The Cyber Kill Chain TryHackMe Walkthrough
In this room, you will learn about each phase of the Cyber Kill Chain Framework and the advantages and disadvantages of the traditional Cyber Kill Chain. As a result, you will be ready to recognize different phases or stages of the attack carried out by an adversary and be able to break the “kill chain.”
This write-up covers The Cyber Kill Chain Room on TryHackMe.
Learning Path(s): SOC Level 1
Module: Cyber Defence Frameworks
The Cyber Kill Chain
💡The framework defines the steps used by adversaries or malicious actors in cyberspace. It is designed for the identification and prevention of network intrusions. To succeed, an adversary needs to go through all phases of the Kill Chain.
The Cyber Kill Chain will help you understand and protect against ransomware attacks, security breaches as well as Advanced Persistent Threats (APTs). You can use the Cyber Kill Chain to assess your network and system security by identifying missing security controls and closing certain security gaps based on your company’s infrastructure.
Reconnaissance
Reconnaissance involves discovering and collecting information on the system and the victim.
This is the Planning phase for the adversaries.
OSINT (Open-Source Intelligence) — the first step an attacker needs to complete to carry out the further phases of an attack
- Email harvesting (Hunter.io)
- theHarvester: gathering names, subdomains, IPs, and URLs
- OSINT Framework
- Social Media
Weaponization
Weaponization: Crafting a “weapon of destruction,” preferably one that will not interact with the victim directly.
In the weaponization phase, the attacker would:
- Create a malicious payload or a very sophisticated worm.
- Choose Command and Control (C2) techniques for executing commands on the victim’s machine or delivering more payloads.
- Select a backdoor implant (the way to access the computer system, which includes bypassing the security mechanisms).
Delivery
Delivery: Choosing the method for transmitting the payload or malware
- Phishing
- Infected USB drives in public places
- Watering hole attack
Exploitation
💡The techniques that a malicious actor uses after gaining initial access to the victim’s machine to move deeper into a network to obtain sensitive data.
These are examples of how an attacker carries out exploitation:
- The victim triggers the exploit by opening the email attachment or clicking on a malicious link.
- Using a zero-day exploit.
- Exploiting software, hardware, or even human vulnerabilities.
- An attacker triggers the exploit for server-based vulnerabilities.
Installation
Once the attacker gets access to the system, he would want to re-access it if he loses the connection to it, if he gets detected and the initial access is removed, or if the system is later patched. This is done by installing a persistent backdoor that will let the attacker access the system he compromised in the past.
Persistence can be achieved through:
- Installing a web shell on the webserver
- Installing a backdoor on the victim’s machine (the attacker can use Meterpreter to install a backdoor on the victim’s machine).
- Creating or modifying Windows services (an attacker can use tools such as sc.exe, Reg, or a known service name to modify service configurations).
- Adding the entry to the “run keys” for the malicious payload in the Registry or the Startup Folder.
The attacker can also use the Timestomping technique to avoid detection by forensic investigators and to make the malware appear to be part of a legitimate program. Timestomping lets an attacker modify a file’s timestamps, including the modify, access, create and change times.
Command & Control
The compromised endpoint would communicate with an external server set up by an attacker to establish a command & control channel. After establishing the connection, the attacker has full control of the victim’s machine.
The most common C2 channels used by adversaries:
- The protocols HTTP on port 80 and HTTPS on port 443 — this type of beaconing blends the malicious traffic with the legitimate traffic and can help the attacker evade firewalls.
- DNS (Domain Name System). The infected machine makes constant DNS requests to a DNS server that belongs to the attacker; this type of C2 communication is also known as DNS Tunneling.
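The DNS tunneling pattern described above leaves a trace in resolver logs that a SOC analyst can hunt for. The following is an added example, not code from the room or from TryHackMe: it parses a constructed DNS query log and flags clients that repeatedly send long, random-looking labels under one zone at regular intervals; the IPs and the zone attacker-c2.test are placeholders, and treating the last two labels as the attacker's zone is an assumption.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed DNS query log (timestamp, client, name), not a real capture: 10.0.0.5 resolves
# www.example.com normally but also beacons every 30 s to attacker-c2.test (placeholder zone).
SAMPLE_LOG = """\
2013-11-27T10:00:00 10.0.0.5 www.example.com
2013-11-27T10:00:05 10.0.0.5 a9f3k2m8q1z7x4v6b0n5c3.update.attacker-c2.test
2013-11-27T10:00:30 10.0.0.5 www.example.com
2013-11-27T10:00:35 10.0.0.5 p7d2w9e4r1t6y3u8i5o0.update.attacker-c2.test
2013-11-27T10:01:00 10.0.0.5 www.example.com
2013-11-27T10:01:05 10.0.0.5 l4k9j2h7g5f1d8s3a6z0.update.attacker-c2.test
2013-11-27T10:01:35 10.0.0.5 m3n8b1v6c4x9z2q7w5e0.update.attacker-c2.test
2013-11-27T10:01:40 10.0.0.7 mail.example.com
"""

def shannon_entropy(s):
    """Bits per character; encoded data in a label scores well above ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(name):
    # Assumption: the attacker's zone is the last two labels (no public-suffix list used here).
    return ".".join(name.split(".")[-2:])

def find_dns_tunneling(text, min_queries=3, min_entropy=3.5, max_jitter_s=5.0):
    by_zone = defaultdict(list)  # (client, zone) -> [(timestamp, leftmost label)]
    for line in text.splitlines():
        ts, client, name = line.split()
        name = name.lower().rstrip(".")
        by_zone[(client, registered_domain(name))].append((datetime.fromisoformat(ts), name.split(".")[0]))
    findings = {}
    for key, entries in by_zone.items():
        if len(entries) < min_queries:
            continue  # too few queries to judge timing or encoding
        entries.sort()
        avg_entropy = sum(shannon_entropy(label) for _, label in entries) / len(entries)
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(entries, entries[1:])]
        mean = sum(gaps) / len(gaps)
        jitter = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
        # Regular timing alone is not enough (www is also polled every 30 s); the label must look encoded too.
        if avg_entropy >= min_entropy and jitter <= max_jitter_s:
            findings[key] = {"queries": len(entries), "avg_entropy": round(avg_entropy, 2),
                             "mean_interval_s": mean, "jitter_s": round(jitter, 2)}
    return findings

if __name__ == "__main__":
    for (client, zone), stats in find_dns_tunneling(SAMPLE_LOG).items():
        print(f"possible DNS tunneling: {client} -> {zone} {stats}")
```

On the sample log only the attacker-c2.test zone is reported; the equally regular www.example.com lookups are rejected because the label carries no encoded data.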
Actions on Objectives (Exfiltration)
Here, the attacker takes action on their original objectives. The attacker can achieve the following:
- Collect credentials from users.
- Perform privilege escalation.
- Internal reconnaissance (e.g., interacting with internal software to find more vulnerabilities).
- Lateral movement through the company’s environment.
- Collect and exfiltrate sensitive data.
- Delete backups and shadow copies.
- Overwrite or corrupt data.
Task 9 Practice Analysis
Note: Due to Medium’s formatting, some elements are dropped. Please visit our Notion page for the full tutorial.
Here is the real-world scenario for you to tackle:
The infamous Target cyber-attack, which led to one of the largest data breaches in history, took place on November 27, 2013.
On December 19th, 2013, Target released a statement confirming the breach, stating that approximately 40 million credit and debit card accounts were impacted between Nov. 27 and Dec. 15, 2013. Target had to pay a fine of $18.5 million under the terms of the multistate settlement agreement. This is considered to be the largest data breach settlement in history.
How did the data breach happen? Deploy the static site attached to this task and apply your skills to build the Cyber Kill Chain of this scenario. Here are some tips to help you complete the practical:
1. Add each item on the list in the correct Kill Chain entry form on the Static Site Lab:
- exploit public-facing application
- data from a local system
- PowerShell
- dynamic linker hijacking
- spearphishing attachment
- fallback channels
2. Use the ‘Check answers’ button to verify whether the answers are correct (where wrong answers will be underlined in red).
Room Answers
- What is the name of the Intel Gathering Tool that is a web-based interface to the common tools and resources for open-source intelligence?
- What is the definition for the email gathering process during the stage of reconnaissance?
- This term refers to a group of commands that perform a specific task. You can think of them as subroutines or functions that contain the code that most users use to automate routine tasks. But malicious actors tend to use them for malicious purposes and include them in Microsoft Office documents. Can you provide the term for it?
- What is the name of the attack when it is performed against a specific group of people, and the attacker seeks to infect a website that the mentioned group of people is constantly visiting?
- Can you provide the name for a cyberattack targeting a software vulnerability that is unknown to the antivirus or software vendors?
- Can you provide the technique used to modify file time attributes to hide new files or changes to existing files?
- Can you name the malicious script planted by an attacker on the webserver to maintain access to the compromised system, which enables the webserver to be accessed remotely?
- What is the C2 communication where the victim makes regular DNS requests to a DNS server and domain which belong to an attacker?
- Can you provide a technology included in Microsoft Windows that can create backup copies or snapshots of files or volumes on the computer, even when they are in use?
- What is the flag after you complete the static site?
- Click the green button labeled “View Site”. Next to each link, there is a line to fill in the blanks.
- Fill in the blanks with the list provided by TryHackMe, which is related to the Target hack of 2013.
- Click the green “Check answers” button at the bottom of the cyber kill chain.
- The answer will pop up in a new window in the middle of the cyber kill chain practical side.
Originally published at https://cyberrey.notion.site/Cyber-Defence-Frameworks-8105cfc703b84603ba467762fb114de1?pvs=4