Blue Team Cyber Defender

  Introductory room for the DFIR module Link - https://tryhackme.com/room/introductoryroomdfirmodule What does DFIR stand for? Digital Forensics and Incident Response DFIR requires expertise in two fields. One of the fields is Digital Forensics. What is the other field? Incident Response. Complete the timeline creation exercise in the attached static site. What is the flag that you get after completion? At what stage of the IR process are disrupted services brought back online as they were before the incident? recovery At what stage of the IR process is the threat evicted from the network after performing the forensic analysis? eradication What is the NIST-equivalent of the step called “Lessons learned” in the SANS process? Post-incident Activity That’s it! See you in the next Room :)

  Learn about the four core features of the Diamond Model of Intrusion Analysis: adversary, infrastructure, capability, and victim. Link - https://tryhackme.com/room/diamondmodelrmuwwg42 What is the term for a person/group that has the intention to perform malicious actions against cyber resources? Adversary Operator What is the term of the person or a group that will receive the benefits from the cyberattacks? Adversary Customer What is the term that applies to the Diamond Model for organizations or people that are being targeted? Victim Personae Provide the term for the set of tools or capabilities that belong to an adversary. Adversary Arsenal To which type of infrastructure do malicious domains and compromised email accounts belong? Type 2 Infrastructure What type of infrastructure is most likely owned by an adversary? Type 1 Infrastructure What meta-feature does the axiom “Every malicious activity contains two or more phases which must be successfully executed in succession to...

  Learn how to interact with the win32 API and understand its wide range of use cases Link- https://tryhackme.com/room/windowsapi Does a process in the user mode have direct hardware access? (Y/N) n Does launching an application as an administrator open the process in kernel mode? (Y/N) n What header file imports and defines the User32 DLL and structure? winuser.h What parent header file contains all other required child and core header files? windows.h What overarching namespace provides P/Invoke to .NET? system What memory protection solution obscures the process of importing API calls? aslr Which character appended to an API call represents an ANSI encoding? a Which character appended to an API call represents extended functionality? ex What is the memory allocation type of 0x00080000 in the VirtualAlloc API call? MEM_RESET Do you need to define a structure to use API calls in C? (Y/N) n What method is used to import a required DLL? dllimport What type of method is used to ...

  Learn the basics of Wireshark and how to analyse protocols and PCAPs. Link- https://tryhackme.com/room/wiresharkthebasics Which file is used to simulate the screenshots? http1.pcapng Which file is used to answer the questions? Exercise.pcapng Use the “Exercise.pcapng” file to answer the questions. Read the “capture file comments”. What is the flag? TryHackMe_Wireshark_Demo What is the total number of packets? 58620 What is the SHA256 hash value of the capture file? f446de335565fb0b0ee5e5a3266703c778b2f3dfad7efeaeccb2da5641a6d6eb Use the “Exercise.pcapng” file to answer the questions. View packet number 38. Which markup language is used under the HTTP protocol? extensible markup language What is the arrival date of the packet? (Answer format: Month/Day/Year) 05/13/2004 What is the TTL value? 47 What is the TCP payload size? 424 What is the e-tag value? Follow HTTP Stream 9a01a-4696–7e354b00 Use the “Exercise.pcapng” file to answer the questions. Search the “r4w” string in packet d...

  Understand how antivirus software works and what detection techniques are used to bypass malicious files checks. Link - https://tryhackme.com/room/introtoav What was the virus name that infected John McAfee’s PC? brain Which PC Antivirus vendor implemented the first AV software on the market? mcafee Antivirus software is a _____-based security solution. host Which AV feature analyzes malware in a safe and isolated environment? emulator An _______ feature is a process of restoring or decrypting the compressed executable files to the original. unpacker What is the sigtool tool output to generate an MD5 of the AV-Check.exe binary? f4a974b0cf25dca7fbce8701b7ab3a88:6144:AV-Check.exe Use the strings tool to list all human-readable strings of the AV-Check binary. What is the flag? THM{Y0uC4nC-5tr16s} Which detection method is used to analyze malicious software inside virtual environments? dynamic detection That’s it! See you in the next Room :)

  Learn what is the Pyramid of Pain and how to utilize this model to determine the level of difficulty it will cause for an adversary to change the indicators associated with them, and their campaign. Link - https://tryhackme.com/room/pyramidofpainax Provide the ransomware name for the hash ‘63625702e63e333f235b5025078cea1545f29b1ad42b1e46031911321779b6be’ using open-source lookup tools Conti What is the ASN for the third IP address observed? Host Europe GmbH What is the domain name associated with the first IP address observed? craftingalegacy.com Go to this report on app.any.run and provide the first malicious URL request you are seeing, you will be using this report to answer the remaining questions of this task. craftingalegacy.com What term refers to an address used to access websites? Domain Name What type of attack uses Unicode characters in the domain name to imitate the a known domain? Punycode attack Provide the redirected website for the shortened URL using a preview: ht...

  Learn the steps and procedures of a red team engagement, including planning, frameworks, and documentation. Link - https://tryhackme.com/room/redteamengagements What CIDR range is permitted to be attacked? 10.0.4.0/22 Is the use of white cards permitted? (Y/N) Y Are you permitted to access “*.bethechange.xyz?” (Y/N) N How many explicit restriction are specified? 3 What is the first access type mentioned in the document? phishing Is the red team permitted to attack 192.168.1.0/24? (Y/N) N How long will the engagement last? 1 Month How long is the red cell expected to maintain persistence? 3 Weeks What is the primary tool used within the engagement? Cobalt Strike When will the engagement end? 11/14/2021 What is the budget the red team has for AWS cloud cost? $1000 Are there any miscellaneous requirements for the engagement? (Y/N) N What phishing method will be employed during the initial access phase? Spearphishing What site will be utilized for communication between the client and...

Introduction to Windows Registry Forensics Link - https://tryhackme.com/room/windowsforensics1 What is the most used Desktop Operating System right now? Microsoft Windows What is the short form for HKEY_LOCAL_MACHINE? HKLM What is the path for the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM? C:\Windows\System32\Config What is the path for the AmCache hive? C:\Windows\AppCompat\Programs\Amcache.hve What is the Current Build Number of the machine whose data is being investigated? 19044 Which ControlSet contains the last known good configuration? 1 What is the Computer Name of the computer? THM-4n6 What is the value of the TimeZoneKeyName? Pakistan Standard Time What is the DHCP IP address 192.168.100.58 What is the RID of the Guest User account? 501 When was EZtools opened? 2021–12–01 13:00:34 At what time was My Computer last interacted with? 2021–12–01 13:06:47 What is the Absolute Path of the file opened using notepad.exe? C:\Program Files\Amazon\Ec2ConfigSe...

  Play through a day in the life of a Junior Security Analyst, their responsibilities and qualifications needed to land a role as an analyst. Link - https://tryhackme.com/room/jrsecanalystintrouxo What was the malicious IP address in the alerts? 221.181.185.159 To whom did you escalate the event associated with the malicious IP address? Will Griffin After blocking the malicious IP address on the firewall, what message did the malicious actor leave for you? That’s it! See you in the next Room :)

  An introduction to security awareness; why its important, the impact of being attacked, different threat actors and basic account security. Link - https://tryhackme.com/room/securityawarenessintro How many people were affected by eBay being hacked? 145 million What data was leaked from Playstation being hacked? names, addresses, e-mail, birth dates Who would most likely be interested in exploiting a business? Cybercriminals Who would most likely be interested in exploiting a personal computer for fun? Thrill-seekers Who would most likely be interested in exploiting a website to deliver a message? Hacktivists That’s it! See you in the next Room :)

  Learn the different indicators of phishing attempts by examining actual phishing emails. Link- https://tryhackme.com/room/phishingemails1tryoe What phrase does the gibberish sender email start with? noreply What is the root domain for each URL? Defang the URL. devret[.]xyz This email sample used the names of a few major companies, their products, and logos such as OneDrive and Adobe. What other company name was used in this phishing email? Citrix What should users do if they receive a suspicious email or text message claiming to be from Netflix? forward the message to phishing@netflix.com What does BCC mean? Blind Carbon Copy What technique was used to persuade the victim to not ignore the email and act swiftly? Urgency What is the name of the executable that the Excel attachment attempts to run? regasms.exe That’s it! See you in the next Room :)

  You are involved in an incident response engagement and need to analyze an infected host using Redline. Link - https://tryhackme.com/room/revilcorp Upload the analysis file in Redline What is the compromised employee’s full name? John Coleman What is the operating system of the compromised host? Windows 7 Home Premium 7601 Service Pack 1 What is the name of the malicious executable that the user opened? WinRAR2021.exe What is the full URL that the user visited to download the malicious binary? (include the binary as well) http://192.168.75.129:4748/Documents/WinRAR2021.exe What is the MD5 hash of the binary? 890a58f200dfff23165df9e1b088e58f What is the size of the binary in kilobytes? 164 What is the extension to which the user’s files got renamed? .t48s39la What is the number of files that got renamed and changed to that extension? 48 What is the full path to the wallpaper that got changed by an attacker, including the image name? C:\Users\John Coleman\AppData\Local\Temp\hk8.bmp...