#soc-level-1-path

🥳 SOC Level 1 🥳
In the Junior Security Analyst role, you will be a Triage Specialist. You will spend a significant portion of your time triaging or monitoring the event logs and alerts.

The responsibilities of a Junior Security Analyst or Tier 1 SOC Analyst include the following:

☑️ Monitor and investigate alerts (most of the time, it's a 24x7 SOC operations environment)
☑️ Configure and manage security tools
☑️ Develop and implement IDS signatures
☑️ Escalate the security incidents to the Tier 2 and Team Lead if needed

second!

https://tenor.com/view/ferret-ferret-dance-ferret-rave-pole-cat-noodle-cat-gif-16430831

Guess i'l have to pay for another year of tryhackme 😄

I think is a proble at this question

https://tryhackme.com/room/pyramidofpainax

or maybe im just dumb

I tried ||virus total||

with these ips

Pretty sure that's where I found the answer. Make sure you're looking at the correct bit of ||vt||

Super Excited for this path

Stuck on Pyramid of Pain room, task 9 right now, swear i have these right lol

If anyone completes this task 9 let me know, curious what i did wrong... i have matched all the answers based on the text from the room but still no luck

I am stuck on task 5 question 2 the ip address it stated no problems from virus total and metadefender

Wow you are really good

I ended up finding the answer on Any.Run and not one of the tools from Task 2 like it says

https://any.run/report/e2d2ebafc33d7c7819f414031215c3669bccdfb255af3cbe0177b2c601b0e0cd/90b76d7b-8df6-43c5-90ec-d4bbcfb4fa19

Later I try again thanks 😃

Gave +1 Rep to @tough sequoia

So that means the question is being created wrongly

or i missed something, but i have seen a few people with the question/issue so i think it may be the question yes

How you get the any run to work must I create an account?

i found the results when googling the IP, not sure how to view saved reports on any.run otherwise

Thanks for sharing the tips I feel like watching the tutorial from YouTube but felt like I am cheating

Gave +1 Rep to @tough sequoia

Im still stuck on task9, if there is a guide/answer for that in the youtube i would appreciate the link lol, finished everything else and thought i had this right

ah found it

LOL the youtube video (https://www.youtube.com/watch?v=q1d61X0TvHc) shows the guy trying task 9, the split view site saying he is wrong, then he just completes the task (since no answer is required)... guess that didnt help me

Will try again don't believe I can't get past that round

doing the pyramid of pain section task 5, are these not the same question just worded differently or do i need to rest my brain? 😄

one is the source file that the user ran and the other is the "dropped" file that the malware placed, they are different

at least from my memory of the room last night

yep, you're right. top one is the dropped file, the bottom is the source file the user interacted with

Where do I start looking for the source file the user interacted with?

Searching the IP from the screenshot i was able to find this data through an any.run report myself

I received my answer from VirusTotal, even though it does not indicate a problem with the IP. VirusTotal provides more information than just whether there is a problem or not. In this respect, maybe look around on the site again 😉

I'm having the same problem here. I am pretty sure, i got the correct mapping, but it keeps telling me, it is wrong. Is there anybody who got a working solution for this?

Hello very new to cyber security, going through soc 1 and having trouble finding name of ransomware on virus total

found it its conti

Did you ever find the answer to this?

Hellooo you all. I'm stuck in section 4, question 2. I would really think the answer to the question is simply URL but nope 😃
Question: What term refers to an address used to access websites?

Recommend using Spoiler tags || text ||

Nope, just clicked "completed" on the task, doesnt actually madder if you do the correct portion on the right

Hello all

Hope u r doing well

Is someone can help me to understand the following question:
What term refers to an address used to access website

In pyramid of pain room please

Well, how do you got a website?

By writing the url

Ok, and is inside the URL?

Before the TLD?

Ok thanks

Room completed thanks to u

@scenic token I'm pretty sure there is an issue with the static site on Pyramid of Pain. Two of the answers apply to Host/Network Artifacts and none of the answers seem to apply to "IP Addresses". I tried many different combinations and none produced a successful result. I know you don't even need to finish it to click the "completed" button but it seems like this task will cause some confusion for people who are trying to learn what each stage of the pyramid involves. Thanks for putting the room together!

Gave +1 Rep to @scenic token

Domain Name

Thank you Josh 👍

Gave +1 Rep to @lament scroll

any luck with this question?

yeh, was worked out just under my original comment, one is original file the end user interacted with and the other is the 'dropped" file

Where do I go for the full name of the G_jugk.exe malware

Can't find anything that matches the string it's looking for

NVM found it, f*** that was a bit annoying lol. My OSINT game is rustier than I thought, I guess.

hey im new to osint and cyber in general any tips on how to find the answer for 5.4

hello i am new to cyber any tips on getting better at osint so i can answer 5.4

I didnt get an answer still yet

i just can't answer number 4

Likewise me
The combination are too odds

Apparently the soc learning pathway is only for subscriber
Unfortunately I'm requested to pay 😩😩 it sucks

its just 90 for unlimitted access for a year and its not gonna take a year for me to finish this pathway

can you help me with 5.4

Hello, of course

so i am very knew to cyber

so i am new to cyber i have no idea what to do to try to find the answer

Do you answer to the previews question?

yea i answered the first 3

those were in the pics above so i was hoping the 4th one was too

Ok how do you find the name of the malicious doc?

maybe open the exe file

Try to put the name file on Google

You will find some interesting things

Did you find something?

when i put the file name of number 3 in google i don't see anything that points me in the direction of the filename

Click on any.run report

You will find the answer there

any other tips i don't really understand what im looking for

Im so upset that i been looking for the answer to 5.4 for 2 GOT D!!# days and it was in plain sight like that

thanks JIGSAW

ALL done JIGSAW thanks

can someone please help me with this

Use the tools introduced in task 2 and provide the name of the malware associated with the IP address

when i run the ip address on OPSWAT MetaDefender it says no threat detected

Don't forget that you can use Google can be used as a tools to gathering informations

Threat Intelligence Room: Task 3 UrlScan.io - "The Cisco Umbrella rank of the primary domain is 222829" and "This website contacted 17 IPs in 3 countries across 14 domains to perform 119 HTTP transactions." BUT, those do not give a woop! Instead, one has to look up the old answers in someone elses walkthrough, namely rank 345612 and 13 domains.

I am working on Threat Intelligence Room task 5 PhishTool. I do not understand how I get the IP from Email1.eml? It says use Cyberchef but how do I do that with no internet on the box? Is there a way to download the file to the attack box?

For this first exercise you do not need the phishtool. Open the email in Thunderbird (You have 5 new messages) -> View Headers -> ALL That is enough info to answer the questions.

If you're daring, you can actually just open it in vim and get all the answers 😅

Yep. Could.

https://xkcd.com/378/ Relevant 🙂

Muhhhahahahaaaaa. Thanks, you just made my day.

Gave +1 Rep to @trim widget

Hi I am doing Splunk 3 and I think I noticed a mistake? I describe it on the forum: https://tryhackme.com/forum/thread/60e4a83036963fcce57b4c0b#last
Q: : What is the name of the text file that was successfully uploaded into the S3 bucket while it was publicly accessible? Answer guidance: Provide just the file name and extension, not the full path.

We know the timestamp from the previous questions. We know bitbucket was publicly available between Timestamp:14:01:46 and 14:57:54 on 20/08/2018 .

If you check this timestamp, you won't find events. If you change it to All time, you will find correct Event.

**It is because the event, that is correct took place at 13:02:44. **

Is that question build incorrectly or I am wrong?

For the OpenCTI room: Filigran is the new home for OpenCTI and OpenEx research and development teams. As a result some documentation moved: the Public Knowledge Base can now be found at https://filigran.notion.site/OpenCTI-Public-Knowledge-Base-d411e5e477734c59887dad3649f20518 and several links in the room can not be found. Find them there.

hey, I'm stuck on this part too, how did you find the full name?

They enjoy utilizing any.run for this section is all I can say.

thanks! I'll check there. My OSINT game could also use some work

Gave +1 Rep to @craggy sorrel

Osint and enumeration can always be improved upon 🤙

completely

found it. thanks!!!

.

Hi

Hi guys, I am stuck on SOC task 3

can anyone help?

Still stuck?

Excuse me, has anyone here solved Task 9 in the Pyramid of Pain? I think it has some problems. Thanks for reading my question.

The second question in Task 5 of the Pyramid of pain has an issue. Virustotal does not associate the IP address to any malware.

Dig VirusTotal and you will find your answer.

I have already found it

Oh great!

I am just reporting an issue 🙂

👍

Thanks for the headsup! I got 222829 rank and 14 domains as well. It's an unfortunate question since these values can change over time yet the "correct" answer will not change. But I still got value out of knowing how to find this info. (ok so all of the answers are in the room's picture so I take back my criticism lol)

Gave +1 Rep to @hushed temple

Still doing my best to finish it 🤔🤔

I give up wth I am correct

Me too 😦

Oh my god when you are correct whoops check your answer 🤦and he clicked on completed

Is pyramid of pain task 9 bugged?

That is the fortunate/unfortunate fact about OSINT cases and knowledge. It will be ever-changing so we have to find ways to give you value for learning about the tool or subject

Yes i think it was always bugged from what google says, just move over it not worth it, make sure you understood what the rooms teaches you and that's that....

In the "Unified Kill Chain" room, Task 6 the first tactic is wrongly named "Lateral Movement". It should be "Pivoting"

Nice catch. Thanks 🙂

Gave +1 Rep to @haughty frost

I am doing Pyramid of Pain Task 5, but cant seem to figure out 3rd answer, i did manage to get questions 1,2,4 right though. Not sure if I am just blind or my brain is not working Q,Q

okay nvm, the answer has always been right infront of me

Is the box in threat intelligence tools intentionally set up so that it can't connect to the internet?
Noticed that yesterday and seems counter intuitive since you are supposed to use PhishTool and analyse the .eml provided.

Hello, I want to "export object" .txt file of HTTP2 using Wireshark (traffic is decrypted) but every time I try it refuses to open

^ Wireshark: Traffic Analysis > Task 8 > " Investigate the decrypted packets and find the flag! What is the flag?" Packet No. 1578 flag.txt?

hello on the page cyberkillchainzmt page you make a reference to persistence but the page is private : normal ??

https://tryhackme.com/room/persistence : room private ?? bug ??

Hey guys, I totally hit the wall with "Autopsy" module

Task 7: "What MD5 hash value of the binary is listed as an interest file" I Search for "Interesting File under "Keyword search" and nothing came up...

What is the "Interesting File" it's referring to?

Because there are so many

Never mind I figured it out! xD

Hello, on Sysinternals room, Task 9. I'm not able to find the answer for the question "Run the Strings tool on ZoomIt.exe. What is the full path to the .pdb file?"

I've found 2 paths but not the one which is needed for the question.

Please, could someone validate that the answer is there ? Thank you

https://tryhackme.com/room/snortchallenges1 im on task 2 and im stuck on 2 questsions "What is the SEQ number of packet 62" and the TTL of 65 ive noticed that examining the alerts every packet has the same SEQ number and the TTL are all 2 digit numbers and not 3 and cant get either of the questions right ?

I had the same experience, turns out there is a bug in the room where the answer is still left from a previous state of the room. I googled the exact ask and found a blog from the old room state and entered the old path.

was It normal that I have spend 8 hours solving pyramid of pain room? xDDD

bro im just learning

Hi all, I'm a little stumped on OpenCTI, task 4: What kill-chain execution phase is linked with the Command-Line Interface Attack Pattern? I listed all 7 phases of the kill-chain and even more, I don't seem to know what the question is looking for. Isn't command-line used most often in Installation phase? -TIA

ah, nm, I got it. It wanted a sub task specifically to the execution phase.

Had the same problem. Looks like ZoomIt.exe was updated and .pdb paths are different in the new version.
Solved it by locating older Sysinternals/ZoomIt.exe version then the one provided with the room.

Room: Incident handling with Splunk. The query index=botsv1 does not return anything. Are you supposed to add the data somehow? I cannot find it on the machine.

did you change the time filter as well? the default is last 24h which doesn't give you any results, but if you change it to all time you should see results

No that must be it. Thx!!

Path is rockin 🔥

wondering how to get an invite to the Persistence Room since it is private

hello

Pyramid Of Pain - Task2: Provide the ransomware name for the hash '63625702e63e333f235b5025078cea1545f29b1ad42b1e46031911321779b6be' using open-source lookup tools

i put the hash in the right tool online but the answers i am getting are not correct

Which tool are you using ?

hi, virustotal

Try using the other tool it will show you right at top

The task states to use both of the tools that were mentioned in the task. One may provide more information than the other etc..

The other tool is MetaDefender

i found the right answer! thnx

I might be overthinking the above note there so the answer is yes in my humble opinion

hey, for snort intro task 6, how do I find the referrer IP? I've tried a few different parameters with snort -r and I can't find anything that fits the answer

nvmd I got it, make sure you check the text portion of the packet you see with -X

lol

how do I find alerts generated for mx-2.pcap? Nothing I try will work

for snort intro task 8?

Help me task

Pyramid of pain

task 4 tinyURl is down

Provide the redirected website for the shortened URL using a preview: https://tinyurl.com/bw7t8p4u

tiny is not open

Let's not self promote your medium articles here please, especially if your write up contains answers. @brisk sage

Sorry wasn’t sure thank you

Gave +1 Rep to @echo geyser

Hello all, I don't understand the question 2 in task 3 in the Windows Event logs room, help me please

pyramid or intro:

Hello All, I have got a question regarding Threat Intelligence Tools - task 5 PhishTool. I am starting machine, there is directory there with email to be anylzed - but cannot launch phishtool through browser - it looks like machine does not have access to internet - cannot launch any page. Do I understand something wrong?

Target machines generally don't have internet access.
So for that task you might have to use the attackbox (assumed you are subscriber, since only then you have internet access on it)
Or use your own VM.

You could then just transfer the files for analysis to either the attackbox or your own VM

Alright let's see how long would it take me to finish this path

@echo geyser via SCP?

For example, or just spin up a python server on the target machine and wget the files

Hello, I'm doing the hive project room. I uploaded the pcap file as an observable.
However I'm unable to get a flag from the provided url

Thanks 🙂

Gave +1 Rep to @echo geyser

Jesus I hate this path...

Don't do it then 😅 ?

well Ive told myself I´ll do every learningpath...
and here we are. I know I will never go into blue teaming or so. Its just like me and math in college I hate but Ive to to it

Did anybody answer this? I'm trying to do the PhishTool module but can't open up a browser connection in the room machine to analyse the email

Ok, got it, needed the attack box to spin up a server and wget the damn thing!

So, final question on threat intel tools asks: What malware family is associated with the attachment on Email3.eml?

I've discovered the same answer in my digging but coming up as incorrect everytime, can I get a sanity check please?

It starts with a "D" iirc I found it using VirusTotal

Ha I was so sure it began with a T! I've been on virus total, phihtool, Talos, malware bazaar but see nothing with a D! @sacred umbra

Got it!

Having an issue with task 5, getting the malware of the associated IP address. Virustotal and other queries haven't resulted in a name for the IP

Nevermind I found the answer clicking on the tabs

Now my google skills are failing miserably

All done, whilst google failed me, discord searching worked out in the end

And damn the pyramid of pain is actually just broken it seems

Yep, that's what I ended up doing as well 😄
Did not get a reply on the original q

Every day is a learning day eh @languid matrix

Hey. Did you manage to get the flag or did the issue persist?

@hushed goblet hello, I got the flag.:)

I just finished Pre-Security, and Intro to Security. I plan to start SOC Level 1 after I get off work today! I'm excited!

Does anyone who has already completed it have any review/advice?

ok im stuck on pyramid of pain using the AnyRun.

@hidden aspen how are you?

nevermind got it!!

ok cool, but please dont ping anyone like this for help 😉 haha

oops sorry was just saying hi?

okay, in #general chat then 😄

k sorry

ok so i'm genuinely stuck i'm using the MetaDefender to find the malware associated with URL but it says it's clean? -- Nevermind found it

love my training in the Soc level!

So does anyone know in the pyramid of pain how to find the dropped binary's file?

I'm stuck on Pyramid of Pain Task 5. It asks "Use the tools introduced in task 2 and provide the name of the malware associated with the IP address." When I look up the IP on Virustotal or OPSWAT, it comes back clean.

Does anyone know the answer? I'm seeing online that this is bugged, but would like the answer so I can continue on through.

I looked it up using the hash in the screenshot provided.

I will try that tonight TY

Gave +1 Rep to @oblique flicker

Hello, I'm doing the "snort challenge - live attacks" room.
I can't get the flag, despite being able to catch the malicious traffic

Can anyone help me please?

Hi everyone

i have a problem concerning

the phishing analysis fundamentals

room

i tried to decode the base64 encoded email2.txt

however terminal sends me a message saying invalide input

the command is base64 -d email2.txt > email4.txt

maybe my command is wrong

is anyone else having an issue with the Yara room, task 10, file2?

Hello, just did that room - no issues.

when I was running file2 through Loki, it didnt return any issues. huh, maybe just operator error. lol.

And you copied newly created Yara rule(created by yargen) to appropriate directory ?

Hi guys, when using -A fast mode on Snort, where is the alarm file located?

Hi, to find the name of the malware in the pyramid of pain - I pasted the hash in virustotal and got many different names. I found the correct answer from the number of asterisks in the answer format. In general, if you paste a hash and get many different names from different providers - how do you know which one is right?

I'm totally new in blue team. Would you say that this path show you the base knowledge for a real job?

look up ip > Relations > Communicating Files > Name

I’m interested in this too. Would it be reasonable to apply for entry level jobs after completing this pathway? I have completed other free/subscription trainings as well.

I’m not a soc analyst but a SIEM consultant- got the job with some tryhackme practice and studying for the CySA+ - so go for it

All rooms / challenges emulate the real world day to day role of a SOC Analyst. If you go through all rooms and comfortable with all tools and have a better understanding of what gap each tool fills and what problem it solves - You are well prepared for SOC level 1 role and ready to apply the knowledge in the field.

All the best for your learning journey 🥳

oh look at that! so am I! (studying for the cysa)

is there any way I can download excersie file from wireshark, zeek, snort rooms? VM is extremely slow for me (prob because I live far away from a data center)

is there a way to download tools or files from the tryhackme attackbox?

for example the wordlist files on the attackbox

How are you finding the course? What training are you using?

Room: Windows Event logs
Task 3:
Question: what event files would be read when using query-event command?
It has , no hint and the question is changed recently. I can’t figure it out, we can read any log file we want. I tried the command by it self and it said the command needs parameters. The question dost make sense at

Hi, did you guys experienced any issues answering the questions in Snort Challenge - The Basics Task 2?

Im working on that also

seems the answers are wrong

doesnt want to take the ACK number of packet 64

or

the SEQ number of 62

I've just finished the Jason Dion course and now I'm working on filling gaps with practice tests and such. I take the exam on Saturday.

yeaah, I've experienced the same.

Pleas any one have the answer to my question? I cant sleep

Good luck, I’ve just started Jason dion cysa+

Cool! Good luck, I’m about 50% through with the dion course

@nocturne cave @timber shore Thank you both. I think I'll do fine but I can tell you I've been lacking at some of the stuff, even after 2 months of studies. So take your time.

Gave +1 Rep to @next portal

What was the point of the flag in task 9 of pyramid of pain? Didn't need it to prove learning in the task...

Hello I am stuck on Pyramid of Pain, Task 2, Hash Value. I have tried all the names I can find. Any hints? Thanks

You've run the hash value through Virustotal[.]com?

I also had success just google searching the hash value and looking through the top results.

Found it. Thanks. Very frustrated. I think the question was poorly crafted. I tried many options including virustotal.com. The name that I found vs the "correct" name was and underscore character shown on the site

Gave +1 Rep to @paper cipher

This is a confusing question actually, but this is not something you run in PS. It's just a question of what logs it collects.

Can you pleas just give me then answer? @violet loom

*the

Pyramid of pain, task 5, question 2. So annoying to find, but finally found it. Tip: use the hash that you can find in the picture + use OPSWAT. It will be easier to figure it out a word with 6 characters.

THANK YOU!!!! I was just stuck on it for the past 30mins and went here to ask for help

Gave +1 Rep to @forest halo

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil has your answer if you're still needing it, just look around for query-events

Ma brother pleas give me the answer, not even one query left there that i didn’t use, the question dosnt make sense at all, its asking what fill would be read , like we can read any log file with it. Pleas give me the answer

@silk pike

There's several places with the answer, it's even in the screen shots. You're over complicating it, I promise. Read what's it's asking you and then use context clues to find the answer. I did it within minutes of seeing your question.

Threat Intelligence Tools task 3 threw me for a loop.

I see the correct answer to question 1 in the screenshots, but when you go to URLscan.io, the Cisco umbrella has changed.

Noooo nooooo i don’t believe it, it was this easy nooooooo , i was stuck with for like 3 days . Thank you my brother @silk pike

Gave +1 Rep to @silk pike

😉 all good, I've done that many times

Hello everyone. I need help on the ItsyBitsy room. Someone to help me in mp? Thanks you

Hi all! After some help on SNORT room Task 3 this question I was sure would either be open-source or rule-based but neither are working??

Oh can’t upload an image but it’s Task 3 question “According to the official description of the snort, what kind of NIPS is it?”

“Real-time” doesn’t work either and there’s nothing else in the official description 🤔

Read "Snort can be deployed inline to stop these packets, as well. Snort has three primary uses: As a packet sniffer like tcpdump, as a packet logger — which is useful for network traffic debugging, or it can be used as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike." very carefully, the answer you're looking for is right in front of your eyes.

Break down what NIPS stands for, it will make it easier.

you have to link your tryhackme account to the discord server in order to send screenshots

!docs verify

I'm stuck on this part, and not sure what I'm doing, I've looked up and down this channel and see many have asked for help on this,

I know this has been asked a few times, now, and yet I still can't find it, can someone point me in the right spot? or better yet is it a word on the page???? or a word I need to come up with????

Answer can be found In here, this part of the task.

I've went thought and added every 10 letter word I can fnd, and still nothing, Hours at this... and its proby something dumb....

Look for the part that refers to a nips.

But it uses the name, not the abbreviation.

https://tenor.com/view/confused-the-office-michael-scott-steve-carell-explain-this-to-me-like-im-five-gif-4527435

thats where I am at right now.... cause I am not seeing it, and if I trace back, to nips, and what it falls under anothing lines up,

The answer contains a hyphen.

how the hell would I, or could of found that/>????

Because it's ||full-blown|| 😄

and thank you, I ready to bash my head on the wall,

thank you, thank you, @primal igloo now I can get to the fun stuff,

Gave +1 Rep to @primal igloo

Happy Hacking.

This Yara task is whooping me!!! Anyone know of a good walkthrough video that breaks it down barney style?

I’m gonna do the Yara room when I get home from work lol then maybe I can help, or vice versa

@paper cipher I PM'd you

same issue. Did you figure it out?

Hi no i didn't , even the chef software doesn't decode it well

I found one post in this server that helped. It was harder to find than I expected.
||Decode the .txt file without the header, but then open the result as the file type the header said it should be.||

thlx but i couldn't see it is color y black

yara room was really pain 🥲

anyone done with snort room?

started just 10 mins ago

how much done?

NBA training period is also known as ...

stuck here

same a a more

hey guys, im doing Windows Event Logs. has anyone ever gotten the answer to task 3.2What event files would be read when using the query-events command?

the answer i get is: read events from an event log, log file or using structured query.

but it doesn't match the answer format

i got it no

now

The answer is written in the IPS section

Yes sir...something's wrong with my eye or my brain

no worries, happens sometimes. So you've found it?

yes

Hi all, anyone to help me out on task2 of the pyramid of pain, I am kinda stuck on this task though I have completed all the other tasks

Just tell us where you struggle so somebody can support you.

bro that's written just above :p 🤣

what's the syntax to use two protocols in snort

@modest flame

didn't see it ahah, wp bro

you mean filter ?

ya sorry...

What protocols do you want to specify ?

tcp and udp

all i find is syntax for filtering only one protocol

Have you tried to only specify ports or others protocols ?

i mean i you want to filter tcp+udp on port 53, just write "port 53"

no need to filter port but need to filter only protocols

is it possible to filer two protocols in one line?or do we have to make it two

wtf i don't get it imo

what do you have in your input file other than tcp and udp ? xD

*filter

typo..i mean filter

Which question is it ? in snort room?

task 9 Q4

letme try filtering two protocols separately

Has anyone completed the OOpenCTI room, i have a dumb question that I am stuck on

regarding structure of rule imo you'll need 2 lines

not working either after making it into two lines

nope...I've not

ya it works if we change the id

i did if you want

hhaha gg

So im pretty new to discord, should i post the question here or pm you

ah wait..i think it's not the right way todo

I'm stuck on the investigative scenario part of the room

you can do it here, for knowledge basis

this channel exists only for this :p

Well, the interesting part :p

Whhich question ? What have you already done for this ?

alright bet so I'm on the "How many malware relations are linked to this Attack technique?" and on the OpenCti page it shows 7 relations but the answer required shows it needs 3 characters

ahahah i where stuck on this question when i did it

i'll start the lab and i'm coming to help you

need to remember how is it ^^

no worries i appreciate it

I took a screenshot but idk how to put it in here

There is a + button juste at the left of the area where you can write

from here you can upload a file

or simply drag & drop you pic here

ill open the app on my phone cuz I'm not seeing it on the web browser

You need to verify, to post screenshots.

!docs verify

It took me longer than I'm proud to admit to figure that out

You're not the first, certainly won't be the last.

I appreciate it

hey @primal igloo are u familiar with snort rules ?

@amber owl have you tried to go inside "Related entities" tab ? (second on the right column)

Yup for me its blank

This is what I see

Really strange

Yeah it's been like that for me all morning that's why i was so lost

We should notify ad admin cause you are supposed to be able to see malware linked to this attack on the overview panel

I'm just not sure if the issue would be on the OpenCTI end, THM, or my personal end for some reason

i can't find it on my side

I had to restart my thm instance but once i do I'll try to see if i can find a place to make a report

now it won't even let me connect to the attack box instance

@modest flame i've figured it out. And yes we have to make it into two lines (one for tcp and UDP) with different id and we have to specify SAMEIP

Hey should i do soc level 1 for blue teaming is it worth ? Or what should I do for blue teaming

It's definitely worth to start with it and you can continue after with the Cyber Defense one...

Ok

Good morning, I am on task 3 of ATT&CK Framework question "This group overlaps (slightly) with which other group?" I have the previous question answered but this one got me stumped. Can someone point me the right direction.

You kind of have the answer in the information of the first group the task asks you to find.

Focus on these 2 questions:

What groups have used spear-phishing in their campaigns?

Based on the information for the first group, what are their associated groups?

Based on the answers from these questions you will find the answer for the below question also.

This group overlaps (slightly) with which other group?

I am just reading that now and I think I have just found the answer lol, thank you Alek.

ehh no worries i do the same when i get stuck, i reread the questions and take the steps one by one again...

Yea, I do a lot of reading and I somehow missed it. Like you said back to square one and read everything ;).

There are 2 questions there that are supposed to confuse you, it's part of the process i guess, you will get used to it 😄

I am seeing that and I need to slow down a little on my part lol.

yep there's no hurry in it, it's not a race take your time 🙂

the important part is to understand it, not finish it fast 😄

Exactly!

ya it's worth going for it and i'm doing it too but involves some reading stuff

That it does but also I have learnt to take your time as well. I do certainly enjoy the hunt for the answer and understanding what they entail.

Thanks!

Gave +1 Rep to @forest halo

Hey all, anyone here who works as a SOC analyst, trying to make a move into SOC from AppSec and looking for a mentor who can provide some insights 🙏

Hello there - Goodluck with the journey. Can you post your queries and people here would be able to help you out on this.

I am working on task 7 of the snort section and I keep getting an error after I run snort and try to run traffic through it. S5: Session exceeded configured max segs to queue 2621 using 2621 segs (server queue). 10.100.1.33 44484 --> 10.10.248.173 80 (0) : LWstate 0x40 LWFlags 0x2101 Has anyone else gotten this error?

I'm working through Threat Intelligence Tools, and when downloading the .eml file on task #7 my antivirus is picking it up as a trojan, anyone else had this issue?

is there something wrong with WindowsForensics1 Task-9 Q.1 which keeps on saying `incorrect'?

ahhh it's B...nevermind instead of B i wrote as 8

so you are downloading it in your main windows machine?

Yes.

Should I download it onto the attack box? The way it’s laid out I download onto my local machine.

@pine thicket

Well if you download malicious file to your main machine and got an AV, it's gonna say THIS FILE IS FOUND MALICIOUS and that's what AV is for.Ya you should use your VMware or attack box

lol. Should have known. Thanks.

room Yara, Task 5. there is no red or green boxes @scenic token

Yo, I'm trying to download the document for analysis from Threat Intelligence Tools Scenario 1 and the system keeps refusing to download on my machine what do i do?

DO NOT DOWNLOAD MALICIOUS TEST FILES FROM TRYHACKME TARGET MACHINES

they are meant to be solved on the target machine as that poses no risk

Thanks

Gave +1 Rep to @nimble oasis

still it will be the minimal amount of malicous file but you never know how your network and antivirus would react

or your computer

i have to analysis it so makes no sense reallty

*really

Never mind.. fixed it\

If I wanna study for the Security+ certification exam, should I be doing the SOC Level 1 learning path?? or do I try and do both?

I’d stick to the security+ path. It’s not overly complex but you definitely want to focus and make sure you pass and not have to pay the exam fee twice

@scenic token
pyramid of pain task 4 asks for the first malicious domain per anyrun, but since anyrun gives suspicious/malicious as different categorisations, the expected answer doesn't match with what anyrun would suggest is the best match.

These paths will help you to understand some concepts and practice tools, but they are not aligned with security+ exam objectives, and they don't cover all material you need for it.

Ohh ok, you're right. I just really wanted to start the 'SOC Level 1' learning path already because I've been wanting to use TryHackMe for so long 😅 also cause I'm interested in the security analyst path

Alright then, guess I'll have to pause where I'm currently at in the 'SOC Lv 1' learning path and focus on the security+ exam. Thanks for the feedback! What certs have you acquired? 🙂

Gave +1 Rep to @tulip gull

You can do the path, it will enrich your learning and will increase your skill, what is very important, just be mindful that it is not aligned with sec+. I have lfca, lfcs, and basic azure cert. And linux+, but it was an accident, haha.

Hi all, stuck in Threat intelligence tool taks 5..... how to access the phishtool in the VM? it has no internet connection out

Nicee, and thanks for letting me know! I'll come back to this later as I really wanna focus on passing the Sec+ exam 👍

Gave +1 Rep to @tulip gull

Great. Good luck and have fun during the process :)

How are you studying for the Sec+ exam ?I also am new and I want to get a cyber security job and I heard that was the basic intro cert.

I bought jason dion's udemy courses for like $15 and am currently watching professor messer's yt videos

Sysinternals Task 9, what is mistake? vm don't have D:\ disc, i try command prompt and PS

Hy Everyone! I need help in snort challenge room. I’m on Task 2 - Writing IDS Rule and Task 3 FTP Rule.
What is the SEQ number of packet 62? Write rules to detect "all TCP port 21" traffic in the given pcap.

What is the number of detected packets?

cannot connect machine to internet on Task 5 of Threat Intelligence tool? cannot access any website or even run update to fix the issue. Any solutions?

tried creating machine multiple times, but same issue, any mods here?

All target machines on tryhackme does not have an internet connection for safety reasons... You can solve the questions without an internet connection

I am struggling with that one as well. Any hint you can share please? Thanks!

Gave +1 Rep to @undone bridge

Is it better to start with cyber defense path or this one?

think this one is a lot newer and more aimed at beginners then cyber defense is

hey guys i am stuck in opencti room under soc level1 path, my machine browser wont access opencti ??

any idea how can i fix that

hello, i am trying to create a homelab for cybersec following the instructions from this tutorial : https://www.netsecfocus.com/home/lab/2022/07/31/Tjnulls_guide_to_building_a_Home_Lab.html

Should i install the GNS3 and pfsense in the same virtual machine?

I'm really struggling on the snort section of this path, rules don't seem to give results I need. Can someone help with the initial start of the snort basic challenge?

Read it carefully. Remember you need to look at traffic going BOTH ways for totals. Can't just any 80 <> any any to see all http traffic. -n and -d helps a lot on the rest of Task 2.

@compact karma I got it eventually, thanks

Gave +1 Rep to @compact karma

"You can use the "base64" tool. Read the log/alarm files and extract the bas64 command. base64 --decode filename.txt"

Any help what command can I use ?!

I don't want to use the manual way.

room Snort Challenge - The Basics

@nimble oasis

So, writing IDS rules(PNG) for the snort challenge "basics". In quotes because it's been a slog! I'm trying to find the software name embedded, managed to find a hex signature for PNGs to put in my rule, but I'm not getting a log to search through. Any help please? Am I the only one who has struggled hard with some of this room!

Did you make it through?

I think I just did a content search for png? FTP isn't an encrypted protocol

So have I, and I'm not getting the log

Free paid games?

Oh sure.

@hidden aspen can hook you up, she is an iOs guru.

:hammer: HyperTrizzz_#2935 has been banned.

thx @primal igloo 🙂

Gave +1 Rep to @primal igloo

Got it, trying to be too clever. Just searched for PNG instead and got what I was looking for.

We're you able to figure this out?

@scenic token I'm currently in SOC level1 path on task 9 of cyber-kill-chain. I believe you built this. Can you please give me a hint towards solving this? I've researched CKC and attempted different things but I'm still having trouble. Thank you. and Happy New Year. EDIT: I reloaded the page and re-entered everything and it finally worked!

Gave +1 Rep to @scenic token

Nope 👎

could someone plz highlight the error?>

why its not working

?

So if you make a standard alert type rule for tcp 21 (the FTP data port) with a "-l ." (That's lower case L for log, and a dot for current folder)

You can use the -r flag to replay the saved log through your created rule file, but use a -n <number> flag on the end to tell it to stop processing after -n packets.
That way the last packet displayed should be packet <number> and you can read the sequence off that.

According to my notes, it's Task 8 of the Snort basics room that explains the flags you need so you can have a little more in depth resources.

Hi colleagues, am stuck in snort challenge task 3 (failed FTP login attempts) i wrote the rules and see the log file created but it disappears in in seconds, any idea what am doing wrong?

Thanks but i got the right packet and right sequence number but my issue is that thm does not accept that answer.

Gave +1 Rep to @fringe quiver

Anyone in the Yara room. Im kinda stuck on task 8.6 and task 8.8. When I check the file2 it states it is clean

where did you place the yara rule file???

oh wait never mind that is later

for 8.6 check the yara rule file that is used against said task
for 8.8 use less to read the contents of file 2 and read the comment block in there

the hints will maybe help too

Okay thanks. Il try that

Im still stuck on 8.6. I can't seem to figure out which yara rule file was used

think loki states that in the output of the result for file 1

The only file I see is metaslsoft.php that is shown in the result. is that it?

no... probably better that you check the hint for said question

I've done the first machine task, answered all questions correctly but still not able to proceed. Someone help

So I am in Pyramid of Pain task 5, and the 2nd question says use the tools introduced in task 2 to be able to name the malware associated with the IP address that the victim system was trying to connect to. I have tried searching in virustotal and OPSWAT utilizing the IP address, those both came up empty. Then I tried using the MD5 hashes of the modified files to do the search, also turning up nothing. Looking for a hint here.

@olive jasper just took a peak, the answer is present but you won't find it jumping out at you. 1. what might the suspicious process execution suggest? 2. did you check for relations to the suspicious IP?

I think I figured it out. Thanks for the hints though! Appreciate it for sure!

Gave +1 Rep to @brazen sandal

!rank

could somebody explain the direction of the flow in the snort rules -> <>, because the official documentation doesn’t help me much. I don’t understand why we need to create two rules in order to catch HTTP traffic ( any any <> any 80 and any 80 <> any any )

I thought that bidirectional(<>) means the request and the response, which goes in both directions

And I though that alert tcp any any <> any 80 would be enough to catch all HTTP port 80 traffic

I'm doing the Phishing Analysis Tools, Phishing Emails 3 "What is the From email Address?" I found the email address, however there is no way to copy that long email address into the regular window and the VM has no internet? Any thoughts?

Hello everyone, I need some help with Task 2 - Writing IDS Rules (HTTP) in SOC Level 1 Snort Challenge - The Basics...... On the first question "What is the number of detected packets?", I get the answer 164. However, the right answer is 328, but I don't understand where they get that from! I would be very grateful if someone had an idea...

Are you using bidirectional flow? aka <> for both of your rules

no, I used "any 80 -> any any" in the first one and "any any -> any 80" in the second rule

Now try to use<> in botg

It worked! Thank you very much!

Yeah, that's weird, I'm still struggling with the direction of the flow, don't get how it works properly

Nor do I, unfortunately... 🙂

Anyone having issues with rdp to windows machines? I am unable to connect to windows vm from my local machine nor from the attackbox

When you try from your host machine, are you on the VM?

Are you connected to the VPN first ? (I don't know about the attack box) but VM are only present in the THM network and they are not publicly accessible so you need VPN, if you have Kali linux VM, you can install Remmina and access Windows machines from there

No I am directly trying from my laptop which is windows machine

Yes I am connected to the VPN. Wierd thing is I am able to ping the machine but unable to rdp into it. I am directly using rdp in my windows laptop.

I'd suggest not putting your host machine on the VPN, people can scan it etc.

Ohh no, but is it possible to have a vm on the machine to be on VPN??

Yes, if your system has the resources for it, that's probably the best idea.

Ok will try that but for the connection, it doesn't work in attack box as well. With remmina, its asking for password for some login key ring. If I cancel it, and it says can't connect to RDP server.

Just cancel the keyring login.

Can someone help me with task 7-scenario 1 of the threat intelligence room?

sure, are you still there?

i figured it out. Thanks though

Hello, I ma stuck on Task 3 #2:
What event files would be read when using the query-events command? I've ran the query /? and red through the MS docs, however I still can't seem to find the correct answer. Anyone help? Thanks

Gave +1 Rep to @olive jasper

Hello, i am at task 5 in Splunk (SIEM). Its about to find the correct password due to a successful connection. My way to it was actually to use the field "SPOILER ALERT" || "connection-type"|| to distinguish successful or unsuccessful connections. Would you reccomend another field or use the same?

In Room "Threat Intelligence Tools" in Task 5 "PhisTools" the VM has no connection to the internet, so im not able to analyse email1. I dont have a chance to get this email1... Any Recommendations?

open the VM. open Thunderbird. analyze the email.

If you're ever searching for help with the Snort "According to the official description of the snort, what kind of NIPS is it?" You're going to be upset when you find out what it is..

The answer to that is in the task.

unable to generate wazuh reports as the two agents are showing disconnected

hi guys, did anyone have issues with network service room with the question of "What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?". My answer is correct according to THM but when putting it into terminal , I keep receiving error of that syslog is deprecated and the host is unavailable

Is there anything I can do to fix this?

hey

why my answer is incorrect?

Name room is TI tools

Can you link the room?

@primal igloo https://tryhackme.com/room/threatinteltools

task 5

Look at what the question is asking,

and look at what you're entering.

3/4 octets has 4 characters.

It's asking you to defang it.

lol kek

its easy

sorry

@primal igloo I didn't understand what needed to be done

thx

I had the same problem, but thunderbird is the answer

Hi, I have some issues with Yara, when I type touch somefile then myfirstrule.yar it say command not found

touch somefile them myfirstrule.yar?

just do touch myfirstrule.yar

ok thanks

if you want a response here is one... shadow has not done this path yet so no clue what is wrong or how to answer your question

Is anyone having trouble finding the correct answers in Pyramid of Pain (Task 4 and 5)? I'd think the information could be better to find the malicious URL request...

Hi All, I can't start Sysmon on VM : Sysmon.exe -accepteula -i ..\Configuration\swift.xml Any idea ? Thanks !

I am currently working on task 4. It wants you to use the link in task 4 to go to the website. Look for DNS request (domain name server request) and copy the first domain name you see there. For the last question in task 4, type the URL that is given in a browser. The URL will redirect you to a new domain name or new URL website. Type the new URL in as the answer. Hope that helps!

Hi @spiral flame, thank you for your response. I was able to go further with task 4 but I'm still stuck with the last question about the shortened URL.

When I type the short URL as in "preview" It directs me to a tryhackme.com... Are you reffering to the URL in app.run.any?

Gave +1 Rep to @spiral flame

it say command no found

I need help with something

yes that is correct....for the last question in task 4, the answer is the complete URL for tryhackme website...include the https:// and include the last / at that is at the end of the URl also

Hi, currently working on the Snort room, Task 6, I'm not sure as to why I'm not able to run the commands given on the introduction "sudo snort -dev -l" to run the task for answers it keeps telling me that the "-l" requieres an argument, but there is no mention of any of this in the instructions, any help anyone can give me will be greatly appreciated. UPDATE I found a walk through of the lab and I was able to troubleshoot the issue.

also, I just finished task 5 for Pyramid of Pain.... for Task 5 questions 2 and 4 (tryhackme says to use google as the hint) I found this link that answers both those questions. The link is a page from app.any.run. From this page you will need to look for: 1) the file name .... and 2) the threat name .... to answer questions 2 and 4 from this task. Hope that helps! https://any.run/report/e2d2ebafc33d7c7819f414031215c3669bccdfb255af3cbe0177b2c601b0e0cd/90b76d7b-8df6-43c5-90ec-d4bbcfb4fa19

It got it working now... it redirected me to dashboard even though "tryhackme" was enough as answer.

I was able to find the correct answer on Google, but thanks anyway!

Gave +1 Rep to @spiral flame

I'm struggling with understanding Yara, yarGen, in task 9. I had the correct command to compare the generated yara file to 1ndex.php. I leveraged the commands from task 8 to run Loki against 1ndex.php and see the similar results as completed in task 8. I'm curious why this same approach, in the same directory, created the same results as in task 8, or before yarGen was run. Any help would be greatly appreciated. #soc-level-1-path

same but I can even running

I revisited the Yara task 9, moving the file2.yar file into the required Loki folder and ran the task 8 command with sudo privileges. @frank glade #soc-level-1-path

I can't even do the first one as it say command no found

I don't get it

review the spaces in the hint for Yara task 9. there's a command. Then there is a file name. Then a file location. @frank glade #soc-level-1-path

Hello all! In the room Snort Challenge - The Basic, task 2, question "What is the number of detected packets?", I can'i answer this question. My rules are OK. someone can help me? thanks

I'm in the sysinternals room. When I click the green Start Machine button, it does not open in a split screen. And there is not a blue Show Split Screen button at the top. How can I access the machine? I am on a mac.

Are you connected to the VPN?

Hello,

I'm doing the redline room and trying to import the analysissession1 to redline after running the script as admin privs. Im getting unknown error and opening it only shows me:
Timeline
Tags and comments
Acquisition history

While creating the script i edited it as the room states. Nevertheless due to the error in importing all the information needed to complete the task. (For example System information) show as not collected?

Anyone got tips or tricks for this. I noticed that the VM Local disck is really full so could that be effecting my issue?

No, I wasn't. I had to open the terminal on the linux attack box and use the command "remmina" to rdp into the windows box. but it was very tiny and I was unable to enlarge it. But PTL I was able to finish the room and progress. Thanks for your response.

Gave +1 Rep to @chilly trellis

Absolutely, if this sort of thing happens again, ping me soon as you can, maybe I can troubleshoot. Something that occurred to me later, also, was- which browser? Safari? And whatever browser, what extensions do you have enabled if any? That’s not crucial now but maybe next time it might give me some more clues

Also, sysinternals is a paid room isn’t it? I have to search each time because I’ve been on paid membership for years now, but you’re on paid right?

Yes. I am using Safari with no extensions. And I am a paid member. I just started on Dec. 1 with the Advent of Cyber Challenge. I got a lot out of that, so I signed up. But I'm going to have to take a break I think because I need to obtain a Security+ cert by Feb. 17.

Totally understandable

I’m not certain as to why you would have issue, unless something something browser configuration or non-paid attempting to use the attackbox more than 1x/day

In retrospect, I don’t think it would be relevant if the VPN were used or not, but I could be incorrect

Nonetheless, you’ll have to share your adventure with us and I sincerely hope you succeed!!

(In all fashions, but specifically Sec+ in this instance 😊)

Pushing my way through the snort rooms. Lol took longer then I expected.

Hello, the section for URL.scan.io doesn't have the correct information such primary domain. The correct answer can be found onder the section "domains" but I also noticed that the main IP of tryhackme.com is changed on urlscan.io keep this in mind! Have great day all

I'm really liking this path

Just got through the Yara room. 🥴 Gonna need to do more research on this lol it was a tough one for me.

hello guys, complete discord noob here. nice to meet y'all

starting journey toward cyber security any advise, help.

just start i think

if anybody in here wants to learn together cybersecurity hmu

Hey all, I think my mind is playing tricks on me. I am currently in the Threat Intelligence Tools > Abuse.ch >Q1 and I cant find the IP in the list on threatfox. I have all of the other questions answered but for some reason searching the IP or cntrl+f the IP brings up nothing. If anyone could point me in the right direction I would really appreciate it. I will check in after I get back from the job I am super late too! Thanks in advance

Its a good path. Alot of quality education in it.

You have to search for the IOC in the search bar. Don’t forget to use the proper search syntax

Thank you so much! I just got it done I really appreciate it.

Gave +1 Rep to @royal crest

Does the Soc 1 path correspond with any certs? BTL1 or Cysa+?

Hey guys. I am doing the SOC 1 path and I'm at the last task where I have the assign the correct statements to each level of the Pyramid of Pain. I am positive that I added them correctly, but it won't complete it. I googled it and there are statements saying that that part is broken. Is it right?

It can be,

It's not broken for me, and it never has been.

Okay, thanks. 🙂

Gave +1 Rep to @primal igloo

I did the Pyramid of Pain yesterday, and had no issues, have you managed to complete it yet?

I have the same problem

Hello guys currently doing the SOC level 1 course but have some difficulty on the Pyramid of Pain I don’t clearly understand how it works or how I should understand it
Can anyone explain it simply to me please ? Thank you

I'm having a problem with Pyramid of Pain --> Host Artifacts (Annoying): why the question 3 and 4 are exactly the same but won't accept the same answer?

Do you have problem with question 3 and 4?

Question 4 is looking for a different file name than question 3. I do agree that the question could've been worded better.

There's also a hint button there, that kinda helps.

I just have some problems understanding the pyramid : how i should read it as a defender or as a attacker. Other than that the questions are fine

Hey. The only issue I have in the Pyramid of Pain is the Practical (Task 9). It is still bugged, for me at least.

That part is still bugged - the questionnaire for that will not ask you for the flag anymore (as I remember) - you can simply mark it 'complete' 😁

I think the whole point of the Pyramid of Pain is for us to understand (as a Defender) how much it IMPACTS the attacker when we're able to detect the kind of attack they have executed. Like for Hash Values - it's on the lowest level because once it's detected by the defenders, it will only take the attackers a short amount of time to recalibrate/re-strategize their attack, unlike the higher levels were the attackers might need a lot more time to re-strategize and maybe even create a new way/tool to execute their attacks. Something like that.

Yep. I did press complete regardless the bug. The course is complete.

Yep, your reading of the Pyramid of Pain is correct.

Thank you for the confirmation I really struggled but with PM's explanation it's all good now thank you 😄

Gave +1 Rep to @meager dragon

I'm stuck in the Pyramid of Pain room, at Task 5 (Host Artifacts).

I got questions 3 and 4 exactly the same, but won't accept the same answer.

The answer for question 4 is different from question 3- it's looking for a different file (name). Click the Hint button, it helps a bit.

For Threat Intelligence Tools, Scenario 1: "From Talos Intelligence, the attached file can also be identified by the Detection Alias that starts with an H..."-
How do I obtain the hash of the email attachment of Email2.msg in the room machine? Is it a bash cmd or smth in Thunderbird?

Pls disregard- I found it in the File Properties. Thank you 🙂

Will do, thanks!

Gave +1 Rep to @meager dragon

Hi all,
Is this site not working anymore?
https://www.threatminer.org/host.php?q=23.22.63.114

doesn't seem to work for me either

Site was working fine for me on my phone.

yo

hello here i have a question

Hello, I have a question re: Snort Live Attacks Task 2 Question 2 & 3: "What is the name of the service under attack?"
I managed to stop the attack by using Snort in sniffer mode, then writing a rule based on what was observed, and blocking the malicious traffic. (I included the flag.txt in the screenshot below.)
But I don't understand why the answers to Question 2 & 3 are not http or 80, but rather ssh or 22, when all of the traffic I blocked was to port 80 and not 22, and looking through 40+ packets, I don't see any sign of ssh.

hi

i want some hep about one flag

whats the flag? :D

I can't insert an image here

May I send the link?

https://tryhackme.com/room/windowseventlogs

they ask me to Execute the command from Example 8. Instead of the string Policy search for PowerShell. What is the name of the 3rd log provider?

hey

can any one teach me cyber hacking

?

?

-unmute @wise slate Please do not spam the same characters

🔊 Unmuted Why do i exicet#8195

task 4 links to a doc at the top of the page: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-5.1
scrolling down to example 8 you'll see this. im sure ull be able to figure out what to do from here :D

Hey guys, I am trying to do the "Splunk Basics" room to prepare for a very important interview. The only problem is that I am not able to open Splunk... I am not sure how to do that. I opened the Kali Machine and that's it. I am new here so don't judge me 🙂 Can someone help? 😦

im trying to complete the sysinternal how do i connect to the vm?

You can connect to the windwos vm through RDP protocol, If you're using thm attackbox or thm kali linux, open a terminal and type remmina, then follow the steps

1. https://ibb.co/3TtXySj
2. https://ibb.co/3hk0dwr
3. https://ibb.co/g6Lp8vg
4. https://ibb.co/VmK7rtB
5. https://ibb.co/54SLhVD

That's for Linux users in general, for Windows users just use "Remote Desktop Connection" on Windows, follow this:
https://www.snel.com/support/learn-how-to-connect-to-your-server-via-rdp-on-windows-10/

Note: you need to be connected to thm network

Open Firefox and type the machine ip in the url section

In task 2 Connect with the Lab, click start machine, wait a minute then you'll get an ip address

Was this a recent change? In someone's video from June 2022 (https://www.youtube.com/watch?v=pBnHDHSAku8) it shows the machine name at the bottom (S3SITX). The RDP works fine, but seems like an unnecessary extra step.

In the Incident handling with Splunk room, Reconnaissance phase section, I just cannot find any information related to "What is the web scanner, the attacker used to perform the scanning attempts?". ||I know I suppose to find it in user-agent, but after look at http_user_agent list, I don't see any abnormality||

I'm planning to take the CYSA+ exam. Would taking this path be a good primer for taking the exam? I'm trying to find somewhere that I can get practical hands-on knowledge.

Yes

In the OpenCTI section (OpenCTI Dashboard 1), the URL link does not work.

Hi everyone i have one question for SOC Analyst job. What skill set should one Junior SOC Analyst have in order to land a job as a SOC Analyst?

Basically the ones shown in the path, but more deeply

THM is really good for beginner theory mixed with some practical, if you want easier practical PicoCTF is good, but you will probe need to do more practice and harder practice than there is in the path.

Thanks momo for the answer that helps a lot

Gave +1 Rep to @pale ginkgo

Glad to be of help! Fell free to ask me anymore questions, although I am more into pentesting rather than SOC

Ha

😎

You type out your emoji's lol?

nooooo...

Why would I do that

I saw the 8)

B)

than you edited

definitely not

you're seeing things

oh weird.

i am

it went from "B)" to the emoji

weird

must be lag

yup

must be

maybe

maybe the whixijoklial widget spun too fast

¯_(ツ)_/¯

I am too but i heard that its easier to get into pentesting working first as a SOC analyst and then switch to pentesting is that true?

im just trying to get into a SOC and stay there

SOC is usually an entry level job in cybersecurity, at least level 1 is, there are a lot of companies who hire only people who have at least some IT background experience but heard stories of some companies hiring without it also, not very often tho...

As for being easier to move over to pentesting after, very possible because you get a lot of knowledge doing SOC operations, you need to learn from both sides, you can't actually defend without knowing how attacks work, but you can also specialize on the defensive side of cyber, to advance and evolve in it also, incident response and so on...

They key is to start from somewhere, practice and keep learning and with time you will find out in what direction you will want to go next, or even if cyber is actually for you or not...

please point me in the direction of these socs

direction of getting hired or learning directions?

i guess hired?

well depends as i said of your background experience, certificates, knowledge

But if you already have these and feel confident you can start with a linkedin profile

i could show you my resume and linked in

Or other job seeking sites locally in your country

Well it's always a good start with a linkedin profile, it mostly is one of the best ways nowadays for IT folks but not only...

Start following cyber domain related things and build a network gradually, seek to improve the profile by scouting others and with time opportunities will come also, and most importantly, never stop learning, take breaks, as long as you need them, but never stop...

It never ends

currently doing this path to touch on splunk, and snort since all places are recommending SIEm experience

yes it's kind of mandatory

and splunk is a great resource since a lot of them are using it

as for work, im in the cyber division but i just apply patches and updates to vmware,linux,windows

just trying to level myself up

it's a big advantage to work in the domain, it makes things way easier

hello

Tnx for adding that Alek

But keep in mind guys it depends also on the company you are gonna work for, their expectations and SOC architecture, Security architecture as a whole, the first thing you need to see is their job description and after have a talk with them, because there are a lot of companies that offer SOC Analysts jobs and don't actually specify what level of experience they want, some of them want more incident response experience, some just some IT background and experience, some are impressed maybe by a cert or a completions of some sort, so it varies a lot depending of the companies needs, location, culture and so on, just fyi...

I mean don't get discouraged if you go through some interviews were you will get rejected or something...

Yea thats normal but in your opinion what are jobs below SOC analyst (the ones that you should get before SOC Analyst and like their requirements?)

hmmm not aware of any cyber jobs under SOC level 1 but saw a lot of people coming from other IT position, like IT Support for example, Operations sides and so on, i myself come from an IT operations side so i guess any prior IT experience could be good, but as i said, depends on the position you are gonna get hired, the companies expectations and security architecture but this is kind of the general consensus, at least from my experience and knowledge...

Tnx Alek for sharing that now i know but i wanted to ask you one more question 😅 sorry if i am asking too much , where would i get such experience to actually land a job as a SOC Analyst level 1. Is Tryhackme paths enough or would i need to learn more from somewhere else?

Well firstly as i already said, some IT background experience would be an advantage, whatever that is, support or operations or whatever...

Related to courses or certs or any other kind of cyber training this would be an advantage also of course but in my opinion some IT background or real experience would be way better.

In the end SOC L1 is an entry level job so besides the companies that falsy promote a SOC analyst job and have different expectations, you shouldn't have any problems in nailing such a job with minimum experience and knowledge in the domain.

Nice thank you man i really appreciate your time and answers you helped me a lot

Gave +1 Rep to @verbal parcel

hey all, im on pyramid of pain and does anyone explain what is the meaning of "dropped binary"?

Referring to: "The files modified/dropped by the malicious actor:" with a pic of the files

Warning: Contains Answers https://www.reddit.com/r/tryhackme/comments/yru6ke/pyramid_of_pain_issuequestion/j4hpstt/?context=3

thank you

Gave +1 Rep to @muted flare

Hey guys not sure if I'm doing something wrong or is it broken, but I'm on the CTI email phishing part and it says I need to use phishtool to scan the email1.eml, but the virtual machine seems to have internet disabled

Is there something wrong on my part or am I completely misunderstanding the task?

I was confused there too. I think as a workaround I ended up just copying the contents of the file to my own personal VM that I have running and then uploaded it to phishtools there. There’s probably some more correct method lol.

I'm pretty sure you're suppose to use the CyberChef in the vm browser.

please do not do this... the email.eml files are on none internet accessable machines for the safety of the user as some of them hold actual malware

nope you are not supposed to use phishtool... you are supposed to just use the view source option from thunderbird in said vm

Yeah, good point. I suppose I shouldn’t suggest it. I am aware it’s dangerous. Thus deleted the files immediately after. Not recommended! Also had it on a VM with a seperate network I could just blow away if anything happened

Hello everyone, I've been trying to finish the room Mitre for two days now. in task 5 the engage site does not work correctly for me, the page is displayed, the tabs etc but when for example I click on prepare and plan as requested it does not work? it seems buggy, I tried with different browsers 😟

I had the same issue. I ended up googling the answers because the prepare and plan just wouldn't work

hey guys , ive solved the whole room except this question .. i got the answer but i cant tell what is the right format. the question on task 4 Provide the BIOS Version for the workstation.
i got the answer : INTEL - 60440000 PhoenixBIOS 4.0 Release 6.0

anyhelp please

@pure nova

thank you for your reply
I see I'm not the only one having this problem 😌

Gave +1 Rep to @haughty vine

like hello

@oblique locust

I think this is not the bios version

this is what i got from the system information , and yes i used the right analysis file

Which room is it?

red line

and in the forum people have the same issue :((

anything happened ?

The bios you found is not the correct one

it is from the file inside the machine , there is no other files

Snort time ! Currently working on Network Security & Traffic Analysis module

I am facing some issues in the redline lab. For IOC Search collector, when i try to generate a report, I get "There is not enough space on the disk". Anyone know a fix for it ?

I am stuck in a room for the SOC level one, its the ATT&CK® Emulation Plans section on the sandworm question, it does not like they way I am typing the answer??

Anyone getting this error when launching ICMP traffic script ? Snort Room Task 6

[Fixed] added sudo

Are you adding all the dots and commas?

@nocturne cave thanks I finally got it yesterday 🙂

Gave +1 Rep to @pale plaza

Sysmon room TASK 6 directions say to open Hunting_LSASS.evtx but it’s not on the Desktop in the Practice folder??

Bit late, but if you have not got this sorted out, I did this with the Mimikatz.evtx

PS C:\Users\THM-Analyst> Get-WinEvent -Path C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Hunting_Mimikatz.evtx

For anyone who was having an issue with the Mitre Engage website to complete task 5 in the Mitre room of the Cyber Defence Frameworks module, the site is now working again so you should be able to complete it

Thanks. I kinda figured that but couldn’t find the exact event they showed in their example

Gave +1 Rep to @sinful nimbus

Snort dropping packets

Day 5 of attacking Snort room. I'm definitely putting this on my resume. A newly attained skillset, if you can get through the snort modules and develop your rule writing skills it can be beneficial

Has anyone who has completed this path found work in a SOC, or similar role?

I just finished this path, and am going to begin a job hunt soon. Looking for some advice as I am currently not in the tech field (I’m a teacher) 😄.

Gerald Auger from simply cyber released a video about Soc related interview questions, i can't tell if it's good but i enjoy his content so i'd give it a try

Thanks, @plush plume ! I've watched his videos in the past, they're very good.

Gave +1 Rep to @plush plume

While I'll definitely do some interview question prep, I'm currently more concerned with how to get a SOC or SOC adjacent interview first lol

Snort is another level of security.

The firefox of the VM of the task 5 PhishTool for the Threat Intelligence Toools does not work

Snort Challenge - Live attacks (brute force). How do you justify it being SSH. It could be port 80 because there is traffic back and forth in port 80 so can it not be brute for on a login page? .There are more packets from port 80 than port 22.

you can see the traffic on port 80 though

actually read it

so if it's not a ton of passwords tried in short succession it's most likely not a bruteforce

Hello guys anyone having problem with accessing the web when you deploying the machine in Task 5 Phishtool from the room Threat Intelligence Tools

I have the same issue brother I tested other Machines and all working fine

sigh

@quaint badge @nocturne cave

you are not meant to use phishtool

that was just an example of a tool you can use

you are meant to use thunderbird that is on the target machine to solve the questions for the remaining tasks

and/or copy the hash from the target machine to plug into some of the sites that are given too

you are not mean to copy the emails or eml files over

as those actually contain malicious files if you check the hash on virustotal

Ok, thanks 👀🫡

no problem

this is just the 34th time someone makes this mistake

Hey thank you for the reply yes I just completed the task with my way but I wanted to ask here for the issue! Thanks again 😄

Gave +1 Rep to @nimble oasis

Some people are beginners no need to be rude 😄

sorry sorry.... did not mean to come out as rude... was just wanting to point out it is a common problem and there should be something done to make less people miss this

No problem thank you again for the reply and help 😄

Gave +1 Rep to @nimble oasis

👍

woot woot! just finished Snort room

great room, great resources! Thanks @radiant knoll

Gave +1 Rep to @radiant knoll

Congrats! It was my favorite room, but also the one that stressed me out the most.

yeahhhh! same!! it was challenging! Love the snort rules and options you can do with. I feel like a legit SOC analyst with Snort.

Now i look forward to the Snort-The Basics

gonna teach me how to analyze and stop malicious traffic with Snort ! this atta be good !

Also the resrouces and Cheat Sheet they provided. This is unmatched

exactly what I did

It's a really good tool to have under your belt. Can't wait to add 🙂

What did you guys put on your resume about Snort?? Shamelessly asking so I can add it to mine 🙂

I'm putting it under my skillset then taking it to Zojja in Careers channel and see what she tells me there

But then again, this isn't until I'm done with all the snort modules and I have implemented my own snort rules and detection system on my own internal networks and systems

I have one for Ubuntu WSL2 running already as a live feed

Also going to add my write ups for this. I finally edited and created one of the many write ups I have from THM

Quick sneak peak of my write up for Snort-The Basics

Still editing in progress

Itsybitsy ||pastebin.com/ytg0ah6a|| link no longer works 😦

agreed. probably the hardest rooms on this path is snort and snort live. It was kicking my ass.