Blue Team Cyber Defender

Introduction to Windows Registry Forensics Link - https://tryhackme.com/room/windowsforensics1 What is the most used Desktop Operating System right now? Microsoft Windows What is the short form for HKEY_LOCAL_MACHINE? HKLM What is the path for the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM? C:\Windows\System32\Config What is the path for the AmCache hive? C:\Windows\AppCompat\Programs\Amcache.hve What is the Current Build Number of the machine whose data is being investigated? 19044 Which ControlSet contains the last known good configuration? 1 What is the Computer Name of the computer? THM-4n6 What is the value of the TimeZoneKeyName? Pakistan Standard Time What is the DHCP IP address 192.168.100.58 What is the RID of the Guest User account? 501 When was EZtools opened? 2021–12–01 13:00:34 At what time was My Computer last interacted with? 2021–12–01 13:06:47 What is the Absolute Path of the file opened using notepad.exe? C:\Program Files\Amazon\Ec2ConfigSe

  Play through a day in the life of a Junior Security Analyst, their responsibilities and qualifications needed to land a role as an analyst. Link - https://tryhackme.com/room/jrsecanalystintrouxo What was the malicious IP address in the alerts? 221.181.185.159 To whom did you escalate the event associated with the malicious IP address? Will Griffin After blocking the malicious IP address on the firewall, what message did the malicious actor leave for you? That’s it! See you in the next Room :)

  This room explains the technical details behind the Meltdown vulnerability. Link - https://tryhackme.com/room/meltdownexplained what is it called when a program accesses a cache and finds the correct value? hit what is it called when a program accesses a cache and doesn’t find the correct value? miss What kind of memory does the virtual address contain(apart from user memory) kernel memory That’s it! See you in the next Room :)

  Introduction to x64 Assembly on Windows. Link- https://tryhackme.com/room/win64assembly What is 0xA in decimal? 10 What is decimal 25 in hexadecimal? Include the prefix for hexadecimal. 0x19 How many bytes is a WORD? 2 How many bits is a WORD? 16 What is the result of the binary operation: 1011 AND 1100? 1000 What is the result of the binary operation: 1011 NAND 1100? Include leading zeroes. 0111 How many bytes is RAX? 8 How many bytes is EAX? 4 What instruction returns from a function? ret What instruction will call/execute a function? call What instruction could be used to save a register in a way that it can later be restored? PUSH If two equal values are compared to each other, what will ZF be set to as result of the comparison? 1 In fastcall, what 64-bit register will hold the return value of a function? RAX In fastcall, what register is the first function parameter passed in? RCX In what order is data taken off of or put onto the stack? Provide the acronym. LIFO That’s it! See

  Learn how to use Redline to perform memory analysis and to scan for IOCs on an endpoint. Link - https://tryhackme.com/room/btredlinejoxr3d Who created Redline? FireEye What data collection method takes the least amount of time? Standard Collector You are reading a research paper on a new strain of ransomware. You want to run the data collection on your computer based on the patterns provided, such as domains, hashes, IP addresses, filenames, etc. What method would you choose to run a granular data collection against the known indicators? IOC Search Collector What script would you run to initiate the data collection process? Please include the file extension. RunRedlineAudit.bat If you want to collect the data on Disks and Volumes, under which option can you find it? Disk Enumeration What cache does Windows use to maintain a preference for recently executed code? Prefetch Where in the Redline UI can you view information about the Logged in User? System Information Provide the Operatin

  Practice analyzing malicious traffic using Brim. Link - https://tryhackme.com/room/mastermindsxlq [Infection 1] Provide the victim’s IP address. Load infection1.pcap in Brim Check the source IP of “Http Requests” 192.168.75.249 The victim attempted to make HTTP connections to two suspicious domains with the status ‘404 Not Found’. Provide the hosts/domains requested. cambiasuhistoria.growlab.es, www.letscompareonline.com The victim made a successful HTTP connection to one of the domains and received the response_body_len of 1,309 (uncompressed content size of the data transferred from the server). Provide the domain and the destination IP address. Check the “Http Requests” ww25.gocphongthe.com,199.59.242.153 How many unique DNS requests were made to cab[.]myfkn[.]com domain (including the capitalized domain)? Check “Unique DNS Queries” 7 Provide the URI of the domain bhaktivrind[.]com that the victim reached out over HTTP. Check the “Http Requests” /cgi-bin/JBbb8/ Provide the IP addr

  A Walkthrough room to teach you the basics of bash scripting Link - https://tryhackme.com/room/bashscripting What piece of code can we insert at the start of a line to comment out our code? # What will the following script output to the screen, echo “BishBashBosh” BishBashBosh What would this code return? Jammy is 21 years old How would you print out the city to the screen? echo $city How would you print out the country to the screen? echo $country How can we get the number of arguments supplied to a script? $# How can we get the filename of our current script(aka our first argument)? $0 How can we get the 4th argument supplied to the script? $4 If a script asks us for input how can we direct our input into a variable called ‘test’ using “read” read test What will the output of “echo $1 $3” if the script was ran with “./script.sh hello hola aloha” hello aloha What would be the command to print audi to the screen using indexing. echo “${cars[1]}” If we wanted to remove tesla from the