Blue Team Cyber Defender

  Introductory room for the DFIR module Link - https://tryhackme.com/room/introductoryroomdfirmodule What does DFIR stand for? Digital Forensics and Incident Response DFIR requires expertise in two fields. One of the fields is Digital Forensics. What is the other field? Incident Response. Complete the timeline creation exercise in the attached static site. What is the flag that you get after completion? At what stage of the IR process are disrupted services brought back online as they were before the incident? recovery At what stage of the IR process is the threat evicted from the network after performing the forensic analysis? eradication What is the NIST-equivalent of the step called “Lessons learned” in the SANS process? Post-incident Activity That’s it! See you in the next Room :)

  Learn about the four core features of the Diamond Model of Intrusion Analysis: adversary, infrastructure, capability, and victim. Link - https://tryhackme.com/room/diamondmodelrmuwwg42 What is the term for a person/group that has the intention to perform malicious actions against cyber resources? Adversary Operator What is the term of the person or a group that will receive the benefits from the cyberattacks? Adversary Customer What is the term that applies to the Diamond Model for organizations or people that are being targeted? Victim Personae Provide the term for the set of tools or capabilities that belong to an adversary. Adversary Arsenal To which type of infrastructure do malicious domains and compromised email accounts belong? Type 2 Infrastructure What type of infrastructure is most likely owned by an adversary? Type 1 Infrastructure What meta-feature does the axiom “Every malicious activity contains two or more phases which must be successfully executed in succession to ach

  Introducing cyber threat intelligence and related topics, such as relevant standards and frameworks. Link - https://tryhackme.com/room/cyberthreatintel What does CTI stand for? Cyber Threat Intelligence IP addresses, Hashes and other threat artefacts would be found under which Threat Intelligence classification? Technical Intel At which phase of the lifecycle is data made usable through sorting, organising, correlation and presentation? processing During which phase do security analysts get the chance to define the questions to investigate incidents? direction What sharing models are supported by TAXII? collection and channel When an adversary has obtained access to a network and is extracting data, what phase of the kill chain are they on? action on objectives What was the source email address? vipivillain@badbank.com What was the name of the file downloaded? flbpfuh.exe After building the threat profile, what message do you receive? After solving below you get code That’s it! See y

  Learn about fundamentals, methodology, and tooling for endpoint security monitoring. Link - https://tryhackme.com/room/introtoendpointsecurity What is the normal parent process of services.exe? wininit.exe What is the name of the network utility tool introduced in this task? tcpview What is the PowerShell cmdlet for viewing Windows Event Logs? get-winevent Provide the command used to enter OSQuery CLI. osqueryi What does EDR mean? Provide the answer in lowercase. Endpoint detection and response Provide the flag for the simulated investigation activity. That’s it! See you in the next Room :)

  Learn how to interact with the win32 API and understand its wide range of use cases Link- https://tryhackme.com/room/windowsapi Does a process in the user mode have direct hardware access? (Y/N) n Does launching an application as an administrator open the process in kernel mode? (Y/N) n What header file imports and defines the User32 DLL and structure? winuser.h What parent header file contains all other required child and core header files? windows.h What overarching namespace provides P/Invoke to .NET? system What memory protection solution obscures the process of importing API calls? aslr Which character appended to an API call represents an ANSI encoding? a Which character appended to an API call represents extended functionality? ex What is the memory allocation type of 0x00080000 in the VirtualAlloc API call? MEM_RESET Do you need to define a structure to use API calls in C? (Y/N) n What method is used to import a required DLL? dllimport What type of method is used to reference

  Learn the basics of Wireshark and how to analyse protocols and PCAPs. Link- https://tryhackme.com/room/wiresharkthebasics Which file is used to simulate the screenshots? http1.pcapng Which file is used to answer the questions? Exercise.pcapng Use the “Exercise.pcapng” file to answer the questions. Read the “capture file comments”. What is the flag? TryHackMe_Wireshark_Demo What is the total number of packets? 58620 What is the SHA256 hash value of the capture file? f446de335565fb0b0ee5e5a3266703c778b2f3dfad7efeaeccb2da5641a6d6eb Use the “Exercise.pcapng” file to answer the questions. View packet number 38. Which markup language is used under the HTTP protocol? extensible markup language What is the arrival date of the packet? (Answer format: Month/Day/Year) 05/13/2004 What is the TTL value? 47 What is the TCP payload size? 424 What is the e-tag value? Follow HTTP Stream 9a01a-4696–7e354b00 Use the “Exercise.pcapng” file to answer the questions. Search the “r4w” string in packet detai

  Understand how antivirus software works and what detection techniques are used to bypass malicious files checks. Link - https://tryhackme.com/room/introtoav What was the virus name that infected John McAfee’s PC? brain Which PC Antivirus vendor implemented the first AV software on the market? mcafee Antivirus software is a _____-based security solution. host Which AV feature analyzes malware in a safe and isolated environment? emulator An _______ feature is a process of restoring or decrypting the compressed executable files to the original. unpacker What is the sigtool tool output to generate an MD5 of the AV-Check.exe binary? f4a974b0cf25dca7fbce8701b7ab3a88:6144:AV-Check.exe Use the strings tool to list all human-readable strings of the AV-Check binary. What is the flag? THM{Y0uC4nC-5tr16s} Which detection method is used to analyze malicious software inside virtual environments? dynamic detection That’s it! See you in the next Room :)

  Learn what is the Pyramid of Pain and how to utilize this model to determine the level of difficulty it will cause for an adversary to change the indicators associated with them, and their campaign. Link - https://tryhackme.com/room/pyramidofpainax Provide the ransomware name for the hash ‘63625702e63e333f235b5025078cea1545f29b1ad42b1e46031911321779b6be’ using open-source lookup tools Conti What is the ASN for the third IP address observed? Host Europe GmbH What is the domain name associated with the first IP address observed? craftingalegacy.com Go to this report on app.any.run and provide the first malicious URL request you are seeing, you will be using this report to answer the remaining questions of this task. craftingalegacy.com What term refers to an address used to access websites? Domain Name What type of attack uses Unicode characters in the domain name to imitate the a known domain? Punycode attack Provide the redirected website for the shortened URL using a preview: https(

  Learn the steps and procedures of a red team engagement, including planning, frameworks, and documentation. Link - https://tryhackme.com/room/redteamengagements What CIDR range is permitted to be attacked? 10.0.4.0/22 Is the use of white cards permitted? (Y/N) Y Are you permitted to access “*.bethechange.xyz?” (Y/N) N How many explicit restriction are specified? 3 What is the first access type mentioned in the document? phishing Is the red team permitted to attack 192.168.1.0/24? (Y/N) N How long will the engagement last? 1 Month How long is the red cell expected to maintain persistence? 3 Weeks What is the primary tool used within the engagement? Cobalt Strike When will the engagement end? 11/14/2021 What is the budget the red team has for AWS cloud cost? $1000 Are there any miscellaneous requirements for the engagement? (Y/N) N What phishing method will be employed during the initial access phase? Spearphishing What site will be utilized for communication between the client and red

Introduction to Windows Registry Forensics Link - https://tryhackme.com/room/windowsforensics1 What is the most used Desktop Operating System right now? Microsoft Windows What is the short form for HKEY_LOCAL_MACHINE? HKLM What is the path for the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM? C:\Windows\System32\Config What is the path for the AmCache hive? C:\Windows\AppCompat\Programs\Amcache.hve What is the Current Build Number of the machine whose data is being investigated? 19044 Which ControlSet contains the last known good configuration? 1 What is the Computer Name of the computer? THM-4n6 What is the value of the TimeZoneKeyName? Pakistan Standard Time What is the DHCP IP address 192.168.100.58 What is the RID of the Guest User account? 501 When was EZtools opened? 2021–12–01 13:00:34 At what time was My Computer last interacted with? 2021–12–01 13:06:47 What is the Absolute Path of the file opened using notepad.exe? C:\Program Files\Amazon\Ec2ConfigSe

  Play through a day in the life of a Junior Security Analyst, their responsibilities and qualifications needed to land a role as an analyst. Link - https://tryhackme.com/room/jrsecanalystintrouxo What was the malicious IP address in the alerts? 221.181.185.159 To whom did you escalate the event associated with the malicious IP address? Will Griffin After blocking the malicious IP address on the firewall, what message did the malicious actor leave for you? That’s it! See you in the next Room :)

  This room is an introduction to red teaming Link - https://tryhackme.com/room/redteamrecon Would vulnerability assessments prepare us to detect a real attacker on our networks? (Yay/Nay) Nay During a penetration test, are you concerned about being detected by the client? (Yay/Nay) Nay Highly organised groups of skilled attackers are nowadays referred to as … Advanced Persistent Threats The goals of a red team engagement will often be referred to as flags or… crown jewels During a red team engagement, common methods used by attackers are emulated against the target. Such methods are usually called TTPs. What does TTP stand for? Tactics, techniques and procedures The main objective of a red team engagement is to detect as many vulnerabilities in as many hosts as possible (Yay/Nay) Nay What cell is responsible for the offensive operations of an engagement? Red Cell What cell is the trusted agent considered part of? White Cell If an adversary deployed Mimikatz on a target machine, where