Blue Team Cyber Defender

  Learn the basics of Wireshark and how to analyse protocols and PCAPs. Link- https://tryhackme.com/room/wiresharkthebasics Which file is used to simulate the screenshots? http1.pcapng Which file is used to answer the questions? Exercise.pcapng Use the “Exercise.pcapng” file to answer the questions. Read the “capture file comments”. What is the flag? TryHackMe_Wireshark_Demo What is the total number of packets? 58620 What is the SHA256 hash value of the capture file? f446de335565fb0b0ee5e5a3266703c778b2f3dfad7efeaeccb2da5641a6d6eb Use the “Exercise.pcapng” file to answer the questions. View packet number 38. Which markup language is used under the HTTP protocol? extensible markup language What is the arrival date of the packet? (Answer format: Month/Day/Year) 05/13/2004 What is the TTL value? 47 What is the TCP payload size? 424 What is the e-tag value? Follow HTTP Stream 9a01a-4696–7e354b00 Use the “Exercise.pcapng” file to answer the questions. Search the “r4w” string in packet detai

  Understand how antivirus software works and what detection techniques are used to bypass malicious files checks. Link - https://tryhackme.com/room/introtoav What was the virus name that infected John McAfee’s PC? brain Which PC Antivirus vendor implemented the first AV software on the market? mcafee Antivirus software is a _____-based security solution. host Which AV feature analyzes malware in a safe and isolated environment? emulator An _______ feature is a process of restoring or decrypting the compressed executable files to the original. unpacker What is the sigtool tool output to generate an MD5 of the AV-Check.exe binary? f4a974b0cf25dca7fbce8701b7ab3a88:6144:AV-Check.exe Use the strings tool to list all human-readable strings of the AV-Check binary. What is the flag? THM{Y0uC4nC-5tr16s} Which detection method is used to analyze malicious software inside virtual environments? dynamic detection That’s it! See you in the next Room :)

  Play through a day in the life of a Junior Security Analyst, their responsibilities and qualifications needed to land a role as an analyst. Link - https://tryhackme.com/room/jrsecanalystintrouxo What was the malicious IP address in the alerts? 221.181.185.159 To whom did you escalate the event associated with the malicious IP address? Will Griffin After blocking the malicious IP address on the firewall, what message did the malicious actor leave for you? That’s it! See you in the next Room :)

  Learn the different indicators of phishing attempts by examining actual phishing emails. Link- https://tryhackme.com/room/phishingemails1tryoe What phrase does the gibberish sender email start with? noreply What is the root domain for each URL? Defang the URL. devret[.]xyz This email sample used the names of a few major companies, their products, and logos such as OneDrive and Adobe. What other company name was used in this phishing email? Citrix What should users do if they receive a suspicious email or text message claiming to be from Netflix? forward the message to phishing@netflix.com What does BCC mean? Blind Carbon Copy What technique was used to persuade the victim to not ignore the email and act swiftly? Urgency What is the name of the executable that the Excel attachment attempts to run? regasms.exe That’s it! See you in the next Room :)

  Learn all the components that make up an email. Link- https://tryhackme.com/room/phishingemails1tryoe Email dates back to what time frame? 1970s What port is classified as Secure Transport for SMTP? 465 What port is classified as Secure Transport for IMAP? 993 What port is classified as Secure Transport for POP3? 995 What email header is the same as “Reply-to”? Return-Path Once you find the email sender’s IP address, where can you retrieve more information about the IP? http://www.arin.net/ In the above screenshots, what is the URI of the blocked image? https://i.imgur.com/lsw0tdi.png In the above screenshots, what is the name of the PDF attachment? payment-updateid.pdf In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF? Use Cyberchef from Base64 and save the output as a pdf file. Open the pdf. THM{BENIGN_PDF_ATTACHMENT} What trusted entity is this email masquerading as? Decode the subject

Learn how to use DNS, advanced searching, Recon-ng, and Maltego to collect information about your target. Link - https://tryhackme.com/room/redteamrecon When was thmredteam.com created (registered)? (YYYY-MM-DD) 2021–09–24 To how many IPv4 addresses does clinic.thmredteam.com resolve? 2 To how many IPv6 addresses does clinic.thmredteam.com resolve? 2 How would you search using Google for xls indexed for http://clinic.thmredteam.com? filetype:xls site:clinic.thmredteam.com How would you search using Google for files with the word passwords for http://clinic.thmredteam.com? passwords site:clinic.thmredteam.com What is the shodan command to get your Internet-facing IP address? shodan myip How do you start recon-ng with the workspace clinicredteam? recon-ng -w clinicredteam How many modules with the name virustotal exist? 2 There is a single module under hosts-domains. What is its name? migrate_hosts censys_email_address is a module that “retrieves email addresses from the TLS certificates

  You are involved in an incident response engagement and need to analyze an infected host using Redline. Link - https://tryhackme.com/room/revilcorp Upload the analysis file in Redline What is the compromised employee’s full name? John Coleman What is the operating system of the compromised host? Windows 7 Home Premium 7601 Service Pack 1 What is the name of the malicious executable that the user opened? WinRAR2021.exe What is the full URL that the user visited to download the malicious binary? (include the binary as well) http://192.168.75.129:4748/Documents/WinRAR2021.exe What is the MD5 hash of the binary? 890a58f200dfff23165df9e1b088e58f What is the size of the binary in kilobytes? 164 What is the extension to which the user’s files got renamed? .t48s39la What is the number of files that got renamed and changed to that extension? 48 What is the full path to the wallpaper that got changed by an attacker, including the image name? C:\Users\John Coleman\AppData\Local\Temp\hk8.bmp The