#soc-level-2-path
Finally 
You're spoiling us.
12 new rooms in this release. See if you can find them all.
Not listed in the path?
All part of the learning path.
There is an error in the intro to log analysis room for the new SOC level 2 path. The issue is in task 6 question 2 where it asks how many HTTP 200 responses are present in the log. The file expects an answer that is greater than the number of HTTP 200 responses.
Sorry, was running out the door as I typed this. The answer that the room question expects is equal to the number of lines in the log file, but not all entries in the log file contain an HTTP 200 response. Hope that reads a little more clearly.
Hey all, working my way through the "Log Analysis Tools: Command Line" room under the SOC Level 2 Pathway. It looks like the file mentioned under task 6 "/root/Rooms/IntroToLogAnalysis" doesn't exist in the AttackBox?
root@ip:~# cd Rooms/
root@ip:~/Rooms# ls
ADEnumeration Compiled Follina-MSDT SplunkBasic AoC3 cryptographyintro introdigitalforensics Spring4Shell BPVolatility ctf-event-2022 OhSINT Wireshark101 BreachingAD CVE2022-26134 ParrotPost caldera CVE2022-26923 sigma CapstoneChallenge ExploitingAD solar
Not the end of the world as the task files are attached/downloadable - just thought I would mention it here.
I'll check on that. Thx for mentioning it
Gave +1 Rep to @pallid flame
Thank you sir:)
mmh right now it does not accept as an answer either the total number of lines or the number of HTTP 200 lines .... some more to bruteforce ...
no sorry - last line does not end with \n so wc was giving total-1
Thank you for that - I was getting desperate and got it now. Makes more sense it's for http 200 and above as that was showcased in the commands above.
Also seconding the missing files on the attackbox for log analysis, I was just doing the exercise in my local WSL.
Gave +1 Rep to @alpine abyss
Hi everyone, is there anybody who did the Eradication & Remediation room, task 6? Where can I find the suspicious IP?
Thank you for catching that, the answer should make more sense now.
Gave +1 Rep to @alpine abyss
Splunk: Data Manipulation Task 8, the answer is supposed to be s/-\d{4}-\d{4}-\d{4}/-XXXX-XXXX-XXXX/g but it's not showing as correct?
It is asking for a generic SEDCMD pattern to mask sensitive information - not specifically to mask CC information, as we can have different patterns to achieve the same goal.
Like ||/old/new/g|| ?
Yes - something like that - no hints about answers here please.
Hi, I'm stuck on the third question, maybe someone is able to help me?
I found it out checking in /etc only the folders with five letters in their name, not the right way but...
If someone did it the correct way I would like to learn how. Thanks in advance
If you ingest these auth logs into Splunk by following the steps shown above, you locate the particular events - the answer is right there.
There was a problem I think, logs were not ingesting into Splunk for some reason, the first ones yes but then it stopped, thanks for the answer
Gave +1 Rep to @odd bronze
Post a screenshot or point to the issue if you are still facing it regarding data ingestion. Will figure it out.
I closed it some hours ago, I was facing the same problem on the Windows machine, I solved it using Monitoring instead of Forwarding
Had the same issue with not ingesting windows logs using the forwarder.
Can you share the exact point or screenshot etc where you were having issues? I will try to reproduce the issue and see if anything can be done to prevent this issue from happening to others.
It's just the same screen as the illustration in the task, same index and sourcetype, but with no logs!
If you didn't solve it yet, try to use Monitoring instead of Forwarding in Data ingestion
Mea culpa - maybe I was being impatient. Logs turned up eventually this time around.
@pallid crescent how do you use Monitoring instead of Forwarding in Data ingestion
When you click on Add Data, you have 3 options, Monitoring is the one in the middle, and Forwarding the last one, select Monitoring and follow the steps as if it was Forwarding
Oh yes, I was too far, thanks
Gave +1 Rep to @pallid crescent
you are welcome mate
How can i give you +1
I think the bot does it automatically
OK
How can i do it?
When u say T.hanks it gave the rep
OK Thanks
Gave +1 Rep to @pallid crescent
help me out
It's asking to mention the generic pattern (format) used to mask sensitive fields using SEDCMD.
Hi guys, can anyone send a hint for Dynamic Analysis: Debugging Task 2?
Malware sometimes checks the time before and after the execution of certain instructions to find out if it is being analysed. What type of analysis technique is bypassed by this attack?
The answer in the first half of the task.
solved, Thanks
Gave +1 Rep to @odd bronze
Hey, can anyone tell me how I can access the inputs.conf file
Hello!
In "Task 6" of "Basic Dynamic Analysis", I believe I've provided the correct answer, but I keep getting the message "Uh-oh! Your answer is incorrect." I used Regshot to compare the registry before and after using 3.exe. Is there any issue or bug occurring?
You have to create one in the right place. Explained in detail in the Splunk: Parsing and Manipulating Data room.
Thank you
Gave +1 Rep to @bitter storm
I've resolved it myself!
It seems the string I entered was too long, so I solved the issue by trimming the first half!
Finally finished this pathway! The last section on malware analysis was really cool. Big thanks to everyone that helped make the rooms etc
It says that I have to create it in the default directory. Which one?
Yes, We will place our conf files in the default directory of the App.
Hey, I am in the Tactical Detection room. To answer some of the questions of the room I have to use a tool called Uncoder.io, but for some reason I can't use it. Are there any alternatives?
Uncoder.io doesn't seem to really exist anymore. I was able to make an account and use the community uncoder AI (at least so far, only answered the first two questions of this). You need to set the right-hand side as ElastAlert -> Alert (License)
Reach out to me if you run in to trouble, I can try to help out!
Cleared that section using the Uncoder AI option. It was a little bit of a pain, cuz the translations are set up differently, so I had to figure out what I need to set it to. But I did get all of them.
Splunk: Setting up a SOC Lab
For this room do I have to install Splunk on my system to answer the questions?
I tried to create an account but it says that I didn't pass the verification.
That's weird. Let me create one with a random Gmail I use for stuff like that. Did the email you use receive the verification code?
If I remember right, they have VMs in the room itself that have all the files you need and it walks you through what to do.
So without installing splunk I can still solve it right
You will install it. You'll just be doing the installation in a Linux and a Windows VM through the room.
If you look at task 3 and task 7 on the Setting up a SOC Lab room, you will see the little green icon on the right - Task 3 has a linux virtual machine that you will need to start then follow the guide for installing splunk. Task 7 has a Windows VM. Once you get to Task 7 you will end the Task 3 machine and start the Task 7 machine which will start the Windows machine where you will follow the steps for installing and configuring splunk.
ok so it will be on their vm only
yup!
alright thanks
Thanks @warped hawk for answering these questions.
Gave +1 Rep to @warped hawk
No problem. Ironically I came here originally looking for an answer to the question with Decoder haha. Ended up figuring it out, so don't mind spreading the word.
Let me know if you still have any query.
sure if in future i have i will ask here
Yep
Want to throw it out there:
Room: SigHunt, Challenge #9 - there appears to be a bug. If you have the word 'ransom' anywhere in the description, it errors out when you try to run it.
Error: Sigma Rule too specific (String: random). Focus only on generic IOCs.
I had the word ransomware as part of the description and was going crazy trying to figure it out.
Room: Sigma
With Uncoder.io not being around anymore, I attempted to use the Uncoder AI to figure out the necessary syntax to get the Sigma Rules translated into something usable. I was unable. My theory is that Uncoder.io used to translate into KQL, but the new version doesn't have that as an option. You'll need to seek alternatives. (Note: I'm not certain that's the reason, just seemed like KQL wasn't an option and maybe that's why I can't get it to translate).
I have the same issue with Uncoder AI, the translation doesn't fit for Kibana
Hi, I'm needing a bit of help
I think that it's trying to tell me that in the condition field I should put something to select hashes or the rest of the fields
But when I try to separate hashes from the others creating a new selection it says invalid sigma rule
Thanks in advance
I tried this, but nothing
After doing all the others, I came back to this and I solved it just writing in the CommandLine|contains:
- ' -e'
Thanks anyways
In the Fixit room I'm getting hung up on the line breaks for some reason. I have tested my regex and it appears to be correct, restarted Splunk but it still won't break the events where I want. Here is my props.conf:
[network_logs]
SHOULD_LINEMERGE = true
MUST_BREAK_BEFORE = \WNetwork-log]:/g
Any ideas?
You need to fix this -> MUST_BREAK_BEFORE = \WNetwork-log]:/g - The regex does not seem to be correct.
Yep. I couldn't see the forest for the trees. I fixed the regex and it works fine. thanks
Gave +1 Rep to @odd bronze
@odd bronze -- Great work on the "Fixit" challenge. I was quite stuck yesterday when attempting it (specifically, pulling out the different names properly). I came back to it today after reading some of the Splunk documentation and brushing up on my Regex skills, and finally completed it & learned a lot in the process!
Thank you!
That's great to hear @daring quartz - This challenge actually presents a very common challenge a SOC Analyst would face while ingesting logs from unknown log sources in a day-to-day job. Glad you enjoyed the room.
@cobalt lichen -- I think there is a slight error in "Advanced Elk Queries" on Task 4 & question 2:
How many incidents before December 1st, 2022 has AJohnston investigated where the affected system is either an Email or Web server?
||If the data is sorted from January 1, 2022 to Nov 30th, 2022 -- it returns 64 hits (screenshot). The "correct" answer is 63, but that only works if you sort the data from January 1st, 2022 to Nov 29th, 2022 (screenshot 2). There is an event on Nov. 30th not being accounted for. ||
nice catch tyler
Hi, I'm stuck on Task 6 from Splunk: Data Manipulation. I copied the ./vpnlogs from download to /opt/splunk/etc/apps/DataApp/bin and then created inputs.conf in the same path. However, I didn't find the log from the Splunk GUI (Splunk was well restarted).
Can someone help me at this point? I don't know where I could have misread/mistyped something! Thank you
Resolved, as the inputs.conf is located under ../DataApp/default
Fixit was probably the hardest room in this path 
Your video using extracting fields made everything 10 times easier. Saved me a lot of time
For Logstash: Data Processing Unit, tasks 3, 4, 5 there is no file at all for all 3 installations
anyone had same problem?
"What the regex pattern will help us define the Event's start" question for the Splunk FIXIT room. I can't understand why my answer is not true with [Network_log] as this regex works in my props.conf and logs aren't split anymore by Splunk.
Anyone on this ?
@severe geyser Copy the logs into https://regex101.com/; try using this regex to see if it captures the start of the logs. Hint: It has something to do with the Escape Characters
Can you please check again on the path /home/tools. All installation files are available as shown in the image.
there is no tools
Can you try checking with the username analyst? It should be in the homes directory of the analyst user.
I like watching walkthrough videos in order to learn from other peoples knowledge in the SOC field. I have gained many valuable insights from these videos that are not taught or sometimes not explained as well in the THM rooms. Lately all of the videos related to the SOC level 2 rooms have no sound. Is THM having the sound blocked on these videos for some reason?
Why would THM even do that? THM always appreciate and encourage these content creators.
I agree but there doesn't seem to be any other explanation. If I click on any other video the sound works fine. It's only the SOC level 2 related videos that don't have sound.
Can you provide a few room URLs so we can investigate? :)
Here are 3 links but I have had several others with no sound. I just didn't have time to find them all. https://www.youtube.com/watch?v=WJKVIKCNlmc&list=PLrY_AbzZGqt8Cw_lcF5YT3LPG2uJpKlkY&index=9
Sorry, I forgot to hit the reply before I posted the comment above.
Hey, I don't know if it is the proper way to ask a question or not, but I'm currently on the SOC L-2 path and solving the Malbuster room, and there is a question that is not accepting the actual answer. Do any of you also face this issue? The question is:
Based on VirusTotal detection, what is the malware signature of malbuster_2 according to Avira? The answer is clearly present on VirusTotal, but the site isn't accepting it. The answer is HEUR/AGEN.1306860
I know Djalil probably didn't add audio because rooms in SOC are self-explanatory, also he used to do this kind of walkthrough often with some music or without any sound (many YouTubers do) but I will ask him if he added audio and if there is any issue.
I guess Avira has changed its malware signature database because I got the answer and it is according to the previous malware signature.
It is HEUR/AGEN.1202219
Hope TryHackMe will update its answer as it is causing some inconvenience and wasting time.
Team is looking into it. Thank you for bringing this up. @plucky ledge
Fixed the issue. Thanks for raising it here.
Gave +1 Rep to @plucky ledge
Hi, reg101.com is not working anymore. What other website should I use?
There are no URLs in that message.
Not sure if I missed anything but the task is asking me to use an existing report that isn't available on Splunk
Well apparently it doesn't let me attach screenshots here anymore
Can you please share the room name - for us to understand the query and respond accordingly?
You'll need to verify your account to do so.
^
Done!
Hi I am stuck at Slingshot room with this question:
What was the first scanner that the attacker ran against the web server?
Any help will be highly appreciated. Thanks
Please don't spam the same concern in multiple channels. Someone will get to you when they get a chance or know the answer.
Threat modelling module not accepting the answer on the number of techniques in APT33. Task 4
Anybody?
Hi, can someone help me with the Caldera room?
During the execution of the sixth ability, what is the title of the Sigma rule that flagged the usage of the string 'join ''; $split'?
events are not generated by heating up some alternative?
Hello,
I'm struggling with the Rule Writing & Conversion of Sigma Room
When i try to translate my Sigma Rule using Uncoder.io or Sigma-cli/Sigmac the CurrentDirectory field of the rule does not match the process.working_directory field name expected in winlogbeat index
I checked walkthrough videos on YouTube and on their side they don't have the same output query as me.
There are a few differences I noticed:
- In videos all field parameters end with .text
- CurrentDirectory is well translated into process.working_directory.text
Anyone know what I'm doing wrong?
This is the output of sigmac and Uncoder.io:
((process.command_line:--install AND process.command_line:start-with-win) AND CurrentDirectory:C:\ProgramData\AnyDesk.exe
Note that I removed the useless wildcard and backslash in the query
I'm currently working on the Advanced Static Analysis room, trying to follow through one of the early tasks to use Ghidra against Hello World, in the instructions it is stated "To find the assembly code for HelloWorld.exe, we will **double-click on .text **in the Program Trees section", but when I click .text in Ghidra, I don't see the same data that can be seen in the screenshot that goes along with that instruction in the room, which means I can't answer one of the questions on that task. Now, most likely it's a me problem, it usually is, but can anyone else confirm or deny what I'm seeing? Even better yet, can anyone point me in the right direction?
What I see when I click on .text
What I'm meant to see, according to the room:
So I feel like I am beating my head on this. I am on the FixIt room. I've created the regex needed to group the different fields that are needed for the challenge. After creating my three conf files, Splunk still doesn't show the custom fields! I checked my regex on regex101, and it shows me that I have it correct. I just don't know what I am missing. Any help would be appreciated
Also I have looked over different write-ups to check my work, they are doing the same thing I am doing. So not sure what I am missing.
Update: I overcomplicated my regex and tried to pull both the path from the domain and the timestamp at the end of the log. Both of which were the reasons for the issues I faced. I additionally asked ChatGPT to simplify my regex and tested it against the sample logs. It worked well, so I put it in the transforms file with the updated group numbers, and it worked. Remember: fast is slow, slow is simple, simple is safe
Hello, I have some issue in the MalDoc: Static Analysis room, Task 7, in defang URL. I find it but the answer is incorrect
Just wondering, did you manually defang or use Cyberchef?
If manual, I recommend CyberChef, and if you did already use it, then you possibly selected the wrong URL. Aside from that the only thing I can think is there was some error during copy and paste?
Yeah sure
|| hxxp[://]aristonbentre[.]com/slideshow/01uPzXd2YscA/ ||
Maybe slap a spoiler tag over it
You hand typed it into cyber chef didn't you?
Always copy and paste where possible.
That first 0 is not the number zero, it should be the letter O
Other than that looks the same as mine
you mean in aristonbentre???
no, the last part of the URL
it's o not 0 (zero)
Between the forward slashes
aa yeah
done
But CyberChef gave me that one
How to fix this error in the future?
And thank you so much for your help
You're welcome
Hello. Currently in the Tactical Detection room, Task 3, last question regarding the source of the log. I see what the result is but it seems not to work anymore, it is accepting a longer answer. I have checked two different blogs and the result should be what I see but it does not work. Any help there?
I have a question about Wazuh. Has anyone used the ion-storm XML listed in the Wazuh room on their agent ossec.conf file? If so do you know where to find the XML for the manager rules that would work with the ion-storm agent XML?
Could anyone recommend some good reverse engineering resources like free books, online courses, or tutorials? Thanks in advance!
Sigma room
Soc 2
The Kibana service isn't working and I can't access it to restart the service
Does anyone provide help here ?
I have raised this and the team are working on it
Thank you
Gave +1 Rep to @river sedge (current: #53 - 137)
Hello! Currently in the Threat Emulation | CALDERA room. I am stuck in Task 3. Can someone support me?
https://tryhackme.com/r/room/caldera
I waited so that "All system ready".
Accessed using provided Username and Password.
I managed to get to [Deploy Agent] screen and chose Manx.
The problem is that all the fields are blocked and empty.
These rooms aren't working as they're supposed to:
- Sigma
- Aurora EDR
Is the problem solved?
Hello! Yes. Thank you
Gave +1 Rep to @real shoal (current: #865 - 4)
Hi, I'm currently on the "Practice Time" task in the Malware Analysis module, in the x86 assembly crash course room.
For the lea instruction code, why, after the instruction mov [ebx+ecx], eax, is the value in 0x4b equal to 0x50000000 instead of 0x00000050 (which was the value of eax)?
Hi all,
Anybody had experience connecting a machine with Snort to a network and using it in "inline" mode for IPS? I've been through all of Snort's resource videos and their documentation but I can't find if they tell where to physically connect to your network to accomplish "inline" mode.
Does anybody have insight into this topic?
Hi Rosana!.. I am having the same problem... How did you solve your problem? Could you help/guide me please? At the beginning, I thought I was making a mistake somewhere.. I'm stuck on Task 3, when I run the cmd in PowerShell in the Windows device I connected, it gives a series of red errors and Caldera didn't deploy an agent... So, I couldn't complete other tasks...
But now, I am sure it is not me.. it looks like something changed and the written guidance needs to be updated... Am I wrong? What did you do?
I'm in the Splunk: Data Manipulation room, trying to start Splunk via the terminal .. bin/splunk start. I'm getting permission errors, so I do sudo bin/splunk start and it starts, but when I create the DataApp the DataApp/bin directory is not accessible. Any suggestions?
anyone here can help me? support is asking me to come here for help
The answer is : sudo chown -R $USER:$USER /opt/splunk The $USER:$USER part is what tripped me, I was looking for a splunk user which did not exist. Thanks to @Noodles
just saw this.
Yes you have to be in the opt dir then use ./splunk start
Don't forget to use https://docs.splunk.com/Documentation/Splunk/9.3.0/Admin/StartSplunk and https://community.splunk.com/t5/Splunk-Answers/ct-p/en-us-splunk-answers if needed.
it connects to IPS software like picus for example.
Having the same problem
I'm not sure if this is working as intended. It seems like the answer should be Recovery and Lessons Learned. I also looked at 2 write-ups and they came up with the same answer
This is the incident response module in the room Preparation
Answer solved: type in & instead of ampersand
I was stuck on the exact same one
CALDERA room needs to be fixed
there is a mismatch in sigma rules title that is generated in event viewer and the correct answers for task 5
That is true
For the emulation of APT41 for example all the Abilities fail no matter what I do. Is someone having the same thing?
I found my mistake... I was putting the wrong IP in the caldera abilities... There are two IPs: Target IP address and AttackBox IP address.. Needed to be more careful... Every mistake teaches another thing.. Just wanted to share, just in case if there is anyone who get stuck in Caldera Task 4
Hello,
I can figure out what is expected in the easy learning module "intro to logs", task 6, first question. I got no errors filtering, both with the aggregated file or the raw cron file. I found no error which pattern matches the answer format. And the hint didn't help me at all. Can anyone contact me in mp and give me a clue?
@broken kayak Hello brother, what's your progress?
almost 90%
In Shaa Allah, I think I will be done in like a day or 2
Noice
yessirr
Guys Praise be to God, I got the cert @kind remnant
@broken kayak may i dm you?
sure
Anyone else having issues with Caldera? Pasting the Caldera commands into the Remote Desktop PowerShell terminal is disabled for me. Not able to progress beyond this setup stage
On the SOC level 2 path I can't find the right answer for this:
Based on the list of log formats in this task, what log format is used by the log file specified in the note from Task 2?
I'm getting a problem whenever I'm trying to solve Task 4 in the Intro to Logs room.
damianhall@WEBSRV-02:~$ sudo systemctl status rsyslog.service
[sudo] password for damianhall:
Sorry, user damianhall is not allowed to execute '/usr/bin/systemctl status rsyslog.service' as root on WEBSRV-02.
What should I do?
For the Splunk: Setting up a SOC Lab Task 7: I've been waiting over an hour for the splunk_instance to install. After waiting for over an hour I received an error message that said "Splunk Enterprise Setup Wizard has ended prematurely because of an error. Your system has not been modified. To install this program at a later time, run Setup Wizard again. Click the Finish button to exit the Setup Wizard."
issue resolved.
Can you share the screenshot? I just saw this message. Let me know And I will try to figure out the issue.
I do not have a screenshot for it. I will try the lab again tonight and if the same problem occurs again I will snag a screenshot of it.
Can you put the room name, the task number please ?
I have the same issue. And the lab is just too slow. Installing the Splunk instance takes 30 mins!!! When I tried to install on my VM it took less than 5 mins.
Same, I'm facing the same problem, I thought of connecting through mRemoteNG (thought that the problem was the web interface), but unfortunately no credentials.
I'm thinking of creating a Splunk instance on my machine and trying to do only the forwarder in the lab. Any way to get a Splunk instance without filling in the Splunk form?
also it seems there are problems with the lab loading
Are you still having this problem?
It does connect right now, but it takes a lot of time to load the interface and for interactions to take effect
I actually have this problem with mostly all the windows machines.. any idea how to solve it?
I am stuck in task 4 in Log Analysis Intro to Logs
?
Finding answers for tasks 4, 5, 6 is a headache to me. Could you help please?
Yea
Are you in intro to log analysis
Can you describe question over here
So, I can help you
yeah
After configuring rsyslog for sshd, what username repeatedly appears in the sshd logs at /var/log/websrv-02/rsyslog_sshd.log, indicating failed login attempts or brute forcing?
okay no problem
Did you follow these steps?
splunk is the bane of my existence
Hey all I'm having issues with task 4. I've followed the steps to configure rsyslog to collect sshd. When i ssh, it's logged to the file. But that's it. So for the question about brute force, I'm at a bit of a loss. There are no other logs.
Which room ?
Sorry, Intro to logs.
Can you tell us which task and what's the problem?
Sure.
Task 4: Collection, Management, and Centralization
I've followed all the steps outlined in Practical Activity: Log Collection with rsyslog.
I ensured rsyslog is running, created the .conf file with the lines to ensure sshd is logged to the .log file.
Then I restarted rsyslog and tested the log file by running "ssh localhost"
When I check the log file, I see my ssh attempt.
When attempting to answer question 1 related to brute forcing SSH, there are no other logs in the log file other than my ssh attempts.
Go to /var/log/websrv-02/ dir
I'm there.
Do you see file rsyslog_sshd.log
Yes
Try to open it up
I ran "cat rsyslog_sshd.log" the only logs in there are my own when I was testing it's functionality.
Try to use tail instead of cat
Same result. Only my login attempts.
Can you provide a screenshot?
I don't have permissions to do that.
You do but you will need to verify first
You're right. I forgot about the machine from Task 2. Thanks.
Yeah, you can use the machine in split-screen view on the website
Thank you.
Anytime buddy, feel free to reach out whenever you need help
ah yes joseph blargh blurgh
Alright well I don't really get the joke but it's making me feel dumb for posting so that's that I guess.
I just seen this.
You removed your name from the cert, but there is a THM flag in the cert that reveals the name.
In Intro to Log Analysis, task 7, question 1: How would you modify the original grep pattern above to match blog posts with an ID between 20-29?
Isn't the answer ||post=2[2-6]||??? Or something I didn't do right?
We need posts from 20 to 29, so try with || post=2[0-9] ||
I see, thank you brate
Gave +1 Rep to @young echo (current: #1 - 3838)
TryHackMe you failed with your fucking shit exam. That's the worst I have ever seen in my life. No SOC except a SOC which has no idea what they are doing is working like this. I canceled my subscription and hopefully many others will do this.
Your AI sucks fully.
Remove this exam, sit down and create a better one which is competitive
Please reach out to #feedback-and-ideas and don't post the same message over multiple channels.
If you continue, I may have to mute you.
I'm a bit stuck on the fixit room.
I'm trying to answer the question about the 3 files used to fix the problem. I put them in there in alphabetical order but it's saying it's wrong.
I put the 3 .conf files I used, in alphabetical order, but it's saying it's wrong. It's saying the answer may not be in English
What is your answer?
Inputs.conf, props.conf, transforms.conf
Which task and which question?
Fixit room.
Question: Which configuration files were used to fix our problem? [Alphabetical order: File1, file2, file3]
You got two right
check the first one once again
Just got it. Thanks.
Gave +1 Rep to @young echo (current: #1 - 4402)
Thanks @young echo for stepping in and responding on time
Gave +1 Rep to @young echo (current: #1 - 4416)
Anytime
Hi, I am completely stuck on the Fixit room and do not see what I am missing with the custom fields extraction. I have the 3 required files and to me they seem right. Does anyone have a pointer as to what is wrong with my configuration?
Is anyone facing the instance termination issue in the Splunk: Setting up a SOC Lab room, Task 7?
I reached thm support through mail
Is no one doing the SOC Level 2 path?
I'm facing the same issue again
In Aurora EDR room
Instance is automatically terminated due to cost cutting management
the batch file in Task7 is not working properly and not producing events in event viewer
@young echo
@young echo spam message here
Removed
For Storage, Retention, and Deletion in Intro to Logs, are the answers wrong?
logrotate config
/var/log/websrv-02/rsyslog_sshd.log {
daily
rotate 30
compress
lastaction
DATE=$(date +"%Y-%m-%d")
echo "$(date)" >> "/var/log/websrv-02/hashes_"$DATE"rsyslog_sshd.txt"
for i in $(seq 1 30); do
FILE="/var/log/websrv-02/rsyslog_sshd.log.$i.gz"
if [ -f "$FILE" ]; then
HASH=$(/usr/bin/sha256sum "$FILE" | awk '{ print $1 }')
echo "rsyslog_sshd.log.$i.gz "$HASH"" >> "/var/log/websrv-02/hashes"$DATE"_rsyslog_sshd.txt"
fi
done
systemctl restart rsyslog
endscript
}
Questions
- Based on the logrotate configuration /etc/logrotate.d/99-websrv-02_cron.conf, how many versions of old compressed log file copies will be kept?
- Based on the logrotate configuration /etc/logrotate.d/99-websrv-02_cron.conf, what is the log rotation frequency?
I typed 30 and daily for each question respectively, but it says I'm wrong.
Update
Based on the letters requirement in the second question, I guessed hourly and it is correct. And based on that I used 24 because there are 24 hours in a day and it is also correct. Maybe the content of the lesson got changed but THM forgot to change the answers.
I'm getting this error in the Atomic Red Team room Task 5
@young echo
need help
Add --accept-eula
--license-path string, I'll try adding this manually
it says there is no license
@young echo THM should fix this, everyone is facing it
I found it in a writeup
also windows vms are crashing in atomic bird rooms
aurora is also not working in Caldera room
license expired
@young echo please inform someone Aurora is not working in any rooms
@cobalt lichen
same problem in atomic red team room
@river sedge
I am not a staff member, I don't have access to machine configuration. You can send a report in the #1333993673381253162 channel
Not sure if this is the right channel for my question. I don't see a malware analysis channel here. So I'm just going to put my question here. I'm working on the Basic Static Analysis and the machine has the FLARE tool. In the readme.txt, it said "Please change the virtual machine network mode to Host Only to prevent...". I don't think I need to do that because I'm on the THM platform (not using my own VM). Am I correct?
yes
thanks
Gave +1 Rep to @woeful aspen (current: #3119 - 1)
guys can you help ?
i can't execute Procmon in the VM
Run as admin
I did; in fact, the problem was that I needed to run the x64 version and the shortcut was x86, so I accessed the Sysinternals suite in the C drive to run the x64 version
Guys, there's a problem with the oletools from the MalDoc room! @fringe ice
hello, need help. Why can't I type anything in the fields
app.contact.http, app.contact.tcp, agents.implant_name, and app.contact.udp?
must be a resolution problem
I'm in the same module as you, and I'm having problems with the challenges where you should use Aurora to answer, but the license expired last month
maybe too late, but why not: check this #room-help message
alright, time to learn how to decompile and reverse-engineer
Just asking, they have the AttackBox mainly used for pentesting. Do they have a defense box? A VM purposely used for malware analysis, forensics or anything? I know there's a VM in each room, but do they have a global VM for defense?
Hello everyone, I am taking the SOC Level 1 course. I have a question: in the SOC Level 1 classroom, when I complete all 9 rooms in SOC 1, will I be provided with a certificate of completion for the SOC Level 1 classroom, or do I have to register for the final certificate exam in that classroom to complete the room?
You get a cert for path completion but if you want a SOC L1 cert you gotta pay
Hello everybody,
Sorry if this isn't the ideal place to ask, but since the SOC L1 path was recently revamped, I'm wondering: is there a chance the SOC L2 path will also be updated in the near future?
There is a possibility of a revamp as many modules in SOC L2 path are more than 3 years old.
Really enjoying this path so far!
This person is promoting his business @noble terrace @visual fiber @young echo
? How can you explain
Is this not your personal business?
You first tell me how I promoted it. Is giving free resources wrong?
Is this not your personal business?
First tell me @dense vale
Where i mentioned this ?
You are promoting your own business; that is not a resource
That's what I'm asking
Explain to me how!!
You saying this
my business
Is this not your personal business?
Whatever you are asking, tell me that first
This is an English-language server. Please do not use other languages in this server
You should read rule 7 in #rules
Alright, just tell me! That's what I'm asking
Please Don't Argue
You are promoting your own business; that's why I reported it to the moderators
Not arguing, champ, but before saying anything about anyone, first know about that
Again, that's what I am asking, so tell me, friend, where do you see that as my business? Yes, I wrote it like this
seems like SAMCommunity
I Don't want to argue
Go to Google and do research first about the organisation, and then tell me anything
Don't tell me
I didn't delete it, man!!!
what is that then
Deleted by a moderator, or maybe a server admin
When you tagged him and made a fake allegation
so why did you think a moderator deleted that?
Did you want me to tag a moderator again?
I am not wrong. I first checked, then reported it
Hi everyone!
Has anyone solved Task 5 in the CALDERA room?
The question is:
"During the execution of the fifth ability, what is the value of the Match Strings field in Zip A Folder With PowerShell For Staging In Temp detection?"
I checked the Sigma rule "Zip A Folder With PowerShell For Staging In Temp - PowerShell (see Details tab for more information)".
In the rule, I found the following:
Match_Strings: 'Compress-Archive -Path $env:USERPROFILE\\Downloads -DestinationPath $env:TEMP'
Opcode: 0
However, this doesn't seem to be the correct answer.
If anyone has solved this or has any hints, I'd really appreciate your help!
Hello guys,
I'm stuck in SOC L1 Alert Reporting. The question is: What flag did you receive after correctly escalating the alert from the previous task to L2? Note: If you correctly escalated the alert earlier, just edit the alert and click "save" again
MY ANSWER IS
THM{nice_attempt_faking_microsoft_support}, but it says incorrect answer. Searching on the internet and a medium.com blog also show this answer. CAN ANYONE PLEASE HELP ME WITH THIS QUESTION
The answer is "THM{good_job_escalating_your_first_alert}"
Oh it's too late
Did anyone complete the "Aurora EDR" room? The batch file is not updated and the attack machines are too slow; they frequently get stuck.
yep, had the same issues with the Aurora EDR batch file. The SOC2 path seems to have a lot of old data (answers, files, etc.)
Hey everyone,
A quick heads up from the room dev team. We've started refreshing the Advanced Splunk and Elastic content (you should already see some improvements), and over the coming months, we'll be taking a closer look at SOC L2 path issues and the covered topics.
Thanks for your active involvement and for your feedback on the rooms. Stay tuned!
Hey, I'm new
Hey everyone, just enrolled in the SOC Level 2 path and I'm new here
Hi I'm new here
I want to ask if the recommended learning path is good enough for SAL2.
Can anyone who has taken the SAL2 test tell me about this?
Hey, the recommended resources from this page should be enough. But since the exam is practical, I'd also suggest completing THM blue challenges and reading external sources on what typical attacks on AD/AAD/Linux/Cloud look like. It should help with the hardest scenarios.
