HackTheBox Write-Up: ElectricBreeze-1

ElectricBreeze-1 is a very easy Sherlock created by VivisGhost on HackTheBox. Sherlocks are HackTheBox's "investigative Capture The Flags".


The Sherlock scenario is below:

Your security team must always be up-to-date and aware of the threats targeting organizations in your industry. As you begin your journey as a Threat Intelligence Intern, equipped with some SOC experience, your manager has assigned you a task to test your research skills and how effectively you can leverage the MITRE ATT&CK framework.

* Conduct thorough research on Volt Typhoon.
* Use the MITRE ATT&CK framework to map adversary behavior and tactics into actionable insights.

Impress your manager with your assessment, showcasing your passion for threat intelligence.

Task 1

Based on MITRE's sources, since when has Volt Typhoon been active?

2021

Source: Volt Typhoon - Mitre

Task 2

MITRE identifies two OS credential dumping techniques used by Volt Typhoon. One is LSASS Memory access (T1003.001). What is the Attack ID for the other technique?

T1003.003

Source: OS Credential Dumping: NTDS

Task 3

Which database is targeted by the credential dumping technique mentioned earlier?

Active Directory

Source: OS Credential Dumping: NTDS

Task 4

Which registry hive is required by the threat actor to decrypt the targeted database?

System

Source: OS Credential Dumping: NTDS

Task 5

During the June 2024 campaign, an adversary was observed using a Zero-Day Exploitation targeting Versa Director. What is the name of the Software/Malware that was used?

VersaMem

Source: VersaMem - Mitre

Task 6

According to the Server Software Component, what type of malware was observed?

Web Shell

Source: VersaMem - Mitre

Task 7

Where did the malware store captured credentials?

/tmp/.temp.data

Source: VersaMem - Mitre

Task 8

According to MITRE's reference, a Lumen/Black Lotus Labs article ("Taking The Crossroads: The Versa Director Zero-Day Exploitation"), what was the filename of the first malware version scanned on VirusTotal?

VersaTest.png

Source: Taking The Crossroads: The Versa Director Zero-Day Exploitation (this is a wonderful read; I highly recommend reading the full article).

Task 9

What is the SHA256 hash of the file?

4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37

Source: VirusTotal

Task 10

According to VirusTotal, what is the file type of the malware?

jar

Source: VirusTotal

Task 11

What is the 'Created by' value in the file's Manifest according to VirusTotal?

Apache Maven 3.6.0

Source: VirusTotal

Task 12

What is the CVE identifier associated with this malware and vulnerability?

CVE-2024-39717

Source: VersaMem - Mitre

Task 13

According to the CISA document (https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf) referenced by MITRE, what is the primary strategy Volt Typhoon uses for defense evasion?

LOTL

Source: CISA

Task 14

In the CISA document, which file name is associated with the command potentially used to analyze logon patterns by Volt Typhoon?

C:\users\public\documents\user.dat

Source: CISA

That's it! With a little investigating, this Sherlock is solved. If you enjoyed this post, consider signing up for my email list! I post every week.