Scenario

Your manager has just informed you that, due to recent budget cuts, you’ll need to take on additional responsibilities in threat analysis. As a junior threat intelligence analyst at a cybersecurity firm, you’re now tasked with investigating a cyber espionage campaign linked to a group known as Salt Typhoon. Apparently, defending against sophisticated Nation-State cyber threats is now a “do more with less” kind of game.

Your Task: Conduct comprehensive research on Salt Typhoon, focusing on their tactics, techniques, and procedures. Utilize the MITRE ATT&CK framework to map out their activities and provide actionable insights. Your findings could play a pivotal role in fortifying our defenses against this adversary. Dive deep into the data and show that even with a shoestring budget, you can outsmart the cyber baddies.

Initial Analysis

All of the answers come either from the MITRE ATT&CK website or from searching the web; basically OSINT.

Questions

This write-up won’t be too elaborate.

1. Starting with the MITRE ATT&CK page, which country is thought to be behind Salt Typhoon?

Solution: China

2. According to that page, Salt Typhoon has been active since at least when? (Year)

Solution: 2019

3. What kind of infrastructure does Salt Typhoon target?

Solution: network

4. Salt Typhoon has been associated with multiple custom-built malware families. What is the name of the malware associated with the ID S1206?

Solution: JumbledPath

5. What operating system does this malware target?

Solution: Linux

6. What programming language is the malware written in?

Solution: go

7. On which vendor’s devices does the malware act as a network sniffer?

Solution: cisco

8. The malware can perform ‘Indicator Removal’ by erasing logs. What is the MITRE ATT&CK ID for this?

Solution: T1070.002

9. (The question text is not preserved on this page.)

Solution: CVE-2022-3236

10. The blog demonstrates how the group modifies the registry to obtain persistence with a backdoor known as Crowdoor. Which registry key do they target?

Solution: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

11. What is the MITRE ATT&CK ID of the previous technique?

Solution: T1112

12. On November 25th, 2024, TrendMicro published a blog post detailing the threat actor. What name does this blog primarily use to refer to the group?

Solution: Earth Estries

13. The blog post identifies additional malware attributed to the threat actor. Which malware do they describe as a ‘multi-modular backdoor…using a custom protocol protected by Transport Layer Security’?

Solution: GHOSTSPIDER

14. Most of the domains the malware communicates with have a .com top-level domain. One uses a .dev TLD. What is the full domain name for the .dev TLD?

Solution: telcom.grishamarkovgf8936.workers.dev

15. What is the filename for the first GET request to the C&C server used by the malware?

Solution: index.php

16. On September 30th, 2021, a blog post was released on Securelist by Kaspersky. What was the threat actor’s name at that time?

Solution: GhostEmperor

17. What is the name of the malware that this article focuses on?

Solution: Demodex

18. What type of malware is the above malware?

Solution: rootkit

19. The first stage consists of a malicious PowerShell dropper. What type of encryption is used to obfuscate the code?

Solution: AES

20. (The question text is not preserved on this page.)

Solution: 0x220300