TryHackMe Walkthrough – Incident Response – Identification & Scoping

Identification & Scoping is the second room in the Incident Response learning path on the TryHackMe learning platform.

The learning path consists of the following rooms:

  • Preparation
  • Identification & Scoping
  • Threat Intel & Containment
  • Eradication & Remediation
  • Lessons Learned
  • Tardigrade

In this post I will be walking through Identification & Scoping.

Task 1: Introduction

Question 1: No answer needed.

Task 2: Identification: Unearthing the Existence of a Security Incident

Question 1: What is the Subject of Ticket#2023012398704232?

Follow the directions in the reading to dismiss all the Office warnings. Once Outlook opens on the VM, scroll down the inbox to the first message from John Sterling; that is the one with the ticket number from the question. In the message thread, scroll to the first message and you will see the ticket information, including the subject.

Answer: weird error in outlook

Continue reading TryHackMe Walkthrough – Incident Response – Identification & Scoping

TryHackMe Walkthrough – Incident Response – Preparation

Preparation is the first room in the Incident Response learning path within the TryHackMe learning platform.

The learning path consists of the following rooms:

  • Preparation
  • Identification & Scoping
  • Threat Intel & Containment
  • Eradication & Remediation
  • Lessons Learned
  • Tardigrade

In this post I will walk through the Preparation room.

Task 1: Introduction

Question 1: No answer needed

Task 2: Incident Response Capability

Question 1: What is an observed occurrence within a system?

The answer is in the reading. Look at the first bullets in this task.

Answer: Event

Question 2: What is described as a violation of security policies and practices?

This answer is also in the reading, in the same place as question 1.

Answer: Incident

Continue reading TryHackMe Walkthrough – Incident Response – Preparation

TryHackMe Walkthrough – The Greenholt Phish

Task 1: Just another day as a SOC analyst

Only one task for this room.

Question 1: What date was the email received? (answer format: M/DD/YY)

I opened the email in Thunderbird.

Answer: 6/10/20

Question 2: Who is the email from?

In the From…

Answer: Mr. James Jackson

Question 3: What is his email address?

Also in the From…

Answer: info@mutawamarine.com
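The three answers above all come from the message headers. As an added example that is not part of the room or this walkthrough, the script below pulls those same fields (plus the Return-Path/From alignment an analyst checks next) out of a raw .eml using only the Python standard library. SAMPLE_EML is constructed for the example: the display name and address are the walkthrough's answers, while the hosts, IPs, Subject and message ID are invented.

```python
"""Pull first-triage fields out of a suspicious .eml with the standard library.

Added example, not from the TryHackMe room. SAMPLE_EML is constructed: the
From display name and address match the walkthrough's answers; every other
header value (hosts, IPs, Subject, ESMTP id) is invented.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

SAMPLE_EML = b"""\
Return-Path: <bounce@mailer.example.invalid>
Received: from mailer.example.invalid (mailer.example.invalid [203.0.113.5])
\tby mx.greenholt.invalid with ESMTP id 4Q7xk2; Wed, 10 Jun 2020 05:58:41 +0000
From: "Mr. James Jackson" <info@mutawamarine.com>
To: analyst@greenholt.invalid
Subject: Invoice for shipment
Date: Wed, 10 Jun 2020 05:58:41 +0000
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice.
"""


def triage_headers(raw: bytes) -> dict:
    """Return date, sender identity and a Return-Path/From alignment check."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, address = parseaddr(str(msg["From"]))
    sent = parsedate_to_datetime(str(msg["Date"]))
    from_domain = address.rpartition("@")[2].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    return_path_domain = return_path.rpartition("@")[2].lower()
    return {
        # Room's M/DD/YY format, built by hand so it does not rely on %-m.
        "date": f"{sent.month}/{sent.day:02d}/{sent:%y}",
        "from_name": display_name,
        "from_address": address,
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        # Envelope sender on a different domain from the header From is a
        # common phishing tell, and it is the address SPF actually checks.
        "envelope_mismatch": return_path_domain != from_domain,
        # Hops read bottom-up: the last Received header is closest to the origin.
        "received_hops": [str(h) for h in msg.get_all("Received", [])],
    }


if __name__ == "__main__":
    for key, value in triage_headers(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run it against a real message by replacing SAMPLE_EML with the bytes of a saved .eml (File > Save As in Thunderbird). The envelope_mismatch flag is a hint, not a verdict: mailing lists and bulk senders legitimately use a different Return-Path domain.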

Continue reading TryHackMe Walkthrough – The Greenholt Phish

TryHackMe Walkthrough – Phishing Prevention

Task 1: Introduction

Question 1: After visiting the link in the task, what is the MITRE ID for the “Software Configuration” mitigation technique?

Follow the link to https://attack.mitre.org/techniques/T1598/#mitigations. Look for Software Configuration and the ID is there.

Answer: M1054

Task 2: SPF (Sender Policy Framework)

Question 1: Referencing the dmarcian SPF syntax table, what prefix character can be added to the “all” mechanism to ensure a “softfail” result?

Follow the link to the dmarcian page, then click the “here” link in the sentence “More in-depth information on the differences between ‘~’ and ‘-’ can be found here.”

This gives you the…

Answer: ~

Question 2: What is the meaning of the -all tag?

This answer is on that second webpage as well. Scroll down a little to see the difference between ~all and -all:

  • “softfail” in the case of “~”
  • “fail” in the case of “-”

Answer: fail
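To make the qualifier rules concrete, here is an added example (my own code, not from the room or from dmarcian) that parses an SPF TXT record and evaluates a sending IP against it. It goes slightly beyond the two questions above: it handles all four qualifiers (+, -, ~, ?) and the ip4/ip6 mechanisms, and shows the RFC 7208 neutral result for a record with no “all” term. Mechanisms that need DNS (include, a, mx, exists, ptr) and modifiers (redirect=, exp=) are deliberately rejected so the code runs offline; the record strings in the usage block are constructed.

```python
"""Minimal SPF record evaluator.

Added example, not from the TryHackMe room or dmarcian. It covers the ip4,
ip6 and "all" mechanisms with the four qualifiers (+ pass, - fail,
~ softfail, ? neutral). DNS-dependent mechanisms and modifiers raise so the
example stays offline.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}


def parse_spf(record: str) -> list:
    """Split an SPF TXT record into (qualifier, mechanism, argument) triples.

    A mechanism without an explicit prefix gets the default "+" qualifier,
    which is why a bare "all" would mean "pass everything".
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # redirect=/exp= modifiers, not handled here
            raise NotImplementedError(f"modifier not supported: {term}")
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def evaluate_spf(record: str, sender_ip: str) -> str:
    """SPF result for sender_ip under record: left to right, first match wins."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            # "all" always matches, so its qualifier is the policy for every
            # sender not listed earlier: ~all -> softfail, -all -> fail.
            return QUALIFIERS[qualifier]
        elif mechanism in DNS_MECHANISMS:
            raise NotImplementedError(f"{mechanism} needs a DNS lookup; not handled here")
        else:
            raise ValueError(f"unknown mechanism: {mechanism}")
    # RFC 7208 section 4.7: nothing matched and no "all" term -> neutral
    return "neutral"


if __name__ == "__main__":
    # Constructed records; 198.51.100.7 is outside the listed range.
    for rec in ("v=spf1 ip4:192.0.2.0/24 ~all", "v=spf1 ip4:192.0.2.0/24 -all"):
        print(rec, "->", evaluate_spf(rec, "198.51.100.7"))
```

The practical point: ~all only tells the receiver the message is probably unauthorised, and many receivers still deliver it; -all asks for outright rejection. For DMARC purposes neither softfail nor fail counts as an SPF pass, so a domain that has a DMARC policy gains little from ~all except a gentler rollout.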

Continue reading TryHackMe Walkthrough – Phishing Prevention

TryHackMe Walkthrough – Phishing Analysis Tools

Task 1: Introduction

Question 1: No answer needed

Task 2: What information should we collect?

Question 1: No answer needed

Task 3: Email header analysis

Question 1: What is the official site name of the bank that capitai-one.com tried to resemble?

This should be self-explanatory: search for Capital One to see what its real domain is. The lookalike swaps the lowercase “l” in “capital” for an “i” and adds a hyphen.

Answer: capitalone.com
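Spotting capitai-one.com by eye works for one email; at SOC volume you want the check automated. As an added example that is not part of the room, the code below folds visually confusable characters (i/l/1, 0/o, rn/m, vv/w, stray hyphens, punycode and non-ASCII homoglyphs) into a canonical “skeleton” and then measures edit distance against a watch-list of protected brand domains. PROTECTED and every domain in the tests are constructed for the example.

```python
"""Flag sender domains that visually imitate a protected brand domain.

Added example, not from the TryHackMe room. PROTECTED is a constructed
watch-list; the technique is a character "skeleton" (confusable characters
folded to one canonical form) followed by an edit-distance check.
"""
import unicodedata

PROTECTED = ("capitalone.com", "paypal.com", "microsoft.com")

# Single characters that render alike in common UI fonts; mapping to None
# deletes the character, so "capital-one" and "capitalone" compare equal.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "-": None})


def skeleton(domain: str) -> str:
    """Canonical form of a domain for lookalike comparison."""
    d = domain.strip().lower()
    if "xn--" in d:  # decode punycode so IDN homoglyphs are visible
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    d = unicodedata.normalize("NFKC", d)
    d = d.encode("ascii", "ignore").decode()      # drop non-ASCII homoglyphs
    d = d.replace("rn", "m").replace("vv", "w")   # multi-char confusables first
    return d.translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, protected=PROTECTED, max_distance: int = 1):
    """Return (brand, distance) if domain imitates a protected brand, else None."""
    domain = domain.strip().lower()
    if domain in protected:
        return None  # the genuine domain is not a lookalike of itself
    s = skeleton(domain)
    best = None
    for brand in protected:
        d = levenshtein(s, skeleton(brand))
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best


if __name__ == "__main__":
    for candidate in ("capitai-one.com", "paypa1.com", "rnicrosoft.com", "example.com"):
        print(candidate, "->", lookalike(candidate))
```

Distance 0 after skeletonisation means the only differences are confusable characters, which is the strongest signal; distance 1 catches typosquats such as a doubled letter. Tune max_distance per brand length, since a budget of 1 on a four-letter brand will fire on unrelated domains.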

Continue reading TryHackMe Walkthrough – Phishing Analysis Tools

TryHackMe Walkthrough – Phishing Emails in Action

Task 1: Introduction

Question 1: No answer needed

Task 2: Cancel your PayPal order

Question 1: What phrase does the gibberish sender email start with?

This answer is in the reading. Look at the email address marked with red circle 2.

Answer: noreply

Continue reading TryHackMe Walkthrough – Phishing Emails in Action

TryHackMe Walkthrough – Phishing Analysis Fundamentals

Task 1: Introduction

Question 1: No answer needed.

Task 2: The Email Address

Question 1: Email dates back to what time frame?

Answer is in the reading. Second paragraph.

Answer: 1970s

Continue reading TryHackMe Walkthrough – Phishing Analysis Fundamentals

TryHackMe – Intro to Malware Analysis Walkthrough

In this walkthrough we will go step by step to answer the questions.

Task 1: Introduction

No questions here, so let’s keep moving.

Task 2: Malware Analysis

Question: Which team uses malware analysis to look for IOCs and hunt for malware in a network?

The answer can be found in the reading in “The purpose behind Malware Analysis” section. Specifically, the Threat Hunt bullet.

Threat Hunt teams analyze malware to identify IOCs, which they use to hunt for malware in a network.

Answer: threat hunt teams

Continue reading TryHackMe – Intro to Malware Analysis Walkthrough

TryHackMe – TheHive Project Walkthrough

Tasks 1 & 2 are easy “I read this” ones, so let’s skip to…

Task 3

Question 1: Which open-source platform supports the analysis of observables within TheHive?

In the reading, the “Observable Enrichment with Cortex” bullet explains that one of the main feature integrations TheHive supports is Cortex.

Answer: Cortex

Continue reading TryHackMe – TheHive Project Walkthrough