THM - Advent of Cyber 2024, Day 4
I'm all atomic inside!
The Story
SOC-mas is approaching, and the town of Warewille has started preparations for the grand event.
Glitch, a quiet, talented SOC-mas security engineer, had a hunch that this year's celebrations would be different. With threats looming, he decided to revamp the town's security defences, quietly and meticulously: he deployed a protective firewall, patched vulnerabilities, and logged on to endpoints to apply security patches. As he worked, he left "breadcrumbs", small traces of his activity.
Unaware of Glitch's good intentions, the SOC team spotted anomalies: logs showing admin access, privilege escalation, patched systems behaving differently, and security tools raising alerts. The SOC team misread these system modifications as the work of an insider threat or a rogue attacker and launched an investigation, using the Atomic Red Team framework to emulate the suspected activity.
Let's connect via RDP
xfreerdp /v:10.10.1.109 /u:Administrator /p:'Emulation101!'
Answer the questions below
1- What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xslm artefact?
Question Hint
Follow the instructions step by step.
First, check whether the artefact named in the question exists on the machine.
Open a Command Prompt (or PowerShell) and search for the file.
The file named in the question is there, so list the directory it lives in and display the contents of the .txt file next to it.
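The search-and-read step above, as an added PowerShell example that is not part of the original write-up. It assumes only that the artefact sits somewhere under C:\ on the RDP target; no directory is hard-coded, so it locates the file first and then reads every .txt file in the same folder.

```powershell
# Added example (not from the original write-up): locate the artefact without
# knowing its path, then read every .txt file sitting next to it.
# Assumption: the artefact is somewhere under C:\ on the RDP target.

$artefact = 'PhishingAttachment.xslm'

# -Recurse over C:\ is slow but thorough; -ErrorAction SilentlyContinue skips
# directories this session cannot read instead of aborting the whole search.
$hits = Get-ChildItem -Path 'C:\' -Recurse -File -Filter $artefact -ErrorAction SilentlyContinue

if (-not $hits) {
    Write-Warning "No file named $artefact found under C:\"
    return
}

foreach ($hit in $hits) {
    Write-Host "Artefact: $($hit.FullName)"
    Write-Host "Created : $($hit.CreationTime)   Modified: $($hit.LastWriteTime)"

    # Show everything in the same directory, so the .txt file is visible
    # alongside the artefact the question anchors on.
    Get-ChildItem -Path $hit.DirectoryName -File |
        Select-Object Name, Length, LastWriteTime |
        Format-Table -AutoSize

    # Read each .txt neighbour. -Raw returns the file as a single string, so
    # the content is printed exactly as stored rather than line by line.
    Get-ChildItem -Path $hit.DirectoryName -File -Filter '*.txt' | ForEach-Object {
        Write-Host "---- $($_.Name) ----"
        Get-Content -Path $_.FullName -Raw
    }
}
```

If you prefer to stay in the classic Command Prompt, the equivalent is `dir C:\PhishingAttachment.xslm /s /b` to find the path and `type` on the .txt file beside it; the PowerShell version is shown because the rest of the day is driven from PowerShell anyway.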
2- What ATT&CK technique ID would be our point of interest?
Hint: Google Is Your Friend
3- What ATT&CK subtechnique ID focuses on the Windows Command Shell?
Hint: Google Is Your Friend
4- What is the name of the Atomic Test to be simulated?
Question Hint
Replace the sub-technique placeholder in the command Invoke-AtomicTest subtechnique -ShowDetails with the ID found in question 3, then look through the Atomic Test names for the one that refers to malware.
Type the command below and run it:
Invoke-AtomicTest T1059.003 -ShowDetails
5- What is the flag found from this Atomic Test?
Question Hint
Save the PDF and read its content.
Type the command below and run it:
Invoke-AtomicTest T1059.003 -TestNumber 4
When the save dialog appears, enter a file name and save the PDF, then open it to read the flag.
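Questions 2 to 5 are really one procedure: identify the sub-technique, inspect its atomic tests, check prerequisites, run the chosen test, collect the artefact, and clean up. The script below is an added example, not the original write-up's commands nor code from the Atomic Red Team project. It assumes Invoke-AtomicRedTeam is installed in its default location (C:\AtomicRedTeam) with the atomics folder beside it, and that the PDF produced by the test is saved under the user profile or C:\Users\Public; both are assumptions, adjust the paths if your install differs.

```powershell
# Added example (not from the original write-up or the Atomic Red Team project):
# the Invoke-AtomicTest workflow for questions 2 to 5 in one script, run from
# an elevated PowerShell session on the RDP target.
# Assumptions: Invoke-AtomicRedTeam lives in C:\AtomicRedTeam with the atomics
# folder beside it, and the PDF the test produces lands under the user profile
# or C:\Users\Public.

$artRoot = 'C:\AtomicRedTeam'
Import-Module "$artRoot\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

# Questions 2 and 3: atomics folders are named by ATT&CK technique ID, so the
# sub-techniques of T1059 (Command and Scripting Interpreter) can be listed
# locally and the one whose display name mentions the Windows command shell
# picked out without leaving the box.
Get-ChildItem -Path "$artRoot\atomics" -Directory -Filter 'T1059*' | ForEach-Object {
    $yaml = Join-Path $_.FullName "$($_.Name).yaml"
    if (Test-Path $yaml) {
        $m = Select-String -Path $yaml -Pattern '^display_name:\s*(.+)$' | Select-Object -First 1
        if ($m) {
            $name = $m.Matches[0].Groups[1].Value.Trim("'", '"')
            '{0,-12} {1}' -f $_.Name, $name
        }
    }
}

$technique = 'T1059.003'

# Question 4: -ShowDetails prints every atomic test for the sub-technique with
# its number, name, description and the exact command it will run. Read the
# command before executing anything; it tells you which artefacts to expect.
Invoke-AtomicTest $technique -ShowDetails

# -CheckPrereqs reports whether the test can run; -GetPrereqs fetches anything
# missing. Doing this first avoids a half-executed test that leaves debris
# behind without producing the artefact you are after.
Invoke-AtomicTest $technique -TestNumbers 4 -CheckPrereqs
Invoke-AtomicTest $technique -TestNumbers 4 -GetPrereqs

# Question 5: note the start time, run the test, then look for PDFs created
# afterwards instead of guessing where the file was saved. -ExecutionLogPath
# writes a CSV record of what ran and when, which is what a SOC wants next to
# the detections the test generates.
$start = Get-Date
Invoke-AtomicTest $technique -TestNumbers 4 -ExecutionLogPath "$env:TEMP\atomic-run.csv"

Get-ChildItem -Path $env:USERPROFILE, 'C:\Users\Public' -Recurse -File -Filter '*.pdf' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $start } |
    Select-Object FullName, Length, CreationTime

# Undo the test's changes when done. Cleanup commands ship with each atomic,
# so this is the supported way to leave the host as you found it.
Invoke-AtomicTest $technique -TestNumbers 4 -Cleanup
```

The parameter is `-TestNumbers` (it accepts a list); the `-TestNumber` spelling used in the write-up works because PowerShell accepts any unambiguous prefix of a parameter name. Run the script block by block the first time so the save dialog from the test is not hidden behind the next command.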