Capture the Flag

Hack the Box Walkthrough: ElectricBreeze-1

Today I’m going to be doing another free Sherlock from Hack the Box called Electric Breeze 1. As you might remember from my last post, Sherlocks are what Hack the Box calls their investigative Capture the Flags (because you’re investigating like Sherlock Holmes, get it?!?).

The scenario says this:
Your security team must always be up-to-date and aware of the threats targeting organizations in your industry. As you begin your journey as a Threat Intelligence Intern, equipped with some SOC experience, your manager has assigned you a task to test your research skills and how effectively you can leverage the MITRE ATT&CK framework.
* Conduct thorough research on Volt Typhoon.
* Use the MITRE ATT&CK framework to map adversary behavior and tactics into actionable insights.
Impress your manager with your assessment, showcasing your passion for threat intelligence.

Unlike the last one, that means that there is nothing to download or start with. We’re just going to do some research and become more familiar and acquainted with some of the Blue Team research tools that are out there.

Task 1: Based on MITRE’s sources, since when has Volt Typhoon been active?

First, we need to look up Volt Typhoon on the MITRE page. Googling MITRE Volt Typhoon brought me to this page as my first result. The answer is right in the first paragraph at the top.

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and its territories including Guam.

Task 1 Answer: 2021

Task 2: MITRE identifies two OS credential dumping techniques used by Volt Typhoon. One is LSASS Memory access (T1003.001). What is the Attack ID for the other technique?

I did a CTRL-F and searched for T1003 to find that part of the page. That brought me right to the two OS Credential Dumping techniques and we can see what the other one is.

Task 2 Answer on Page

Task 2 Answer: T1003.003

Task 3: Which database is targeted by the credential dumping technique mentioned earlier?

If we look at that image again, we can see that they “used ntdsutil to create domain controller installation media containing usernames and password hashes”. If you didn’t know what NTDS is, here’s a good succinct definition from Semperis.com: “NTDS.DIT, which stands for the New Technology Directory Services Directory Information Tree, is the database for Active Directory Domain Services (AD DS).” Given the number of characters in the answer box on HTB, we know which form of the name they want.

Task 3 Answer: Active Directory

Task 4: Which registry hive is required by the threat actor to decrypt the targeted database?

For this one I already knew which hives are usually grabbed when someone is attacking a Windows machine and trying to crack passwords. But if you scroll up the page and find the other places that ntds.dit is referenced, you find this quote. The number of characters tells you which hive they are looking for.

Volt Typhoon has saved stolen files including the ntds.dit database and the SYSTEM and SECURITY Registry hives locally to the C:\Windows\Temp\ directory.

Task 4 Answer: SYSTEM

Task 5: During the June 2024 campaign, an adversary was observed using a Zero-Day Exploitation targeting Versa Director. What is the name of the Software/Malware that was used?

If we do a CTRL-F for 2024, we find this referencing the June 2024 attack on Versa Director.

Task 5 Answer on Page

If we click that hyperlink for C0039 and read, we find this: “Versa Director Zero Day Exploitation involved the development of a new web shell variant, VersaMem.”

Task 5 Answer: VersaMem

Task 6: According to the Server Software Component, what type of malware was observed?

Scroll down a little bit under Techniques Used and we find “Server Software Component: Web Shell”.

Task 6 Answer: Web Shell

Task 7: Where did the malware store captured credentials?

Click the link for VersaMem from that page. Under Techniques Used, it says “VersaMem staged captured credentials locally at /tmp/.temp.data.”

Task 7 Answer: /tmp/.temp.data

Task 8: According to MITRE’s reference, a Lumen/Black Lotus Labs article (Taking The Crossroads: The Versa Director Zero-Day Exploitation), what was the filename of the first malware version scanned on VirusTotal?

Scroll to the bottom of that VersaMem page under the References section and click the link they describe. You find this early in the article: “The VersaMem web shell is a sophisticated JAR web shell that was uploaded to VirusTotal on June 7, 2024, with the filename “VersaTest.png” and currently has zero anti-virus (AV) detections.”

Task 8 Answer: VersaTest.png

Task 9: What is the SHA256 hash of the file?

Scroll down a bit in the article. They show an image of it from VirusTotal with the hash below it.

Task 9 Answer: 4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37

Task 10: According to VirusTotal, what is the file type of the malware?

We can just go to VirusTotal and search that hash now that we have it and we get here. The answer is right at the top (and also in the quote back in Task 8).

Task 10 Answer: jar

Task 11: What is the ‘Created by’ value in the file’s Manifest according to VirusTotal?

Click the Details tab and scroll down to the Manifest section.

Manifest-Version: 1.0
Archiver-Version: Plexus Archiver
Created-By: Apache Maven 3.6.0
Built-By: versa
Build-Jdk: 11.0.19
Agent-Class: com.versa.vnms.ui.TestMain
Can-Redefine-Classes: true
Can-Retransform-Classes: true
Main-Class: com.versa.vnms.ui.TestMain
Premain-Class: com.versa.vnms.ui.TestMain

Task 11 Answer: Apache Maven 3.6.0
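The manifest above is worth more than the one answer field: the Agent-Class, Premain-Class and Can-* attributes are what make a JAR a JVM instrumentation agent, which is how an in-memory web shell can hook a running application. As an added example (not code from the walkthrough or from VirusTotal), here is a small parser for a MANIFEST.MF main section, including the spec’s line-wrap continuation rule, that returns the Created-By value and lists the agent attributes present. The sample manifest is constructed from the fields shown in Task 11.

```python
# Added example (not from the walkthrough or VirusTotal): parse a JAR
# MANIFEST.MF main section and flag the attributes that make the JAR a
# java.lang.instrument agent. The sample manifest is constructed from Task 11.
from typing import Dict, List

SAMPLE_MANIFEST = """\
Manifest-Version: 1.0
Archiver-Version: Plexus Archiver
Created-By: Apache Maven 3.6.0
Built-By: versa
Build-Jdk: 11.0.19
Agent-Class: com.versa.vnms.ui.TestMain
Can-Redefine-Classes: true
Can-Retransform-Classes: true
Main-Class: com.versa.vnms.ui.TestMain
Premain-Class: com.versa.vnms.ui.TestMain
"""

# Attributes read by the JVM's instrumentation API: Premain-Class runs at
# startup, Agent-Class when attached to a live JVM, and the Can-* flags let
# the agent rewrite already-loaded classes in memory.
AGENT_ATTRIBUTES = ("Premain-Class", "Agent-Class",
                    "Can-Redefine-Classes", "Can-Retransform-Classes")


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the main section of a MANIFEST.MF into a dict.

    The JAR spec wraps values at 72 bytes; a continuation line starts with
    one space and is appended to the previous attribute's value.
    """
    attrs: Dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            break  # a blank line ends the main section
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # malformed line: skip it rather than fail
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def agent_indicators(attrs: Dict[str, str]) -> List[str]:
    """Return the agent-related attributes present in the manifest."""
    return [a for a in AGENT_ATTRIBUTES if a in attrs]
```

A JAR built by an application vendor’s normal build usually carries only Manifest-Version, Created-By and Main-Class; a Premain-Class or Agent-Class in a file that arrived as a .png is the detail worth escalating.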

Task 12: What is the CVE identifier associated with this malware and vulnerability?

Go back to the Detection tab on VirusTotal; under the DrWeb analysis, it calls it Exploit.CVE-2024-39717.1. The CVE identifier is the middle part of that detection name.

Task 12 Answer: CVE-2024-39717

Task 13: According to the CISA document (https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf) referenced by MITRE, what is the primary strategy Volt Typhoon uses for defense evasion?

Go read that link. Under the section titled “Defense Evasion”, it says “Volt Typhoon has strong operational security. Their actors primarily use LOTL for defense evasion, which allows them to camouflage their malicious activity with typical system and network behavior, potentially circumventing simplistic endpoint security capabilities.” (Note: LOTL means “Living off the Land”, meaning that the attackers use tools that are already on the system or network instead of installing additional tools from outside the machine/network.)

Task 13 Answer: LOTL

Task 14: In the CISA document, which file name is associated with the command potentially used to analyze logon patterns by Volt Typhoon?

Back to the document again: “Specifically, in one incident, analysis of the PowerShell console history of a domain controller indicated that security event logs were directed to a file named user.dat, as evidenced by the executed command Get-EventLog security -instanceid 4624 -after [year-month-date] | fl * | Out-File ‘C:\users\public\documents\user.dat’.”

Task 14 Answer: C:\users\public\documents\user.dat
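That quoted command is also a useful hunting signature: a built-in cmdlet pulling successful-logon events (4624) from the Security log and writing them to a file is exactly the kind of LOTL activity from Task 13. As an added example (not code from the walkthrough or the CISA advisory), here is a small detector that runs over PowerShell console-history lines and reports where the logon export was written; the history lines are constructed, and only the command shape comes from the page.

```python
# Added example (not from the walkthrough or the CISA advisory): scan
# PowerShell console-history lines for the logon-export pattern from Task 14.
# The history lines are constructed; only the command shape is from the page.
import re
from typing import List, Tuple

SAMPLE_HISTORY = r"""
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5
Get-EventLog security -instanceid 4624 -after 2024-01-01 | fl * | Out-File 'C:\users\public\documents\user.dat'
Get-ChildItem C:\Windows\Temp
get-eventlog -LogName Security -InstanceId 4624 -After 2024-02-01 | Out-File C:\Temp\logons.txt
Get-EventLog Security -InstanceId 4624 -Newest 10
""".strip()

# Get-EventLog against the Security log, filtered to event 4624 (successful
# logon), with the output piped to Out-File. Cmdlet and parameter names are
# case-insensitive in PowerShell, so the match is too.
LOGON_EXPORT = re.compile(
    r"get-eventlog\b.*\bsecurity\b.*-instanceid\s+4624\b.*\|\s*out-file\s+(?P<path>\S+)",
    re.IGNORECASE,
)
# The advisory's example dropped the file under C:\users\public; a location
# every local user can read is worth a higher severity than a private one.
PUBLIC_DIRS = (r"c:\users\public",)


def find_logon_exports(history: str) -> List[Tuple[int, str, bool]]:
    """Return (line number, output path, written to a public dir?) per hit."""
    hits: List[Tuple[int, str, bool]] = []
    for n, line in enumerate(history.splitlines(), start=1):
        m = LOGON_EXPORT.search(line)
        if not m:
            continue
        path = m.group("path").strip("'\"")
        hits.append((n, path, path.lower().startswith(PUBLIC_DIRS)))
    return hits


if __name__ == "__main__":
    for n, path, public in find_logon_exports(SAMPLE_HISTORY):
        print(f"line {n}: logon events exported to {path}"
              + (" (public directory)" if public else ""))
```

On a real host the same logic applies to ConsoleHost_history.txt or to Script Block Logging events (4104), and the last sample line shows that an interactive Get-EventLog without a file redirect is deliberately left alone to keep admin noise out.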

That’s it. A lot of questions/tasks on this one, and we just had to do a little research across MITRE, VirusTotal, and a few articles. This really highlights one of the largest, most important tasks if you’re on the Blue Team – research. You have to know about threats and threat actors and stay up to date. Then you need to understand the things we researched here so you can tune your rules to identify whether these attacks or attackers are targeting you.
