TryHackMe Walkthrough – Incident Response – Identification & Scoping

Preparation is the first room in the Incident Response learning path within the TryHackMe learning platform.

The learning path consist of the following rooms:

  • Preparation
  • Identification & Scoping
  • Threat Intel & Containment
  • Eradication & Remediation
  • Lessons Learned
  • Tardigrade

In this post I will be walking through Identification & Scoping.

Task 1: Introduction

Question 1: No answer needed.

Task 2: Identification: Unearthing the Existence of a Security Incident

Question 1: What is the Subject of Ticket#2023012398704232?

Follow the directions in the reading to dismiss all the Windows Office warnings. Once outlook opens on the VM scroll down the inbox to the first message from John Sterling that’s the one with the correct ticket number from the question. In the message thread scroll to the first message and you will see the ticket information including the subject.

Answer: weird error in outlook

Question 2: According to your colleague John, the issue outlined on Ticket#2023012398704232 could be related to what?

This one took me a while to find. We are looking for an email from John Sterling, where he says what the issue is related to. That email came in at 3:19pm. In the email John says “Could this issue be related to the missing email security (e.g., …

Answer: SPF, DKIM & DMARC records

Question 3: Your colleague requested what kind of data pertaining to the machine WKSTN-02?

This one is in the last email from 6:44pm. John says, “Additionally, can you retrieve the …

Answer: web proxy logs

Task 3: Scoping: Understanding the Extent of a Security Incident

Question 1: Based on Ticket#2023012398704231 and Asset Inventory shown in this task, who owns the computer that needs Endpoint Protection definitions updated?

Reading the email we can see that the ticket Oliver got has the IP of the affected machine listed which ends in 153. Find that in the table in the reading to see that it is …

Answer: Derick Marshall

Question 2: Based on the email exchanges and SoD shown in this task, what was the phishing domain where the compromised credentials in Ticket#2023012398704232 were submitted?

The answer is in the reading. The question says what is the phishing domain. Look in the last table for Domain and Threat Type is phishing.

Answer: b24b-158-62-19-6.ngrok-free.app

Question 3: Based on Ticket#2023012398704233, what phishing domain should be added to the SoD?

Paying close attention to the ticket number in the email, we see this is a different one. So look for an email with the subject matching this new ticket number. Oliver got that at 4:02pm. Answer is in the ticket description…

Answer: kennaroads.buzz

Task 4: Identification and Scoping Feedback Loop: An Intelligence-Driven Incident Response Process

Question 1: Concerning Ticket#2023012398704232 and according to your colleague John, what domain should be added to the SoD since it was used for email spoofing?

This answer is in the email received at 3:19pm. Your looking for a domain with only 2 characters in the forwarded email at the bottom of the thread.

Answer: emkei.cz

Question 2: Concerning the available artefacts gathered for analysis of Ticket#2023012398704232, who is the other user that received a similar phishing email but did not open a ticket nor report the issue?

Again, hunting through emails to find this. At 6:37pm Oliver got an email that answer this question.

Answer: alexander.swift@swiftspend.finance

Question 3: Concerning Ticket#2023012398704232, what additional IoC could be added to the SoD and be used as a pivot point for discovery?

We know most of the players at this point, and we’ve read all the emails, so let’s open those attachments that Damian sent.

We can see a new email address highlighted in the above screenshot.

Answer: sales.tal0nix@gmail.com

Question 4: Based on the email exchanges and attachments in those exchanges, what is the password of the compromised user?

Let’s open the other attachment, which is more information about workstation 2. Here we will do a simple Find and see if we get lucky.

What a terrible password.

Answer: Passw0rd!

Task 5: Conclusion

Question 1: No answer needed