Blue Team SOC Real World Case Studies | Complete Walkthrough | TryHackMe Boogeyman 1,2,3

Introduction

The article provides a detailed walkthrough of three cyberattack scenarios from the TryHackMe Boogeyman challenges. Each scenario focuses on phishing emails that led to system compromise via various methods like malicious attachments (e.g., shortcut files, VBA macros, HTA files). The post guides through the analysis process, investigating command lines, encoded payloads, and identifying threat actors’ tactics, tools, and persistence mechanisms. It demonstrates how SOC analysts uncover indicators of compromise and respond to threats.

HackTheBox Certified Penetration Testing Specialist (CPTS) Study Notes

Offensive Security Certified Professional Study Notes and Guide

What is Blue Team in Cyber Security?

In cybersecurity, the “Blue Team” refers to a group of security professionals responsible for defending an organization’s information systems. Their primary role is to protect, monitor, and respond to security incidents. Blue Teams focus on:

• Detecting vulnerabilities within systems and networks
• Implementing security measures like firewalls, intrusion detection systems, and encryption
• Monitoring for threats using security tools and logs
• Responding to incidents and mitigating attacks when they occur
• Performing regular security assessments to strengthen the organization’s defenses

They often work opposite the “Red Team,” which simulates attacks to test the Blue Team’s defenses.

What is SOC Analyst in Cyber Security

A SOC Analyst (Security Operations Center Analyst) is a cybersecurity professional who monitors and defends an organization’s IT infrastructure from cyber threats. Their main responsibilities include:

1. Monitoring Security Alerts: Continuously reviewing logs, alerts, and other system notifications from security tools like firewalls, intrusion detection/prevention systems, and SIEM (Security Information and Event Management) platforms.
2. Incident Detection and Response: Investigating potential security incidents and taking steps to contain, mitigate, and resolve them. This may involve isolating infected systems, analyzing malware, and coordinating with other teams to respond effectively.
3. Threat Hunting: Proactively searching for potential threats that have not been detected by automated tools by analyzing trends and unusual activity.
4. Reporting and Documentation: Creating reports on security incidents, vulnerabilities, and risks, and documenting their findings for future analysis or compliance.
5. Collaboration: Working with other security teams, such as the Blue Team, to strengthen defenses and implement security policies and best practices.

SOC Analysts typically work in a Security Operations Center, where they monitor and safeguard the organization’s digital environment 24/7.

Breakdown of The Attack Scenarios

Scenario 1: Phishing Email with a Shortcut File:
In the first scenario, a phishing email contains a Windows shortcut (.lnk) attachment. This attachment, once opened, executes a series of PowerShell commands to exfiltrate data from the target system. The email was sent to an employee of Quick Logistics LLC, and the analysis involves examining the email, its headers, and the attached files using tools like LinkParser to reveal encoded commands.

The investigation shows that the PowerShell command contacts a Command-and-Control (C2) server to download additional malicious files. The email also used a third-party mail relay service (Elastic Email) to appear legitimate and bypass spam filters. The analysts uncover the C2 domain and decode Base64 encoded payloads using tools like Echo and Base64.

Scenario 2: Word Document with a VBA Macro:
In the second scenario, a phishing email contains a Word document with an embedded VBA macro. When opened, the macro calls a C2 server to retrieve an executable payload. This payload creates a scheduled task on the victim’s machine, allowing persistent control over the system. The analysts utilize a variety of tools to extract and analyze the artifacts, including the C2 domain information.

Scenario 3:HTA File and Domain Compromise:
The third attack involves an HTA (HTML Application) file, which, when opened, retrieves a malicious payload from the internet. This payload executes a series of actions that culminate in the compromise of the organization’s main domain controller. The analysts use ElasticSearch and other tools to examine logs, analyze network traffic, and identify the attacker’s activities.

TryHackMe TryHackMe Boogeyman 1,2,3 Room Answers

Please visit here to check the room answers.

Video Walkthrough