
AJ

Pyramid Of Pain

The Pyramid of Pain is about determining how much difficulty it will cause an attacker to change an indicator associated with them and their group once that indicator is detected and blocked.

The top of the pyramid indicates the indicators that are hardest for an attacker to change, and the bottom the easiest.

Hashes

A hash is a way of verifying the integrity and legitimacy of a file, message, etc. A hash function takes one input and generates a fixed-size hash value. A hash algorithm is considered insecure if two different files can have the same hash value (a collision).

If the attacker uses known malware, the hash of the file can be compared against a database of already known malware hashes to detect that it is malicious.

Tools you can use to do hash lookups:

  • VirusTotal
  • MetaDefender Cloud - OPSWAT

PowerShell command to get a file hash (the -Algorithm parameter also accepts SHA1, SHA256, SHA384 and SHA512):
Get-FileHash .\Filename.txt -Algorithm MD5

IP

IP addresses are used to uniquely identify devices connected to a network so they can send and receive information over it. In the Pyramid of Pain, IP addresses are shown in green. From a defensive perspective you can block, deny or drop requests from certain IP addresses, but this won't stop an experienced attacker; they can simply switch to a new IP address.

Websites to find harmful IP addresses

Domain names

Domain names can be thought of as simply mapping an IP address to a string of text.

Many DNS providers have very low standards and offer APIs, which makes it even easier for an attacker to change domains.

Punycode is a way of converting words that cannot be written in ASCII (for example Unicode characters in a domain name) into an ASCII-compatible encoding.

URL shortening services:

  • bit.ly
  • goo.gl
  • ow.ly
  • s.id

Network Artifacts (Yellow zone)

A network artifact can be a User-Agent string, C2 information, or URI patterns followed by HTTP POST requests.

Network artifacts can be detected in PCAP files (files containing the captured packet data of a network) using a network protocol analyzer such as Wireshark or TShark, or by exploring IDS (Intrusion Detection System) logging from a source such as Snort.

If you can detect the custom User-Agent strings the attacker is using, you may be able to block them, creating more obstacles and making their attempts to compromise the network more annoying.
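As an added example (not part of the original post), here is detection logic run over constructed proxy-log lines, looking for the two network artifacts mentioned above: a custom User-Agent string and a URI pattern used by HTTP POST check-ins. The log format is a simplified constructed one, and the indicator values "CustomLoader/" and "/gate.php" are hypothetical stand-ins for what a threat-intel feed or your own IDS logging would supply.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (not real traffic):
# timestamp, client IP, method, URI, status, User-Agent.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET /index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-01-01T10:00:07Z 10.0.0.9 POST /api/v1/upload 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-01-01T10:00:12Z 10.0.0.7 POST /gate.php 200 "CustomLoader/1.3 (cmd:beacon)"
2024-01-01T10:00:19Z 10.0.0.7 POST /gate.php 200 "CustomLoader/1.3 (cmd:beacon)"
2024-01-01T10:00:30Z 10.0.0.3 GET /about 200 "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Hypothetical indicator values standing in for a threat-intel feed.
BAD_UA_SUBSTRINGS = ("CustomLoader/",)           # custom User-Agent artifact
BAD_POST_URI_RE = re.compile(r"/gate\.php$")     # URI pattern used by POST check-ins
BROWSER_UA_RE = re.compile(r"^Mozilla/5\.0 \(")  # the browser UA family we expect to see

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(log_text):
    """Return (alerts, rare_uas). alerts: (rule, src, method, uri, ua) tuples for lines
    matching a known artifact; rare_uas: counts of non-browser User-Agents worth review."""
    alerts, rare = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ua, uri = rec["ua"], rec["uri"]
        hit = False
        if any(s in ua for s in BAD_UA_SUBSTRINGS):
            alerts.append(("bad-user-agent", rec["src"], rec["method"], uri, ua))
            hit = True
        if rec["method"] == "POST" and BAD_POST_URI_RE.search(uri):
            alerts.append(("bad-post-uri", rec["src"], rec["method"], uri, ua))
            hit = True
        if not hit and not BROWSER_UA_RE.match(ua):
            rare[ua] += 1  # unknown tooling, not a known-bad indicator: triage, don't block
    return alerts, rare

if __name__ == "__main__":
    alerts, rare = find_suspicious(SAMPLE_LOG)
    for a in alerts:
        print("ALERT", *a)
    for ua, n in rare.items():
        print(f"REVIEW uncommon User-Agent seen {n}x: {ua}")
```

Both beacon lines trigger both rules, so a single source shows up four times; the curl line is only queued for review, since an uncommon User-Agent on its own is not evidence of compromise.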

Tools (Challenging)

Attackers usually use utilities such as:

  • Malicious macro documents for spear phishing attempts
  • A backdoor that can be used to establish C2
  • Any custom .exe and .dll files, payloads, or password crackers

TTPs (Tough)

TTPs stands for Tactics, Techniques and Procedures. This covers the whole MITRE ATT&CK Matrix, meaning all the steps taken by an attacker to achieve their goal, from phishing attempts through persistence to data exfiltration.