Happy December 5th! I worked through the challenge yesterday and put together some notes for the writeup, but unfortunately I didn’t have time to polish it up and post it, so it’s a day late. If you’re not caught up yet or you want to know more about the event, check out my Day 1 article. No answers will be posted in these articles, as per the rules of Advent of Cyber, but I explain my process of finding them without spoiling the flag. To go along with the holiday season and this event of daily challenges, I’m going to try my best to complete the new challenge each day, and some days I might post a writeup here. This won’t be a daily thing, as each day’s challenge is pretty long and I am fast approaching finals week, but I’ll post here when possible. Let’s get into yesterday’s challenge!
Day 4: I’m all atomic inside!
Yesterday’s learning objectives were:
Learn how to identify malicious techniques using the MITRE ATT&CK framework
Learn about how to use Atomic Red Team tests to conduct attack simulations
Understand how to create alerting and detection rules from the attack tests
We start off yesterday’s challenge learning about detection gaps. Blue teamers will rarely be able to detect every attack or every step in the attack kill chain, and that is the reality they face: there are gaps in their detection. There are two main reasons for these gaps:
Security is a cat-and-mouse game
The line between anomalous and expected behaviour is often very fine and even sometimes has significant overlap
From there we do some more reading on how to define and improve detection rules to close those gaps. Some topics to know before moving on to creating new detection rules are cyber attacks and the Cyber Kill Chain, the MITRE ATT&CK framework, and the Atomic Red Team library. The Cyber Kill Chain explains the fairly standard process that all cyber attacks follow. The MITRE ATT&CK framework is a collection of tactics, techniques, and procedures that have been seen in use by real threat actors. The framework describes these in a theoretical manner, which is where the Atomic Red Team library is useful: it is a collection of simple red team test cases that are mapped to the framework, can be used to test for detection gaps, and can be executed by any blue team.
Now we move on to a section of the task where you can follow along with McSkidy to learn more about using Atomic Red Team and get some guidance on the commands to use later when finding the answers to the questions. The process for finding the flag for question 1 is shown during this section of the task, so make sure you get that before moving on and running the cleanup command.
After walking through that you get to the challenge portion of the task: identify the correct atomic test that takes advantage of a command and scripting interpreter, run the test, and extract the valuable artifacts that would be used to craft a detection rule.
Questions
Question 1: What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xslm artefact?
As mentioned previously, following along with McSkidy reveals how and where to find the flag: they reveal the path where the file is, or if you find the event containing the link, clicking it will open the file and reveal the flag as well. BUT take note that in real-life scenarios you should not click, to keep your machine safe.
Question 2: What ATT&CK technique ID would be our point of interest?
This one requires searching it up on the internet; searching for the MITRE ATT&CK technique ID for Command and Scripting Interpreter will get you the answer.
Question 3: What ATT&CK subtechnique ID focuses on the Windows Command Shell?
This one also requires searching it up; searching for the MITRE ATT&CK sub-technique ID for Command Shell and then going to the MITRE website will get you the answer.
Question 4: What is the name of the Atomic Test to be simulated?
To find this answer, run the command Invoke-AtomicTest [subtechnique ID] -ShowDetails, scroll until you see “BEGIN TEST”, and a few lines under it you will see the “Atomic Test Name”, which is where you will find the answer.
Question 5: What is the name of the file used in the test?
Scrolling down a little farther from where you found the above info and looking for “Command (with inputs)” will reveal the name of the file used.
Question 6: What is the flag found from this Atomic Test?
To find this, run the command Invoke-AtomicTest [subtechnique ID] -TestNumbers 4. The number 4 for this command was found earlier with the previous command, just under where you found the test name. When you run this command, name the file, save it, and then check your file explorer to find it. From there it will reveal the flag.
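The task asks you to take the artifacts the Windows Command Shell test leaves behind and turn them into a detection rule. As an added example (my own code, not part of the challenge or the Atomic Red Team project), here is a minimal detection check over Sysmon-style Event ID 1 process creation records. The events are constructed for the example, the field names follow Sysmon’s schema, and the technique tag uses the same [subtechnique ID] placeholder as the commands above rather than the answer.

```python
# Added example (not from the original post or Atomic Red Team): flag
# Sysmon Event ID 1 (process creation) records that look like a Windows
# Command Shell test, using the kinds of artifacts such a test leaves:
# cmd.exe run with /c, output redirected to a file, or a batch script.
import re
from typing import Optional

REDIRECT_RE = re.compile(r"(?<![\w])>+\s*\S+")        # "> C:\path\file.txt"
SCRIPT_RE = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)  # .bat / .cmd script
ONE_LINER_RE = re.compile(r"\s/c\s", re.IGNORECASE)      # "cmd.exe /c ..."

def detect_cmd_shell(event: dict) -> Optional[dict]:
    """Return a detection record if a Sysmon EID 1 event matches the pattern."""
    if event.get("EventID") != 1:
        return None
    if not event.get("Image", "").lower().endswith("\\cmd.exe"):
        return None
    cmdline = event.get("CommandLine", "")
    reasons = []
    if ONE_LINER_RE.search(cmdline):
        reasons.append("cmd /c one-liner")
    if REDIRECT_RE.search(cmdline):
        reasons.append("output redirected to file")
    if SCRIPT_RE.search(cmdline):
        reasons.append("batch script executed")
    if not reasons:            # a bare interactive cmd.exe is expected behaviour
        return None
    return {
        "technique": "[subtechnique ID]",   # placeholder, as in the post
        "parent": event.get("ParentImage", ""),
        "command_line": cmdline,
        "reasons": reasons,
    }

# Constructed sample events; file names and paths are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "cmd.exe /c echo test > C:\\Temp\\out.txt"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe C:\\Temp\\notes.txt"},
]

def run_detection(events) -> list:
    """Apply the check to every event and keep only the hits."""
    return [hit for hit in (detect_cmd_shell(e) for e in events) if hit]
```

Only the first constructed event is flagged: the interactive cmd.exe launch and the notepad.exe process are left alone, which is the kind of distinction the task’s “fine line between anomalous and expected behaviour” is about.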
Question 7: Learn more about the Atomic Red Team via the linked room.
Conclusion
This had some similarities to what I have been doing in class recently, which has been awesome; it’s a great chance to practice more of what I have been learning and to get more familiar with some common programs used in industry. This challenge was also great because it showed the initial steps to help beginners, but again, as in previous days, once you got to the questions you had to think for yourself, which I really like for learning more and solidifying my understanding.