Blue Team Cyber Defender

  Learn about the four core features of the Diamond Model of Intrusion Analysis: adversary, infrastructure, capability, and victim. Link - https://tryhackme.com/room/diamondmodelrmuwwg42 What is the term for a person/group that has the intention to perform malicious actions against cyber resources? Adversary Operator What is the term of the person or a group that will receive the benefits from the cyberattacks? Adversary Customer What is the term that applies to the Diamond Model for organizations or people that are being targeted? Victim Personae Provide the term for the set of tools or capabilities that belong to an adversary. Adversary Arsenal To which type of infrastructure do malicious domains and compromised email accounts belong? Type 2 Infrastructure What type of infrastructure is most likely owned by an adversary? Type 1 Infrastructure What meta-feature does the axiom “Every malicious activity contains two or more phases which must be successfully executed in succession to ach

  Learn how to interact with the win32 API and understand its wide range of use cases Link- https://tryhackme.com/room/windowsapi Does a process in the user mode have direct hardware access? (Y/N) n Does launching an application as an administrator open the process in kernel mode? (Y/N) n What header file imports and defines the User32 DLL and structure? winuser.h What parent header file contains all other required child and core header files? windows.h What overarching namespace provides P/Invoke to .NET? system What memory protection solution obscures the process of importing API calls? aslr Which character appended to an API call represents an ANSI encoding? a Which character appended to an API call represents extended functionality? ex What is the memory allocation type of 0x00080000 in the VirtualAlloc API call? MEM_RESET Do you need to define a structure to use API calls in C? (Y/N) n What method is used to import a required DLL? dllimport What type of method is used to reference

Introduction to Windows Registry Forensics Link - https://tryhackme.com/room/windowsforensics1 What is the most used Desktop Operating System right now? Microsoft Windows What is the short form for HKEY_LOCAL_MACHINE? HKLM What is the path for the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM? C:\Windows\System32\Config What is the path for the AmCache hive? C:\Windows\AppCompat\Programs\Amcache.hve What is the Current Build Number of the machine whose data is being investigated? 19044 Which ControlSet contains the last known good configuration? 1 What is the Computer Name of the computer? THM-4n6 What is the value of the TimeZoneKeyName? Pakistan Standard Time What is the DHCP IP address 192.168.100.58 What is the RID of the Guest User account? 501 When was EZtools opened? 2021–12–01 13:00:34 At what time was My Computer last interacted with? 2021–12–01 13:06:47 What is the Absolute Path of the file opened using notepad.exe? C:\Program Files\Amazon\Ec2ConfigSe

  Learn all the components that make up an email. Link- https://tryhackme.com/room/phishingemails1tryoe Email dates back to what time frame? 1970s What port is classified as Secure Transport for SMTP? 465 What port is classified as Secure Transport for IMAP? 993 What port is classified as Secure Transport for POP3? 995 What email header is the same as “Reply-to”? Return-Path Once you find the email sender’s IP address, where can you retrieve more information about the IP? http://www.arin.net/ In the above screenshots, what is the URI of the blocked image? https://i.imgur.com/lsw0tdi.png In the above screenshots, what is the name of the PDF attachment? payment-updateid.pdf In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF? Use Cyberchef from Base64 and save the output as a pdf file. Open the pdf. THM{BENIGN_PDF_ATTACHMENT} What trusted entity is this email masquerading as? Decode the subject

Learn how to use DNS, advanced searching, Recon-ng, and Maltego to collect information about your target. Link - https://tryhackme.com/room/redteamrecon When was thmredteam.com created (registered)? (YYYY-MM-DD) 2021–09–24 To how many IPv4 addresses does clinic.thmredteam.com resolve? 2 To how many IPv6 addresses does clinic.thmredteam.com resolve? 2 How would you search using Google for xls indexed for http://clinic.thmredteam.com? filetype:xls site:clinic.thmredteam.com How would you search using Google for files with the word passwords for http://clinic.thmredteam.com? passwords site:clinic.thmredteam.com What is the shodan command to get your Internet-facing IP address? shodan myip How do you start recon-ng with the workspace clinicredteam? recon-ng -w clinicredteam How many modules with the name virustotal exist? 2 There is a single module under hosts-domains. What is its name? migrate_hosts censys_email_address is a module that “retrieves email addresses from the TLS certificates

  You are involved in an incident response engagement and need to analyze an infected host using Redline. Link - https://tryhackme.com/room/revilcorp Upload the analysis file in Redline What is the compromised employee’s full name? John Coleman What is the operating system of the compromised host? Windows 7 Home Premium 7601 Service Pack 1 What is the name of the malicious executable that the user opened? WinRAR2021.exe What is the full URL that the user visited to download the malicious binary? (include the binary as well) http://192.168.75.129:4748/Documents/WinRAR2021.exe What is the MD5 hash of the binary? 890a58f200dfff23165df9e1b088e58f What is the size of the binary in kilobytes? 164 What is the extension to which the user’s files got renamed? .t48s39la What is the number of files that got renamed and changed to that extension? 48 What is the full path to the wallpaper that got changed by an attacker, including the image name? C:\Users\John Coleman\AppData\Local\Temp\hk8.bmp The

  Get started with Cyber Security in 25 Days — Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas. Link - https://tryhackme.com/room/adventofcyber3 After finding Santa’s account, what is their position in the company? The Boss! After finding McStocker’s account, what is their position in the company? Build Manager After finding the account responsible for tampering, what is their position in the company? Mischief Manager What is the received flag when McSkidy fixes the Inventory Management System? Register an account, and verify the cookies using the Developer Tools in your browser. What is the name of the new cookie that was created for your account? user-auth What encoding type was used for the cookie value? hexadecimal What object format is the data of the cookie stored in? JSON Manipulate the cookie and bypass the login portal. What is the value of the administrator cookie? (username = admin) What team environment is not respondi

  Apply your analytical skills to analyze the malicious network traffic using Wireshark. Link - https://tryhackme.com/room/c2carnage After loading the pcap file in wireshark. Change the time display preferences. What was the date and time for the first HTTP connection to the malicious IP? (answer format: yyyy-mm-dd hh:mm:ss) check the HTTP traffic 2021–09–24 16:44:38 What is the name of the zip file that was downloaded? Check the contents of the packet documents.zip What was the domain hosting the malicious zip file? attirenepal.com Without downloading the file, what is the name of the file in the zip file? Right click the packet and follow HTTP stream chart-1530076591.xls What is the name of the webserver of the malicious IP from which the zip file was downloaded? LiteSpeed What is the version of the webserver from the previous question? PHP/7.2.34 Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity? finejew