TryHackMe Room Write-Up
This is a write-up on the Cyber Kill Chain Room for TryHackMe. We will walk through what it is, why it’s important, and a bit about its origin.
As written in this room, the Cyber Kill Chain is important because it defines the steps taken by adversaries to pull off a successful attack. By being aware of this model, we can start to think of an active defense to mitigate the threat.
There are 7 phases:
- Recon
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Actions on Objectives
We will visit each phase in more depth, starting with Recon.
Recon / Reconnaissance
What is reconnaissance? It can be best described as the information collecting phase. It is like when detectives look for relevant clues, except that in this case, unfortunately, the one collecting the clues is a bad guy.
During this phase, a threat actor would identify the environment, identify potential defenders, and acquire information they can use to build a narrative.
To gather this information, a threat actor would use several resources, and they have one of the most powerful resources out there: the internet, now paired with Large Language Models that have web search capabilities. Think about how much information they can uncover in so little time. With the recent craze around AI, imagine what a simple ChatGPT prompt with a web search extension could do.
Thankfully, we have the same. We can use open and available resources to gain valuable information on attackers.
The process of using open resources for our knowledge is called “Open Source Intelligence” or better known as OSINT.
The TryHackMe room mentions email harvesting, IPs, subdomains, and URLs.
OSINT Frameworks are also available to streamline access to these tools.
Questions
What is the name of the Intel Gathering Tool that is a web-based interface to the common tools and resources for open-source intelligence?
Answer: OSINT Framework
What is the definition for the email gathering process during the stage of reconnaissance?
Answer: email harvesting
Weaponization
Weaponization in the context of information security refers to the process of turning vulnerabilities, exploits, or malicious code into potent tools to compromise or attack computer systems, networks, or data. It involves the development or modification of software, scripts, or techniques to exploit weaknesses and gain unauthorized access or control. (From ChatGPT)
As we can see, weaponization is the second phase of the Cyber Kill Chain. This involves the process of using our newly acquired knowledge in the Reconnaissance phase, for instance, knowledge of a weak point in a company, to then start crafting ‘weapons’ or tools to assist in the later stages of our “kill chain” or attack.
For instance, if we knew that a website was vulnerable to SQL injection, we could start to craft a payload that would be weaponized to stage the attack.
# Example of a SQL injection payload that could be weaponized
' OR 1=1 --
The reason this example works is because of how SQL queries are typically constructed.
1. SQL Syntax: In SQL, the OR operator is used for logical disjunction. The condition 1=1 always evaluates to true, as it is a simple equality comparison between two identical values. Therefore, when the injected condition ' OR 1=1 is added to the original query, it becomes a tautology that is always true. (From ChatGPT)
2. Comment Syntax: The double dash (--) is a common syntax used in SQL to indicate a comment. Anything that follows the double dash on the same line is treated as a comment and is ignored by the database engine. By appending -- after the injected condition, the rest of the original query is effectively commented out, ensuring that the injected condition becomes the last evaluated part of the query. (From ChatGPT)
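As an added example (not from the room or the original post), the following Python runs the payload above against a query built by string concatenation and against the same query with a bound parameter. It uses an in-memory SQLite database with constructed sample rows; the table and user names are invented for the demo.

```python
import sqlite3

PAYLOAD = "' OR 1=1 --"  # the payload discussed above


def make_db() -> sqlite3.Connection:
    """Build a throwaway users table with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Lookup that splices user input into the SQL text (the weak form)."""
    # With PAYLOAD the text becomes:
    #   SELECT username FROM users WHERE username = '' OR 1=1 --'
    # OR 1=1 is true for every row and -- comments out the trailing
    # quote, so the whole table comes back.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup with a bound parameter (the hardened form)."""
    # The driver passes the payload as a literal value, so the database
    # looks for a user literally named "' OR 1=1 --" and finds none.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", lookup_vulnerable(db, PAYLOAD))      # all three users
    print("parameterised:", lookup_parameterised(db, PAYLOAD))  # []
```

Parameterisation, not input filtering, is what neutralises the payload: both comment styles and any quoting trick are irrelevant once the value never reaches the SQL parser as code.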
The room references a different example: Microsoft Office documents that contain malicious macros. These are another form of payload that would be utilized in the weaponization phase. Read more about it here
Questions
This term is referred to as a group of commands that perform a specific task. You can think of them as subroutines or functions that contain the code that most users use to automate routine tasks. But malicious actors tend to use them for malicious purposes and include them in Microsoft Office documents. Can you provide the term for it?
Answer: macro
Delivery
Delivery is a crucial stage in the cyber kill chain, where threat actors employ various methods to deliver their weaponized payloads to targeted systems or individuals. This can occur through channels such as phishing emails, malicious attachments, compromised websites, social engineering, or even physical means. Effective delivery techniques are designed to bypass security measures and deceive unsuspecting users, increasing the chances of successful exploitation. (From ChatGPT)
Delivery! Did someone order a backdoor? Or, a pizza? Uh. Hello? Maybe a phishing email?
Delivery is the phase where we once again build on our reconnaissance and start delivering our weapons to the known locations. Dropped a malicious USB in a supermarket? That’s delivery when someone plugs it into their computer. What about a fun microcontroller shipped in a cardboard box to a corporate office, probing for their network? These are examples of delivery in physical form, but the same applies to digital mediums for delivering malicious software.
The room discusses a similar attack where a normal site turns malicious, with unsuspecting visitors doing their everyday operations on the “harmless” website. The compromised website would be the attacker’s form of delivery.
Questions
What is the name of the attack when it is performed against a specific group of people, and the attacker seeks to infect the website that the mentioned group of people is constantly visiting?
Answer: watering hole attack
Exploitation
Exploitation is the process of taking advantage of vulnerabilities or weaknesses in computer systems, software, or networks to gain unauthorized access, control, or perform malicious activities. Threat actors leverage their weaponized tools, such as exploits, malware, or backdoors, to manipulate or compromise targeted systems, compromising their confidentiality, integrity, or availability. (From ChatGPT)
Exploitation. This is where attackers actually take advantage of the vulnerabilities or weaknesses on infrastructure they have knowledge about.
Sometimes an exploit can be so fresh that nobody knows about it yet. These are called zero-days. There are absolutely zero known mitigation techniques at the start of a zero-day exploit.
Once an exploit is seen in the wild, it will be documented in an organization’s vulnerability database and proactive measures for mitigation will commence.
Questions
Can you provide the name for a cyberattack targeting a software vulnerability that is unknown to the antivirus or software vendors?
Answer: zero-day
Installation
Installation involves the establishment of persistent access or control over compromised systems or networks. After successfully exploiting vulnerabilities, threat actors deploy their tools or malware to maintain a foothold within the target environment, ensuring continued access for further malicious actions. Installation may include the deployment of keyloggers, remote administration tools, or establishing backdoor access points. (From ChatGPT)
Once an attacker has exploited something and gained access, they want to keep that access under their control. To do this, they will install mechanisms on the device that help them keep it. The goal is to establish a form of persistence so that, even if the original exploit is mitigated, they have a backdoor back in.
Some methods of establishing persistence are:
- a web shell on a webserver
- a backdoor
- living off the land / modifying Windows services
- adding entries to the startup folder
Questions
Can you provide the technique used to modify file time attributes to hide new or changes to existing files?
Answer: timestomping
Can you name the malicious script planted by an attacker on the webserver to maintain access to the compromised system and enables the webserver to be accessed remotely?
Answer: web shell
Command and Control
Command and control (C2) is a critical aspect of the cyber kill chain, where threat actors establish communication channels and infrastructure to manage and control compromised systems or networks. This allows them to issue commands, retrieve stolen data, update malware, or coordinate further attacks. Effective C2 systems ensure covert communication and enable threat actors to evade detection and maintain their control undetected. (From ChatGPT)
Command and Control is where the victim machine starts to talk back to a server that an attacker has set up. This is where things get scary, because a victim may not even suspect that they are compromised, and the attacker can simply sit back and monitor the activity, peek at files, and cause disruption at their convenience.
While a whole lot of information is still not publicly available, the SolarWinds breach in 2020 was a good example where stealthy command and control was established by the attackers, because it was speculated that systems may have been breached as early as September 2019, according to TechTarget.
Questions
What is the C2 communication where the victim makes regular DNS requests to a DNS server and domain which belong to an attacker?
Answer: DNS Tunneling
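The question above describes the pattern a defender can look for: regular, data-carrying DNS queries to one attacker-owned domain. As an added example (not from the room or the original post), this Python detector flags that pattern in a constructed DNS query log; the log format, the hex-label sample data and the thresholds are all assumptions made for the demo.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample DNS log, "<timestamp> <client> <queried name>" per line.
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.5 www.example.com
2024-01-10T09:00:30 10.0.0.5 7a1f9c3e5b2d4a6f8c0e1b3d.c2.example.net
2024-01-10T09:01:00 10.0.0.5 9e2d4b6f8a0c1e3f5d7b9a2c.c2.example.net
2024-01-10T09:01:30 10.0.0.5 4c6e8a0b2d4f6a8c0e2b4d6f.c2.example.net
2024-01-10T09:01:45 10.0.0.5 mail.example.com
2024-01-10T09:02:00 10.0.0.5 1b3d5f7a9c0e2a4c6e8b0d2f.c2.example.net
2024-01-10T09:02:30 10.0.0.5 6d8f0a2c4e6b8d0f2a4c6e8a.c2.example.net
2024-01-10T09:03:00 10.0.0.5 www.example.com
"""


def registered_domain(name: str) -> str:
    """Crude owner-domain extraction: last two labels (assumes no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def find_dns_tunnel_candidates(log: str, min_queries: int = 4,
                               max_jitter_s: float = 5.0, min_label_len: int = 20) -> dict:
    """Return {domain: summary} for domains showing the beaconing pattern:
    many queries, each with a long never-repeated leading label (encoded data),
    sent at near-constant intervals. Thresholds are assumptions for this sample."""
    per_domain = defaultdict(list)  # domain -> [(timestamp, leading label)]
    for line in log.splitlines():
        ts, _client, name = line.split()
        per_domain[registered_domain(name)].append(
            (datetime.fromisoformat(ts), name.split(".")[0]))

    findings = {}
    for domain, events in per_domain.items():
        if len(events) < min_queries:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        labels = {label for _, label in events}
        data_like = all(len(label) >= min_label_len for label in labels)
        if data_like and len(labels) == len(events) and pstdev(gaps) <= max_jitter_s:
            findings[domain] = (f"{len(events)} queries, {len(labels)} unique long labels, "
                                f"interval ~{sum(gaps) / len(gaps):.0f}s")
    return findings
```

On the sample log only example.net is flagged; the www and mail lookups to example.com are too few, repeat their labels, and have short labels, so they pass.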
Actions on Objectives
Actions on objectives refer to the final stage of the cyber kill chain, where threat actors execute their intended actions or achieve their malicious goals. This may involve data exfiltration, destruction, unauthorized access, or any other objective aligned with the attacker’s motives. Successful completion of the actions on objectives stage signifies the accomplishment of the attacker’s mission and potential damage to the target organization or individual. (From ChatGPT)
This is where the attacker finally achieves their goals. According to the TryHackMe room, they will have achieved the following:
- Collect the credentials from users.
- Perform privilege escalation (gaining elevated access like domain administrator access from a workstation by exploiting the misconfiguration).
- Internal reconnaissance (for example, an attacker gets to interact with internal software to find its vulnerabilities).
- Lateral movement through the company’s environment.
- Collect and exfiltrate sensitive data.
- Deleting the backups and shadow copies. Shadow Copy is a Microsoft technology that can create backup copies, snapshots of computer files, or volumes.
- Overwrite or corrupt data.
That’s a whole lot of potential actions that can be taken, and they can be quite damaging to a company. With the knowledge of such a framework, we can now see how beneficial it can be in mitigating these potential actions, and how it will assist us with valuable threat intelligence to stop future attacks in their tracks.
Questions
Can you provide a technology included in Microsoft Windows that can create backup copies or snapshots of files or volumes on the computer, even when they are in use?
Answer: Shadow copy
Practical Analysis
In the practical analysis section, we have an opportunity to write the name of each step in the Cyber Kill Chain.
Remember, we have the following order, though this is not a linear sequence, as an attacker could go forward or backward to any phase at any time.
- Recon
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Actions on Objectives
Questions
What is the flag after you complete the static site?
Answer: THM{7HR347_1N73L_12_4w35om3}
Origin
The Cyber Kill Chain framework was introduced by Lockheed Martin in 2011. It has gained popularity for good reason, due to its utility in providing a way to identify the steps adversaries will take to complete their goals.
An important thing to note is that the cyber kill chain is not a catch-all framework, as attackers are constantly thinking of ways to break our traditional ways of doing things. With this in mind, be prepared to work out of order, get experimental, and approach things dynamically and proactively as opposed to a rigid, linear approach.
Concluding Thoughts
This was a great room and I had fun doing this write-up. I wanted to provide value beyond what the room provides, so I greatly appreciate your feedback if I was successful. As always, be blessed and go make a difference in the world!
Credits:
ChatGPT for helping me document this room in a succinct manner.
TryHackMe for the awesome room