# Summit

{% embed url="<https://tryhackme.com/room/summit>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

The Pyramid of Pain is a concept often used in cybersecurity to illustrate the relative difficulty for an attacker to cause damage at different layers of an organization's infrastructure. It's a model that helps security professionals prioritize their defenses by focusing on the areas where attackers have the most leverage.

The following graphic illustrates the pyramid of pain.

<figure><img src="/files/CzNfbBB4G9xkTGHEOJwW" alt=""><figcaption><p>This image is courtesy of TryHackMe - <a href="https://www.tryhackme.com">https://www.tryhackme.com</a></p></figcaption></figure>

**Hash Values (Trivial)**: These are cryptographic representations of files or data. While they can be used to identify specific files or verify integrity, they are relatively trivial for attackers to deal with since they can be easily changed or obfuscated.

**IP Address (Easy)**: IP addresses are numerical labels assigned to devices connected to a network. While they can be used for tracking and blocking purposes, they are relatively easy for attackers to change or hide behind proxies or other techniques.

**Domain Names (Simple)**: Domain names are human-readable names that correspond to IP addresses. While they can be useful for tracking and blocking malicious activity, they are relatively simple for attackers to acquire or switch between.

**Host Artifacts (Annoying)**: These are artifacts left on a host system by an attacker, such as logs, temporary files, or registry entries. While they can provide valuable clues for forensic analysis, they are considered annoying for attackers because they can be cleaned or erased.

**Network Artifacts (Annoying)**: Similar to host artifacts, network artifacts are traces of malicious activity left on a network, such as network traffic patterns or communication logs. While they can be used to detect and analyze attacks, they are also annoying for attackers because they can be monitored and analyzed.

**Tools (Challenging)**: These are the software tools and utilities used by attackers to carry out their attacks, such as malware, exploit kits, or command-and-control frameworks. While they are more challenging for attackers to develop or acquire, they can still be detected and mitigated by security measures.

**TTPs (Tough)**: Tactics, Techniques, and Procedures (TTPs) are the methods and strategies used by attackers to achieve their objectives. This includes things like social engineering, privilege escalation, lateral movement, and data exfiltration. TTPs are tough for defenders to deal with because they involve human behavior and can be difficult to predict or detect.

## Sample1.exe

We have tools to manage hashes, a firewall manager, a DNS filter and a Sigma Rule Builder at our disposal, each of which makes life increasingly difficult for the attacker. We start at the trivial stage of the Pyramid of Pain with our first sample. We run the Malware Sandbox on `Sample1.exe` and retrieve its hashes.

<figure><img src="/files/O5vVg9JmUpB07CmtsjC2" alt=""><figcaption></figcaption></figure>

We send the discovered hash to the EDR to block the threat.

<figure><img src="/files/KXlf22jOEWdPve6YHIPL" alt=""><figcaption></figcaption></figure>

After adding the hash, we are informed that we successfully prevented the execution of `sample1.exe`.

<figure><img src="/files/Zt5gNFBvNj6AihadgCy9" alt=""><figcaption></figcaption></figure>

The following mail with the first flag informs us that we cannot rely on hashes alone, since any change to the malware changes its hash. We move on to Task 2.

<figure><img src="/files/Ht8LVlMiF9Z7OeGuDtvo" alt=""><figcaption></figcaption></figure>

## Sample2.exe

This time we see that an outgoing connection is being established to `154.35.10.113:4444`.

<figure><img src="/files/5f2lTpaAI5jqYmglLsII" alt=""><figcaption></figcaption></figure>

We can prevent this outgoing connection with the firewall tool.

<figure><img src="/files/2qJASKxG8L6OzeyNwFRQ" alt=""><figcaption></figcaption></figure>

Once the rule is in place, we receive the second mail and, thus, the second flag. But here, too, we are informed that this method is not sufficient: the attacker can circumvent the block simply by using a different public address. We go to Task 3 knowing that the attacker is already using a new address and has many more in stock.

<figure><img src="/files/UQWG6nF80FBiREihrvOU" alt=""><figcaption></figcaption></figure>

## Sample3.exe

We climb further up the pyramid. We can see that the attacker is using a different IP this time, but also a domain.

<figure><img src="/files/4AlXSHGR5a3C0dgGGGLj" alt=""><figcaption></figcaption></figure>

We create a DNS filter rule to prevent this.

<figure><img src="/files/A0O1eeplC5WWojjAQlk6" alt=""><figcaption></figcaption></figure>

After we have created the rule, we receive the third email with the third flag. But we have not yet reached the top of the Pyramid of Pain. We are roughly at the middle level, and it is still easy for the attacker to adapt: registering new domains, for example, costs very little.

<figure><img src="/files/r7agSAyNM2M0bPTCxlbO" alt=""><figcaption></figcaption></figure>

## Sample4.exe

We move on to `Sample4.exe` and see registry entries being manipulated: under the Real-Time Protection key, the value `DisableRealtimeMonitoring` is set to `1`, which deactivates the real-time monitoring of Windows Defender.

<figure><img src="/files/2hMNAIh5cfrg8BMLjjDD" alt=""><figcaption></figcaption></figure>

We have our first Sigma rule to create using the Sigma Rule Builder tool. Under `Sysmon Event Logs -> Registry Modification`, we create the rule that detects this registry modification and mitigates the attack.
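The rule the builder produces is a Sigma selection on Sysmon Event ID 13 (RegistryEvent, value set). The following is an added example, not the room's own rule or output: a minimal matcher that evaluates such a selection over a handful of constructed Sysmon-style events. The full key path under `SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection` is the standard Defender policy location and is an assumption here, as the room only names the Real-Time Protection entry and the value.

```python
"""Minimal Sigma-style matcher for Sysmon registry 'value set' events.

Added example (not the room's rule). Sysmon Event ID 13 puts the written key
in TargetObject and the new value in Details, e.g. "DWORD (0x00000001)".
"""

# Sigma-shaped rule: every entry in the selection must match (logical AND).
# The endswith match covers both the policy key and the product key, since
# both end in \Real-Time Protection\DisableRealtimeMonitoring.
DEFENDER_RTP_RULE = {
    "title": "Windows Defender Real-Time Protection Disabled via Registry",
    "logsource": {"product": "windows", "category": "registry_set"},
    "detection": {
        "selection": {
            "EventID": 13,
            "TargetObject|endswith": r"\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
            "Details": "DWORD (0x00000001)",
        },
        "condition": "selection",
    },
    "tags": ["attack.defense_evasion", "attack.t1562.001"],
}

# Constructed Sysmon-like events; the full key path is an assumption.
SAMPLE_EVENTS = [
    {   # value set to 1 -> real-time monitoring disabled (should match)
        "EventID": 13,
        "Image": r"C:\Users\victim\Downloads\Sample4.exe",
        "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
        "Details": "DWORD (0x00000001)",
    },
    {   # same value reset to 0 by an administrator (should not match)
        "EventID": 13,
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
        "Details": "DWORD (0x00000000)",
    },
    {   # unrelated Run-key persistence write (should not match this rule)
        "EventID": 13,
        "Image": r"C:\Users\victim\Downloads\Sample4.exe",
        "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"C:\Users\victim\AppData\Local\upd.exe",
    },
    {   # key created (Event ID 12), not a value set (should not match)
        "EventID": 12,
        "Image": r"C:\Users\victim\Downloads\Sample4.exe",
        "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
    },
]


def field_matches(spec_key: str, expected, event: dict) -> bool:
    """Evaluate one selection entry ("Field" or "Field|modifier") against an event.

    Sigma string comparisons are case-insensitive by default, so string
    modifiers are evaluated on lower-cased values.
    """
    field, _, modifier = spec_key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    if modifier == "":
        return actual == expected
    if modifier == "endswith":
        return str(actual).lower().endswith(str(expected).lower())
    if modifier == "startswith":
        return str(actual).lower().startswith(str(expected).lower())
    if modifier == "contains":
        return str(expected).lower() in str(actual).lower()
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def rule_matches(rule: dict, event: dict) -> bool:
    """True when every field of the rule's single selection matches the event."""
    selection = rule["detection"]["selection"]
    return all(field_matches(key, value, event) for key, value in selection.items())


def find_matches(rule: dict, events: list) -> list:
    """Return the events that trigger the rule."""
    return [event for event in events if rule_matches(rule, event)]


if __name__ == "__main__":
    for hit in find_matches(DEFENDER_RTP_RULE, SAMPLE_EVENTS):
        print(f"ALERT {DEFENDER_RTP_RULE['title']}: {hit['Image']} -> {hit['TargetObject']}")
```

Only the first event fires: the reset to `0` and the key-creation event share the same path but fail the `Details` or `EventID` condition, which is exactly why the rule keys on the value written rather than on the path alone.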

<figure><img src="/files/sjLuIiX2vQQ1K2HKfoJx" alt=""><figcaption></figcaption></figure>

After creating it, we receive the rule and the mail with the flag.

<figure><img src="/files/xFAjE30fDnHRE7xETUsS" alt=""><figcaption></figcaption></figure>

Sphinx notes that it was very time-consuming and cost-intensive for his team to develop new techniques and tools. We continue to climb the pyramid and are confronted with `Sample5.exe`.

<figure><img src="/files/iE6fhBPMg6I2gO9HPEZu" alt=""><figcaption></figcaption></figure>

## Sample5.exe

During analysis, we detect several HTTP requests. The sandbox result does not immediately indicate what has to be done.

<figure><img src="/files/GPRthpgNR1vkfBKIgHig" alt=""><figcaption></figcaption></figure>

Back in the mail, we find the outgoing connection logs in the attachment.

<figure><img src="/files/jbNZfpXTn4FOA9U7f2lY" alt=""><figcaption></figcaption></figure>

We see multiple outgoing connections of `97 bytes` every `30 minutes`. We know that the attacker already has a lot of IP addresses available, so a simple firewall rule is not enough. We create a Sigma rule for this pattern.

<figure><img src="/files/Tvx7PdThggJLjBAWJqKZ" alt=""><figcaption></figcaption></figure>

We concentrate on the pattern and block all IPs and ports that make a request every 30 minutes with a packet size of `97 bytes`. The ATT\&CK ID is `TA0011` Command & Control, as the sandbox clearly shows the use of a `beacon.bat`, as in the Cobalt Strike C2.

To create the rule, we reach out to:

`Sigma Rule Builder -> Sysmon Event Logs -> Network Connections`

<figure><img src="/files/x0Xzw7qM5zKvFYsz6uVj" alt=""><figcaption></figcaption></figure>

After we have set up the rule with the builder, we receive the finished rule and a reference to another email.

<figure><img src="/files/WADNDMy4CRgBxMI5RF9e" alt=""><figcaption></figcaption></figure>

We receive the fifth flag. We have soon pushed the attacker to the point where he can no longer keep up. We arrive at the top of the Pyramid of Pain, TTPs, with `Sample6.exe`. We have to focus on the techniques and procedures of the adversary.

<figure><img src="/files/4AZxooH0YTK2qrziSrMK" alt=""><figcaption></figcaption></figure>

## Sample6.exe

In the mail for the fifth flag, we also received an attachment with command logs.

<figure><img src="/files/sNrmdz2URPpEihmzNlJx" alt=""><figcaption></figcaption></figure>

The sandbox provides less detail this time, but still sufficient information.

<figure><img src="/files/KwESzAEmoctXpDlfSucV" alt=""><figcaption></figcaption></figure>

We create a Sigma rule for the very last time, this one concentrating on file creation. We set the file path, the file name and, as can be seen from the file name and the command log, the ATT\&CK ID `TA0010` Exfiltration.

<figure><img src="/files/ObD5h7oLmfFYNFEBtuSP" alt=""><figcaption></figcaption></figure>

Once again, after setting the rule parameters, we receive the rule and the mail for the final flag.

<figure><img src="/files/cSPfWrPsPP5bOAqHuNVt" alt=""><figcaption></figcaption></figure>

The adversary finally gives up. We have reached the top of the Pyramid of Pain.

<figure><img src="/files/5qJrk9ZWHFIYwlHkNx3k" alt=""><figcaption></figcaption></figure>

