#soc-level-1-path
Ohhh that one
I can't really think of another reason why it is more suspicious than all the others
They couldn't have given it a better name. That sure was a pain for me as well
let me catch up
Probably because of this: So, the primary concept of a Fast Flux network is having multiple IP addresses associated with a domain name, which is constantly changing
but the domain name isn't changing
It's static, isn't it?
PID 1632 all have different IP addresses but it's also trying to connect to different websites
I would think that they would all target the same IP
not different IPs
That's because I think it's implementing the RRDNS
what is RRDNS?
In that room they provide a great article and explanation on the constant changing of IP addresses and what you are seeing is
Round Robin DNS
I was thinking that a fast flux is a bunch of compromised networks trying to connect to a website, like when someone is trying to DDoS a website
Read the above article to get a better explanation of the constant changing IP addresses
and RRDNS
okay thanks
I still need to redo this room and get a better understanding of it again, as I may come off a bit misleading with my advice there. So please take it with a grain of salt
thanks
Okay, it helped me understand fast flux but not why that is the answer, sadly
From what I understand, fast flux uses a botnet to query the RRDNS. So when one of the RRDNS is taken down, the website will contact another website for the DNS, and so on and so forth until it connects.
I really think for task 3 it's really based on the ASN; most of those ASNs are known TLDs and one of them isn't
Ahhh you talking about this part
I see they do all have different IP addresses,
At this point i think the answer is all them
labeled with 'suspicious' and 'malicious'
I think THM just wants the first answer not all of them
Yeah, also noticed there are two that are from the US and the answer definitely doesn't fit the second US IP address, so that only leaves one US IP address as the answer
What does a US IP look like vs another?
Yeah, so if you look here there are two US IP addresses, both with different hex values in the first octet set
I realise why they call it the pyramid of pain... the last task is a pain to complete
The Practical?
Yes, where you need to align the statements with the levels of the pyramid.
I never found out the answer! Sorry for getting back so late, but I thought maybe they just wanted the first answer too lol. & it's cool you noticed the answer changes? So it kinda makes more sense why that was the answer
Hi
the room: Threat Intelligence Tools
Task 4, first question. I try to use the tip, but it doesn't give me anything
also if I try to search only the IP address so I get that:
same result if I try search: 212.192.246.30:5555
Yeah, it was outdated for me so I had to Google the answer
as it was changed iirc
or one of the questions were in that module at least
So probably from when they made the room until now, how to use it has changed a little, and probably the market has another tool, GUI or CLI, that uses it daily
Because it's funny: first I just tried to search for the IP address, and then I read the tip. Ahhh ok, I need to give it a kind of flag (like in Wireshark and other tools, or in shodan.io), so I wrote: ||IOC:<IP ADDRESS>|| and got an error, so yeah, probably something changed there
It's lowercase ioc
The syntax isn't IOC
but iox
ioc
iirc
Yeah, that's it, just tried it now
|| ioc:ipaddrhere ||
^ syntax
About PhishTool, can I do a free account?
Is it preferable to use my own account?
yes
I believe so
https://tryhackme.com/room/zeekbro
Is there a way to connect remotely in this room? i connect via web interface and it is very slow
A VM is attached to this room. You don't need SSH or RDP; the room provides a "Split View" feature. Exercise files are located in the folder on the desktop. Log cleaner script "clear-logs.sh" is available in each exercise folder.
Probably not.
Hi, question about Wireshark 3: traffic analysis module
I am on the HTTP traffic section, in the user-agent part, and they want me to spot the frame number with a minute spelling difference in the user-agent field
But, for the life of me, I cannot find it; I have been staring for hours. Can someone nudge me in the right direction?
Never mind, I finally found it lmao
For some reason whenever I post it here I always find it right away, I should do that more often
Does anyone have a hint for Task 8 in the mitre room. I'm trying to answer "Per the detection tip, what should you be detecting? (format: phrase1 or phrase2)". Now I'm absolutely certain I've got the right answer (||abnormal or malicious behavior||), which I've verified with several writeups and searching this discord. Has anyone completed this recently, and can tell me what I'm doing wrong?
The question changed! I refreshed the site in utter defeat and it changed. I guess they updated it, and I was just unlucky to be mid-room. At least I know now I'm not insane
I'm in MITRE right now? What question in Task 8?
I was talking about the one that now reads: "Referring to the technique from question 2, what mitigation method suggests using SMS messages as an alternative for its implementation?"
But I figured it out after I refreshed the site. I guess they just updated the question, so my answer was naturally wrong
Yeah, that must be the case. I don't see the new revised question on my end since I already finished the room
What is wrong with this question? MITRE room Task 8
Per the detection tip, what should you be detecting? (format: phrase1 or phrase2)
answer from MITRE is: abnormal or malicious behavior
and it matches the format but still gives me incorrect
You talking about this question?
No, I have it as this: "Per the detection tip, what should you be detecting? (format: phrase1 or phrase2)"
that's probably why
you might need to refresh or wait for it to update. Not sure how that works. The previous user if you scroll up had the same issue
Should report it as a bug
Apparently they refreshed their page and it regenerated a new question
yes worked with me now
already answered
Thanks, and please report this issue; the question is not updated
Can I please get help with the Velociraptor room task 3 last question? I'm submitting the right answer but it's saying it's not
Refreshing the page works for me; if you have an instance open on a VM or another computer and your main host, you'll get this issue
So close the module page in one, or just refresh from time to time
Hi guys on the TI tools room task 5 talks about an email1.eml that we are supposed to use with thunderbird. My email1.eml just shows that it is bolded but not downloadable. Am I missing something?
And just for reference this is what my attackbox looks like
Nothing from email folders or thunderbird
Never mind. Turns out I was in the wrong box. Did not realize that there was another one that loaded until I went to show split screen
Has anyone completed Task 4 of Wireshark: Traffic Analysis room? I've been stuck on the final Task 4 question for a couple of days now, only question left to complete at this point.
how long on average does it take to complete this path?
Average user: 56 hours.
Is the Pyramid of Pain static website broken? I think I understand everything but it keeps saying whoops...
Anyone having an issue running the Velociraptor lab? I was able to complete Task 3 a few days ago and now I can't gain access through Chrome. I've opened the Ubuntu server and started Velociraptor based on commands.txt and see at the end: "velociraptor-v0.5.8-linux-amd64: error: startFrontend: x509: certificate has expired or is not yet valid: current time 2023-05-18T07:09:24-07:00 is after 2023-05-17T22:36:52Z" . In Chrome I see "site cannot be reached, 127.0.0.1 refused".
I am having the same issue with the Velociraptor lab; I've been working on a solution for the certificate expiration issue without luck.
Just received message through tech support room, they will be updating certificate.
Hi all, I'm currently doing the Volatility room and the 3rd question in Task 10 asks you "What process can be considered suspicious in Case 001?" I managed to get it right by educated guessing, but I don't fully understand why it's considered suspicious. Is it because of its parent process? Or am I just missing something obvious?
May I see a screenshot?
sure, here's the output of psscan
Anyone solve the TryHackMe PhishTool room?
The task in the room about emails???
This one????: https://tryhackme.com/room/threatinteltools
@short rivet
i.e. you are supposed to just use Thunderbird to find the answer to all the questions
you are not supposed to be using phishtool at all in that room
it is just an example tooling that you might encounter at a later date
Yes I am using PhishTool but it is not working
Bro, but in the task they ask to use PhishTool
Do they??? Did you read the scenario part????
And no, there is no way to get the .eml file off the target machine... and there should not be, as it actually contains malicious code
same with the 2 following emails later in the room
it is as isolated as it can be
But bro, where do I get the Email1.eml file?
it is on the target machine and the target machine has thunderbird... you are meant to open it on the target machine in split view and get the answers you need using thunderbird on the target machine
In thunderbird what should I add in Setup your Existing Email Address
just click the cancel button and it will open the email file
Yes it get open
@nocturne cave do you have the answer for this?
the answer may now be something that starts with M******
You might want to refresh the page a few times as the question has been updated.
I am on the room: Threat Intelligence Tools
Task 5, question 4.
After I copy the source file email1.eml, and from the clipboard I go to CyberChef, paste the contents, choose Parse IPv4 header and find the IP address is: ||25.4.13.12||
But it's wrong. What can I do to get the correct answer? Is it something different?
I look at the format and think it's not correct what I found
NEVERMIND
I found it!
thanks
the "correct" answer is reader_sl.exe but yeah, not entirely sure why. It is the only process whose parent is explorer.exe, but surely that alone doesn't make it suspicious.
Yeah not sure why lol
instead of the . but [.] for each one
MITRE room 8th question
Referring to the technique from question 2, what mitigation method suggests using SMS messages as an alternative for its implementation?
PLS HELP
Did you open the technique page? You will find a section "mitigations", you should be able to find the answer there
I looked but couldn't find
So you opened the page by clicking on this?
Should be right here if you scroll down a little
Thank you
Hi, I'm on the room: Threat Intelligence Tools. For task 7, how can I know "the attached file can also be identified by the Detection Alias that starts with an H..." if I don't have internet in the room, I mean a browser to upload the file and learn a little more about it?
I try to copy the source message and paste it into CyberChef but it doesn't give me any information
Same thing about task 8
I try to guess, but I think it's macro but it's not, also not trojan or adware
So how do I need to answer for both tasks 7 and 8?
same problem..
I copied issue over to the tech-support room. @scenic token is working on updating the Certificate.
Windows Events Logs Task 3
Question :
What event files would be read when using the query-events command?
My answer is wrong.
PLS HELP
What are you putting in?
Read events from an event log, log file or using structured query.
You're putting all that in?
Yes
Ok.
Your answer is right.
You're just putting in too much information
Look at the number of * in the answer box.
That is a hint towards the number of characters & format.
I am trying but I can not
Dm me please.
Are you just clicking on the link from the page?
No I was opening the link in the attack box
Done
Hi everyone, is there a list (official or otherwise) of blue team related rooms on tryhackme?
I finished the SOC Analyst path and almost done with the Cyber Defense one, and I want to practice some rooms that are just blue team type of stuff (splunk, windows events, pcap analysis, checking logs for attack/malwares, etc.).
For example I just finished the Investigating windows series, but there's no filter for "defense" practical room in the search page and it's not that straightforward to search for them.
So I'm wondering if someone curated a list of rooms that one can use to practice everything learned in the blue team paths
I don't really know if there's a list out there, but what you could do is use the search function here on Discord and search for "Blue" in the #announcements channel, it'll give you all the releases of blue rooms
that's great, haven't thought about that, thank you!
You're welcome
Have you looked at the website "malware traffic analysis"? It has a lot of malware samples and pcap files that you can analyse.
thanks for the suggestion, I'll look into that!
Hello, new to infosec. Would SOC Level 1 training from THM be applicable to my real job scenarios? I will be starting very, very soon on my first job.
What's your new role?
IDK what the problem is but I cannot connect to this machine. I tried all the possible ways (I tried another machine and it worked perfectly)
https://tryhackme.com/room/opencti
Seems like an ongoing problem - skip or move past for now
Hi, everyone,
I'm taking this course and I can't find the answer in this section:
MITRE > ATT&CK® Framework > What groups have used spear-phishing in their campaigns? (format: group1,group2)
Maybe I'm not answering it correctly, but I'm stuck.
Could you give me an idea or help/suggestion?
thanks
Navigate to the ATT&CK website and take a look around
thx for your answer, that's what I actually do
Have u found the answer?
Look under procedures; here you usually find more info on how/what adversaries perform certain attacks, software, ...
I'm French, so I'll try to understand under the line
Is there a way to copy paste from the browser VM into my machine? The VM doesn't have internet and some questions ask you to check a hash on VT etc
Ah think I figured it out, need to full screen the VM and a browser pop up appears for copy paste permissions
Why can't I access internet in tryhackme attackbox even though subscribed
Hi, I'm on the room OpenCTI, task 4
I try to reach the machine,
I try from my own Windows machine, click on the button Start Machine and then run the AttackBox and get an error in the browser.
So I run my Linux, connect to my THM VPN, and run the machine from my Linux machine,
and get an error too
This is a ping from my Linux:
Maybe it's because I use the hotspot from my phone?
Hello there,
Just as a tip, I can get files from the THM VM by changing the user's password and making an SSH connection when I'd like to copy/paste a file
?
It was just a tip to copy/paste files between the THM VM and the local machine
I already tried this..
Can I just get any tips to solve a question ?
From Threat Intelligence Tools > Cisco > Q2 :
Maybe I don't understand the question, because every answer failed
depends which lab you are doing, some have internet access and some don't
Did you type in the URL properly?
And connected with VPN properly if using own machine?
Url should be http and :8080 at the end
Hi, I had a question about emails. Not from a room, but it's because of the PhishTool room.
I'm used to testing emails by clicking on "view original". I'm also used to copying into a txt file the source code I see when clicking there. I can then upload the txt to an analysis tool like PhishTool.
Recently, my AV analysed my txt file and got rid of the attachment.
How dangerous is a txt file of a mail containing malware as an attachment?
I fixed the problem
It's a security related reason. not a subscription reason.
I'm getting no search results for index=botsv1. Are we inputting any data into Splunk first, before searching this?
Is there a reason why piping or redirecting Snort output to grep or .txt doesn't work in the browser VMs? always get no output / empty text file
Make sure time is properly selected to like "all time"
I'm on Threat Intelligence Tools, task 5, PhishTool, and I don't know how to go about answering the question.
This is the question:
but when i try to open thunderbird all i get is this image
And my question is where do I navigate to ingest the Email1.eml file that I need to inspect
thanks
There should be a folder on the desktop that contains Email1.eml
I also had issues with this lab, I had to restart the VM a few times before it appeared
can't remember the folder name / path but if you do a search in this channel it's been mentioned previously
and make sure you're in the right VM, sometimes it shows you the attack box but there's other VM's to select at the bottom
can't remember if it was in another VM for this one
See, I know where the file is, I'm just confused how I can examine it like the question is asking me
When I click on the Thunderbird app, two tabs open in Firefox: one asking me to sign up with an email, and the second showing the screen that's in my second screenshot above.
If you go to the file, is there an option to open it in Thunderbird?
you don't need to configure an email account, just cancel that step
thank you that did work
Anyone help me, I need to join this tutorial https://tryhackme.com/resources/blog/free_path but I don't have a premium account
anyone help me
if you aren't subscribed you can't join certain rooms. Either subscribe or skip the room that requires you to have a subscription
hi! in the Cisco Talos tasks in the Threat Intel room, I'm told:
Task
Use the .eml file you've downloaded in the previous task, PhishTool, to answer the following questions.
But the previous task didn't have me download it? I'm confused as to what it means.
I don't think you need any .eml file to answer the questions.
I'll forward that as it indeed seems confusing.
thank you!
Is what we learn in this path fairly similar to a Network+ course?
Not really
Are they complementary or one is better than the other?
Network+ covers the basics of networking, AFAIK. The SOC level 1 path could/would be the next step after learning those basics, as it covers the different concepts a junior SOC analyst would need to know (Blue teaming). It's important to understand networking before going into something more specific. Hope that helps
Oh yes, thank you very much for the detailed answer. I was actually meaning Security+ but I somehow typed Network+, my bad! So I guess this path & Security+ are pretty similar?
Ahhh okay, makes sense; Security+ will cover a lot of the concepts in the SOC level 1, but without going into too much detail and with no hands-on training (unless you pay for the CompTIA labs, I believe).
That being said, Sec+ also covers a lot of important concepts you won't see in the Soc L1 pathways (Governance, Risk, Compliance, Cryptography ...)
If you're planning on passing your Sec+, I would definitely recommend doing the SOC level 1 path during or after, to go a step further.
I passed the Sec+ recently, feel free to DM me if you have any questions
Thank you very much! Will do!
I'm on the Network Miner room, exercise 7; the pcap file is taking forever to load
anyone have similar issues?
Hi guys, I'm doing the 'Cyber Defense Frameworks - MITRE - Task 8 ATT&CK® and Threat Intelligence', and I don't find the solution for this question "Referring to the technique from question 2, what mitigation method suggests using SMS messages as an alternative for its implementation?", all my answers seem wrong...
@wheat jewel isn't it about multifactor ? SMS are used for that. 2FA or MFA ? How many characters are expected ?
2 words, the first 12 characters, the second 14 characters
Okay, so I am doing the Splunk 201 Incident Handling. What is the difference between "dest_ip" and "dest"? In the example, "dest=192.168.250.70" resulted in a very significantly different result than "dest_ip=192.168.250.70". Anyone know why?
Someone correct me if I'm wrong but I think different source logs can have different "names" for the same thing, such as dest or dest_ip
I'll look it up to see. Thanks
Hello
Am I tripping or is the pyramid of pain room Task 9 incoherent?
There are 2 tools and 2 network/host artifacts descriptions but we can only put 1 in each
Ok, seems like a common problem
It can be done.
Is Zeek Scripts not working for others? Facing a syntax error from a newly launched machine
root@ip-10-10-119-111:/home/ubuntu/Desktop/Exercise-Files/TASK-7/101# zeek -C -r sample.pcap -s 101.zeek
error: Error in signature (./101.zeek:1): syntax error
root@ip-10-10-119-111:/home/ubuntu/Desktop/Exercise-Files/TASK-7/101# cat 101.zeek
event zeek_init()
{
print ("Started Zeek!");
}
event zeek_done()
{
print ("Stopped Zeek!");
}
Actually, I have a problem: I already completed the MITRE section in the SOC Level 1 path, but the progress shows me it's at 97%
My username is jero713123
Sent a report in a bug communications channel... you can re-post it in #site-bugs if you want
i have the same problem
I just entered for this; in the dashboard it does not seem green but like 97-98% or something, and when I enter the room I see 100% is done. Furthermore there isn't any empty answer point
I want to know how to check all the logs in the system
like who logged in etc.
Could anyone tell me the path?
I thought it was /var/log/auth.log
but I think it is wrong
and tell me if I am in the wrong space of life guys
I came here for the same reason
Hello, I'm doing Snort Basics, task 9 Rule Structure and I'm not getting the expected output. I suspect my issue is IP ID 35369. I've used the following:
||alert icmp/tcp/udp any any <> any any (msg "Alert"; content:"35369";sid=million; rev=1)
alert icmp/tcp/udp any any <> any any (msg "Alert"; content:"IP ID 35369"; sid=million; rev=1)
alert icmp/tcp/udp any any <> any any (msg "Alert"; id:"35369"; sid=million; rev=1)||
I'm not even sure if I can use the icmp/tcp/udp as multiple tags or have to use them individually. From what I understand I should be seeing a log file of sorts but no alert or file has been created.
Can anyone assist?
You only need one rule. I would edit your third rule. The id has wrong syntax.
well, the id:"35369" is slightly wrong
@wraith oasis I figured out the issue. I learned about a way to test my rules and it kept failing, and even though I used a known good one, it still failed. I realized I was creating the rules in the /etc/snort/snort.conf location instead of the local.rules within the Task-9 folder. With the cmd I found to test my rules, I was able to refine it more.
Also, turns out you canNOT do the ICMP/TCP/UDP in a single line; they need to be done with a separate rule for each protocol. Thank you
Sounds like what I did before haha. Glad you got it to work!
Hi, how am I able to answer sysmon room if I can't use copy and paste on the room VM. Am I supposed to copy those huge reg keys by hand?
if you open it in full screen instead of split screen you tend to be able to copy
if not try rdp
Will try, thanks
no problem
you can uses screen capture with read information
Thank you!
Hey guys, I'm in the 'Threat Intelligence Tools' section under scenario 1. I have entered the hash into talos and I have detection aliases pulled up, but only one starts with an 'H' as the question suggests but the answer is coming up incorrect. Am I doing something wrong? Any help would be appreciated. This is for the question: From Talos Intelligence, the attached file can also be identified by the Detection Alias that starts with an H...
Hi everyone
Been sitting on this problem for a while with no resolution in sight. Working on the OpenCTI module, Task 6. Two of the questions I cannot get the answer to because the data doesn't seem to be in the VM's OpenCTI database.
Any help would be appreciated.
Are you still looking for help on this?
Did you identify the correct Attack Technique from the question previously?
Yes I did. Only 7 items are linked to the attack technique when there is space for 3 characters. I noticed some other folks in the channel had a similar issue but there were no resolutions posted in the chat so I'm stuck :/
So if we go to the malware ||Caddywiper|| and then click Knowledge at the top, this will give us an option on the right sidebar to click "Attack Patterns". This is where you got the Attack Technique. From there, if we click it, then on the next page click it at the top-right again, it takes us to the Overview page for that attack technique (Attack Pattern). From there we click Knowledge at the top and our answer will be in the distribution of relations table.
Yup, exactly that. Except that no attack patterns show, and there are only 7 linked relations.
That is very odd as I just launched a new machine to test this for you lol
I've launched the machine maybe 5 or 6 times trying to see if maybe something didn't load correctly, but it remains the same with no info every time. I've completed the module otherwise lol
Hi, can you answer those tasks? I also want to know how it work.
Hi, I will help you after my shift
I'm working on the Pyramid of Pain room and am wondering if someone could clarify the difference between the "Process" name and the "Filename" (regarding task 5). The question asks for the name of the dropped executable, and seeing two different names in the report have me a bit confused.
F***, sorry dude I was busy
But I think I get the answers on how to complete the task in the channel #room-help
Or #room-bugs
Just search my nickname and maybe the admin wrote there
I'm sorry I will try to help you during the week
In the Yara room there's a VM that's attatched to the room, during Task 10 Valhalla the room wants you to enter the sha256 hash you just created in the attached VM, i'm struggling to find a way to copy the hash out.
any tips?
nvm, just had to boot up my AttackBox and SSH in; figured I might be able to just not do that.
@peak ledge
No prompts for IP address tier in pyramid of pain room. Am I right?
Two prompts given for Network/Host Artifacts tier. But I can only place one per tier
Yes.
All boxes have a prompt.
The IP addresses one doesn't have any. If it does, can you tell me which one it is?
Hold it with me.
I did the static site, and realised it's the wrong prompt in each box; this is in line to get updated in due time.
If you can DM me, I can give you a screenshot of my answers to get the flag, but I don't think you need to enter the flag anymore?
Yes You dont need the flag to continue further in the room
Hey @shut blade! Yes, I still have this issue. I feel like I've accomplished what is being asked but the answer doesn't seem to match. I can attach a screenshot of the detection aliases to show you if necessary.
hello. Did you find the answer
- @iron gyro https://medium.com/@haircutfish/tryhackme-mitre-room-task-8-att-ck-and-threat-intelligence-task-9-conclusion-7314d008f6d5
This page has a pretty good walkthrough
question 4 is not the same as my question
my question's '
Referring to the technique from question 2, what mitigation method suggests using SMS messages as an alternative for its implementation?'
wow thank you so much
it, all deparuted,, wgat you not to do worst think.
what?
When I was young we learned that IP-transfer. It's like shaking hands.
ahhh
Can anybody explain to me what the heck is going on with Yara - especially Task 9 question:
From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?
The answer is: yara 1ndex.php file2/file2.yar. But where is 1ndex coming from? why is the yara file on the end? Isn't it supposed to be where 1index.php is? I'm 100% confused on this one.
i read the book linux basics for hackers
did udemy ethical hacking from scratch
but want more as it seems like nothin but a heart ache
could anyone help me
thaske thke kuureee..
What?
Is MFTECmd.exe bugged in Windows Forensics 2 room? It keeps crashing every time I open it in the VM.
Are you running it in the command line or trying to open it from file explorer?
Tried both
What command(s) did you try?
Running it from file explorer is futile, will just crash
Hi y'all, I'm gonna give this path a go before the Cyber Defense and RedTeam paths, so I'll be hanging out here for a bit.
Only one I've done before this was PenTest+, so hopefully I can get through it
This is the answer ||yara file2.yar file2/1ndex.php||
In the snort challenge - basics room. The answer to this question "Write a rule to detect failed FTP login attempts with a valid username but a bad password or no password." is 41. My snort rule is alert tcp any any <> any 21 (msg:"Failed Login with valid usernames";content:"cannot log";sid:100001;rev:1;) . But the site accepts the value 42
Same goes for the next question which accepts the value 7 but the correct answer is 6
hey, i need help with the final mission in the part of cyber kill chain
Who's available to share screen now?
what do you need help with
I'm trying to do Threat Intel Tools task 5 (PhishTool). For this task we need to use the split view attack box (there are email on the Desktop that we need), but when I try to launch Firefox to navigate to PhishTool there's a pop-up saying "Firefox is already running, but is unresponsive." and it hangs up. Doing a Firefox refresh doesn't help, and pinging Google shows that the VM isn't even connecting to the internet.
Anyone know of a workaround so I can actually complete this task?
Edit: Turns out this actually also impedes completing some other tasks in that module. Is there another way I can snag the emails from the Desktop?
Use Thunderbird to analyse the E-mail.
Thunderbird? But when I try to launch it, it requests a login. I am confused.
I think you simply need to setup a fake account so you can open emails with it.
I can't successfully solve the final mission. Can you help me?
You just press cancel or something like that, you do not need to setup an account
there is a cancel button for the login request that works wonderfully well
hello- my first assumption is im making mistakes, hoping someone can shed some light. In the OPENCTI room, the login and password don't work to access opencti. Has anyone experienced similar?
Thanks @fresh furnace and @nimble oasis
I didn't realize "cancel" would let you proceed anyway, and got confused with why the task has you learn about PhishTool but then use Thunderbird instead.
I am in Threat Intelligence Tools. I could not access the internet to use PhishTool and Talos. How could I access it?
Read a couple posts above. I just had the same issue. Turns out you have to use Thunderbird and not PhishTool. I haven't done it yet myself as I was out all day, but others have advised.
Seems a lot of people never read the last 2-5 lines above the questions that tell you to use Thunderbird
I'm currently in https://tryhackme.com/room/yara. On Task 8. I'm using the browser-based connection, not the OpenVPN connection. I can navigate to cmnatic@thm-yara:~/tools/Loki$, but this is where I'm stuck. It asks to run "python loki.py -h" to see the options. However, the machine responds, "python: can't open file 'loki.py': No such file or directory." I've tried it also from "cmnatic@thm-yara:~/tools$ ls" and still no dice. Same error message. I'm sure there is something I'm doing wrong, just can't quite figure out what. Any suggestions? TYIA
Are you in the ~/tools directory?
Yepper. I cd'd to the tools directory and get the same message. However, I always have the "$" symbol at the end, and it does not reflect that in their instruction screenshots. From "cmnatic@thm-yara:~/tools$ ls" is where I attempted "python loki.py -h" and then that's where it gets snagged up and I can't progress.
I am having similar issues, working thru it now
I appreciate the help!
I was in the main directory and entered the command from there. Seems like Python may not be in the path?
That's what it's acting like but I can't seem to figure out why not. I'm at the point where they want me to enact that line in order to access "Signature -base"
Were you able to get the help output?
Sent dm
Hello everyone.
Anybody had a problem with answering the last question of task three (3) in the room https://tryhackme.com/room/velociraptorhp ?
I feel like I have the right answer, but it's just not taking it. I've answered everything else entirely. Any help will be deeply appreciated.
Is anyone else having trouble with any rooms that require the attack box to have internet connection? It seems that every room that I'm in where the attack box requires connecting to an outbound site, it never works. Even now, I'm in OpenCTI, Task 4. Attackbox started and machine started. They provided me the machine IP address and port to connect to as "http://xx.xx.xx.xxx:8080". I always get an "Unable to connect" message. I tried going to Google.com and it connects just fine. It's really frustrating paying for a subscription to learn and it always seems that either their machines aren't operating the way they describe or other things aren't functioning to properly be able to perform the exercises.
Update: After playing around with it a bit, I've resolved this particular issue if anyone else has trouble. On Firefox, upper right corner, I had to "turn Off" Foxy Proxy in order to get it to work.
Can somebody please help me with analyzing these logs? I have been stuck on this problem for like 30-40 minutes now and I don't get what I am doing wrong
In Incident Handling with Splunk, it says index=botsv1 . Nothing comes up when I type this, but someone on YouTube got 300+ events; saw a similar comment on the YouTube vid with the issue. Anyone experience similar?
Ensure your "timeline" setting is showing "all times" and not something like "last 24 hrs"
Thanks, saw this noted previously and adjusted. nothing
Gave +1 Rep to @fresh furnace
In the Kape Room Task 7: Hands-on Challenge. Can't seem to get Kape to display properly in full screen mode. Seems simple, but it won't display the targets when double clicking.
Nevermind, I got it to work on a 2nd monitor. It wouldn't show up on my laptop.
Woot finished this learning path. Might as well do Cyber Defense since it's about 50% done.
I'm going to start this course after I finish the Google course
my plan as well
what google course?
there's a Google cyber security course
how much is it?
it's free
but it's on Coursera, which is a paid platform
You can apply for financial aid then audit the course for free. Once you have audited all of the courses in the cert program you can sign up for the 7 day free trial. That's when you submit any graded quizzes or labs. I've completed Google Cybersecurity, Google IT Support, and Splunk Search Expert all for free.
this information is gold to me fr!
Thanks fr!
Gave +1 Rep to @sick island
Hey gang,
I need some help with the OpenCTI room in the Soc analyst path
On task 4 when it says to connect to login to the OpenCTI dashboard via attackbox on http://machine_ip:8080/ , I can't get the page to load
Instructions for Task 4: OpenCTI Dashboard 1 (Soc Analyst path)
Follow along with the task by launching the attached machine and using the credentials provided; log in to the OpenCTI Dashboard via the AttackBox on http://machine_ip:8080/. Give the machine 10 minutes to start up, and using the AttackBox on fullscreen is advisable.
Username: info@tryhack.io
Password: TryHackMe1234
The machine is done initializing and I'm now launching firefox.
so now in Firefox, I type http://(the ip assigned to my machine):8080 and I get this message:
Unable to connect
Firefox can't establish a connection to the server at (my assigned machine ip):8080.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection ( other pages like tryhackme.com are loading fine )
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web. ( Other pages are loading fine )
I am a subscribed user, so I think I shouldn't be having this issue
I just started this path. Seems like a lot of theory and not much practice so far. Does it get better later? I am still at Cyber Defence Frameworks
yes it does, once you progress into cyber threat intelligence and beyond it gets a lot more practical
Hey, I'm in the Brim room. Why are there two sorts in the query? cut id.orig_h, id.resp_p, id.resp_h | sort | uniq -c | sort -r
The Snort room is kicking my ass. Half the time I don't get the same output as the examples in the room. I even resorted to looking at a walkthrough just to see if I was using the proper commands. Did anyone else have this kind of trouble with the room?
I dont recall struggling with Snort. It was my first time using it.
I had to reboot the attack room. Now everything is working fine.
Awesome! Good luck with the room!
Please, I have completed all the free modules attached. I haven't done the rooms for subscribers. Will I get the certificate? Thank you
no, you need to complete 100% of the path, and that includes the subscription-only rooms, in order to get the certificate
hi, unable to connect to the kibana server
Fellas, am I just an idiot or do a lot of the TryHackMe rooms feel like they explain the content in a way that's pretty confusing?
I made sure I jumped around and did all of the recommended prereqs
I have completed all of the prerequisites for the soc1 learning path but some rooms still have way too many acronyms and names etc to remember so in order to complete them I do them one module/part? at a time
I end up watching a lot of the youtube stuff to see what exactly the questions are asking/how to do them. The ones that just point at answers are totally useless.
Like I just ran Snort, I see the logfile I'm supposed to use, I ran it in sudo, and when I try to access it it's locked. It's probably just a part of the learning process but I feel like I'm not getting this fast enough.
I'd say try taking them 1/2 tasks at a time and have a 15 min break
File permission issue maybe?
That part I know, I just don't know why I can't access it
Does it not give you any errors etc?
I'm even in the same terminal instance
bash: cd: 145.254.160.237: Permission denied
You trying to open a file with cd ?
Like what rooms?
They appear to be directories
Question called it a folder too so I'm pretty sure it is
Like which ones though
Try with "cat"
I understand the Linux syntax I'm seeing, and I can't think of what other rooms would be helpful
I could try. I was just happy to get a usable instance, they randomly go so slow they're unworkable
Well, that's pretty much where my ideas end, except that Ubuntu is the owner of the file while the rest of the directories are owned by root
hmm maybe I can change owner...
I take it back.
I am an unparalleled genius in the rough.

Lol thanks for the help/letting me vent there
It's not possible to run the machines locally if I install Linux is it?
Locally ?
They are hosted in AWS I believe. You can connect your VM or host to their network with VPN
Like run it on my machine. Or interface with it through my machine maybe?
Like if I was on Linux, could I use my own Terminal and such so I wouldn't have to deal with their lag?
Yes. You can. Through VPN
I might spend the rest of today doing that. Their machines have been giving me SO much trouble just using them.
I wish I could Alt+Tab between operating systems
Yeah, not the fastest, but at least you can be sure the issue is not in you. Just download the VPN file on your Linux machine and run it
VM ofc but I don't think my main PC has the oomph to run a VM like that.
If you're running Kali, 4 GB of RAM is enough I'd say
I'm fairly certain my Gigabit fiber-optic internet with no packet loss isn't the issue.
Which might be worse news tbh but
Personally I'm running a Kali VM on my laptop and just open THM from the browser there to avoid switching between windows so much
I have 16 and a Surface Pro 8 I run at 70% CPU.
I think what I'll do is install Linux on my Desktop PC and just Splashtop in.
btw if you're ever looking for a good remote for personal use Splashtop has been pretty good to me for like $20 a year
Do you find using your own Kali machine to be faster?
Yes and a bit more comfortable. Resolution of the browser machine is not great
But it will essentially depend on what resources you assign to it
If I boot it up on my Desktop and remote in it can use all of the CPU, RAM and my 3080ti lol
Yeah, that's also possible. Live boot or dual boot works well too.
I've heard dual boot can screw up your MBR or something if you're not careful
What is live boot?
You just boot up from a USB stick. You can install it with persistence on the USB so you don't lose your files when you turn it off.
Btw it might be a good idea to move this discussion somewhere else so we don't get in trouble?
I vaguely remember when doing snort that it said you have to change file permission to access the log.
I forgot the exact wording as to why but pretty confident that it said it in one of the snort rooms.
I had the same issues and opened up 2 terminals and it started working fine.
That's what I ended up doing. I think I read it, forgot it was this lesson, changed permissions to access the file, and felt very smart for one (1) minute
Honestly those moments are the best when you feel like you solved it!
Mostly I've just felt like I'm not getting it. I think I'm going to try a different approach. I didn't realize that only a few of THM's models had a video lecture, so I might just get the lesson mostly elsewhere and use THM to test my knowledge
I'm a beginner, no IT experience. I've been doing well just by the reading itself. Occasionally I do use a write up, but only for that specific question.
Damn you're styling on me now
I have a bit of IT experience too O.o
no no haha. i definitely use help too! I feel like the reading, at least for snort, was enough for me to understand what they were asking for
I get it to a point, but sometimes I think I get it until I get to the questions and I'm like
...did I just click on another lesson because what tf do they want
I tend to do the readings twice. Kinda like skimming it once, and then reading it again when I know the question
maybe try that?
might not work for everyone though.
In the Threat Intelligence Tools room, we're given a machine which contains some emails that we're supposed to analyze with PhishTool. This seems very counterintuitive because you can't access PhishTool from within the VM... This room seems like it was written originally to have the example emails downloaded, rather than have a VM spun up just to access these files. Is there something obvious I'm missing here?
Is this the one with .eml files?
If it is, open the .eml file with Thunderbird, right click on the file then open with
Ah. I was just opening Thunderbird using the icon on the desktop which would then force me to create/log into an account.
I got it by just opening the files in a text editor
Hey guys I'm not sure if this is mentioned anywhere else in Discord, but for the "Snort Challenge - the Basics" room task 2, the question that says "What is the SEQ number for packet 62?" It should say "What is the ACK number for packet 62?" I submitted a bug ticket already, just wanted to let you guys know.
Is it? Why do you think it should say ACK? Just wondering as I'm not sure.
@wraith oasis the correct answer is the ACK number
Hmm. I did my write up and documentation. It seems like Packet 62 SEQ is 0x38AFFFF3. You're doing Task 2, "What is the SEQ number of packet 62?" right?
@vagrant root
unless it accepts two answers? Both 0x38AFFFF3 and 0x114C66F0?
@wraith oasis it accepted the answer for the ACK number but denied the SEQ number, for me.
@wraith oasis yes, that's what I got
This is the screenshot from my documentation. The top packet is 61.
Packet 62 has Seq as 0x38affff3
Lol I don't feel convinced I'm talking about the same question just yet.
@wraith oasis hmm, that's interesting, I must've been wrong on my packet numbers.
So I'm in the Snort - Basics challenges. I'm muddling through it with guides, but is it just me or are the questions like TOTALLY out of the blue?
I have been assuming that everything we needed was explained in the lessons, but am I supposed to be looking through the official documentation or something?
Like here's a walkthrough. How in the hell was I supposed to know to use a freaking Hex code?
Good evening. I am new here. Any help?
Oh i looked at my documentation
I wrote that I used the hint and it gave me an idea on how to solve it
@lusty bloom
I'm not particularly sure if it was out of the blue but it did stump me a bit before I used the hint
Anyone know if it should be possible to access the OpenCTI Dashboard through VPN and not just the AttackBox in the OpenCTI room?
Yeah you can, just use the credentials provided in the room.
yo, anyone else struggling with the OpenCTI room?
I can ping the machine, I can see 8080 being "filtered", but I can't access machine:8080 in the AttackBox or through VPN
It says it can take up to 10 minutes to start up. Give it some time like the documentation says.
I just got in. It can take the full 10 minutes to load.
it was way too slow for me so i just used my own VM and it was much better
I'm on Task 5-8 on Threat Intelligence Tools and the VM version of Firefox will not connect to the internet/not load any page/Timed Out. Is this an issue for anyone else? Trying to get to the PhishTool website to finish this up.
You use Thunderbird to analyse the email
Thank you @primal igloo I was able to get it eventually. It felt very very obtuse to do that. Much appreciated.
Gave +1 Rep to @primal igloo
TIT task 4 question 1 is giving me a run for my money, any guidance?
Use the syntax ioc:<ip here> when searching for the IOC. The alias name should be there in the database entry
Hi guys, anyone has Professor Messer's SY0-601 notes?
I think this is outside the scope of this channel. However, I remember Professor Messer has a website which you should be able to find with a quick Google.
Anyone else having issues with this setting "Enable Network Discovery"? I can put it "On", but it's just instantly back to "Off"
Ah, the hint on the second question that I needed to solve the first question.
Thanks, sometimes TryHackMe just likes to be funny I guess.
Onto the last room (in my case) before I finish SOC, a week straight of effort it's taken me so far but it's been a great learning experience!
I actually kept a timer, roughly 67 hours, 71 if you include time taken to research the two rooms I got seriously fumbled on which are volatility and velociraptor, so I might go over those again just to really solidify it but all around a great experience!
Great job! I couldn't stick to a single path for the life of me as I learn better by doing.
Congrats, I'm getting close to being done with Splunk. Can't wait to be done with this one. It's definitely very long but it's a great learning path!
I too had this problem. I can't remember now how I worked around it but I'm out of the house rn and when I get back I'll do some poking
Hi everyone, can you please suggest how to answer this question, from the Autopsy room?
The majority of file events occurred on what date? (MONTH DD, YYYY)
It's asking for the month, date and year.
i understand that
I cannot understand how to set this up / figure this out
the timeline shows only by years
dunno how to set up appropriate view
Hey everyone, I am stuck on this kill chain question "This term is referred to as a group of commands that perform a specific task. You can think of them as subroutines or functions that contain the code that most users use to automate routine tasks. But malicious actors tend to use them for malicious purposes and include them in Microsoft Office documents. Can you provide the term for it? ".... I believe the answer is Weaponization but everything I enter is coming back as incorrect. Am I missing something?
I've added every term from the section as well
Lol I feel so slow!! I must have misspelled the answer!!! I typed it in again and got it right! Thank you so much!!!
Gave +1 Rep to @compact bloom
Hello guys, in the https://tryhackme.com/room/c2carnage room, there is a question to identify the Cobalt Strike IP address. I found out one in HTTP and another I cannot find; it turns out to be in HTTPS, and I read a write-up, they said that we have to try all IPs in the packet. So in a real life situation, how can we know that the Cobalt Strike is in HTTPS without TLS? Many thanks :v
If you found one IP (HTTP), then you can use that to look up the second IP (HTTPS) on Virustotal.com for you to gather further information. However, to answer your question, in a real life situation you'll need TLS to decrypt packets. There used to be a way to search for Cobalt Strike using extraneous whitespace after the HTTP status code, but it was patched in 2019. https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
Hello guys, I believe it's here to ask for question: In Pyramid of Pain (Host Artifact section) They ask us to find the name of an executable in the report, even though I found the place before clicking on HINT, it does not help, there is no executable name
Question 3 is asking for the executable (.EXE) name from the image above the questions.
You are a savior !
Answer to Wormseen challenge
Does anybody have any insight into how to download, install, and properly configure Snort on a Windows 11 machine?
kinda stuck on this some help would be much appreciated
Threat Intelligence Tools
Task 7
https://www.talosintelligence.com/talos_file_reputation
then input the sha256sum of the attachment file
Use Talos' File Reputation lookup to find the reputation, file name, weighted reputation score, and detection information available for a given SHA256.
@mighty basin
I've gone a few times to the tiny url and copied and pasted it with and without the https, but it keeps saying 'Your answer is incorrect'. A few of the questions in Task 4 (Domains) provide 'incorrect'.
hey all I am having trouble with 2 questions in the SOC velociraptor path:
task 3: What is listed as the agent version?
task 7: What are the arguments for parse_mft()?
Task 3 - They're looking for the agent version of Velociraptor. Look at the date and time.
Task 7 - Read the documentation, under Parsing the MFT at https://docs.velociraptor.app/docs/forensic/ntfs/
NTFS is the standard Windows filesystem. Velociraptor contains powerful NTFS analysis capabilities.
Hello, I'm doing Investigating with ELK 101, but in task 5 I can't do the question about the 11th Jan
it's empty
I found the solution
gentlemen it is with great pleasure I inform you that I have completed this path
i bid you farewell
gz @frank pelican
I'm currently stuck on the Yara room on task 8. It says file2 (1ndex.php) doesn't have anything suspicious but the room asks what web shell is present. I'm confused
Oh... nvm, I just opened the file itself, the answers are right there. Hopefully it can help someone that gets stuck
nice one !
I don't know about you, but I was doing the Yara room using the online attacker machine and I got an error that there's no module named "request". Then when I tried to do a pip install there was no connection and it failed with max retries reached.
Also when running the command to test my Yara rule:
yara 1ndex.php file2/file2.yar
I've got this error (see image).
I've still managed to finish by hard trying all the answers, but that's not the point. Some fixes might be welcome
Hey everyone, anyone got any tips on taking good notes during this SOC Level 1 path? A lot of concepts I'm seeing on job descriptions and in potential interviews?
hello everyone
I'm stuck with this question on MITRE Task 8: what mitigation method suggests using SMS messages as an alternative for its implementation? This was my answer but it keeps telling me it's wrong
anyone pls, as I'd like to move to the next level. Thank you
Hey, I am having the same issue. Did you find a solution?
Turns out I just had the line wrong. The first question in this section has it backwards.
I'm stuck with this question on MITRE Task 8 question 4: what mitigation method suggests using SMS messages as an alternative for its implementation?
Hint.
It's a sort of authentication
Notepad is what I used to reference commands and terms i haven't encountered before.
As for job descriptions, you can add similar programs if you haven't done everything they ask for.
As for interviews, make sure you have specific rooms you found to be memorable/challenging and how you solved them
Hey everybody!
Maybe I'm missing something here with the "Snort Challenge - The Basics" room but I'm trying to get the TTL for packet 65 from the log and I'm getting "47" when it's asking for a 3 digit number. Unless like the "SEQ Number of packet 62" question it's meant to be something else but wasn't updated?
Nevermind, found the answer. If like me you reached the initial conclusion of 47 or similar, go double check that 1) Your rules are correct and you haven't accidentally added a duplicate to them. 2) That you are reading from the latest log after correcting any rules from a new search.
Hey! Someone familiar with Splunk and search queries?
CherryTree is a good note taking application and it's free. Organizes well once you get used to it so you can have tiered outlines in one file instead of separating multiple notepad files in multiple folders
Doing that room right now actually and did some of Splunk's free video trainings beforehand. What do you need help with?
hey, I'm currently at task 9 of the Sysinternals room
in the PowerShell, I execute the following command: ||strings.exe Desktop/SysinternalsSuite/ZoomIt.exe | findstr /i .pdb*||, which gives me a path starting from the D:/ partition, but it's not the correct answer
I even searched for the D:/ partition in the machine but it doesn't exist from what I've seen
any idea what I could've done wrong
I looked at my write-up. I had to use an older write-up. I don't think the room is updated @sweet bloom
answer starts with C: instead
yea, to be completely honest, I looked it up on the internet afterwards, I guess that's why it doesn't work
thanks for the reply @wraith oasis
Gave +1 Rep to @wraith oasis
but it's still weird that the partition mentioned doesn't even exist in the machine
I wonder why that's the case
Yeah lol I'm not sure why
Hi Guys
can someone pls help me solve Threat Intelligence Tools task 7 pls?
I'll be glad if anyone can be of help with this task as I've been struggling with it for hrs now
Love to help, but next time, just post what question or task you have a question on, instead of generally asking for help. You may get more people willing to help if they know how to help from the get go.
Drop the question
hi Bro, thanks for coming to my rescue
Gave +1 Rep to @elfin elk
I'm stuck on this question, scenario 1 sub question 2, finding it so challenging to get the hash to take me to Talos...... I'll be glad if you can help pls. thanks
Gave +1 Rep to @elfin elk
hello, I'm stuck on this question, scenario 1 sub question 2, finding it so challenging to get the hash to take me to Talos...... I'll be glad if you can help pls. thanks
I already told you how?
hi bro
@primal igloo still can't figure it out bro
@primal igloo I really love to
I love this room people are coming to my aids
@primal igloo I don't wanna get tired of this, I need to win with your help
You need to go to the directory and sha256sum the E-mail.
here is my question,,, how do I get sha256sum? pls
Do the command
sha256sum filename
I did go into the sender email but I can't get through
on the terminal, I did put sha256sum email2.eml and nothing comes up
You need to be in the directory of the emails...
As my screenshot above shows.
let me try
I'm not sure what you mean by the Emails directory, because I've copied the sender email so I can open it in the terminal but I can't
Open the folder which contains the emails, then right click and "open a terminal here"
ok let me try that now 1 SEC Thanks
Gave +1 Rep to @primal igloo
I wanted to believe I did just that,, I did right click on the sender email to copy into the terminal but once I did that it is not opening in the terminal
You don't need the senders email for question 2
ok! what do I need to do pls
I've told you three times now...
I did what you told me but I just don't know why I'm still struggling to do it
you can change directory (folder) in a Linux terminal using the cd command
!docs verify
Can you please link your account so you can post screenshots.
Hello everyone,
I'm stuck with the question below
Referencing the dmarcian SPF syntax table, what prefix character can be added to the "all" mechanism to ensure a "softfail" result?
I answered v=spf1 ~all but it doesn't accept the answer
This room is on SOC ANALYST 1 - Phishing - phishing prevention - Task 2 - SPF.
The answer is found on https://dmarcian.com/spf-syntax-table/
It's looking for a prefix character in front of "softfail."
I read the table and I wrote the answer as v=spf1 ~all, it didn't work, and I also tried ~all
It's strange why it is not accepting the answer
It's looking for a single character.
Thanks I got the answer. It was ~
It's strange, they should at least give us some hint
Gave +1 Rep to @haughty lance
Hey, how come I can't transfer files from my local machine to tryhackme attackbox using scp?
Is it on the vpn?
The Answer is wrong? Its a Bug?
Which room?
Hello guys, I'm currently following the CTI module; however, in the TI Tools room, task 5, "PhishTool", the VM has no access to the internet, hence I can't use Firefox with PhishTool. I raised a ticket but it will take a long time, I suppose.
as I have no time to lose, could anyone send me the last 2 answers?
I would really like to complete this room today
That would be cheating
I don't recall needing internet access but I didn't do a write-up for that section
it's not cheating, the answers are quite easy to guess if having access to phishtool. And indeed, I don't want to wait days for finishing this part
You can use Thunderbird.
i just know i never had to contact support
well, the questions should be related to the scope of the room, no? But yes, if they don't answer my ticket soon I will try to end this with Thunderbird
I didnt have to contact support so based from my own experience, I answered it without needing to wait
i really wish i remembered the room though, and that i did a write up
No worries. I wish I can help more though! I did remember not liking any of the CTI rooms lol
so far lots of good insights i can tell
completed
I wasn't really sure about the word "defang", tbh
Yeah. Defang is useful.
voilà, mystery resolved
no
That's why, it needs to be on the vpn to communicate
Hey Anyone Knows At Command & Control phase, can the attacker send payloads to the victim system ?
Well... what is the payload transport system on your attack?
I am just asking in general out of curiosity. No such specific details.
During command and control, the attacker has a connection with the victim computer and can typically issue commands remotely or malware is reporting back to the attacker, depending on the type of attack, to be able to secure whatever objectives the attacker was looking to secure. So yes, the attacker would be issuing commands, if not built into the malware to do things like deface, exfiltrate data, corrupt/encrypt data, etc. Depending on their mission in the first place. Hope this answered your question.
Hi.. I'm currently on the Sysinternals room, I'm trying to turn on network sharing, but whenever I click on and save it automatically reverts? Any ideas, thank you
if I remember correctly, I don't think it has connectivity
I vaguely remember struggling for 30 minutes only to find out it doesn't, so I have a bit of trauma from that. @azure bronze
I temporarily left the room, it was doing my head in ahahaha.. Cheers for letting me know, otherwise I'd have probably done exactly what you did
hi guys can anyone pls help me with this task, I have been struggling with this for long now
Hey I actually made this mistake too
You need to make sure you're in the directory where the email file is located THEN you hash it
so type ls in your terminal, then cd desktop, then cd... I think emails if I remember correctly, then do your sha256sum email2.eml
this is what I have been doing, but let me try it the way you advised
bro sorry for disturbing
can you pls help, how do I need to cd and then the hash
I'm so confused
i think you're saying that you're not sure how to move to the email folder in Linux
type ls in your terminal and show me a screenshot of what you see when you do that
and I'll help you the rest of the way
ok sec thanks
Gave +1 Rep to @full jay
this is what I have tried but isn't working
ok
okay so this listed directories on your system. I might not be using the right vocab here but I think thats correct. If you want to hash your email file, we first need to FIND THE EMAILS.
In order to change the directory you're in, you need to use the command cd.
Type cd Desktop
then type ls again and tell me what you see
ok
this is my linux email
I did this section last week. I understand your assignment you don't need to explain it to me anymore
type cd Desktop in your terminal
then type ls
and tell me what you see
ok
this is what I got
So like I said earlier, in order to hash the emails first we need to FIND the emails
I think we should check the Emails directory
so type cd Emails
then try your sha256sum Email2.eml command
and see if it works
Yeah now you've found the emails
So do sha256sum Email2.eml
and it should give you the hash
And boom you've done it. Just paste that into the website they gave you and you're all set
Hi all, do you have some lag too in Windows Forensics 2? Thanks for your response
Guys,
I am having difficulty in getting the answers of Task 9 pyramid of pain.... anyone faced the same..
There is an issue with the answer....
@nocturne cave Just click on question done and move to next module
https://tryhackme.com/room/wiresharktrafficanalysis
Task 6 last question...how was I supposed to find that it was CHMOD 777? The lesson didn't give me any tools for looking up elevated permissions in Wireshark right?
I'm not sure if I'm doing something wrong or the site no longer displays that record, but on Task 6 in intromalwareanalysis, there is a question which asks you to obtain the hash for the RedLine sample and check out the report generated on 9 Dec 2022, except this doesn't exist?
W4nna Fl4g
100 Points
348 solved
Medium
this is a memory image of a machine that was infected with a famous malware, analyse it and provide answers for the following questions:
- What is the name of the initial malware process?
- What is the name of the malware according to DrWeb?
- What can be a good host based IOC (Mutex)?
Flag format: Flag{ANS1_ANS2_ANS3}.
Note: better to use volatility 3.
Please help to solve this.
Hi all, anyone have a tutorial for the CyberChef utility? Because I have much difficulty using this, and I'm going to finish the room "Splunk Boss of the SOC"
You may have to check the github page and other resources from Google.
The website says you can press F1 over any function to learn more about it.
why when I use string *dmp | grep -i "user-agent" it shows me nothing in the Volatility room
Can you try adding a -i (to make the match case insensitive) option in your grep command? User-Agent is oftentimes written as User-Agent.
Uhm hey... I am super new into this...
hey, I am also super new into this, I have started the SOC Level 1 path, what about you? Which path are you going on in TryHackMe?
i will try to find out
as someone new to the field there are a lot of questions in my mind, like how can I land a job in this field? Recently I completed the Google cybersecurity course. Have you done any course related to this field yet?
no i am super new just a beginner
ok i am also new lets be friends and help each other to progress in our career nice talk with you, lilly
that's really amazing nice to meet u
@stable junco just start with intro to cybsec then presec then you get comfortable with the path
I completed the intro part
just go in presec path
if you are interested in soc path
okayy tq
Hello, I just tried one of those on a Kali VM and it worked : https://installati.one/install-zeek-kalilinux/
So just make a general update with : sudo apt update
It didn't work for me without that first step
Then use : sudo apt -y install zeek.
thanks
Gave +1 Rep to @white ferry
Hi, so i've been struggling in the 2nd question of task 7 of the Event Logs room
I used the FilterHashtable parameter like the following ||Get-WinEvent -FilterHashtable @{ProviderName='PowerShell'; ID=400}|| but obviously it's not precise enough, so I looked at the EventData part in Event Viewer and luckily found a different "HostVersion" in one of the events (one has the 2.0 version while all the others have 5.1), the thing is I don't know how I can implement it in PowerShell
I thought maybe it could work with an asterisk symbol like this ||Get-WinEvent -FilterHashtable @{ProviderName='PowerShell'; ID=400; Data='HostVersion=2.0'}|| but it doesn't seem to work
Also, for some reason the XPath query commands do not seem to work for me in my case, do I have any syntax problems in this command : ||Get-WinEvent -FilterXPath '*/System/EventID=400'||
You might want to post a redacted version in #cyber-and-careers
Possibly best a screenshot too
SOC Level 1 -- task 4 confuses the mess out of me. I do not understand what it's asking me
What room?
Is there a certain part of the task you don't understand? Are you stuck on the first question or what?
My apologies , the very last one about the redirect URL
It is asking where the given link redirects you to, I would recommend you reread this section of the task to try and figure out how to get your answer.
I appreciate it. I've been at this all day and evening. I was on the any.run site looking. Thank you
np
In the Snort room are you supposed to download TCP Replay yourself? I tried running the traffic generator but it says "Failed to execute child process "tcpreplay" (No such file or directory)"
Hello Guys, I am a newbie, just started SOC lvl 1. Can someone help me with this question cus I tried reading this report and could not find the name of the executable...
The actor drops a malicious executable (EXE). What is the name of this executable? Its on the Task 5 Host Artifacts (Pyramid of Pain)
there is a report file attached to the room and the hint says the answer can be found on page 39
Yeah mate, Just sorted it out, it is actually at page 6, at the bottom
Thx for the response
as stated by jayy it is on multiple pages
Hello all. Has anyone experienced any issues with browser-based VMs in the pathway?
I'm working through the module on Yara and Loki, and when I execute commands that are supposed to produce a scan of a suspicious/malicious file, the scan only completes with positive results. I have triple-checked my commands and the file path; they are exactly as indicated in the instructions. It's got me wondering if perhaps there is some sort of configuration error or something? Any help is appreciated. Thanks.
Yeah, I'm having issues with the Yara room as well. Loki can't update, presumably because of a lack of internet connection. Presumably this wouldn't prevent a rule from being created, but the rule that does get created doesn't flag 1ndex.php so I can't finish the Task.
Hi All,
Anyone else having this issue?
Hello
in the OpenCTI room, can someone explain where or how to connect to this tool?
is it supposed to be web-based? because surfing to the address of the server that I had to launch isn't doing anything
The room tells you
Probably will be Web based
Ok, my bad, forgot to add the correct port number in the url
Trying to do the room, Velociraptor v1.6 24052023 (velociraptorhp)
Does anyone know the password to it so I can proper RDP into it?
The room is set up to use the built-in side-by-side connection to the Windows VM. Some of the commands I have to run on the VM are silly long to manually type, and some of the answers are too long to type. Copy and paste seems to be broken, and it's not the VNC-based client so I don't get the little built-in clipboard on the left.
I tried connecting to it via the VPN and RDP but I don't know the password. I try to change the password and it still doesn't let me connect and then it breaks the web viewer.
Unsure what the password is but you could possibly try a different browser to fix the copy and paste issue? For some reason it works OK for me with Chrome/Brave but Firefox copy and paste is broken
Hey peeps. I'm a newb here. On SOC 1 threat intelligence tools.
For tasks 7/8 I am required to download .eml documents to my PC but have no idea how.
I also tried opening Firefox to email them to me but the VM has no internet.
Thx a lot for help.
What term refers to an address used to access websites? Can someone help me out with this????
@abstract grove dns?
thank you.....
np
Hey everyone, so I'm in the Velociraptor room and I can't access the tool via Chrome. It says "This site can't be reached. 127.0.0.1 refused to connect."
does anyone know why?
Did you start the Velociraptor server in a Linux terminal using the following command? ./velociraptor-v0.5.8-linux-amd64 --config velociraptor.config.yaml frontend -v
I didn't, thank you!!
Gave +1 Rep to @haughty lance
Anyone available to help me with SNORT? In particular Task #6?
It says to run the command "sudo snort -dev -K ASCII -l ." followed by running the traffic generator script
It says I should be seeing this
but instead i'm seeing this
I granted myself ownership and inside each folder, it shows a single file, not multiple like the task shows
This is what the task says I should be seeing
but this is what I see
so am I doing something wrong? Is the task simulation not going correctly?
Can't answer but I have exactly same result. So or we both do smth wrong, or it simply works this way.
Yeah, it didn't stop me from progressing or getting a wrong answer but it made me think I was doing something wrong
Same, i just moved forward
Need some help. Is there something I'm doing wrong here where I can't see the specific IP folders after running sudo snort -dev -K ASCII and then running the script to start ICMP Traffic and HTTP Traffic. I'm only seeing the original snort.log I used in the previous command which was sudo snort -dev -l . would appreciate some tips. Thanks!
Exercise-Files: there are 2 folders there. That's it.
anyway i have issue with a room.
why i cant add image lol.
You need to verify your account to do so.
!docs verify
Room Machine
Before moving forward, deploy the machine. When you deploy the machine, it will be assigned an IP Machine IP: 10.10.34.69. The machine will take up to 3-5 minutes to start.
but when i go to the IP it says
502 Bad Gateway
nginx/1.14.0 (Ubuntu)
even i waited for 10 mins
is this a bug?
Didn't see the Machine Room. Have you scanned it with nmap to look at open ports?
I just respawned it, now the machine is not loading properly. It should be Splunk
Question, Snort room, task 9. Snort rules.
alert tcp !192.168.1.0/24 21 <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each TCP packet originating from port 21.
Question: should it perhaps be that this rule creates alerts for each TCP connection from port 21 except those that originate from the 192.168.1.0/24 subnet?
Perhaps "any" would make the description of the rule more accurate, or if I am wrong someone can correct me?
alert tcp any 21 <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each TCP packet originating from port 21.
alert icmp 192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each ICMP packet originating from the 192.168.1.0/24 subnet.
if you add the port 21, then it does the same thing but must match source port 21 as well
Thanks.
Gave +1 Rep to @dense thicket
Hey guys. I'm a newb here. On SOC 1 threat intelligence tools.
For some task 5 ....to analyse a suspicious email, (Email1.eml ) from where i will get this email?
Thx a lot for help.
You need to start machine, Email1.eml is in folder Emails on Desktop.
spawn the machine. it is there.
Hey guys. im new here on SOC 1.
Need some help in this question for task 4.
Provide the redirected website for the shortened URL using a preview: https://tinyurl.com/bw7t8p4u
task 4 of what? the link did not show anything other than the website homepage
Have you tried expanding it? Just search "URL Expander" on google, or use https://urlex.org/
urlex.org is a URL Expander that unshortens any URL to a long URL masked by any URL-Shortener.
In this case, you could just click the tinyurl. In most cases, you will want to expand it or track the redirect to ensure its safe before wildly clicking on a shortened URL
you can append + to the url. Like so: https://tinyurl.com/bw7t8p4u+
@shell spoke is correct. If you just copy/paste the shortened URL into the URL bar in your browser but then add a + then it'll show you where that shortened URL is directing you to (without actually going to the website)
I am running the command "sudo snort -c local.rules -A full -l . -r ftp-png-gif.pcap" but I am not getting any logs in the folder I am in
the command is executing fine and the output is even saying it's reading the alert
but I am not getting the snort.log file
Same thing happened again when I went to task 4. It worked once to locate the PNG file (task 4) but then is failing to generate the log file for Task 4 GIF file rule. I have a feeling this is a problem with the simulation
Hi, Please how does one access the kibana interface on the AttackBox
Thank you. It's working the way you told me.
But does it find any packets? If not, then it will not generate a log.
I think you need to open browser and type there ip address that is provided in the task.
Hi,
Need some help in Pyramids of pain, task 6, Q1
What browser uses the User-Agent string shown in the screenshot above?
What would be the answer?
can you send the User-Agent string?
Mozilla/4.0(compatible;MSIE7.0;WindowsNT6.1;Trident/4.0;SLCC2;.NETCLR2.0.50727; .NETCLR3.5.30729;.NETCLR3.0.30729;MediaCenterPC6.0;.NET4.0C;.NET4.0E)
probably Mozilla Firefox
It says your answer is incorrect. I already tried many times
You should do some independent research on user-agents. The answer is in fact in the UA, though it's not FF
Just to show you that Mozilla/5.0 isn't identifying the browser as Mozilla, this is my current user agent on Chrome: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
yeah I realized that after, it's what standards it supports
I'd recommend doing a quick search for Trident Web Browser and see what comes up
Man I got it
Hello, I want to go over SOC1 and master the information for two reasons.
- To get my Certification
- To Ace a job interview
Ok three - To be very Proficient in Cyber Security.
I guess if any one wants to go over the material for example Cyber Defense Frameworks, or whatever, bring it on.
Thank you in Advance
A little intro, I learned programming first and was going or still going over Jr Pentesting.
That should suffice for my skill ability. I am sure someone would like to put that to the test, but that's what the rest of this Discord server is for
besides learning general programming, I think learning the basics (and more) of networking is important for the SOC path
also
I'm frustrated at the way task 9 worked in the Pyramid of Pain module
lol I can understand the topic is literally "pain"
hello fam, I was trying to write a Wireshark filter for TCP connect scans and I stumbled upon the connect scans
and one filter read like: tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024
can someone please explain to me how it is equalling 1 or 0 and on what basis they are taken
Hi! About the room "Intro to Malware Analysis": I try to use ssh ubuntu@10.10.146.59 to connect to the machine but the system tells me the password was wrong?
Can someone help me? Please
Are you on the vpn?
yes! I can ping this ip address
Is the ip correct?
for sure i copy that!
Can you show me a screenshot?
which one? Kali linux?
like this?
No, of the target machine.
I turned that off, wait, I'm opening it now
In the mean time.
ip a | grep "tun"
If there is a problem with my VPN, I will not be prompted for a password error but will not be able to connect
I try it at first
And it doesn't respond?
sudo ip link set dev tun0 mtu 1200
Try this command on a different terminal
Password isn't working for me either, I've reported to staff.
yes I think the password was wrong, Please tell me when it solve
Good night my friend
Later tater!
For now ,if this issue solved?
I've not heard anything yet my friend.
I looked at the box out of curiosity and was able to access it. Using the web-based Kali machine that will spin up after clicking on the Start Machine button, you will be logged in as the ubuntu user; escalate your privileges via sudo su and change the hash value for the ubuntu user in /etc/shadow to your preferred password. The only downside is that you'll have to do it every time you work on it unless you complete it in one go.
What are the differences between ext4 and ext3 file systems from a forensic perspective?
still weird, I still can't post pictures here
You need to verify your account to do so.
!docs verify
Could use some help if anyone has a minute. I am stuck on the Zeek room - Task 5
I created the sig file as you can see below
but when I run the command, I get this output and can't seem to figure out why.
anyone else got the same response when going to the ATT&CK Engage website?
Hello guys, in the Snort room there is a question that says "Navigate to the task-exercises folder and run the command ./easy.sh and write the output". I can't find the script under the folder!
what is the script supposed to do?
hey, I did a cyber security course a few years ago and wanted to expand my knowledge a bit. I am trying to get a SOC Tier 1 job at the moment and wanted to know what people who went through it think before I get premium for it. Would it be redundant if I have already been through a cyber security course?
The filename you are trying to type is wrong, look again.
You're right, I didn't notice the dot. Thanks
Gave +1 Rep to @rotund garden
Cheers, I had same problem.
You have underscore in dst_port.
I have finished the SOC Level 1 training path the other day
Hey everyone, I'm struggling to complete the Itsybitsy room
I can connect to Elastic via AttackBox but I do not see any prompt to login with the provided credentials
I got it sorted, there's no login necessary
Hey guys,
I'm having trouble making snort run in IPS mode, i run
-Q --daq afpacket -i eth0:eth1 but it still says IDS mode, any advice?
Hey - Please tag me if you get any query or issues related to SOC rooms (ELK / Splunk), so I get the notification and can respond timely. Thanks.
Gave +1 Rep to @wary kayak
@vagrant ledge I ran into an issue yesterday in the "Intro to Malware Analysis" room (https://tryhackme.com/room/intromalwareanalysis). The questions for task 6 ask for information related to a report from Hybrid Analysis on 9 Dec 2022. Here's the problem: there is no report on Hybrid Analysis with that date anymore when you query the redline sample hash there.
Hello, the website layout has changed a bit, but the report is actually there. You have to open the latest report, then in the falcon sandbox reports, check the report for the required date. I have changed the question a little to reflect the change in the website, to make it easier to understand. Thanks for pointing this out.
Gave +1 Rep to @vale cedar
Deploy the machine, then read through the supporting material in the following tasks as the box boots up.
You'll have to click on the green Start Machine button in one of the first few tasks.
Thank you @tepid hill and @green onyx I already completed the task.
For now, this problem is still not solved :(
The room name's "Intro to Malware Analysis"
Hi everyone, I'm currently doing the SOC Level 1 path. In the Core Windows Processes room I was wondering if I should actually study the processes and what is normal? Or is this something you eventually learn over time, and should I focus on the rest of the training path and have a general understanding of the processes as I go through it?
@vagrant ledge The Phishing Prevention room (https://tryhackme.com/room/phishingemails4gkxh) has a broken link for task 9. The URL for the question (https://www.incidentresponse.org/playbooks/phishing) does not work. I'm not sure if that's a temporary problem on their end or if they just don't exist anymore, but figured I would bring it to someone's attention. Thanks!
Gave +1 Rep to @vagrant ledge
Thanks @vale cedar - the issue has been taken care of. You can also check.
Happy learning:)
Gave +1 Rep to @vale cedar
I would suggest focusing on the rest of the training and keep exploring the processes and other topics in detail. You will learn over time.
thank you for your reply @vagrant ledge. i will focus on the rest of the path then.
Gave +1 Rep to @vagrant ledge
Hello guys
please fix. This isn't working even if you put the correct answers.
It's bugged, it's on the to do list.
yeah it is bugged and on the backlog to be fixed... at least you don't need any answers from it to complete the room
This room requires GUI access to complete. I suggest using splitview to complete the room. It is not supposed to be accessed through SSH.
You can use the highlighted option to use the split screen in a full window, where it is easier to copy and paste stuff too.
can anyone help with opening the OpenCTI dashboard in the open cti room. I was able to startup the machine
tried launching the machine at http://10.10.118.50:8080/ but its timing out
tried opening it from the attack box also but nothing
How long have you waited for the box (and the services) to boot up?
i waited about 15mins
Have you tried to open the AttackBox first, then the "start machine" from the CTI room?
@fringe kraken
Sometimes you have to respect this order
ahh i see will do that & see ! appreciate you
I noticed this as well, ended up marking the task as completed when I figured it's a backend problem
just want to comment that i like this Pathway, enjoying the Yara room
heya. Are there any Security/SOC Analysts here? I'm currently doing the Event Viewer room (https://tryhackme.com/room/windowseventlogs) leading up to the Sysmon room and I've been kinda overwhelmed with PowerShell and especially XPath queries. I could take the time to study these things for a while before going forward, but I was wondering whether logging via extensive PowerShell usage and XPath queries is something that you do on a daily basis, or which you think is an important skill for your profession?
I cant seem to get anything to work on this same step.
Stuck on Task 8 of the Yara room. Nothing seems to work at all.
Try "python3 loki.py". I believe python2 is the default Python interpreter.
and I believe Loki is written in python3, if I remember correctly
or update the path variable to point to python3 instead of 2
this learning path is taking me much longer than expected
Hello everyone. I am an absolute beginner in cybersec and have just started exploring TryHackMe SoC level 1 course. I am stuck on Snort Task 6. Can someone please help with Questions asked
Like I am unable to open the folder to identify the source port used to connect to port 53, and I'm also having general trouble reading through the file
How do I view the total number of Techniques used by a threat actor group in Attack Navigator?
selecting only visible techniques and deselecting the first one doesn't change the output on the Attack Navigator.
is there a button that needs to be clicked in order to apply changes?
I would suggest to get comfortable with Linux commands/environment before going into log analysis. (Pre-Security pathway is really helpful)
Hey Camu. Thank you for the recommendation. Will check that out
Gave +1 Rep to @median sail (current: #1966 - 1)
Hi all. I'm currently in the "Snort Challenge - The Basics" room and I'm a bit confused about the difference between a pcap file and the snort log.
If I do "snort -r snort.log.xxxx -n 65", then I get the right answers. But why can't I just read it directly from the pcap file (snort -r mx-3.pcap -n 65)? I was under the impression that the snort log is basically all the packets that we collected (which is essentially the same as the pcap file), and any "filters" that we create using the -c flag is output into the alert file.
how do I connect to the Kibana instance machine? I already started the AttackBox and it doesn't look like a Kibana instance
It seems it isn't the Kibana instance you're looking for as the Attackbox has an IP of 10.10.119.8 while your target should have been 10.10.225.136.
Yes. How do I connect to the right machine instance? The room needed should have an IP of 10.10.225
Have you tried to visit the target IP via your browser?
I thought connecting to the AttackBox would automatically launch the correct machine but it's not.
It isn't. It is a separate box from the target.
it worked. Thank you
Gave +1 Rep to @tepid hill (current: #24 - 327)
Glad I could help.
Is there a typo in the correct answer in "Unified Kill Chain" Task 6, question 2?
I believe the answer should be "Credential Access", however it is incorrect and the placeholders show an extra character on the second word.