The TryHackMe Carnage room presents one of the most realistic attack scenarios available for free — a complete Emotet infection chain followed by Cobalt Strike post-exploitation and a malspam campaign generating 1,439 SMTP packets.
This write-up focuses on three techniques that make the biggest practical difference in real SOC investigations.
Dataset: TryHackMe Carnage room — controlled training environment.
Attack Chain Overview
Zip email → XLS macro → payload from 3 domains
↓
Cobalt Strike C2 (Host header spoofed as Verisign)
↓
Post-infection C2 → maldivehost.net
↓
IP recon → api.ipify.org (17:00:04 UTC)
↓
Malspam → 1,439 SMTP packets
Technique 1 — Hex Inspection for Zip Contents
Filter: HTTP response for documents.zip → View → Packet Bytes
Zip central directories are stored at the end of the archive. Checking the hex from the bottom found chart-1530076591.xls immediately — without downloading or executing anything.
The 10-digit epoch timestamp filename is a known Emotet naming pattern. Recognizing this from hex alone is a core analyst skill.
Answer: chart-1530076591.xls
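The central-directory walk described above, as an added example (not code from the write-up): it builds a sample archive in memory, then reads the filenames from the End of Central Directory record at the tail of the file without inflating anything, and flags names that fit the 10-digit epoch pattern. The archive contents are constructed; only the filename comes from the room.

```python
import io
import re
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header

def build_sample_zip():
    """Constructed sample archive (built in memory so the example runs offline):
    a single Excel file named in the epoch style seen in the room."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("chart-1530076591.xls", b"\xd0\xcf\x11\xe0 placeholder OLE bytes")
    return buf.getvalue()

def list_zip_entries(data):
    """Read filenames from the central directory at the end of the archive,
    the same structure an analyst reads in Packet Bytes. Nothing is inflated."""
    # EOCD sits within the last 22 + 65535 bytes (fixed part plus maximum comment)
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if eocd < 0:
        raise ValueError("no End of Central Directory record found")
    # after the signature: disk, cd_disk, entries_on_disk, entries_total, cd_size, cd_offset, comment_len
    _, _, _, entries, _, cd_offset, _ = struct.unpack("<HHHHIIH", data[eocd + 4:eocd + 22])
    names = []
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory header at offset %d" % pos)
        # fixed header is 46 bytes; name/extra/comment lengths sit at offsets 28, 30, 32
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names

# Emotet-style name: word, hyphen, 10-digit epoch timestamp, Excel extension
EPOCH_NAME = re.compile(r"^[A-Za-z]+-\d{10}\.xls[mx]?$")

def epoch_named_office_files(names):
    """Filter the entry list down to names matching the epoch-timestamp pattern."""
    return [n for n in names if EPOCH_NAME.match(n)]

if __name__ == "__main__":
    entries = list_zip_entries(build_sample_zip())
    print(entries, epoch_named_office_files(entries))
```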
Technique 2 — Time-Bounded TLS SNI Hunting
tls.handshake.type == 1 returned 181 Client Hello packets. Too many to check manually.
Solution: Use the infection timestamp as a filter boundary.
First malicious HTTP: 16:44:38 UTC → narrow TLS filter to 16:45:11–16:45:30 UTC
181 packets → 5 packets. Each SNI checked on VirusTotal:
- finejewels.com.au → malicious
- thietbiagt.com → malicious
- new.americold.com → malicious
The SNI field in TLS Client Hello is plaintext — you see the destination domain without decrypting anything. Time-bounding with the infection timestamp is what makes this technique practical.
MITRE: T1573.001
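To show that the SNI really is readable from raw bytes and how the time window cuts the list down, here is an added example (not from the write-up): it builds minimal ClientHello records, walks the handshake to pull out server_name, and applies the 16:45:11–16:45:30 window. The packet timestamps, the example.* domains and the handshake layout choices (zeroed random, one cipher suite) are constructed; the three flagged domains are the room's.

```python
import struct

def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello record carrying only an SNI extension
    (zeroed random, empty session id, one cipher suite). Sample input, not a capture."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack(">H", len(host)) + host             # name_type=host_name
    sni_ext = struct.pack(">HHH", 0, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                          # version, random, session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                           # cipher suites, compression
            + struct.pack(">H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def extract_sni(record):
    """Return the server_name from a ClientHello record, or None. Pure byte walking:
    the name is plaintext, no keys or decryption involved."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                    # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                # session id
    p += 2 + struct.unpack(">H", record[p:p + 2])[0]  # cipher suites
    p += 1 + record[p]                                # compression methods
    ext_end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack(">HH", record[p:p + 4])
        if ext_type == 0:                             # server_name extension
            name_len = struct.unpack(">H", record[p + 7:p + 9])[0]
            return record[p + 9:p + 9 + name_len].decode("ascii", "replace")
        p += 4 + ext_len
    return None

# Constructed capture: (UTC time, ClientHello bytes). Inside the window are the write-up's
# three SNIs plus one benign placeholder; the others fall outside the window.
SAMPLE_PACKETS = [
    ("16:44:02", build_client_hello("example.net")),
    ("16:45:12", build_client_hello("finejewels.com.au")),
    ("16:45:18", build_client_hello("thietbiagt.com")),
    ("16:45:21", build_client_hello("example.com")),
    ("16:45:27", build_client_hello("new.americold.com")),
    ("16:46:40", build_client_hello("example.org")),
]

def hunt_sni(packets, start, end):
    """Time-bound the Client Hello packets to the window after the first malicious
    HTTP request and return each SNI, ready for a reputation lookup."""
    names = []
    for ts, record in packets:
        if start <= ts <= end:            # fixed-width HH:MM:SS strings compare correctly
            name = extract_sni(record)
            if name:
                names.append(name)
    return names
```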
Technique 3 — Cobalt Strike Host Header Masquerading
Filter: ip.dst == 185.106.96.158 && http
Host: oscp.verisign.com
Actual destination: 185.106.96.158 (Cobalt Strike C2)
The Host header claimed Verisign. The actual IP had nothing to do with Verisign.
Cobalt Strike's malleable C2 profiles allow operators to set any HTTP header to any value — attackers routinely spoof trusted domains (verisign.com, microsoft.com, windowsupdate.com) to blend with enterprise traffic.
Detection: Cross-reference the Host domain with the actual destination IP. A Host header naming a trusted domain while the destination IP is external and flagged by threat intel is confirmed masquerading.
MITRE: T1036
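The cross-reference check as an added example (not code from the write-up), run over constructed HTTP request records: it flags any request whose Host claims a trusted domain while the destination is a non-private address, and marks the row confirmed when that IP is already on a flagged list. The oscp.verisign.com Host and the two C2 IPs are from the write-up; the 10.0.0.5 client and the 172.16.5.10 proxy entry are placeholders.

```python
import ipaddress
from collections import Counter

TRUSTED_SUFFIXES = ("verisign.com", "microsoft.com", "windowsupdate.com")

def claims_trusted_domain(host):
    """True when the Host header is one of the trusted domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def is_internal(ip):
    # is_private covers 10/8, 172.16/12, 192.168/16 plus loopback and link-local
    return ipaddress.ip_address(ip).is_private

def find_host_masquerading(requests, flagged_ips=frozenset()):
    """requests: iterable of (src_ip, dst_ip, host_header) taken from HTTP GETs.
    Returns one row per (src, dst, host) whose Host names a trusted domain while the
    destination is external. verdict is 'confirmed' when the IP is already flagged
    (e.g. by VirusTotal), otherwise 'suspect' pending a reputation check."""
    hits = Counter((src, dst, host) for src, dst, host in requests
                   if claims_trusted_domain(host) and not is_internal(dst))
    rows = []
    for (src, dst, host), n in sorted(hits.items(), key=lambda kv: -kv[1]):
        verdict = "confirmed" if dst in flagged_ips else "suspect"
        rows.append({"src": src, "dst": dst, "host": host, "requests": n, "verdict": verdict})
    return rows

# Constructed log: the verisign Host and the C2 IPs are from the write-up; the internal
# client address and the internal update-proxy entry are placeholders.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "185.106.96.158", "oscp.verisign.com"),
    ("10.0.0.5", "185.106.96.158", "oscp.verisign.com"),
    ("10.0.0.5", "185.106.96.158", "oscp.verisign.com"),
    ("10.0.0.5", "172.16.5.10", "www.microsoft.com"),          # internal proxy, not flagged
    ("10.0.0.5", "185.125.204.174", "securitybusinpuff.com"),  # C2 without a trusted-domain claim
]

if __name__ == "__main__":
    for row in find_host_masquerading(SAMPLE_REQUESTS, {"185.106.96.158"}):
        print(row)
```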
Technique 4 — SMTP Forensics
Filter: frame contains "MAIL FROM"
Lesson: smtp contains "FROM" returned wrong results. Always search for the complete field name.
1,439 SMTP packets from an internal host = machine enrolled in Emotet malspam botnet. The infected machine was sending phishing emails on the attacker's behalf.
MITRE: T1071.003
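An added example (not from the write-up) that separates the two approaches: a bare substring match on FROM against the parsed MAIL FROM envelope command, then a per-host count against the kind of volume threshold a SIEM rule would use. The sender address is the one from the room; the source IPs, recipient and header text are constructed.

```python
import re
from collections import Counter

MAIL_FROM = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)

def naive_from_hits(lines):
    """Substring search for FROM, the over-broad approach the write-up warns about:
    it also matches header and body text inside DATA."""
    return [line for _, line in lines if "FROM" in line]

def envelope_senders(lines):
    """Count (src_ip, sender) pairs from MAIL FROM commands only."""
    senders = Counter()
    for src, line in lines:
        m = MAIL_FROM.match(line)
        if m:
            senders[(src, m.group(1).lower())] += 1
    return senders

def flag_malspam_hosts(lines, threshold=50):
    """Hosts whose MAIL FROM count exceeds the threshold (the SIEM rule cutoff)."""
    per_host = Counter()
    for (src, _), n in envelope_senders(lines).items():
        per_host[src] += n
    return {src: n for src, n in per_host.items() if n > threshold}

# Constructed client-side SMTP lines as (src_ip, line). The sender address is the
# one from the write-up; the source IPs, recipient and subject are placeholders.
SAMPLE_SMTP = [
    ("10.0.0.5", "EHLO victim-pc"),
    ("10.0.0.5", "MAIL FROM:<farshin@mailfa.com>"),
    ("10.0.0.5", "RCPT TO:<someone@example.com>"),
    ("10.0.0.5", "DATA"),
    ("10.0.0.5", "From: Farshin <farshin@mailfa.com>"),
    ("10.0.0.5", "Subject: URGENT: RESPONSE FROM ACCOUNTS"),   # header text also contains FROM
    ("10.0.0.5", "."),
    ("10.0.0.7", "MAIL FROM:<admin@example.com>"),
]

if __name__ == "__main__":
    print(len(naive_from_hits(SAMPLE_SMTP)), "substring hits vs",
          sum(envelope_senders(SAMPLE_SMTP).values()), "MAIL FROM commands")
```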
Cobalt Strike Identification — Full Workflow
- Filter http.request.method == "GET" → Statistics → Conversations → TCP → sort by frequency
- Note top recurring external IPs
- Check each on VirusTotal → Community tab (not just detection — community notes confirm Cobalt Strike)
- Cross-reference Host header with actual destination IP for masquerading
C2 servers: 185.106.96.158 (survmeter.live), 185.125.204.174 (securitybusinpuff.com)
IOC Table
| Type | Value | Role |
|---|---|---|
| Domain | attirenepal.com | Initial zip |
| File | documents.zip → chart-1530076591.xls | Macro payload |
| Domain | finejewels.com.au | Secondary payload |
| Domain | thietbiagt.com | Secondary payload |
| Domain | new.americold.com | Secondary payload |
| IP | 185.106.96.158 | Cobalt Strike C2 |
| IP | 185.125.204.174 | Cobalt Strike C2 |
| Domain | maldivehost.net | Post-infection C2 |
| Email | farshin@mailfa.com | Malspam sender |
MITRE ATT&CK
| ID | Technique |
|---|---|
| T1566.001 | Phishing: Spearphishing Attachment |
| T1059.005 | VBA Macro |
| T1105 | Ingress Tool Transfer |
| T1071.001 | Web Protocols |
| T1573.001 | Encrypted Channel |
| T1036 | Masquerading |
| T1016 | System Network Config Discovery |
| T1583 | Acquire Infrastructure |
| T1071.003 | Mail Protocols |
Detection Rules (Splunk SPL)
Rule 1 — Cobalt Strike Host Header Masquerading
index=network http.request.method=GET
| where like('http.host', "%.verisign.com")
    OR like('http.host', "%.microsoft.com")
    OR like('http.host', "%.windowsupdate.com")
| eval dest_internal=if(match(dest_ip, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"), 1, 0)
| where dest_internal=0
| stats count by src_ip, dest_ip, http.host
Rule 2 — TLS to Suspicious TLD
index=network ssl.handshake.type=1
| eval tld=lower(mvindex(split('ssl.handshake.extensions_server_name', "."), -1))
| where in(tld, "live", "xyz", "top", "pw", "online", "site", "club", "icu")
| stats count by src_ip, ssl.handshake.extensions_server_name
| sort -count
Rule 3 — Internal Malspam Detection
index=network sourcetype=stream:smtp
| stats count as smtp_count by src_ip
| where smtp_count > 50
| join src_ip [search index=network http.request.method=POST
    | stats count as http_post_count by src_ip]
| table src_ip, smtp_count, http_post_count
Three Key Takeaways
Time-bound your TLS filters. The infection timestamp reduces 181 packets to 5. Always know your starting timestamp before filtering TLS.
Cobalt Strike hides in the Host header. Cross-referencing the Host domain with the actual destination IP catches it every time — no threat intel feed required.
1,439 SMTP packets means you're already losing. The machine is sending phishing on behalf of the attacker. Detecting this early is why malspam volume thresholds matter in SIEM rules.
Full Report on GitHub
👉 github.com/himanshumodi3108/cybersec-portfolio
Himanshu Kumar Modi · Associate at PwC India · SOC Analyst in Training
LinkedIn · Cybersecurity Portfolio