Blue Team Cyber Defender

  Learn about fundamentals, methodology, and tooling for endpoint security monitoring. Link - https://tryhackme.com/room/introtoendpointsecurity What is the normal parent process of services.exe? wininit.exe What is the name of the network utility tool introduced in this task? tcpview What is the PowerShell cmdlet for viewing Windows Event Logs? get-winevent Provide the command used to enter OSQuery CLI. osqueryi What does EDR mean? Provide the answer in lowercase. Endpoint detection and response Provide the flag for the simulated investigation activity. That’s it! See you in the next Room :)

  Learn the basics of Wireshark and how to analyse protocols and PCAPs. Link- https://tryhackme.com/room/wiresharkthebasics Which file is used to simulate the screenshots? http1.pcapng Which file is used to answer the questions? Exercise.pcapng Use the “Exercise.pcapng” file to answer the questions. Read the “capture file comments”. What is the flag? TryHackMe_Wireshark_Demo What is the total number of packets? 58620 What is the SHA256 hash value of the capture file? f446de335565fb0b0ee5e5a3266703c778b2f3dfad7efeaeccb2da5641a6d6eb Use the “Exercise.pcapng” file to answer the questions. View packet number 38. Which markup language is used under the HTTP protocol? extensible markup language What is the arrival date of the packet? (Answer format: Month/Day/Year) 05/13/2004 What is the TTL value? 47 What is the TCP payload size? 424 What is the e-tag value? Follow HTTP Stream 9a01a-4696–7e354b00 Use the “Exercise.pcapng” file to answer the questions. Search the “r4w” string in packet detai

  Learn what is the Pyramid of Pain and how to utilize this model to determine the level of difficulty it will cause for an adversary to change the indicators associated with them, and their campaign. Link - https://tryhackme.com/room/pyramidofpainax Provide the ransomware name for the hash ‘63625702e63e333f235b5025078cea1545f29b1ad42b1e46031911321779b6be’ using open-source lookup tools Conti What is the ASN for the third IP address observed? Host Europe GmbH What is the domain name associated with the first IP address observed? craftingalegacy.com Go to this report on app.any.run and provide the first malicious URL request you are seeing, you will be using this report to answer the remaining questions of this task. craftingalegacy.com What term refers to an address used to access websites? Domain Name What type of attack uses Unicode characters in the domain name to imitate the a known domain? Punycode attack Provide the redirected website for the shortened URL using a preview: https(

  This room explains the technical details behind the Meltdown vulnerability. Link - https://tryhackme.com/room/meltdownexplained what is it called when a program accesses a cache and finds the correct value? hit what is it called when a program accesses a cache and doesn’t find the correct value? miss What kind of memory does the virtual address contain(apart from user memory) kernel memory That’s it! See you in the next Room :)

  Understand the flaws of an application and apply your researching skills on some vulnerability databases. Link - https://tryhackme.com/room/vulnerabilities101 An attacker has been able to upgrade the permissions of their system account from “user” to “administrator”. What type of vulnerability is this? Operating System You manage to bypass a login panel using cookies to authenticate. What type of vulnerability is this? Application Logic What year was the first iteration of CVSS published? 2005 If you wanted to assess vulnerability based on the risk it poses to an organisation, what framework would you use? Note: We are looking for the acronym here. VPR If you wanted to use a framework that was free and open-source, what framework would that be? Note: We are looking for the acronym here. CVSS Using NVD, how many CVEs were submitted in July 2021? 1585 Who is the author of Exploit-DB? Offensive Security What type of vulnerability did we use to find the name and version of the applicatio

  Practice analyzing malicious traffic using Brim. Link - https://tryhackme.com/room/mastermindsxlq [Infection 1] Provide the victim’s IP address. Load infection1.pcap in Brim Check the source IP of “Http Requests” 192.168.75.249 The victim attempted to make HTTP connections to two suspicious domains with the status ‘404 Not Found’. Provide the hosts/domains requested. cambiasuhistoria.growlab.es, www.letscompareonline.com The victim made a successful HTTP connection to one of the domains and received the response_body_len of 1,309 (uncompressed content size of the data transferred from the server). Provide the domain and the destination IP address. Check the “Http Requests” ww25.gocphongthe.com,199.59.242.153 How many unique DNS requests were made to cab[.]myfkn[.]com domain (including the capitalized domain)? Check “Unique DNS Queries” 7 Provide the URI of the domain bhaktivrind[.]com that the victim reached out over HTTP. Check the “Http Requests” /cgi-bin/JBbb8/ Provide the IP addr

Find out what happened by analysing a .pcap file and hack your way back into the machine Link - https://tryhackme.com/room/h4cked Download the Task file The attacker is trying to log into a specific service. What service is this? FTP There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool? Hydra The attacker is trying to log on with a specific username. What is the username? jenny What is the user’s password? password123 What is the current FTP working directory after the attacker logged in? /var/www/html The attacker uploaded a backdoor. What is the backdoor’s filename? shell.php The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL? Follow tcp stream http://pentestmonkey.net/tools/php-reverse-shell Which command did the attacker manually execute after getting a reverse shell? Follow tcp stream whoami What is the computer’s hostname? Follow tcp stream w