ElectricBreeze-1 HTB Sherlock Writeup

Nirmal S

Hello everyone, this is a writeup on the HTB Sherlock ElectricBreeze-1.

Difficulty : Very Easy

Sherlock Description

Your security team must always be up-to-date and aware of the threats targeting organizations in your industry. As you begin your journey as a Threat Intelligence Intern, equipped with some SOC experience, your manager has assigned you a task to test your research skills and how effectively you can leverage the MITRE ATT&CK framework. Conduct thorough research on Volt Typhoon. Use the MITRE ATT&CK framework to map adversary behavior and tactics into actionable insights. Impress your manager with your assessment, showcasing your passion for threat intelligence.

Task 1:

Based on MITRE’s sources, since when has Volt Typhoon been active?

→ Open the MITRE ATT&CK web page. Under CTI → Groups, search for Volt Typhoon. The answer is in the group's main description.

2021

Task 2:

MITRE identifies two OS credential dumping techniques used by Volt Typhoon. One is LSASS Memory access (T1003.001). What is the Attack ID for the other technique?

→ On the same page, scroll down to Techniques Used. Under technique T1003 (OS Credential Dumping), you will find the other sub-technique and its ATT&CK ID.

T1003.003

Task 3:

Which database is targeted by the credential dumping technique mentioned earlier?

→ Navigate to technique T1003 and select the NTDS sub-technique. The answer is in its description.

Active Directory

Task 4:

Which registry hive is required by the threat actor to decrypt the targeted database?

→ On the same page, scroll down to Procedure Examples. The answer is in the text below it.

SYSTEM

Task 5:

During the June 2024 campaign, an adversary was observed using a Zero-Day Exploitation targeting Versa Director. What is the name of the Software/Malware that was used?

→ Navigate to the Volt Typhoon page. Scroll down to Campaigns and select the 2024 campaign. On the campaign page, scroll down to the Software section and you will find the answer.

VersaMem

Task 6:

According to the Server Software Component, what type of malware was observed?

→ On the same page, scroll up to the Techniques Used section. At the bottom of the section, under Server Software Component, you will find the type of malware observed.

web shell

Task 7:

Where did the malware store captured credentials?

→ On the same page, in the References section, click the link to the article; the path is given there.

/tmp/.temp.data

Task 8:

According to MITRE’s reference, a Lumen/Black Lotus Labs article (Taking The Crossroads: The Versa Director Zero-Day Exploitation), what was the filename of the first malware version scanned on VirusTotal?

→ In the article, search for "VirusTotal" and you will find the filename.

VersaTest.png

Task 9:

What is the SHA256 hash of the file?

→ On the article page, scroll down until you reach an image. The image's description gives the SHA256 value of the file.

4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37

Task 10:

According to VirusTotal, what is the file type of the malware?

→ On the same page, scroll down to the next image and you will find the file type.

jar

Task 11:

What is the ‘Created by’ value in the file’s Manifest according to VirusTotal?

→ On the same page, scroll down until you reach the MANIFEST.MF section. The Created-By value is visible in the screenshot included in the article.

Apache Maven 3.6.0
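The checks behind Tasks 9 to 11 (hash the sample, confirm it is a JAR, read the manifest's Created-By attribute) can be scripted for any file you are triaging. This is an added example, not code from the writeup or from the Lumen article; the JAR it inspects is constructed in memory for the demo and is not the VersaMem sample.

```python
import hashlib
import io
import zipfile

def build_sample_jar() -> bytes:
    """Constructed demo JAR (not the real sample): a manifest plus a dummy class entry."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Created-By: Apache Maven 3.6.0\r\n"
        "Build-Jdk: 1.8.0_252\r\n\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("com/example/Dummy.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()

def sha256_hex(data: bytes) -> str:
    """SHA256 of the raw bytes: the value you pivot on in VirusTotal."""
    return hashlib.sha256(data).hexdigest()

def guess_file_type(data: bytes) -> str:
    """A JAR is a ZIP container (magic bytes PK 03 04) that carries META-INF/MANIFEST.MF."""
    if data[:4] != b"PK\x03\x04":
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "unknown"
    return "jar" if "META-INF/MANIFEST.MF" in names else "zip"

def parse_manifest(data: bytes) -> dict:
    """Parse the manifest's main section; a line starting with a space continues the previous value."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    attrs, last = {}, None
    for line in text.splitlines():
        if not line:
            break  # a blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        else:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs

if __name__ == "__main__":
    sample = build_sample_jar()
    print(sha256_hex(sample), guess_file_type(sample), parse_manifest(sample).get("Created-By"))
```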

Task 12:

What is the CVE identifier associated with this malware and vulnerability?

→ On the same page, scroll down to the Conclusion section and you will find the CVE.

CVE-2024-39717

Task 13:

According to the CISA document(https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf) referenced by MITRE, what is the primary strategy Volt Typhoon uses for defense evasion?

→ Copy the link provided and open it in a browser to get the document. In its table of contents, find the Defense Evasion tactic and navigate to that page. You will find the strategy there.

LOTL

Task 14:

In the CISA document, which file name is associated with the command potentially used to analyze logon patterns by Volt Typhoon?

→ In the document, scroll down to the Discovery tactic; the command, and the file name it writes to, are listed there.

C:\users\public\documents\user.dat

Thank you.

Follow my socials → https://www.linkedin.com/in/nirmal-s-738a60203/
