[Walkthroughs] TryHackMe room "Eviction" Quick Writeup #nosound | "SOC Level 1" Learning Path
[Walkthroughs] TryHackMe room "Eviction" Quick Writeup
Another video in the "SOC Level 1 path" on TryHackMe
Unearth the monster from under your bed.
Sunny is a SOC analyst at E-corp, which manufactures rare earth metals for government and non-government clients. She receives a classified intelligence report that informs her that an APT group (APT28) might be trying to attack organizations similar to E-corp. To act on this intelligence, she must use the MITRE ATT&CK Navigator to identify the TTPs used by the APT group, to ensure it has not already intruded into the network, and to stop it if it has.
Please visit this link to check out the MITRE ATT&CK Navigator layer for the APT group and answer the questions below.
Answer the questions below
What is a technique used by the APT to both perform recon and gain initial access?
Sunny identified that the APT might have moved forward from the recon phase. Which accounts might the APT compromise while developing resources?
E-corp has found that the APT might have gained initial access using social engineering to make the user execute code for the threat actor. Sunny wants to identify if the APT was also successful in execution. What two techniques of user execution should Sunny look out for? (Answer format: technique 1 and technique 2)
If the above technique was successful, which scripting intrpreters should Sunny search for to identify successful execution? (Answer format: technique 1 and technique 2)
While looking at the scripting interpreters identified in Q4, Sunny found some obfuscated scripts that changed the registry. Assuming these changes are for maintaining persistence, which registry keys should Sunny observe to track these changes?
Sunny identified that the APT executes system binaries to evade defences. Which system binary's execution should Sunny scrutinize for proxy execution?
Sunny identified tcpdump on one of the compromised hosts. Assuming this was placed there by the threat actor, which technique might the APT be using here for discovery?
It looks like the APT achieved lateral movement by exploiting remote services. Which remote services should Sunny observe to identify APT activity traces?
It looked like the primary goal of the APT was to steal intellectual property from E-corp's information repositories. Which information repository can be the likely target of the APT?
Although the APT had collected the data, it could not connect to the C2 for data exfiltration. To thwart any attempts to do that, what types of proxy might the APT use? (Answer format: technique 1 and technique 2)
Congratulations! You have helped Sunny successfully thwart the APT's nefarious designs by stopping it from achieving its goal of stealing the IP of E-corp.
Room URL: https://tryhackme.com/r/room/summit
Contact Details
Blog: https://cyberwar.ro/
Twitter: https://twitter.com/VictorPetrescu
Видео [Walkthroughs] TryHackMe room "Eviction" Quick Writeup #nosound | "SOC Level 1" Learning Path канала CyberWar
Another video in the "SOC Level 1 path" on TryHackMe
Unearth the monster from under your bed.
Sunny is a SOC analyst at E-corp, which manufactures rare earth metals for government and non-government clients. She receives a classified intelligence report that informs her that an APT group (APT28) might be trying to attack organizations similar to E-corp. To act on this intelligence, she must use the MITRE ATT&CK Navigator to identify the TTPs used by the APT group, to ensure it has not already intruded into the network, and to stop it if it has.
Please visit this link to check out the MITRE ATT&CK Navigator layer for the APT group and answer the questions below.
Answer the questions below
What is a technique used by the APT to both perform recon and gain initial access?
Sunny identified that the APT might have moved forward from the recon phase. Which accounts might the APT compromise while developing resources?
E-corp has found that the APT might have gained initial access using social engineering to make the user execute code for the threat actor. Sunny wants to identify if the APT was also successful in execution. What two techniques of user execution should Sunny look out for? (Answer format: technique 1 and technique 2)
If the above technique was successful, which scripting intrpreters should Sunny search for to identify successful execution? (Answer format: technique 1 and technique 2)
While looking at the scripting interpreters identified in Q4, Sunny found some obfuscated scripts that changed the registry. Assuming these changes are for maintaining persistence, which registry keys should Sunny observe to track these changes?
Sunny identified that the APT executes system binaries to evade defences. Which system binary's execution should Sunny scrutinize for proxy execution?
Sunny identified tcpdump on one of the compromised hosts. Assuming this was placed there by the threat actor, which technique might the APT be using here for discovery?
It looks like the APT achieved lateral movement by exploiting remote services. Which remote services should Sunny observe to identify APT activity traces?
It looked like the primary goal of the APT was to steal intellectual property from E-corp's information repositories. Which information repository can be the likely target of the APT?
Although the APT had collected the data, it could not connect to the C2 for data exfiltration. To thwart any attempts to do that, what types of proxy might the APT use? (Answer format: technique 1 and technique 2)
Congratulations! You have helped Sunny successfully thwart the APT's nefarious designs by stopping it from achieving its goal of stealing the IP of E-corp.
Room URL: https://tryhackme.com/r/room/summit
Contact Details
Blog: https://cyberwar.ro/
Twitter: https://twitter.com/VictorPetrescu
Видео [Walkthroughs] TryHackMe room "Eviction" Quick Writeup #nosound | "SOC Level 1" Learning Path канала CyberWar
Комментарии отсутствуют
Информация о видео
6 августа 2024 г. 22:09:31
00:11:31
Другие видео канала
![[ChatGPT] I build a ChatGPT Agent so you don't have to](https://i.ytimg.com/vi/A4E4m8szVeY/default.jpg)
![[Bug Bounty Money] - $18,900 - Episode 1 - Week 11 / 2023](https://i.ytimg.com/vi/MWr_PTjHK8k/default.jpg)
![TryHackMe Advent of Cyber 2023 - [Day 7] Log analysis ‘Tis the season for log chopping!](https://i.ytimg.com/vi/pWIQAGUIsVc/default.jpg)
![TryHackMe Advent of Cyber 2023 - [Day 12] Defence in depth Sleighing Threats, One Layer at a Time](https://i.ytimg.com/vi/lNN9f-cYjUY/default.jpg)
![TryHackMe Advent of Cyber 2023 - [Day 14] Machine learning The Little Machine That Wanted to Learn](https://i.ytimg.com/vi/1cPdhoaTL7o/default.jpg)
![[Walkthroughs] TryHackMe room "DFIR: An Introduction" Writeup](https://i.ytimg.com/vi/tadg5HbFX08/default.jpg)
![Advent of Cyber 2022 - [Day 16] Secure Coding SQLi’s the king, the carolers sing](https://i.ytimg.com/vi/vw3dwFPI0gU/default.jpg)
![[Bug Bounty] I scanned 864,552 sites again with axiom-scan and built a Favicon hash database](https://i.ytimg.com/vi/o8es-jAuNzI/default.jpg)
