standpoint, knowledge of the IP addresses an adversary uses can be valuable. A common defense tactic is to block, drop, or deny inbound requests from those IP addresses on your perimeter or external firewall. This tactic is often not bulletproof, as it’s trivial for an experienced adversary to recover simply by using a new public IP address.

Malicious IP connections (app.any.run):

NOTE! Do not attempt to interact with the IP addresses shown above.

One of the ways an adversary can make it challenging to successfully carry out IP blocking is by using Fast Flux.

According to Akamai, Fast Flux is a DNS technique used by botnets to hide phishing, web proxying, malware delivery, and malware communication activities behind compromised hosts acting as proxies. The purpose of using the Fast Flux network is to make the communication between malware and its command and control server (C&C) challenging to be discovered by security professionals.

So, the primary concept of a Fast Flux network is having multiple IP addresses associated with a domain name, which is constantly changing. Palo Alto created a great fictional scenario to explain Fast Flux: “Fast Flux 101: How Cybercriminals Improve the Resilience of Their Infrastructure to Evade Detection and Law Enforcement Takedowns”
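The paragraph above describes fast flux as a domain whose answer IPs keep changing. The following is an added example, not part of the TryHackMe room or this write-up, of how a defender can hunt for that pattern in passive DNS or resolver logs: for each name it counts distinct answer IPs, how many different networks they fall in, and the lowest TTL seen. The record layout, the /16 grouping (a stand-in for a real ASN lookup) and the thresholds are all assumptions chosen for illustration; the sample records are constructed and use RFC 5737 documentation addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed DNS resolution records: (timestamp, queried name, answer IP, TTL seconds).
# The IPs are from the RFC 5737 documentation ranges and the names are invented.
SAMPLE_RESOLUTIONS = [
    ("2022-12-01T10:00:00Z", "updates.fluxed-example.net", "203.0.113.10", 60),
    ("2022-12-01T10:05:00Z", "updates.fluxed-example.net", "198.51.100.77", 60),
    ("2022-12-01T10:10:00Z", "updates.fluxed-example.net", "192.0.2.45", 120),
    ("2022-12-01T10:15:00Z", "updates.fluxed-example.net", "203.0.113.99", 60),
    ("2022-12-01T10:20:00Z", "updates.fluxed-example.net", "198.51.100.3", 60),
    ("2022-12-01T10:00:00Z", "static.example.com", "192.0.2.8", 86400),
    ("2022-12-01T10:30:00Z", "static.example.com", "192.0.2.8", 86400),
    # A CDN-style name: several IPs, but all in one network and with a long TTL.
    ("2022-12-01T10:00:00Z", "cdn.example.org", "203.0.113.20", 3600),
    ("2022-12-01T10:05:00Z", "cdn.example.org", "203.0.113.21", 3600),
    ("2022-12-01T10:10:00Z", "cdn.example.org", "203.0.113.22", 3600),
    ("2022-12-01T10:15:00Z", "cdn.example.org", "203.0.113.23", 3600),
]


def summarize_by_domain(records):
    """Collect the distinct answer IPs, distinct /16 networks and lowest TTL per name."""
    per_domain = defaultdict(lambda: {"ips": set(), "networks": set(), "min_ttl": None})
    for _timestamp, name, ip, ttl in records:
        entry = per_domain[name.lower()]
        entry["ips"].add(ip)
        # /16 is a crude stand-in for "different hosting network"; a real hunt would
        # map each IP to its ASN, as the any.run Connections tab does.
        entry["networks"].add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
    return per_domain


def looks_fast_flux(summary, min_ips=4, min_networks=2, max_ttl=300):
    """Heuristic: many answer IPs, spread over several networks, with short TTLs."""
    return (
        len(summary["ips"]) >= min_ips
        and len(summary["networks"]) >= min_networks
        and summary["min_ttl"] is not None
        and summary["min_ttl"] <= max_ttl
    )


def flag_fast_flux_domains(records, **thresholds):
    """Return the names whose resolution history matches the heuristic, sorted."""
    summaries = summarize_by_domain(records)
    return sorted(name for name, s in summaries.items() if looks_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for name, summary in summarize_by_domain(SAMPLE_RESOLUTIONS).items():
        verdict = "FAST-FLUX?" if looks_fast_flux(summary) else "ok"
        print(f"{name:28} ips={len(summary['ips'])} nets={len(summary['networks'])} "
              f"min_ttl={summary['min_ttl']} {verdict}")
```

Note that the CDN-style name in the sample also rotates through several IPs; it is the combination of short TTLs and addresses spread across unrelated networks that separates flux from ordinary load balancing, which is why the check requires all three conditions.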

Use the following any.run URL to answer the questions below:

Answer the questions below


What is the ASN for the third IP address observed?


To start off, click the link above that is given to us by TryHackMe. This will take us to an instance of any.run that we need to answer these questions. Once you click the link, a new tab will open with the any.run instance.

Looking under the desktop image, you will see four tabs. Click on the Connections tab. This is where the answer is located: look in this table at the column labeled ASN. Now move down to the third entry; this is the answer. Copy and paste it over to the TryHackMe answer field, and click submit.

Answer: Host Europe GmbH

What is the domain name associated with the first IP address observed?

Now, staying in the Connections tab, move to the column labeled Domain. Look at the first entry; this is the answer. Copy and paste it over to the TryHackMe answer field, and click submit.

Answer: craftingalegacy.com

Task 4 Domain Names (Simple)

Let’s step up the Pyramid of Pain and move on to Domain Names. You can see the transition of colors — from green to teal.

Domain Names can be thought of as simply mapping an IP address to a string of text. A domain name can contain a domain and a top-level domain (evilcorp.com) or a sub-domain followed by a domain and top-level domain (tryhackme.evilcorp.com). But we will not go into the details of how the Domain Name System (DNS) works. You can learn more about DNS in the “DNS in Detail” Room.

Domain Names can be a little more of a pain for the attacker to change as they would most likely need to purchase the domain, register it and modify DNS records. Unfortunately for defenders, many DNS providers have loose standards and provide APIs to make it even easier for the attacker to change the domain.

Malicious Sodinokibi C2 (Command and Control Infrastructure) domains:


Can you spot anything malicious in the above screenshot? Now, compare it to the legitimate website view below:


This is one of the examples of a Punycode attack used by the attackers to redirect users to a malicious domain that seems legitimate at first glance.

What is Punycode? As per Wandera, “Punycode is a way of converting words that cannot be written in ASCII, into a Unicode ASCII encoding.”

What you saw in the URL above is adıdas.de, which has the Punycode form http://xn--addas-o4a.de/

Internet Explorer, Google Chrome, Microsoft Edge, and Apple Safari are now pretty good at translating the obfuscated characters into the full Punycode domain name.

To detect the malicious domains, proxy logs or web server logs can be used. Attackers usually hide the malicious domains under URL Shorteners. A URL Shortener is a tool that creates a short and unique URL that will redirect to the specific website specified during the initial step of setting up the URL Shortener link. According to Cofense, attackers use the following URL Shortening services to generate malicious links:

  • bit.ly

  • goo.gl

  • ow.ly

  • s.id

  • smarturl.it

  • tiny.pl

  • tinyurl.com

  • x.co

You can see the actual website the shortened link is redirecting you to by appending “+” to it (see the examples below). Type the shortened URL in the address bar of the web browser and add the above characters to see the redirect URL.

NOTE: The example shortened links below are non-existent.
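As an added example (not part of the TryHackMe room or this write-up), the snippet below takes a hostname as it would appear in proxy or DNS logs and applies the two checks this task describes: decoding a Punycode (xn--) label back to its Unicode form so an analyst can see the real characters, and flagging known URL shorteners. It also computes a crude "skeleton" of the decoded name to catch the adıdas.de / adidas.de case. The watch-list of brand domains, the tiny confusables table (a hand-picked subset, not Unicode's full confusables data) and the sample hosts are constructed for illustration; the shortener list is the one given in the task.

```python
import unicodedata

# Shortener services named in the room (Cofense's list).
URL_SHORTENERS = {"bit.ly", "goo.gl", "ow.ly", "s.id", "smarturl.it",
                  "tiny.pl", "tinyurl.com", "x.co"}

# Constructed watch-list of brand domains we want look-alikes for; a real deployment
# would load the organisation's own list.
WATCHED_DOMAINS = {"adidas.de", "tryhackme.com", "example.com"}

# Deliberately small subset of look-alike mappings (Unicode's confusables data is much
# larger): dotless i, then Cyrillic a, e, o, p, c that render like their Latin twins.
CONFUSABLES = {"\u0131": "i", "\u0430": "a", "\u0435": "e",
               "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def decode_label(label):
    """Turn a Punycode A-label such as xn--addas-o4a back into its Unicode form."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed label: leave it so the analyst still sees it
    return label


def decode_domain(domain):
    """Decode every label of a hostname; plain ASCII labels pass through unchanged."""
    return ".".join(decode_label(part) for part in domain.strip().lower().split("."))


def skeleton(text):
    """Crude confusable skeleton: map known look-alikes, then strip accents (NFKD)."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def analyze_domain(domain):
    """Classify one hostname from a log as shortener / IDN / brand look-alike."""
    lowered = domain.strip().lower()
    decoded = decode_domain(lowered)
    is_idn = any(ord(ch) > 127 for ch in decoded)
    lookalike = None
    if is_idn:
        candidate = skeleton(decoded)
        if candidate != decoded and candidate in WATCHED_DOMAINS:
            lookalike = candidate
    return {
        "domain": lowered,
        "decoded": decoded,
        "is_idn": is_idn,
        "is_shortener": lowered in URL_SHORTENERS,
        "lookalike_of": lookalike,
    }


if __name__ == "__main__":
    # Constructed sample of hosts as they might appear in proxy logs.
    for host in ["xn--addas-o4a.de", "tinyurl.com", "www.example.com", "ad\u0131das.de"]:
        print(analyze_domain(host))
```

Running it on xn--addas-o4a.de reports the decoded name adıdas.de and a look-alike match against adidas.de; the same host written directly with the dotless i is caught too, because the check runs on the decoded form rather than on the raw log string.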

Answer the questions below

Go to this report on app.any.run and provide the first malicious URL request you are seeing, you will be using this report to answer the remaining questions of this task.

Before we get started, I believe that TryHackMe is looking for the first suspicious URL. With that knowledge, let us start this question. Click on the link in the question to open a tab at any.run.

Once any.run opens, click on the tab under the desktop display labeled DNS Requests. The first entry will be the answer to this question. Copy the URL and paste it into the TryHackMe answer field, then click submit.

Answer: craftingalegacy.com

What term refers to an address used to access websites?

The answer to this can be found in the first sentence, and several times in the first paragraph. Type it into the TryHackMe answer field, then click submit.

Since the answer can be found above, I won’t be posting it here.

What type of attack uses Unicode characters in the domain name to imitate a known domain?

The answer to this can be found after the second example of the URLs. Type it into the TryHackMe answer field, then click submit.

Since the answer can be found above, I won’t be posting it here.

Provide the redirected website for the shortened URL using a preview: https://tinyurl.com/bw7t8p4u

To start out, open a new tab using the keyboard shortcut ctrl + t. Now highlight, copy and paste the URL into the new tab, and add the + on the end.

Press enter to go to TinyURL and see where this will take you to.

The answer can be found in the middle of the page. Copy and paste the answer over in the TryHackMe answer field, then click submit.

Task 5 Host Artifacts (Annoying)

Let’s take another step up to the yellow zone.

On this level, the attacker will feel a little more annoyed and frustrated if you can detect the attack. The attacker would need to circle back at this detection level and change his attack tools and methodologies. This is very time-consuming for the attacker, and he will probably need to spend more resources on his adversary tools. Host artifacts are the traces or observables that attackers leave on the system, such as registry values, suspicious process execution, attack patterns or IOCs (Indicators of Compromise), files dropped by malicious applications, or anything exclusive to the current threat.

Suspicious process execution from Word:

The files modified/dropped by the malicious actor:

Answer the questions below

What is the suspicious IP the victim machine tried to connect to in the screenshot above?

The answer can be found in the screenshot of the suspicious events that follow opening a malicious application. In the screenshot, you will see two IP addresses that end with port numbers. The IP address starting with 192 is the end user’s system; the other IP address is the malicious IP address and the answer to this question. Type the answer into the TryHackMe answer field, then click submit.

Use the tools introduced in task 2 and provide the name of the malware associated with the IP address

You can go back to Task 2 and click on one of the two links given to you, VirusTotal or MetaDefender Cloud. Since MetaDefender Cloud gave a little more info on the name of the ransomware from Task 2, we should start with that (but I provided the links to both in the previous sentence). Go back to the previous TryHackMe answer field, highlight the IP address, then use the keyboard shortcut ctrl + c to copy it.

Now that you have the IP address copied, use one of the links above to go to MetaDefender Cloud. When the page loads, click on the input field in the middle of the screen, then use the keyboard shortcut ctrl + v to paste the IP address into the input field.

Now click the blue Process button at the right of the input field.

This time, as we can see, no dice!! Not detecting anything. This is why we check more than one of these repositories.

Click on the VirusTotal link above to be taken to the VirusTotal site. Once you are there, click on the Search button to the right of the middle of the screen.

When the page loads you will see an input field, click on it, then paste the IP address into it again, then press enter to search it through VirusTotal.

So on VirusTotal we can see that it looks clean, but at the top we see that 10+ detected files communicate with this IP address. That is interesting, so let us click on RELATIONS to see what it could be related to. Scroll down till you see Communicating Files and look in the Name column. You should see the name of a famous piece of malware; this is the answer. Copy the answer and paste it in the TryHackMe answer field, then click submit.


Answer: emotet

Using your OSINT skills, what is the name of the malicious document associated with the dropped binary?

Since the answer can be found above, I won’t be posting it. You can follow along to learn and discover where it is located. In the question it talks about a dropped binary; what it means is what the threat actor put on the victim’s device, specifically for this question an executable. So knowing this, we can look at the screenshots above to find the answer. Use the first screenshot and compare it to the second screenshot. You will see a file on both, and you will see it several more times on the first screenshot. Type the answer into the TryHackMe answer field, then click submit.

Use your OSINT skills and provide the name of the malicious document associated with the dropped binary

In the question it talks about a dropped binary; what it means is what the threat actor put on the victim’s device, specifically for this question a document file. Both of these questions next to each other are very confusing and took me way longer than I care to admit to figure out. I even had to phone a friend to point me in the right direction. So knowing we need to look for a doc file, and knowing that it isn’t in the screenshots above, it is time to go to our second-best friend Google. A piece of info we have from above is the file path, so let us search for that: Users\admin\Jehhzda\Ben14fr\. You will get many results, but the one we are looking for is the any.run instance. Make sure it is the one from at least Feb 9, 2022. Click on the link.

You will be greeted with a lot of info, but you want to scroll down the page till you come to File Activity. Once you reach it you will notice a couple of things. The biggest thing is one text file, which is what we are trying to look for. Once you find the text file name you can highlight it, copy it with the keyboard shortcut ctrl + c, then paste it (click the answer field, use shortcut ctrl + v) into the TryHackMe answer field, and click submit.

Answer: CMO-100120 CDW-102220.doc

Task 6 Network Artifacts (Annoying)

Network Artifacts also belong to the yellow zone in the Pyramid of Pain. This means if you can detect and respond to the threat, the attacker would need more time to go back and change his tactics or modify the tools, which gives you more time to respond and detect the upcoming threats or remediate the existing ones.

A network artifact can be a user-agent string, C2 information, or URI patterns followed by the HTTP POST requests. An attacker might use a User-Agent string that hasn’t been observed in your environment before or seems out of the ordinary. The User-Agent is defined by RFC2616 as the request-header field that contains the information about the user agent originating the request.

Network artifacts can be detected in Wireshark PCAPs (files that contain the packet data of a network) by using a network protocol analyzer such as TShark, or by exploring IDS (Intrusion Detection System) logging from a source such as Snort.

HTTP POST requests containing suspicious strings:

Let’s use TShark to filter out the User-Agent strings by using the following command (the display filter option is a single-dash -Y):

tshark -Y http.request -T fields -e http.host -e http.user_agent -r analysis_file.pcap

These are the most common User-Agent strings found for the Emotet Downloader Trojan. If you can detect the custom User-Agent strings that the attacker is using, you might be able to block them, creating more obstacles and making their attempt to compromise the network more annoying.
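To show what a hunter does with the TShark output above, here is an added example that is not part of the TryHackMe room or this write-up. It parses lines in the tab-separated shape `-T fields -e http.host -e http.user_agent` produces, flags User-Agents that are missing or absent from a baseline of what is normal in the environment, names the browser family from the string (a tiny parser standing in for a site like WhatIsMyBrowser), and lists requests whose Host header is a bare IP address, another common C2 artifact. The captured lines, the baseline prefixes and the host names are all constructed; the old Internet Explorer string is the one typed out in this task.

```python
import ipaddress
import re
from collections import Counter

# Constructed output in the shape TShark prints for
#   tshark -Y http.request -T fields -e http.host -e http.user_agent -r capture.pcap
# (one request per line, fields tab-separated). Hosts are example/documentation values.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36")
OLD_IE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; "
             ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
             "Media Center PC 6.0; .NET4.0C; .NET4.0E)")
SAMPLE_TSHARK_OUTPUT = "\n".join([
    f"www.example.com\t{CHROME_UA}",
    f"www.example.com\t{CHROME_UA}",
    f"cdn.example.net\t{CHROME_UA}",
    f"198.51.100.23\t{OLD_IE_UA}",
    "203.0.113.8\t",            # request with no User-Agent at all
])

# Constructed baseline of User-Agent prefixes that are normal in this environment.
BASELINE_UA_PREFIXES = ("Mozilla/5.0 (Windows NT 10.0",)


def parse_tshark_fields(text):
    """Split TShark field output into (host, user_agent) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _sep, user_agent = line.partition("\t")
        rows.append((host.strip(), user_agent.strip()))
    return rows


def browser_from_user_agent(user_agent):
    """Very small parser: enough to name the browser family and version."""
    m = re.search(r"MSIE (\d+\.\d+)", user_agent)
    if m:
        return f"Internet Explorer {m.group(1)}"
    m = re.search(r"Chrome/(\d+)", user_agent)
    if m and "Edg/" not in user_agent:
        return f"Chrome {m.group(1)}"
    return "unknown"


def unusual_user_agents(rows, baseline_prefixes=BASELINE_UA_PREFIXES):
    """Flag empty User-Agents and ones that do not match the baseline, with counts."""
    counts = Counter(user_agent for _host, user_agent in rows)
    flagged = {}
    for user_agent, n in counts.items():
        if user_agent == "":
            flagged[user_agent] = f"missing User-Agent ({n} request(s))"
        elif not user_agent.startswith(baseline_prefixes):
            flagged[user_agent] = (f"not in baseline, looks like "
                                   f"{browser_from_user_agent(user_agent)} ({n} request(s))")
    return flagged


def hosts_contacted_by_ip(rows):
    """HTTP requests whose Host header is a bare IP, a common C2 artifact."""
    found = []
    for host, _user_agent in rows:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue
        if host not in found:
            found.append(host)
    return found


if __name__ == "__main__":
    rows = parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)
    for ua, reason in unusual_user_agents(rows).items():
        print(f"{reason}: {ua[:60]!r}")
    print("bare-IP hosts:", hosts_contacted_by_ip(rows))
```

The baseline is the part that matters: an Internet Explorer 7 string is not malicious by itself, it is unusual for a fleet that otherwise runs a current browser, and that is the "out of the ordinary" signal the task describes.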

Answer the questions below

What browser uses the User-Agent string shown in the screenshot above?

Look at the TShark output in the screenshot above; it will show us the User-Agent string. I did you a favor and typed it out for you already:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.5727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Now we have to decode this, and there are websites that can do this. One of these websites is called WhatIsMyBrowser (link provided). Use the link provided to go to the WhatIsMyBrowser site; once it loads you will see a blue box in the middle of the website.

Now either copy (ctrl + c) the User-Agent string and paste (ctrl + v) it into the Parse a User agent field, or type it out there. Then click the dark blue Parse this user agent button. After the page loads, the answer will be shown in the bottom blue box. Now highlight the answer, copy it with the keyboard shortcut ctrl + c, then paste it (click the answer field, use shortcut ctrl + v) into the TryHackMe answer field, and click submit.

How many POST requests are in the screenshot from the pcap file?

Since the answer can be found above, I won’t be posting it. You can follow along to learn and discover where it is located.

This answer is as simple as counting the number of times POST appears in the screenshot. Count them and put the number in the TryHackMe answer field, then click submit.

Task 7 Tools (Challenging)

Congratulations! We have made it to the challenging part for the adversaries! At this stage, we have leveled up our detection capabilities against the artifacts. The attacker would most likely give up trying to break into your network or go back and try to create a new tool that serves the same purpose. It will be game over for the attackers, as they would need to invest some money into building a new tool (if they are capable of doing so), find a tool that has the same potential, or even get some training to learn how to be proficient in a certain tool.

Attackers would use the utilities to create malicious macro documents (maldocs) for spear phishing attempts, a backdoor that can be used to establish C2 (Command and Control Infrastructure), any custom .EXE, and .DLL files, payloads, or password crackers.

A Trojan dropped the suspicious “Stealer.exe” in the Temp folder:

The execution of the suspicious binary:

Antivirus signatures, detection rules, and YARA rules can be great weapons for you to use against attackers at this stage.

MalwareBazaar and Malshare are good resources to provide you with access to the samples, malicious feeds, and YARA results — these all can be very helpful when it comes to threat hunting and incident response.

For detection rules, SOC Prime Threat Detection Marketplace is a great platform, where security professionals share their detection rules for different kinds of threats, including the latest CVEs that are being exploited in the wild by adversaries.

Fuzzy hashing is also a strong weapon against the attacker’s tools. Fuzzy hashing helps you to perform similarity analysis — match two files with minor differences based on the fuzzy hash values. One of the examples of fuzzy hashing is the usage of SSDeep; on the SSDeep official website, you can also find the complete explanation for fuzzy hashing.


Example of SSDeep from VirusTotal:
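The following is an added example, not part of the TryHackMe room or this write-up and not ssdeep's own code, that ties this section back to Task 2: it implements a toy context-triggered piecewise hash (the same idea ssdeep uses, but with a fixed block size and difflib's ratio in place of ssdeep's edit-distance scoring) and compares it with exact MD5/SHA-256 digests on the same pair of "files". The sample bytes are constructed pseudo-random data, and the chunk hash, rolling hash and trigger rule are simplified choices made for illustration.

```python
import difflib
import hashlib
import random

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7  # bytes covered by the rolling hash, as in ssdeep


def rolling_hash(window):
    """Hash of the last WINDOW bytes; only this decides where a chunk ends."""
    h = 0
    for b in window:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h


def fnv1a32(data):
    """Hash of one chunk; one output character summarises the whole chunk."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def fuzzy_hash(data, block_size=16):
    """Toy context-triggered piecewise hash: a chunk ends wherever the rolling
    hash hits a trigger value, so chunk boundaries depend on content, not offsets.
    A change in one place therefore alters only the chunk(s) around it."""
    signature, start = [], 0
    for i in range(len(data)):
        window = data[max(0, i - WINDOW + 1):i + 1]
        if rolling_hash(window) % block_size == block_size - 1:
            signature.append(B64_ALPHABET[fnv1a32(data[start:i + 1]) % 64])
            start = i + 1
    if start < len(data):  # trailing partial chunk
        signature.append(B64_ALPHABET[fnv1a32(data[start:]) % 64])
    return f"{block_size}:{''.join(signature)}"


def similarity(hash_a, hash_b):
    """0-100 score; ssdeep uses an edit distance, difflib's ratio is a stand-in."""
    size_a, sig_a = hash_a.split(":", 1)
    size_b, sig_b = hash_b.split(":", 1)
    if size_a != size_b:
        return 0
    return round(100 * difflib.SequenceMatcher(None, sig_a, sig_b).ratio())


def compare(original, modified):
    """Exact digests next to the fuzzy similarity for the same pair of files."""
    return {
        "md5_equal": hashlib.md5(original).digest() == hashlib.md5(modified).digest(),
        "sha256_equal": hashlib.sha256(original).digest() == hashlib.sha256(modified).digest(),
        "fuzzy_similarity": similarity(fuzzy_hash(original), fuzzy_hash(modified)),
    }


def make_sample(seed, size=800):
    """Constructed stand-in for a binary: deterministic pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    original = make_sample(1)
    appended = original + b"AppendTheHash"            # the room's echo >> trick
    patched = original[:400] + b"\x00" + original[401:]  # one byte changed mid-file
    unrelated = make_sample(2)
    print("appended :", compare(original, appended))
    print("patched  :", compare(original, patched))
    print("unrelated:", compare(original, unrelated))
```

The appended and patched variants fail every exact-hash comparison, exactly as Task 2 showed with Get-FileHash, yet keep a high fuzzy similarity because almost all chunk boundaries and chunk hashes survive the edit; the unrelated sample scores low. Real ssdeep additionally picks the block size from the file length and emits two signatures at neighbouring block sizes so that files of different sizes stay comparable.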

Answer the questions below

Provide the method used to determine similarity between the files

Since the answers can be found above, I won’t be posting it. You can follow along to learn and discover where they are located.

Find the section that talks about SSDeep, in this section it discusses a hash form that can help match similarities between files. Once you find it, highlight & copy (ctrl +c ) or type the answer into the TryHackMe answer field, then click submit.

Provide the alternative name for fuzzy hashes without the abbreviation

Start off by scrolling up till you find the link to SSDeep, click it.


It will open the SSDeep page on a new tab, read the first sentence. This is where you will find the answer to this question. Once you find it, highlight & copy (ctrl +c ) or type the answer into the TryHackMe answer field, then click submit.

Answer: context triggered piecewise hashes

Task 8 TTPs (Tough)

It is not over yet. But good news, we made it to the final stage or the apex of the Pyramid of Pain!

TTPs stands for Tactics, Techniques & Procedures. This includes the whole MITRE ATT&CK Matrix, which means all the steps taken by an adversary to achieve his goal, starting from phishing attempts to persistence and data exfiltration.

If you can detect and respond to the TTPs quickly, you leave the adversaries almost no chance to fight back. For example, if you could detect a Pass-the-Hash attack using Windows Event Log monitoring and remediate it, you would be able to find the compromised host very quickly and stop the lateral movement inside your network. At this point, the attacker would have two options:

  • Option 1: Go back, do more research and training, and reconfigure their custom tools

  • Option 2: Give up and find another target

Option 2 definitely sounds less time and resource-consuming.
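The Pass-the-Hash example above is a good place to show what "detect a TTP from Windows Event Logs" looks like in practice. The code below is an added example, not part of the TryHackMe room or this write-up, and the records are constructed Security-log entries reduced to the fields that matter. It applies two widely published hunting heuristics for Event ID 4624: a network (type 3) NTLM logon through NtLmSsp with KeyLength 0, and a NewCredentials (type 9) logon through the seclogo process. Both are hunting leads rather than verdicts, since legacy clients can legitimately produce KeyLength 0 NTLM logons; the threshold-free rules, the excluded account patterns and all names and addresses are assumptions for illustration.

```python
# Constructed Security-log records in the shape of Event ID 4624 (successful logon),
# reduced to the fields the heuristic reads. Hosts, users and IPs are invented.
SAMPLE_EVENTS = [
    # Ordinary Kerberos network logon: expected traffic.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "KeyLength": 0, "TargetUserName": "alice",
     "IpAddress": "10.0.0.15", "WorkstationName": "WS01"},
    # NTLM network logon with a 128-bit session key: normal NTLM, not the pattern.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 128, "TargetUserName": "bob",
     "IpAddress": "10.0.0.16", "WorkstationName": "WS02"},
    # NTLM network logon with KeyLength 0 from a workstation: matches the heuristic.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.77", "WorkstationName": "WS07"},
    # Anonymous and machine-account NTLM logons: common noise, excluded.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "TargetUserName": "ANONYMOUS LOGON",
     "IpAddress": "10.0.0.30", "WorkstationName": "-"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "TargetUserName": "WS08$",
     "IpAddress": "10.0.0.18", "WorkstationName": "WS08"},
    # NewCredentials logon through seclogo: the local side of a pass-the-hash run.
    {"EventID": 4624, "LogonType": 9, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "seclogo", "KeyLength": 0, "TargetUserName": "carol",
     "IpAddress": "::1", "WorkstationName": "WS09"},
    # A failed logon (4625) is out of scope for this rule.
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "TargetUserName": "dave",
     "IpAddress": "10.0.0.40", "WorkstationName": "WS10"},
]


def is_noise_account(user):
    """Accounts that produce KeyLength-0 NTLM logons constantly and legitimately."""
    return user.upper() == "ANONYMOUS LOGON" or user.endswith("$")


def classify_logon(event):
    """Return a reason string if the 4624 event matches a pass-the-hash pattern, else None."""
    if event.get("EventID") != 4624 or is_noise_account(event.get("TargetUserName", "")):
        return None
    if (event.get("LogonType") == 3 and event.get("AuthenticationPackageName") == "NTLM"
            and event.get("LogonProcessName") == "NtLmSsp" and event.get("KeyLength") == 0):
        return "network NTLM logon with KeyLength 0"
    if (event.get("LogonType") == 9 and event.get("LogonProcessName") == "seclogo"
            and event.get("AuthenticationPackageName") == "Negotiate"):
        return "NewCredentials logon via seclogo"
    return None


def detect_pass_the_hash(events):
    """List suspected pass-the-hash logons: who, from where, and which pattern matched."""
    hits = []
    for event in events:
        reason = classify_logon(event)
        if reason:
            hits.append({"user": event["TargetUserName"], "source": event["IpAddress"],
                         "workstation": event["WorkstationName"], "reason": reason})
    return hits


def hosts_to_triage(hits):
    """Distinct source workstations, which is where lateral movement would start."""
    return sorted({hit["workstation"] for hit in hits})


if __name__ == "__main__":
    found = detect_pass_the_hash(SAMPLE_EVENTS)
    for hit in found:
        print(f"{hit['user']:12} {hit['source']:10} {hit['workstation']:6} {hit['reason']}")
    print("triage first:", hosts_to_triage(found))
```

The output names the workstations to triage first, which is the "find the compromised host very quickly" step in the paragraph above; in a real SIEM the same rule would be correlated with 4672 (special privileges) and 4648 (explicit credentials) events from the same host to cut false positives.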

Answer the questions below

Navigate to ATT&CK Matrix webpage. How many techniques fall under the Exfiltration category?

Start off by scrolling up till you find the link to ATT&CK Matrix, click it.

It will open the ATT&CK Matrix page in a new tab; at the bottom of the page you will see the ATT&CK Matrix for Enterprise. You could scroll down, but the answer is visible from where you are currently. Look for the column labeled Exfiltration; under it is the number of techniques. This number is the answer. Once you find it, highlight & copy (ctrl + c) or type the answer into the TryHackMe answer field, then click submit.

Answer: 9

Chimera is a China-based hacking group that has been active since 2018. What is the name of the commercial, remote access tool they use for C2 beacons and data exfiltration?

Scroll down on the ATT&CK Matrix page and look under the Exfiltration column. Look for Exfiltration Over C2 Channel, since this is what the question is asking about, and click on it. The page for Exfiltration Over C2 Channel will load; it has a table listing the names of adversaries that use this technique. Time to scroll down till you find Chimera under the Name column.


Once you find them, look to the next column on the right and you should spy a famous tool, this is the answer to the question. Once you find it, highlight & copy (ctrl +c ) or type the answer into the TryHackMe answer field, then click submit.

Answer: Cobalt Strike

Task 9 Practical: The Pyramid of Pain

Currently, Task 9 is broken. You don’t have to answer any questions, but even if you put the right descriptions on the Pyramid of Pain it will still say it is wrong. As soon as it is fixed, I plan on updating/fixing this statement.

Deploy the static site attached to this task and place the prompts into the correct tiers in the pyramid of pain!

Once you are sure, submit your answer on the static site to retrieve a flag!

Answer the questions below

Complete the static site.

There is no actual answer to this question, but a task to complete. Follow along to solve the task. To start off, click the green View Site button in the top right of the task.

After clicking on the green View Site button, the screen will split with the task on the right side. You are tasked with dragging the descriptions at the top to their corresponding place on the pyramid of pain. By clicking on each description, it will give you the full description.

Let us start at the top of the Pyramid of Pain and work our way down.

TTP

For TTP, this is not only the top of the pyramid but the most difficult on the attacker. So the answer is: “At this stage, you would leave the adversary no chance to succeed in his attack if you can detect and respond to the threats quickly.”

If we look back to Task 8 TTPs (Tough), we can see how this statement fits in here.


Tools


The next layer down is Tools; here we discovered tools, files, and documents that could be on a victim’s PC. So the answer for this layer is the statement: “At this stage the attacker would most likely give up trying to break into your network or go back and try to create a new tool that serves the same capabilities. At this stage, an adversary would use a backdoor, custom payload, or a malicious document.”

You can also find the answer back in Task 7 Tools (Challenging), it shows how the statement fits.

Network / Host Artifacts

The next layer down is Network/Host Artifacts; on this layer we learned about HTTP POST and User-Agent strings. So the description that best suits this layer is: “At this stage, the attacker would need more time to go back and change his tactics or modify the tools. A user-agent string, C2 information, or URI patterns followed by the HTTP POST requests can be the indicators.”

You can also find the answer back in Task 6 Network Artifacts (Annoying), it shows how the statement fits.

Domain Names

The next layer down is the Domain Names layer; in this layer we learned about shortened URLs and that threat actors can change domain names. So the description answer is: “At this stage, it is a little bit tricky for an attacker to change as he would need to purchase, register and host it somewhere.”

You can also find the answer back in Task 4 Domain Names (Simple), it shows how the statement fits.

IP Addresses

The next layer down is the IP Addresses layer; at this level we learned that we can discover the threat actor’s IP address and then block it through the firewall, thus annoying the threat actor. So the description answer is: “The attacker would get a little annoyed at this stage as he would need to go back and reconfigure his tools. The attacker tends to leave the common patterns like registry key changes, dropped files, and suspicious process executions.”

You can also find the answer back in Task 3 IP Address (Easy), it shows how the statement fits.

Hash Values

We made it to the final layer, Hash Values!! In this layer we learned that hashes are unique sequences of letters and numbers. When you run a malicious file through a hashing algorithm, the output can be used to signature malware. The problem, though, is that one small change to the file changes the hash value. The description that best fits this layer is: “At this stage, it wouldn’t take a lot of effort to change it with a single bit of modification of the file, but you can still detect it most of the time by using fuzzy hashing.”

You can also find the answer back in Task 2 Hash Values (Trivial) and Task 7 Tools (Challenging), which show how the statement fits.

Task 10 Conclusion

Now you have learned the concept of the Pyramid of Pain. Maybe it is time to apply this in practice. Please, navigate to the Static Site to perform the exercise.

You can pick any APT (Advanced Persistent Threat) group as another exercise. A good place to look would be FireEye Advanced Persistent Threat Groups. When you have determined the APT group you want to research, find their indicators and ask yourself: “What can I do, or what detection rules and approach can I create, to detect the adversary’s activity?”, and “Where does this activity or detection fall on the Pyramid of Pain?” As David Bianco states, “the amount of pain you cause an adversary depends on the types of indicators you are able to make use of”.

🎉🎉Congrats!!!! You completed the Pyramid of Pain Room!!!!!🎉🎉

About the Author: Hello, Everybody!!! I am Dan Rearden, aka HaircutFish, and I am looking to be a future SOC analyst. I use my passion for cybersecurity to learn as much as possible, so that I may pass on the knowledge to others that want to learn as well. I got into this field back in 2020, after I injured my knee, and after multiple surgeries that ultimately led to a knee replacement. During the time I had off between surgeries, I started learning about IT through Udemy courses and books. The deeper I got into IT, the more I started to learn about cybersecurity and found a renewed passion!! At first, I wanted to be a Pentester because they make it look cool on TV, but the more I learned about Pentesting, the more I didn’t think I was able to do it. That’s when I learned about cyber defense or Blue team, and bam, I found my niche. So I’ve put my focus and study toward these efforts. These write-ups I produce from TryHackMe are used to help those out that need a nudge, or want to dip a toe in to find out if they would like blue teaming. If you want to follow my write-ups, I post them to my socials, which can be found on my LinkTree. Thank you, and be awesome!
