TryHackMe – TheHive Project Walkthrough

Task 1 & 2 are easy “I read this” ones, so let’s skip to…

Task 3

Question 1: Which open-source platform supports the analysis of observables within TheHive?

In the reading under “Observable Enrichment with Cortex” bullet it explains that

One of the main feature integrations TheHive supports is Cortex

Answer: Cortex

Task 4

Question 1: Which pre-configured account cannot manage any cases?

Start the machine and start an attackbox to work from.

You need to wait at least 5 minutes for the box to be ready. Use the url in the instruction to access the site then use the credentials provided to login.

Good now ignore all that. The answers to all of Task 4 questions are in the reading.

Read the admin profile carefully. Usually admin profile has the best permissions, but in this case they can not manage cases.

Answer: admin

Question 2: Which permission allows a user to create, update or delete observables?

Answer is in the reading, look through the list of permissions.

Answer: manageObservable

Question 3: Which permission allows a user to execute actions?

Again, answer is in the reading. Look through the same list of permissions.

Answer: manageAction

Task 5

Follow along with the reading.

Question 1: Where are the TTPs imported from?

Answer is in the reading. Just below the New Case Window demonstration.

Answer: MITRE ATT&CK

Question 2: According to the Framework, what type of Detection “Data source” would our investigation be classified under?

Click on the Technique link in the example:

This provides more information in the next window:

Look under data sources and you will see…

Answer: network traffic

Question 3: Upload the pcap file as an observable. What is the flag obtained from https://10.10.187.248//files/flag.html

Go the the URL above and take out the “s” from https. The file then displays the flag…

Answer: THM{FILES_ARE_OBSERVABLERS}