TryHackMe Walkthrough – Incident Response – Preparation

Preparation is the first room in the Incident Response learning path within the TryHackMe learning platform.

The learning path consist of the following rooms:

  • Preparation
  • Identification & Scoping
  • Threat Intel & Containment
  • Eradication & Remediation
  • Lessons Learned
  • Tardigrade

In this post I will walkthrough the Preparation room.

Task 1: Introduction

Question 1: No answer needed

Task 2: Incident Response Capability

Question 1: What is an observed occurrence within a system?

The answer is in the reading. Look at the first bullets in this task.

Answer: Event

Question 2: What is described as a violation of security policies and practices?

This answer is also in the reading, in the same place as question 1.

Answer: Incident

Continue reading TryHackMe Walkthrough – Incident Response – Preparation

TryHackMe – SOC Level 1 Path Complete!

In this post I’d like to talk a bit about TryHackMe and my experience working through the SOC Level 1 learning path.

TryHackMe is a learning platform that sends users to virtual machines (VM) they can access through their web browser. Extremely low barrier to entry! Absolutely no previous knowledge is required. I’m not sponsored and TryHackMe did not ask me to write this.

I’m a big fan of theirs. I think the learning paths and rooms (think learning modules) are fantastic hands-on learnings! I learned

  • Cyber Defense Frameworks
  • Cyber Threat Intelligence
  • Network Security and Traffic Analysis
  • Endpoint Security Monitoring
  • Security Information and Event Management (SIEM)
  • Digital Forensics and Incident Response
  • Phishing

Each room walks the learner through hands-on learning.  I learned all these tools:

  • yara
  • opencti
  • misp
  • mitre
  • cyberkillchain
  • snort
  • zeek
  • brim
  • wireshark
  • sysmon
  • sysinternals
  • osquery
  • wazuh
  • splunk
  • autopsy
  • redline
  • linux (a lot!)
  • thehive
  • phishing

And even more! It’s a great platform. As of this writing it is $14 a month. If you’re not going to use it, don’t sign up, but if you really want to learn these tools and more it’s a great place to get started. You can spend as much time as you want learning these tools in real environments. You can’t break anything because it’s all VMs that start fresh each time the are launched. Getting the chance to work on these environments without setting up all these VMs is a huge time savings.

If you want to play around in there for free you can do that too. There is plenty of free content to get started with and see if you want to pay for the premium rooms and features. It’s worth checking out.

TryHackMe Walkthrough – The Greenholt Phish

Task 1: Just another day as a SOC analyst

Only one task for this room.

Question 1: What date was the email received? (answer format: M/DD/YY)

I opened the email in Thunderbird.

Answer: 6/10/20

Question 2: Who is the email from?

In the From…

Answer: Mr. James Jackson

Question 3: What is his email address?

Also in the From…


Continue reading TryHackMe Walkthrough – The Greenholt Phish

TryHackMe Walkthrough – Phishing Prevention

Task 1: Introduction

Question 1: After visiting the link in the task, what is the MITRE ID for the “Software Configuration” mitigation technique?

Follow the link to Look for Software Configuration and the ID is there.

Answer: M1054

Task 2: SPF (Sender Policy Framework

Question 1: Referencing the dmarcian SPF syntax table, what prefix character can be added to the “all” mechanism to ensure a “softfail” result?

Follow the link to the page and then click on the here in: “More in-depth information on the differences between “~” and “–” can be found here

This gives you the…

Anwser: ~

Question 2: What is the meaning of the -all tag?

This answer is on that second webpage as well. Scroll down a little and to see the difference between ~all and -all.

  • “softfail” in the case of “~”
  • fail” in the case of “-“

Answer: fail

Continue reading TryHackMe Walkthrough – Phishing Prevention

TryHackMe Walkthrough – Phishing Analysis Tools

Task 1: Introduction

Question 1: No answer needed

Task 2: What information should we collect?

Question 1: No answer needed

Task 3: Email header analysis

Question 1: What is the official site name of the bank that tried to resemble?

This should be self-explanatory, google capitol one to see what their domain is.


Continue reading TryHackMe Walkthrough – Phishing Analysis Tools

TryHackMe Walkthrough – Phishing Emails in Action

Task 1: Introduction

Question 1: No answer needed

Task 2: Cancel your PayPal order

Question 1: What phrase does the gibberish sender email start with?

This answer is in the reading. Look at the email address highlighted with a red circle 2.

Answer: noreply

Continue reading TryHackMe Walkthrough – Phishing Emails in Action

TryHackMe Walkthrough – Phishing Analysis Fundamentals

Task 1: Introduction

Question 1: No answer needed.

Task 2: The Email Address

Question 1: Email dates back to what time frame?

Answer is in the reading. Second paragraph.

Answer: 1970s

Continue reading TryHackMe Walkthrough – Phishing Analysis Fundamentals

TryHackMe – Intro to Malware Analysis Walkthrough

In this walkthrough we will go step by step to answer the questions.

Task 1: Introduction

No questions here, so let’s keep moving.

Task 2: Malware Analysis

Question: Which team uses malware analysis to look for IOCs and hunt for malware in a network?

The answer can be found in the reading in “The purpose behind Malware Analysis” section. Specifically, the Threat Hunt bullet.

Threat Hunt teams analyze malware to identify IOCs, which they use to hunt for malware in a network.

Answer: threat hunt teams

Continue reading TryHackMe – Intro to Malware Analysis Walkthrough

TryHackMe – TheHive Project Walkthrough

Task 1 & 2 are easy “I read this” ones, so let’s skip to…

Task 3

Question 1: Which open-source platform supports the analysis of observables within TheHive?

In the reading under “Observable Enrichment with Cortex” bullet it explains that

One of the main feature integrations TheHive supports is Cortex

Answer: Cortex

Continue reading TryHackMe – TheHive Project Walkthrough

TryHackMe Velociraptor Walk-Through

First task that has any questions is…

Task 2

Question 1: Using the documentation, how would you launch an Instant Velociraptor on Windows?

It’s in the documentation. Scroll to “Instant Velociraptor” and you will find…

Answer: Velociraptor.exe gui

Task 3

Question 1: What is the hostname for the client?

Open the Ubuntu terminal and run:

./velociraptor-v0.5.8-linux-amd64 --config velociraptor.config.yaml frontend -v

Let that run for a while….

Then launch Chrome and click on the short cut under the search bar called Velociraptor

If you get the warning about your connection not being private, click the advanced button, then proceed to

Enter the sign-in information given in task 3 instructions.

Once it comes up click on the magnifying glass next to the search bar:

Then this loads…

Boom! Hostname.


Question 2: What is listed as the agent version?

From our last step go ahead and click on that Client ID link. It opens up a page with Agent Version on it.



Question 3: In the Collected tab, what was the VQL command to query the client user accounts?

Click the collected button at the top of the page. Then click on the requests tab in the bottom frame. The VQL statement we are looking for is the fourth one down:


LET Generic_Client_Info_Users_0_0=SELECT Name, Description, Mtime AS LastLogin FROM Artifact.Windows.Sys.Users()

Question 4: In the Collected tab, check the results for the PowerShell whoami command you executed previously. What is the column header that shows the output of the command?

If you didn’t run the whoami command while running through the instructions, do that now. Click on magnifying glass then the Client ID and then on the right upper of the screen you will see the “>_ Shell” button click that run whoami. Then you will see this in the results tab here:

In the screenshot above you can see the column header name is Stdout.

Answer: Stdout

Question 5: In the Shell, run the following PowerShell command Get-Date. What was the PowerShell command executed with VQL to retrieve the result?

This is not the same as pulling the VQL from the previous answer. For this one we have to go to the Log tab after we run the command. There we find the VQL command that was run in the second line. Copy that out starting at the [powershell…


[powershell -ExecutionPolicy Unrestricted -encodedCommand RwBlAHQALQBEAGEAdABlAA==]

Task 4

Question 1: Earlier you created a new artifact collection for Windows.KapeFiles.Targets. You configured the parameters to include Ubuntu artifacts. Review the parameter description for this setting. What is this parameter specifically looking for?

The answer for this is in the screenshots for the instructions:

Answer: Ubuntu on Windows Subsystem for Linux

Question 2: Review the output. How many files were uploaded?

I hope you did the exercise otherwise, you won’t find the answer. Take the time go back and do the exercise, then you can find the answer after the process completes:

I’m pretty sure I didn’t do anything wrong here. I see 19 files uploaded and saw other walk-through’s getting the same answer. But the answer TryHackMe wants is 20.

Answer: 20

Task 5

Question 1: Which accessor can access hidden NTFS files and Alternate Data Streams? (format: xyz accessor)

The answer to this is in the documentation. Read the paragraph under VFS accessors.

Answer: ntfs accessor

Question 2: Which accessor provides file-like access to the registry? (format: xyz accessor)

This answer is also in the documentation same section.

Answer: registry accessor

Question 3: What is the name of the file in $Recycle.Bin?

Ok, time to get real. Dive back into Velociraptor and click the little file folder on the left navigation, it’s called virtual file system in the nav. Click File > C: > $Recycle.Bin ? S-1….. file folder under recyclebin. There is your file.

Answer: desktop.ini

Question 4: There is hidden text in a file located in the Admin’s Documents folder. What is the flag?

Alright, Click C: again followed by Users > Administrator > Documents.

The file we want is called flag.txt and we will need to collect it from the host, in order to get the Textview tab to be clickable.


Task 6

Question 1: What is followed after the SELECT keyword in a standard VQL query?

The answer to this question is found in the documentation. Read the Whitespace section.

Answer: Column Selectors

Question 2: What goes after the FROM keyword?

Keep reading same sentence to get the next anwser.

Answer: VQL Plugin

Question 3: What is followed by the WHERE keyword?

Just keep reading.. Just keep reading… next sentence has the next answer.

Answer: filter expression

Question marked by a “?”. This is also in the documentation, but you will need to navigate to notebooks. Look in number 5 for…

After clicking the Edit Cell button, you can type VQL directory into the cell. As you type, the GUI offers context sensitive suggestions about what possible completions can appear at the cursor. Typing “?” will show all suggestions possible.

Answer: ?

Question: What plugin would you use to run PowerShell code from Velociraptor?

Back to the documentation. Read the section about “Extending Artifacts – PowerShell” to find…

Answer: execve()

Task 7

Question 1: What are the arguments for parse_mft()?

It’s in the documentation. Look under time analysis for…

Answer: parse_mft(filename=”C:/$MFT”, accessor=”ntfs”)

Question 2: What filter expression will ensure that no directories are returned in the results?

Once again answer in the documentation. Filesystem doc under Glob Results.

Answer: IsDir

Task 8

Start the new machine.

Question 1: What is the name in the Artifact Exchange to detect Printnightmare?

Start up Velociraptor by opening a DOS shell and typing…

cd desktop
Velociraptor.exe gui

Let’s check the documentation. Using search I found.

Answer is in the documentation! Again!

Answer: Windows.Detection.PrintNightmare

Question 2: Per the above instructions, what is your Select clause? (no spaces after commas)

Replace the **** per the instructions.


SELECT “C:/” + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file=”C:/” + FullPath) AS PE

Question 3: What is the name of the DLL that was  placed by the attacker?

We have to create a notebook and plugin some VQL that we build using the previous answer as a template:

SELECT "C:/" + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file="C:/" + FullPath) AS PE
FROM parse_mft(filename="C:/$MFT", accessor="ntfs")
WHERE NOT IsDir AND FullPath =~ "Windows/System32/spool/drivers" AND PE

29 rows later, we see a oddly named DLL as the last row…

Answer: nightmare.dll

Question 4: What is the PDB entry?

Once you have the above, just look at the PDB line.

Answer: C:\Users\caleb\source\repos\nightmare\x64\Release\nightmare.pdb