This is my TryHackMe walkthrough, created to document my learning journey and share solutions with the community. The writeups include a mix of hints, step-by-step explanations, and final answers to help players who get stuck, while still encouraging independent problem-solving.

Pyramid Of Pain Room - Learn what the Pyramid of Pain is and how to use this model to determine how difficult it will be for an adversary to change the indicators associated with them and their campaign.

Overview

Walkthrough

1. Introduction

No hints needed!

2. Hash Values (Trivial)

  • Analyse the report associated with the hash “b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d” here. What is the filename of the sample?

=> Answer: Sales_Receipt 5606.xls

3. IP Address (Easy)

  • Read the following report to answer this question. What is the first IP address the malicious process (PID 1632) attempts to communicate with? 

=> Answer: 50.87.136.52

  • Read the following report to answer this question. What is the first domain name the malicious process (PID 1632) attempts to communicate with?

=> Answer: craftingalegacy.com

4. Domain Names (Simple)

  • Go to this report on app.any.run and provide the first suspicious domain request you see. You will use this report to answer the remaining questions of this task.

=> Answer: craftingalegacy.com

  • What term refers to an address used to access websites?

=> Answer: Domain Name

  • What type of attack uses Unicode characters in the domain name to imitate a known domain?

=> Answer: Punycode attack

  • Provide the redirected website for the shortened URL using a preview: https://tinyurl.com/bw7t8p4u

=> Answer: https://tryhackme.com/
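Added example (my own illustration, not part of the original room or TryHackMe's material): a small Python checker for the Punycode/homograph lookalikes the question above refers to. It decodes xn-- labels with Python's built-in idna codec, flags labels that mix scripts, and folds a hand-constructed subset of Unicode confusables into a Latin skeleton to compare against an allowlist of brand names; the confusables table, the brand allowlist and the sample domains are constructed for illustration.

```python
import unicodedata

# Hand-constructed subset of Unicode's confusables table: Cyrillic letters that
# render like ASCII in most fonts (assumption; a real tool loads confusables.txt).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04bb": "h",
    "\u0456": "i", "\u0458": "j", "\u04cf": "l", "\u0455": "s",
}

def decode_idn(domain: str) -> str:
    """Return the Unicode form of a domain given as ACE (xn--) or Unicode.
    The built-in idna codec applies nameprep + Punycode per label, so the
    result is what a browser renders in the address bar."""
    return domain.encode("idna").decode("idna")

def letter_scripts(label: str) -> set:
    """Heuristic script detection: first word of each letter's Unicode name
    (LATIN, CYRILLIC, GREEK, ...); digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}

def skeleton(label: str) -> str:
    """Fold to NFKC and map confusables to ASCII, so Cyrillic 'аррӏе' and
    Latin 'apple' collapse to the same skeleton string."""
    folded = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def assess(domain: str, brands: set) -> dict:
    """Flag a domain whose labels mix scripts or whose skeleton matches a brand."""
    unicode_form = decode_idn(domain)
    findings = []
    for label in unicode_form.split("."):
        scripts = letter_scripts(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts in {label!r}: {sorted(scripts)}")
        skel = skeleton(label)
        if skel != label and skel in brands:
            findings.append(f"{label!r} is a lookalike of {skel!r}")
    return {"decoded": unicode_form, "suspicious": bool(findings), "findings": findings}

if __name__ == "__main__":
    # Constructed samples: Cyrillic 'а' + Latin 'pple', all-Cyrillic 'аррӏе', and the brand.
    for d in ("xn--pple-43d.com", "\u0430\u0440\u0440\u04cf\u0435.com", "apple.com"):
        print(d, "->", assess(d, {"apple"}))
```

The all-Cyrillic sample passes the mixed-script check, which is why the skeleton comparison against an allowlist is needed as a second test.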

5. Host Artifacts (Annoying)

  • A process named regidle.exe makes a POST request to an IP address based in the United States (US) on port 8080. What is the IP address?

=> Answer: 96.126.101.6

  • The actor drops a malicious executable (EXE). What is the name of this executable?

=> Answer: G_jugk.exe

  • Look at this report by VirusTotal. How many vendors determine this host to be malicious?

=> Answer: 9

6. Network Artifacts (Annoying)

  • What browser uses the User-Agent string shown in the screenshot above?

=> Answer: Internet Explorer

  • How many POST requests are in the screenshot from the pcap file?

=> Answer: 6

7. Tools (Challenging)

  • Provide the method used to determine similarity between the files 

=> Answer: Fuzzy Hashing

  • Provide the alternative name for fuzzy hashes without the abbreviation 

=> Answer: context triggered piecewise hashes

8. TTPs (Tough)

  • Navigate to the ATT&CK Matrix webpage. How many techniques fall under the Exfiltration category?

=> Answer: 9

  • Chimera is a China-based hacking group that has been active since 2018. What is the name of the commercial, remote access tool they use for C2 beacons and data exfiltration?

Hint: Visit https://attack.mitre.org/groups/G0114/

=> Answer: Cobalt Strike

9. Practical: The Pyramid of Pain

  • Complete the static site. What is the flag?

=> Answer: THM{PYRAMIDS_COMPLETE}

10. Conclusion

No hints needed!