Summit - TryHackMe Defensive Security Challenge

Summit – TryHackMe Defensive Security Challenge

January 20, 2026

This is a Walkthrough for the Summit Incident Response TryHackMe challenge room. The writeup is meant to offer short and concise solutions, and also offering an extended explanation right after the answer for those interested in finding out more about the solution to a specific task.

Introduction

The description of the room is the following:

Can you chase a simulated adversary up the Pyramid of Pain until they finally back down?

The room is essentially a threat detection and response simulator focusing on defending against increasingly harder threats by following the levels on the Pyramid of Pain. We will be receiving .exe files by email, and will have to run those through a built-in sandbox analysis tool.

The first email we get is one containing a file named sample1.exe

Task 1: What is the first flag you receive after successfully detecting sample1.exe?

Read the email and click on the attachment to download.
Go to the burger menu on the top left, then click on the Malware Sandbox tool. Choose sample1.exe

After a while, we will get the results. We got an information table and a Behaviour Analysis section. For this task, though, we have to focus on the table:

File Name	`sample1.exe`
File Size	202.50 KB
File Type	PE32+ executable (GUI) x86-64, for MS Windows
Analysis Date	September 5, 2023
OS	Windows 10x64 v1803
Tags	Trojan.Metasploit.A
MIME	application/x-dosexec
MD5	`cbda8ae000aa9cbe7c8b982bae006c2a`
SHA1	`83d2791ca93e58688598485aa62597c0ebbf7610`
SHA256	`9c550591a25c6228cb7d74d970d133d75c961ffed2ef7180144859cc09efca8c`

Following the Pyramid of Pain, the first level is “Hash value.”

Go to the burger menu, then click on Manage Hashes.
There are three options: MD5, SHA1, SHA256. Pick either, and input the corresponding hash.

We will get a message congratulating us on completing the task, and a new email containing flag 1 and the next malware sample.

Task 2: What is the second flag you receive after successfully detecting sample2.exe?

Read the new email and click on the sample2.exe attachment.
Analyze the file on the Malware Sandbox tool.

But by changing just one bit the hash value of a file can change completely, so it is easy to evade this method. The second level of the Pyramid of Pain corresponds to IP Addresses. The analysis will give us, again, an information table, a Behaviour Analysis section, and now a Network Activity. The latter is the one we will have to check now.

The results are as follows (Information Table and Behaviour Analysis sections omitted):

Network Activity

HTTP(S) requests

1 TCP/UDP connections

3 DNS requests

0 Threats

0

HTTP requests

PID	Process	Method	IP	URL
1927	sample2.exe	GET	154.35.10.113:4444	http://154.35.10.113:4444/uvLk8YI32

Connections

PID	Process	IP	Domain	ASN
1927	sample2.exe	154.35.10.113:4444	-	Intrabuzz Hosting Limited
1927	sample2.exe	40.97.128.3:443	-	Microsoft Corporation
1927	sample2.exe	40.97.128.4:443	-	Microsoft Corporation

If we take a look at the HTTP Request we can see the executable connects to and downloads a file from the 154.35.10.113 IP address. We now have to create a Firewall rule for this IP address.

Go to the Burger Menu, then click on the Firewall Manager tool. We need to fill some fields, which we will as follows:
Type: Egress
Source IP: Any
Destination IP: 154.35.10.113
Action: Deny

We will receive a congratulating message and a new email with flag 2.

Extra: Why not the other two IPs

According to the analysis, the file would make a connection to another two addresses: 40.97.128.3 and 40.97.128.4. These IP addresses, however, were identified to belong to Microsoft whereas the one we chose apparently belongs to a hosting service. Connecting to a Microsoft IP address is completely normal for business operations... not so much connecting to and downloading files from an IP address that belongs to a hosting service.

Task 3: What is the third flag you receive after successfully detecting sample3.exe?

Changing one's IP address is not particularly hard – the attacker mentions on their email message that they hired a new Cloud Service Provider and now have access to many more IPs. The third level of the Pyramid of Pain corresponds to Domain Names.

Read the new email and analyze the sample3.exe file.

Under Network Activity we will have a new section, DNS requests.

(output omitted)

Network Activity

HTTP(S) requests

2 TCP/UDP connections

4 DNS requests

2 Threats

0 HTTP requests

PID	Process	Method	IP	URL
1021	sample3.exe	GET	62.123.140.9:1337	http://emudyn.bresonicz.info:1337/kzn293la
1021	sample3.exe	GET	62.123.140.9:80	http://emudyn.bresonicz.info/backdoor.exe

Connections

PID	Process	IP	Domain	ASN
1021	sample3.exe	40.97.128.4:443	services.microsoft.com	Microsoft Corporation
1021	sample3.exe	62.123.140.9:1337	emudyn.bresonicz.info	XplorIta Cloud Services
1021	sample3.exe	62.123.140.9:80	emudyn.bresonicz.info	XplorIta Cloud Services
2712	backdoor.exe	62.123.140.9:80	emudyn.bresonicz.info	XplorIta Cloud Services

DNS requests

Domain	IP
services.microsoft.com	40.97.128.4
emudyn.bresonicz.info	62.123.140.9

The DNS requests section showed us the domain the executable is downloading files from, emudyn.bresonicz.info. The other one belongs to Microsoft, so we can assume it's safe.

Head to the Burger menu, and then click on DNS Rule Manager.
Click on Create DNS Rule
We have to fill some fields. Do so as follows:
- Rule name: (Any works. I named it “Deny Phishing Domain.”)
- Category: Phishing
- Domain Name: emudyn.bresonicz.info
- Action: Deny

We will receive a congratulating message and a new email with flag 3.

Task 4: What is the fourth flag you receive after successfully detecting sample4.exe?

Changing one's domain is harder than changing an IP address, as this requires purchasing a new domain and modifying DNS records. Still, a very determined hacker might still be willing to do so (and also, some DNS providers have loose standards). The next level of the Pyramid of Pain corresponds to Host and Network Artifacts.

Read the email and analyze sample4.exe.

The new email will contain a Registry Activity section after all the previous one. Let's take a look at that one.

(output omitted)

Registry Activity

Total events

3 Read events

1 Write events

2 Delete events

0 Modification events

(PID) Process: (3806) sample4.exe	Key: HKEYLOCALMACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
Operation: write	Name: DisableRealtimeMonitoring
Value: 1
(PID) Process: (1928) explorer.exe	Key: HKEYCURRENTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation: write	Name: EnableBalloonTips
Value: 1
(PID) Process: (9876) notepad.exe	Key: HKEYCURRENTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.txt
Operation: read	Name: Progid
Value: txtfile

If we look at the first event, sample4.exe appears to be disabling Windows Defender Real-Time Protection by modifying the Windows Registry. This is the artifact, finding this is how we know we have a potentially infected host. We now have to create a rule that alerts us when this happens.

Go to the Burger Menu, then click on Sigma Rule Builder.
Click on Create Sigma Rule. A Sigma rule will be generated by an LLM based on the options we pick.
On the “I want to create a rule that focuses on:” section, pick Sysmon Event Logs.
On “I want to target this Sysmon event:”, pick Registry Modifications.
You have to fill some fields to generate the rule. Fill them as follows:
- Registry Key: HKEYLOCALMACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
- Registry Name: DisableRealtimeMonitoring
- Value: 1
- ATT&CK ID: Defense Evasion (TA0005)
Click on the Validate Rule button.

Once it generates the Sigma rule, we will receive a congratulating message and a new email with flag 4.

Extra: why “alert” and not “respond”.

The reason we are creating a rule to alert rather than to respond like we did in the previous steps is because disabling Real Time Protection is, while unusual (and warned against on modern Windows), a potentially benign action. We alert the cybersecurity team when it occurs so they can investigate the situation and determine if it is expected or not, instead of just not allowing and potentially hindering a normal business operation.

Task 5: What is the fifth flag you receive after successfully detecting sample5.exe?

Knowing the artifacts an attacker leaves on a system means the attacker will have to change their tools and methodologies, which means they will have to spend even more resources to attack our system. We are now on the highest levels of the pyramid, the ones with the highest difficulty for the attacker to bypass, and at this point it's very likely they changed their target. Still, if the attacker persists, the second-to-last level of the Pyramid of Pain corresponds to detecting Tools.

Read the new email and click on sample5.exe According to the email, the “heavy lifting” and instructions now occur on their backend server, which means we will have significantly less information on the file's actions.

This time we don't have the results of an analysis, but a log of attempted connections:

I confess the first thing I noticed was that the length for a lot of the attempts: most of them were over 10 KB in length. Then I realized what the actual problem with this log was: most of them go to the same destination, with the exact same byte length.

The attacker is probably using a tool that fragments messages in 97 bytes. Let us create a Sigma rule to detect when this happens.

Go to Create Sigma Rule, then click on Sysmon Event Logs.
On “I want to target this Sysmon event:”, pick Network Connections.
Fill the requested fields as follows:
- Remote IP: Any
- Remote Port: Any
- Size (bytes): 97
- Frequency (seconds): 1800
- ATT&CK ID: Command and Control (TA0011)

Once it generates the Sigma rule, we will receive a congratulating message and a new email with flag 5.

Extra: why this rule

Like in the previous task, we need to alert rather than to block, as legitimate network traffic may match this criteria. We chose the Remote IP and Remote Port to be “Any” because we now the attacker can change their IP address, but this also causes that this rule could be triggered at any point. However, SOC analysts would notice how many messages with the same length would go to the same IP address, and the fact that it happens every 30 minutes without fail, and respond to it. This is a common Defense Evasion technique, as fragmented messages are stealthier than sending all the data meant to be exfiltrated at once, and would also stop Data Loss Prevention systems from being executed.

Task 6: What is the final flag you receive from Sphinx?

A top attacker might have enough money and time to invest in changing and/or building and learning new tools and methodologies. We are at the last level of the Pyramid of Pain, and this corresponds to the Tactics, Techniques, and Procedures of the attacker. If we can detect and respond to how an attacker operates, they have almost no chance to fight back.

Read the final email and open the attachment.

This time the attachment is a log of the commands the sample files run once opened:

dir c:\ >> %temp%\exfiltr8.log
dir “c:\Documents and Settings” >> %temp%\exfiltr8.log
dir “c:\Program Files\” >> %temp%\exfiltr8.log
dir d:\ >> %temp%\exfiltr8.log
net localgroup administrator >> %temp%\exfiltr8.log
ver >> %temp%\exfiltr8.log
systeminfo >> %temp%\exfiltr8.log
ipconfig /all >> %temp%\exfiltr8.log
netstat -ano >> %temp%\exfiltr8.log
net start >> %temp%\exfiltr8.log

This is showing us the sample files were using commands that display important system information (directory trees, user list, system info, network information) and redirect the output to a file named exfiltr8.log, located in the temp folder (common place to hide malware, as nearly everything has writing permissions here.) Let us generate a rule to detect the creation of this file.

Go to Create Sigma Rule, and then click on System Event Logs.
On “I want to target this Sysmon event:”, pick File Creation and Modification.
Fill the requested fields as follows:
- File Path: %temp%
- File Name: exfiltr8.log
- ATT&CK ID: Collection (TA0009)

Once it generates the Sigma rule, we will receive a congratulating message and a new email with the final flag.

Congratulations! The room is finished.

What I Learnt

Pyramid of Pain: this challenge allowed me to strengthen my knowledge on the framework, forcing me to think why each level has its corresponding difficulty, by thinking how an attacker could bypass a detection or deny rule.
Sigma rule structure: levels 3 to 5 involved generating a Sigma rule, which the SOC L1 learning path (this challenge was part of it) has no room on at this point.
Analyzing logs: task 5 was about to look for a specific pattern in a log file. Even if at first I focused on the wrong pattern, I managed to realize quite quickly what was I supposed to be looking for.
Learning how an attacker might hide their actions, and thinking of False Positives: some tasks involved the attacker hiding their signatures, or hiding their actions by modifying system files. For these I had to consider about False Positives as well, as some of their actions could be similar to normally benign actions, and creating an overly lax detection rule might make the SOC team focus on the wrong alert.