Summit
Can you chase a simulated adversary up the Pyramid of Pain until they finally back down? -by odacavoTHM
Last updated
The following post by 0xb0b is licensed under CC BY 4.0
The Pyramid of Pain is a concept often used in cybersecurity to illustrate how much effort it costs an attacker when defenders detect and deny a given type of indicator: replacing a hash is trivial, while abandoning a whole tactic or technique is tough. It's a model that helps security professionals prioritize their defenses by focusing on the indicator types where denying them hurts the attacker most.
The following graphic illustrates the Pyramid of Pain.
Hash Values (Trivial): These are cryptographic representations of files or data. While they can be used to identify specific files or verify integrity, they are relatively trivial for attackers to deal with since they can be easily changed or obfuscated.
IP Address (Easy): IP addresses are numerical labels assigned to devices connected to a network. While they can be used for tracking and blocking purposes, they are relatively easy for attackers to change or hide behind proxies or other techniques.
Domain Names (Simple): Domain names are human-readable names that correspond to IP addresses. While they can be useful for tracking and blocking malicious activity, they are relatively simple for attackers to acquire or switch between.
Host Artifacts (Annoying): These are artifacts left on a host system by an attacker, such as logs, temporary files, or registry entries. While they can provide valuable clues for forensic analysis, they are considered annoying for attackers because they can be cleaned or erased.
Network Artifacts (Annoying): Similar to host artifacts, network artifacts are traces of malicious activity left on a network, such as network traffic patterns or communication logs. While they can be used to detect and analyze attacks, they are also annoying for attackers because they can be monitored and analyzed.
Tools (Challenging): These are the software tools and utilities used by attackers to carry out their attacks, such as malware, exploit kits, or command-and-control frameworks. While they are more challenging for attackers to develop or acquire, they can still be detected and mitigated by security measures.
TTPs (Tough): Tactics, Techniques, and Procedures (TTPs) are the methods and strategies used by attackers to achieve their objectives. This includes things like social engineering, privilege escalation, lateral movement, and data exfiltration. TTPs are tough for defenders to deal with because they involve human behavior and can be difficult to predict or detect.
We have tools to manage hashes, a Firewall manager, a DNS filter and a Sigma Rule Builder at our disposal, each of which makes life progressively harder for the attacker. We start at the trivial bottom of the Pyramid of Pain with our first sample: we run the Malware Sandbox on Sample1.exe and are able to retrieve its hashes.
We send the discovered hash to the EDR to block the threat.
After adding the hash, we are informed that we successfully prevented the execution of sample1.exe.
The following mail with the first flag informs us that one cannot rely on hashes alone, since any change to the malware changes its hash. We move on to Task 2.
This time we see that an outgoing connection is being established to 154.35.10.113:4444.
We can prevent this outgoing connection with the firewall tool.
After successful execution, we receive the second mail and, thus, the second flag. But here, too, we are informed that this method is not sufficient and that the attacker can circumvent this mitigation by using a different public address. We go to Task 3 with the information that the attacker is already using a new address and has many more in stock.
We climb further up the pyramid. We can see that the attacker is using a different IP this time, but also a domain.
We create a DNS filter rule to prevent this.
After we have created the rule, we receive the third email with the third flag. But we have not yet reached the top of the Pyramid of Pain. We're at about the middle level; it's still very simple. The attacker could still easily register new domains, for example.
We move on to Sample4.exe. We see the manipulation of registry entries: under the Real-Time Protection key, the value DisableRealtimeMonitoring is set to 1, which deactivates the real-time monitoring of Windows Defender.
We have our first Sigma rule to create, using the Sigma Rule Builder tool. Under Sysmon Event Logs -> Registry Modification, we create the rule needed to recognize this registry modification and mitigate the attack.
After creating it, we receive the rule and the mail with the flag.
Sphinx notes that it was very time-consuming and cost-intensive for his team to develop new techniques and tools. We continue to climb the pyramid and are confronted with Sample5.exe.
When analyzing, we detect several HTTP requests. The sandbox result does not immediately indicate what has to be done.
Back to the mail, in the attachment we find the outgoing connection logs.
We see multiple outgoing connections with a size of 97 bytes every 30 minutes. We know that the attacker already has a lot of IP addresses available, so a simple firewall rule is not enough. We create a Sigma rule for this pattern instead.
We concentrate on the pattern and block all IPs and ports that make a request every 30 minutes with a packet size of 97 bytes. The ATT&CK ID is TA0011, Command & Control, as the sandbox clearly shows the use of a beacon.bat, as with the Cobalt Strike C2 framework.
To create the rule, we go to:
Sigma Rule Builder -> Sysmon Event Logs -> Network Connections
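As an added example that is not part of the original write-up or of the room's own tooling, the beaconing pattern above (fixed 97-byte connections every 30 minutes, regardless of destination) expressed as detection logic and run over a constructed connection log; the log layout, the 10.10.10.x source hosts and the 203.0.113.x / 198.51.100.x destinations are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not the room's attachment); the beacon rotates destination IPs.
SAMPLE_LOG = """\
2024-01-15 09:00:00 src=10.10.10.5 dst=203.0.113.10 dport=4444 bytes=97
2024-01-15 09:07:13 src=10.10.10.5 dst=198.51.100.20 dport=443 bytes=1412
2024-01-15 09:30:00 src=10.10.10.5 dst=203.0.113.10 dport=4444 bytes=97
2024-01-15 09:41:50 src=10.10.10.5 dst=198.51.100.20 dport=443 bytes=97
2024-01-15 10:00:00 src=10.10.10.5 dst=203.0.113.11 dport=4444 bytes=97
2024-01-15 10:15:00 src=10.10.10.8 dst=198.51.100.20 dport=443 bytes=97
2024-01-15 10:30:00 src=10.10.10.5 dst=203.0.113.11 dport=4444 bytes=97
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) bytes=(?P<size>\d+)$")

def parse_log(text):
    """Parse key=value connection lines; lines in another layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            d["size"], d["dport"] = int(d["size"]), int(d["dport"])
            events.append(d)
    return events

def find_beacons(events, size=97, interval=timedelta(minutes=30),
                 tolerance=timedelta(seconds=60), min_hits=3):
    """Report source hosts whose `size`-byte connections recur every `interval`.
    Grouped by source and byte count, not destination, so IP rotation does not
    hide it; an event counts only if it has a partner one interval away, which
    keeps a stray same-sized connection (the 09:41:50 line) out of the finding."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["size"] == size:
            by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        matched = set()
        for i, a in enumerate(evs):
            for j in range(i + 1, len(evs)):
                if abs((evs[j]["ts"] - a["ts"]) - interval) <= tolerance:
                    matched.update((i, j))
        if len(matched) >= min_hits:
            hits = [evs[k] for k in sorted(matched)]
            findings.append({"src": src, "hits": len(hits),
                             "destinations": sorted({(e["dst"], e["dport"]) for e in hits})})
    return findings
```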
After we have set up the rule with the builder, we receive the finished rule and a reference to another email.
We receive the fifth flag. The attacker is soon pushed so far that he can no longer keep up. We arrive at the top of the Pyramid of Pain, TTPs, with Sample6.exe. We have to focus on the techniques and procedures of the adversary.
In the mail for the fifth flag, we also received an attachment with command logs.
The sandbox also provides less detail but sufficient information.
We create a Sigma rule for the very last time, this one concentrating on file creation. We set the file path, the file name and, as can be seen from the file name and the command log, the ATT&CK ID TA0010, Exfiltration.
Once again, after setting the rule parameters, we receive the rule and the mail for the final flag.
The adversary finally gives up. We have reached the top of the Pyramid of Pain.