Overview
This is a walkthrough of the TryHackMe room "Red Team Threat Intel".
Task5
Q2. How many Command and Control techniques are employed by Carbanak?
Reports indicate that Carbanak used tools such as AmmyyAdmin and TeamViewer for C2.
A. 2
Q3. What signed binary did Carbanak use for defense evasion?
Hint. "Defense Evasion" tactic
Carbanak used rundll32.exe for defense evasion.
A. Rundll32
Q4. What Initial Access technique is employed by Carbanak?
Hint. "Initial Access" tactic
A. Valid Accounts
Task7
Q1. To complete the challenge, you must submit one technique name per kill chain section. Once the chain is complete and you have received the flag, submit it below.
Hint. PowerShell, Spearphishing Attachment, External Remote Services, BITS Jobs, DNS, Keylogging
A. THM{7HR347_1N73L_12_4w35om3}
Q2. What web shell is APT 41 known to use?
The site below shows that ASPXSpy was used.
A. ASPXSpy
Q3. What LOLBAS (Living Off The Land Binaries and Scripts) tool does APT 41 use to aid in file transfers?
A. certutil
Q4. What tool does APT 41 use to mine and monitor SMS traffic?
A. MESSAGETAP