Advent of Cyber 2024: Day 2 - The Mystery of Mayor Malware in Wareville
Find the room here: https://tryhackme.com/r/room/adventofcyber2024
It's the most wonderful time of the year... but for the SOC team in Wareville, it's a stressful one. With a flood of alerts from new detection rules, the team is struggling to determine if these are real threats or just false alarms. As Christmas approaches, the town's SOC analysts are overwhelmed, and rumors are swirling: Is Mayor Malware behind these strange alerts?
True Positives vs. False Positives: The Classic Dilemma
SOC analysts must distinguish between True Positives (TPs), actual cyber threats, and False Positives (FPs), non-malicious events. Misclassifying a TP could allow an attack to slip through, while mistaking an FP for a TP wastes valuable time. In this case, the alerts are about suspicious encoded PowerShell commands run across multiple machines. Could this be Mayor Malware's doing, or something else?
Context Is Everything
When alerts trigger, SOC analysts have a superpower: they can check with users to confirm whether activities are legitimate. This is crucial, but tricky when no clear paper trail exists. Context helps analysts assess if actions are authorized, unusual, or even malicious. In Wareville's case, the use of a generic admin account and a suspicious IP address (linked to Glitch) raises alarms.
Correlation: Building the Story
By correlating events (successful logins, PowerShell executions, and IP addresses), the analysts uncover a disturbing pattern: a brute-force attack on admin accounts, followed by PowerShell commands being executed. It seems like someone accessed the system and fixed an ongoing issue, but who?
Glitch: Hero or Villain?
After digging deeper, the SOC team discovers that Glitch, a known troublemaker, had logged in using outdated credentials and executed a Windows update command (Install-WindowsUpdate -AcceptAll -AutoReboot). Initially suspected of malicious activity, it turns out Glitch was trying to fix a vulnerability, not exploit it. The encoded PowerShell command wasn't malicious; it was an attempt to patch the systems.
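The two analyst steps above, decoding the encoded PowerShell argument and correlating the failed-logon, successful-logon and process-creation events by source IP, can be scripted. The following Python is an added example written for this post; it is not code from the TryHackMe room. The sample events are constructed (the IP 10.10.1.50, the host names and the timestamps are invented placeholders), the event IDs 4625, 4624 and 4688 are the standard Windows Security log IDs for failed logon, successful logon and process creation, and the encoded argument is built from the Install-WindowsUpdate command the post mentions, since PowerShell's -EncodedCommand takes Base64 over UTF-16LE text.

```python
import base64
import re
from collections import defaultdict
from typing import Optional

# Standard Windows Security log event IDs used in the correlation below.
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
PROCESS_CREATE = 4688


def encode_powershell_command(command: str) -> str:
    """Build the value PowerShell expects after -EncodedCommand (Base64 of UTF-16LE)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script behind -EncodedCommand, or None if there is none / it is malformed."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


# Constructed sample telemetry (invented IPs, hosts and timestamps), not room data.
ENCODED = encode_powershell_command("Install-WindowsUpdate -AcceptAll -AutoReboot")
SAMPLE_EVENTS = [
    {"ts": "2024-12-02T08:00:01", "event_id": FAILED_LOGON, "src_ip": "10.10.1.50", "user": "admin", "host": "WEB-01"},
    {"ts": "2024-12-02T08:00:02", "event_id": FAILED_LOGON, "src_ip": "10.10.1.50", "user": "admin", "host": "WEB-01"},
    {"ts": "2024-12-02T08:00:03", "event_id": FAILED_LOGON, "src_ip": "10.10.1.50", "user": "admin", "host": "WEB-01"},
    {"ts": "2024-12-02T08:00:04", "event_id": SUCCESS_LOGON, "src_ip": "10.10.1.50", "user": "admin", "host": "WEB-01"},
    {"ts": "2024-12-02T08:00:09", "event_id": PROCESS_CREATE, "src_ip": "10.10.1.50", "user": "admin", "host": "WEB-01",
     "cmdline": f"powershell.exe -NoProfile -EncodedCommand {ENCODED}"},
    {"ts": "2024-12-02T08:00:10", "event_id": PROCESS_CREATE, "src_ip": "10.10.1.50", "user": "admin", "host": "DB-01",
     "cmdline": f"powershell.exe -NoProfile -enc {ENCODED}"},
    # Unrelated activity from another source: a single clean logon, no brute force.
    {"ts": "2024-12-02T08:01:00", "event_id": SUCCESS_LOGON, "src_ip": "10.10.1.7", "user": "alice", "host": "HR-01"},
]


def correlate(events, failure_threshold: int = 3) -> dict:
    """Group events by source IP and flag the 'many failed logons, then success, then PowerShell' chain.

    Returns one finding per source IP that crossed the failure threshold, with the
    hosts touched and the decoded commands, so an analyst can judge intent from context.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_ip[ev["src_ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = 0
        logged_in_after_failures = False
        commands = []
        for ev in evs:
            if ev["event_id"] == FAILED_LOGON:
                failures += 1
            elif ev["event_id"] == SUCCESS_LOGON and failures >= failure_threshold:
                logged_in_after_failures = True
            elif ev["event_id"] == PROCESS_CREATE and logged_in_after_failures:
                raw = ev.get("cmdline", "")
                commands.append((ev["host"], decode_encoded_command(raw) or raw))
        if failures >= failure_threshold:
            findings[ip] = {
                "failed_logons": failures,
                "logged_in_after_failures": logged_in_after_failures,
                "hosts": sorted({host for host, _ in commands}),
                "commands": sorted({cmd for _, cmd in commands}),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in correlate(SAMPLE_EVENTS).items():
        print(ip, finding)
```

The decoded command is what turns the alert from "encoded PowerShell after a brute force" into something an analyst can actually ask the user about; the script deliberately reports the chain rather than labelling it malicious, because, as the post says, the same sequence can be an admin patching systems with stale credentials.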
Conclusion: The Mystery Unraveled
The confusion stemmed from a misinterpreted alert and the use of a generic admin account. Glitch wasn't the villain here; they were trying to help. But who alerted the SOC? Was the Mayor's warning just a misunderstanding, or part of a larger game?
In cybersecurity, appearances can be deceiving. Context, correlation, and a thorough investigation are key to uncovering the truth. In the end, the SOC team learned that sometimes, the hero might be the last person you'd expect.
Takeaways:
- Always analyze the context around alerts.
- Correlate multiple events to build a clear picture.
- Don't jump to conclusions based on surface-level data.
#CyberSecurity #SOCAnalysis #PowerShell #IncidentResponse #TryHackMe