π€ππ―πžπ§π­ 𝐨𝐟 π‚π²π›πžπ« 2024: πƒπšπ² 2 β€” 𝐈𝐧𝐯𝐞𝐬𝐭𝐒𝐠𝐚𝐭𝐒𝐧𝐠 𝐭𝐑𝐞 πŒπšπ²π¨π«β€™π¬ 𝐌𝐚π₯𝐰𝐚𝐫𝐞 π’πœπšπ«πž 𝐒𝐧 π–πšπ«πžπ―π’π₯π₯𝐞

Zulqarnain Ahmed
2 min read · Dec 2, 2024

Advent of Cyber 2024: Day 2 — The Mystery of Mayor Malware in Wareville

Find the room here: https://tryhackme.com/r/room/adventofcyber2024

It’s the most wonderful time of the year… but for the SOC team in Wareville, it’s a stressful one. With a flood of alerts from new detection rules, the team is struggling to determine if these are real threats or just false alarms. As Christmas approaches, the town’s SOC analysts are overwhelmed, and rumors are swirling: Is Mayor Malware behind these strange alerts?

True Positives vs. False Positives: The Classic Dilemma

SOC analysts must distinguish between True Positives (TPs) — actual cyber threats — and False Positives (FPs) — non-malicious events. Misclassifying a TP could allow an attack to slip through, while mistaking an FP for a TP wastes valuable time. In this case, the alerts are about suspicious encoded PowerShell commands run across multiple machines. Could this be Mayor Malware’s doing, or something else?

Context Is Everything

When alerts trigger, SOC analysts have a superpower: they can check with users to confirm whether activities are legitimate. This is crucial, but tricky when no clear paper trail exists. Context helps analysts assess if actions are authorized, unusual, or even malicious. In Wareville’s case, the use of a generic admin account and a suspicious IP address (linked to Glitch) raises alarms.

Correlation: Building the Story

By correlating events — successful logins, PowerShell executions, and IP addresses — the analysts uncover a disturbing pattern: a brute-force attack on admin accounts, followed by PowerShell commands being executed. It seems like someone accessed the system and fixed an ongoing issue — but who?

Glitch: Hero or Villain?

After digging deeper, the SOC team discovers that Glitch, a known troublemaker, had logged in using outdated credentials and executed a Windows update command (Install-WindowsUpdate -AcceptAll -AutoReboot). Initially suspected of malicious activity, it turns out Glitch was trying to fix a vulnerability, not exploit it. The encoded PowerShell command wasn’t malicious — it was an attempt to patch the systems.
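As an added illustration (not part of the original post or the TryHackMe room), here is the correlation from the previous two sections run over constructed log events: count failed logons per account and source IP, flag a success that follows a burst of failures, and decode the encoded PowerShell that ran afterwards so the analyst sees what the command actually was. Event names, timestamps and IP addresses are made up; only the update command comes from the room.

```python
import base64
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the room): a generic admin account is
# brute-forced from one IP, a logon finally succeeds, then an encoded
# PowerShell command runs. Format: (timestamp, event, user, source IP, cmdline).
def _enc(cmd):  # encode as PowerShell's -EncodedCommand expects: base64 of UTF-16LE
    return base64.b64encode(cmd.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    ("2024-12-01 08:00:01", "logon_failed", "admin", "10.0.0.1", None),
    ("2024-12-01 08:00:02", "logon_failed", "admin", "10.0.0.1", None),
    ("2024-12-01 08:00:03", "logon_failed", "admin", "10.0.0.1", None),
    ("2024-12-01 08:00:05", "logon_success", "admin", "10.0.0.1", None),
    ("2024-12-01 08:00:09", "process", "admin", "10.0.0.1",
     "powershell.exe -EncodedCommand " + _enc("Install-WindowsUpdate -AcceptAll -AutoReboot")),
    ("2024-12-01 09:15:00", "logon_success", "alice", "10.0.0.7", None),  # ordinary logon
]

def decode_encoded_command(cmdline):
    """Return the plaintext of a powershell -enc/-EncodedCommand argument, or None."""
    m = re.search(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")

def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Flag (user, ip) pairs where >= min_failures failed logons precede a success
    and a PowerShell process starts within the window; decode what actually ran."""
    failures, sessions, findings = {}, {}, []
    for ts, kind, user, ip, cmdline in sorted(events, key=lambda e: e[0]):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (user, ip)
        if kind == "logon_failed":
            failures.setdefault(key, []).append(t)
        elif kind == "logon_success":
            recent = [f for f in failures.get(key, []) if t - f <= window]
            if len(recent) >= min_failures:
                sessions[key] = (t, len(recent))  # a brute force that got in
        elif kind == "process" and key in sessions and cmdline:
            start, n = sessions[key]
            if t - start <= window and "powershell" in cmdline.lower():
                findings.append({"user": user, "src_ip": ip, "failures": n,
                                 "decoded_command": decode_encoded_command(cmdline)})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The decoded command is what lets the analyst decide between TP and FP: here it is the patch command from the story, so the chain is explained by an unauthorised but well-meant use of the shared admin account rather than by malware.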

Conclusion: The Mystery Unraveled

The confusion stemmed from a misinterpreted alert and the use of a generic admin account. Glitch wasn’t the villain here — they were trying to help. But who alerted the SOC? Was the Mayor’s warning just a misunderstanding, or part of a larger game?

In cybersecurity, appearances can be deceiving. Context, correlation, and a thorough investigation are key to uncovering the truth. In the end, the SOC team learned that sometimes, the hero might be the last person you’d expect.

Takeaways:

  • Always analyze the context around alerts.
  • Correlate multiple events to build a clear picture.
  • Don’t jump to conclusions based on surface-level data.

#CyberSecurity #SOCAnalysis #PowerShell #IncidentResponse #TryHackMe
