TryHackMe Walkthrough – Phishing Prevention

Task 1: Introduction

Question 1: After visiting the link in the task, what is the MITRE ID for the “Software Configuration” mitigation technique?

Follow the link to Look for Software Configuration and the ID is there.

Answer: M1054

Task 2: SPF (Sender Policy Framework

Question 1: Referencing the dmarcian SPF syntax table, what prefix character can be added to the “all” mechanism to ensure a “softfail” result?

Follow the link to the page and then click on the here in: “More in-depth information on the differences between “~” and “–” can be found here

This gives you the…

Anwser: ~

Question 2: What is the meaning of the -all tag?

This answer is on that second webpage as well. Scroll down a little and to see the difference between ~all and -all.

  • “softfail” in the case of “~”
  • fail” in the case of “-“

Answer: fail

Task 3: DKIM (DomainKeys Identified Mail

Question 1: Which email header shows the status of whether DKIM passed or failed?

We can find the answer in the last screenshot in the reading. right above the dkim=pass that is highlighted. We see…

Answer: Authentication-Results

Task 4: DMARC (Domain-Based Message Authentication, Reporting, and Conformance)

Question 1: Which DMARC policy would you use not to accept an email if the message fails the DMARC check?

Follow this link from the reading to find the answer.

Consider an example DMARC TXT RR for the domain “” that reads:


In this example, the sender requests that the receiver outright reject all non-aligned messages and send a report, in a specified aggregate format, about the rejections to a specified address. If the sender was testing its configuration, it could replace “reject” with “quarantine” which would tell the receiver they shouldn’t necessarily reject the message, but consider quarantining it.

Answer: p=reject

Task 5: S/MIME (Secure/Multipurpose Internet Mail Extensions

Question 1: What is nonrepudiation? (The answer is a full sentence, including the “.”)

For this one you need to again, navigate to another webpage:

On the second bullet point you can see the definition of nonrepudiation…

Answer: The uniqueness of a signature prevents the owner of the signature from disowning the signature.

Task 6: SMTP Status Codes

Question 1: What Wireshark filter can you use to narrow down the packet output using SMTP status codes?

Use the SMTP link to find the answer to this one. We are looking for a response code…

Answer: smtp.response.code

Question 2: Per the network traffic, what was the message for status code 220? (Do not include the status code (220) in the answer)

filter in wireshark using the above answer plus the status code 220

smtp.response.code == 220

Answer: <domain> service ready

Question 3: One packet shows a response that an email was blocked using What were the packet number and status code? (no spaces in your answer)

Easiest way to do this it to do a string search for In wireshark to do a stirng search go to Edit > Find Packet

Then change the drop down to string and type in your search string.

Answer: 156,553

Question 4: Based on the packet from the previous question, what was the message regarding the mailbox?

I tried “requested action not taken” but it s actually the second bit of the message…

Answer: requested action not taken

Question 5: What is the status code that will typically precede a SMTP DATA command?

Check out:

Answer: 354

Task 7: SMTP Traffic Analysis

Question 1: What port is the SMTP traffic using?

I just wanted to see what the standard SMTP port was:

For example, port 25, the standard SMTP port for moving messages between mail servers, is often blocked by ISPs and cloud providers (including Google Cloud Platform, which is what Kinsta uses).

Answer: 25

Question 2: How many packets are specifically SMTP?

For this we go to the search field in Wireshark and simply type in smtp. The answer will be “displayed” at the bottom of the screen.

Answer: 512

Question 3: What is the source IP address for all the SMTP traffic?

We can see this by just looking at the destination ips listed in wireshark.


Question 4: What is the filename of the third file attachment?

We are looking for imf, so put that in the search bar. The third file attachment is in packet 685.

Drill down until you find the file name.

Answer: attachment.scr

Question 5: How about the last file attachment?

Same thing but for the last packet 1309.

Answer: .zip

Task 8: SMTP and C&C Communication

Question 1: Per MITRE ATT&CK, which software is associated with using SMTP and POP3 for C2 communications?

Click on the link in the reading. Scroll down to the bottom of the Procedure Examples and you will see which one uses SMTP for C2.

Answer: Zebrocy

Task 9: Conclusion

Question 1: Per the playbook, what framework was used for the IR process?

Click the link to the site and you will see the framework mentioned is…

Answer: NIST