This is a Write up for the Threat Intelligence Tools Room Created by Tryhackme & SecurityNomad

Task5: PhishTool

PhishTool is the tool we will be learning to use in this task.

This room shows us how to use PhishTool. Keep in mind there are two versions, Community and Enterprise; you are required to sign up for a Community account to complete this room.

The core features include:

  • Perform email analysis: PhishTool retrieves metadata from phishing emails and provides analysts with the relevant explanations and capabilities to follow the email’s actions, attachments, and URLs to triage the situation.
  • Heuristic intelligence: OSINT is baked into the tool to provide analysts with the intelligence needed to stay ahead of persistent attacks and understand what TTPs were used to evade security controls and allow the adversary to social engineer a target.
  • Classification and reporting: Phishing email classifications are conducted to allow analysts to take action quickly. Additionally, reports can be generated to provide a forensic record that can be shared.

What are we missing by not using the enterprise version?

  • Can’t manage user-reported phishing events
  • Can’t report phishing email findings back to users to keep them updated
  • No integrations with O365 or Google

PhishTool accepts .eml, .msg and .txt files for submission.

Finally time for the Scenario:

You are a SOC Analyst and have been tasked to analyze a suspicious email, Email1.eml. To solve the task, open the email using Thunderbird on the attached VM, analyze it and answer the questions below.

Go to the “Emails” folder that is on the desktop > right-click the file Email1.eml > open with Thunderbird.

Questions:

  • What social media platform is the attacker trying to pose as in the email?

The icon on the top left did not load for me, as the hint mentioned, but we can easily identify it, even if we haven’t seen this email many times before, by looking at the text at the bottom.

The Answer is LinkedIn

  • What is the sender’s email address?

    See the “From” field on top

    The Answer is darkabutla@sc500.whpservers.com

    • What is the recipient’s email address?

    See the “To” Field on top

    The Answer is cabbagecare@hotsmail.com

    • What is the Originating IP address? Defang the IP address.

    Since the room machine does not have access to the internet, let’s boot up our AttackBox (see the top of the room).

    On the Target machine:

    cd Desktop
    cd Emails
    python3 -m http.server

    On the Attacker box:

    cd Desktop
    wget http://iptargetmachine:8000/Email1.eml

    I forgot the file names were case sensitive, hence you will see my first attempt to wget the file fail.

    Let’s load up PhishTool in our AttackBox to finally use this new tool!

    Clicking on Analysis, we can upload our Email1.eml to investigate further.

    Going back to the question of what the originating IP address is, we can clearly see it. Next, the question asks us to defang it.

    If you don’t know the practice of defanging in the security world, here is a quick breakdown:

    Defanging is the process of modifying potentially harmful content such as URLs, scripts, or malware code so that it becomes harmless and cannot be accidentally executed or clicked. This is commonly done when sharing malicious links, file paths, or exploit code in reports, documentation, or forums to prevent unintentional activation.

    1. Defanging URLs
      • Original: http://malicious-site.com
      • Defanged: hxxp://malicious-site[.]com
      • The http is changed to hxxp, and . is replaced with [.] to prevent accidental clicks.
    2. Defanging IP Addresses
      • Original: 192.168.1.1
      • Defanged: 192[.]168[.]1[.]1
      • This prevents automatic recognition as a valid IP address.
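The two transformations above, written out as an added example (not code from the room, PhishTool, or CyberChef) so the rule is explicit: it defangs and refangs URLs, domains and IPv4 addresses, stays idempotent on already-defanged input, and can sweep every IP in a free-text header line.

```python
import re

# Added example: defang/refang indicators so they can be pasted into a report
# without being clickable or auto-linked. Same rules as the breakdown above:
#   http:// -> hxxp://, https:// -> hxxps://, '.' -> '[.]'
_SCHEME_RE = re.compile(r"^http(s?)://", re.IGNORECASE)
_DEFANGED_SCHEME_RE = re.compile(r"^hxxp(s?)://", re.IGNORECASE)
_DOT_RE = re.compile(r"(?<!\[)\.(?!\])")            # a '.' not already wrapped as '[.]'
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def defang(indicator: str) -> str:
    """Defang a URL, domain, or IPv4 address.

    Already-defanged input is returned unchanged, so it is safe to call twice.
    """
    out = _SCHEME_RE.sub(lambda m: "hxxp" + m.group(1) + "://", indicator)
    return _DOT_RE.sub("[.]", out)


def refang(indicator: str) -> str:
    """Reverse defang() so an indicator can be fed to a lookup tool again.

    Also undoes the '[:]' variant some analysts use for the scheme separator.
    """
    out = indicator.replace("[.]", ".").replace("[:]", ":")
    return _DEFANGED_SCHEME_RE.sub(lambda m: "http" + m.group(1) + "://", out)


def defang_ips_in_text(text: str) -> str:
    """Defang every IPv4 address in free text, e.g. a Received: header line."""
    return _IPV4_RE.sub(lambda m: defang(m.group(0)), text)


if __name__ == "__main__":
    for sample in ("http://malicious-site.com", "192.168.1.1"):
        print(sample, "->", defang(sample))
```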

    Now that it’s clear, let’s use CyberChef (a quick Google search will guide you to it) to make this easy for us:

    • What is the Originating IP address? Defang the IP address.

    The Answer is: 204[.]93[.]183[.]11

    • How many hops did the email go through to get to the recipient?

    For this answer we just need to click on the originating IP to show all the “hops”.

    The answer is: 4
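Counting hops and finding the originating IP by hand, as an added example (not code from the room or PhishTool): each mail server prepends its own Received: header, so the number of Received: headers is the hop count and the oldest (bottom-most) one names the sending host; the same parse also answers the sender/recipient questions above. The message, addresses and IPs are constructed for this example.

```python
import ipaddress
import re
from email import message_from_bytes, policy

# Added example: read the hop chain and originating IP from a raw .eml using
# only Python's standard email library.

# Constructed sample message: hosts, addresses and IPs are made up for this
# example (RFC 5737 documentation ranges), not taken from Email1.eml.
SAMPLE_EML = b"""Received: from mx4.example.net (mx4.example.net [198.51.100.4])
\tby inbox.example.com with ESMTP; Tue, 1 Jan 2030 10:00:04 +0000
Received: from relay3.example.net (relay3.example.net [198.51.100.3])
\tby mx4.example.net with ESMTP; Tue, 1 Jan 2030 10:00:03 +0000
Received: from relay2.example.net (relay2.example.net [198.51.100.2])
\tby relay3.example.net with ESMTP; Tue, 1 Jan 2030 10:00:02 +0000
Received: from sender-host (unknown [203.0.113.77])
\tby relay2.example.net with ESMTP; Tue, 1 Jan 2030 10:00:01 +0000
From: "Account Support" <support@example.org>
To: victim@example.com
Subject: Please confirm your account

Click the link to confirm.
"""

# "from <host> (... [a.b.c.d])" clause at the start of a Received: header
_FROM_CLAUSE_RE = re.compile(r"^from\s+\S+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]",
                             re.IGNORECASE | re.DOTALL)


def parse_eml(raw: bytes):
    """Parse raw message bytes; policy.default unfolds multi-line headers."""
    return message_from_bytes(raw, policy=policy.default)


def received_hops(msg):
    """Received: headers oldest-first. Each MTA prepends its own header, so
    the raw order is newest-first and has to be reversed."""
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def hop_count(msg) -> int:
    """Number of hops = number of Received: headers in the chain."""
    return len(msg.get_all("Received", []))


def originating_ip(msg):
    """IPv4 address in the 'from' clause of the oldest Received: header.
    Returns None when the chain is empty or carries no bracketed IP."""
    hops = received_hops(msg)
    if not hops:
        return None
    m = _FROM_CLAUSE_RE.search(hops[0])
    return str(ipaddress.ip_address(m.group(1))) if m else None


def addresses(msg):
    """(sender, recipient) addr-specs from the From: and To: headers."""
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else None
    recipient = msg["To"].addresses[0].addr_spec if msg["To"] else None
    return sender, recipient


def is_public(ip: str) -> bool:
    """Private/loopback addresses are useless for a reputation lookup."""
    return ipaddress.ip_address(ip).is_global


if __name__ == "__main__":
    m = parse_eml(SAMPLE_EML)
    print("hops:", hop_count(m))
    print("originating IP:", originating_ip(m))
    print("from/to:", addresses(m))
```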

    Cisco Talos Intelligence

    IT and Cybersecurity companies collect massive amounts of information that could be used for threat analysis and intelligence. Being one of those companies, Cisco assembled a large team of security practitioners called Cisco Talos to provide actionable intelligence, visibility on indicators, and protection against emerging threats through data collected from their products. The solution is accessible as Talos Intelligence.

    Cisco Talos encompasses six key teams:

    • Threat Intelligence & Interdiction: Quick correlation and tracking of threats provide a means to turn simple IOCs into context-rich intel.
    • Detection Research: Vulnerability and malware analysis is performed to create rules and content for threat detection.
    • Engineering & Development: Provides the maintenance support for the inspection engines and keeps them up-to-date to identify and triage emerging threats.
    • Vulnerability Research & Discovery: Working with service and software vendors to develop repeatable means of identifying and reporting security vulnerabilities.
    • Communities: Maintains the image of the team and the open-source solutions.
    • Global Outreach: Disseminates intelligence to customers and the security community through publications.

    More information about Cisco Talos can be found in their white paper.

    Talos Dashboard

    Accessing the open-source solution, we are first presented with a reputation lookup dashboard with a world map. This map shows an overview of email traffic with indicators of whether the emails are legitimate, spam or malware across numerous countries. Clicking on any marker, we see more information associated with IP and hostname addresses, volume on the day and the type.

    At the top, we have several tabs that provide different types of intelligence resources. The primary tabs that an analyst would interact with are:

    • Vulnerability Information: Disclosed and zero-day vulnerability reports marked with CVE numbers and CVSS scores. Details of the vulnerabilities reported are provided when you select a specific report, including the timeline taken to get the report published. Microsoft vulnerability advisories are also provided, with the applicable snort rules that can be used.

    • Reputation Center: Provides access to searchable threat data related to IPs and files using their SHA256 hashes. Analysts would rely on these options to conduct their investigations. Additional email and spam data can be found under the Email & Spam Data tab.

    Task 6

    Use the information gathered from inspecting the Email1.eml file from Task 5 to answer the following questions using Cisco Talos Intelligence.

    Answer the questions below

    • What is the listed domain of the IP address from the previous task?

    Using Cisco Talos, we can put in the IP we found in the last task and gather the needed info.

    The Answer is: scnet.net

    • What is the customer name of the IP address?

    The WHOIS was not pulling any data for me, so in the terminal on the AttackBox I did a
    whois 204.93.183.11 and scrolled down till I could pull the answer to the question.

    The Answer is: Complete Web Reviews

    Task 7

    Scenario: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported. 

    Task: Use the tools and knowledge discussed throughout this room (or use your resources) to help you analyze Email2.eml found on the VM attached to Task 5 and use the information to answer the questions.

    Answer the questions below

    • Question: According to Email2.eml, what is the recipient’s email address?

      Let’s upload this email into PhishTool and see what it can show us!

      Ok this is an easy one! Who was the email sent to?

      The answer is: chris.lyons@supercarcenterdetroit.com

      • Question: On VirusTotal, the attached file can also be identified by a Detection Alias, which starts with an H.

      Let’s view the attachment section; what we will want to copy is the SHA-256 hash.

      Then look it up on virustotal.com via the search bar to find the following information:


      As we expected! This file is most likely not the one our recipient was looking for :-).

      The Answer is: HIDDENEXT/Worm.Gen

      Task 8

      Scenario 2: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported.

      Task: Use the tools and knowledge discussed throughout this room (or use your resources) to help you analyze Email3.eml found on the VM attached to Task 5 and use the information to answer the questions.

      Answer the questions below

      1. What is the name of the attachment on Email3.eml?
      2. What malware family is associated with the attachment on Email3.eml?

      Just like last time, let’s copy the SHA-256 hash and search for it in VirusTotal.

      The family labels here should help us answer this question:

      Let’s also look this up in another tool we learned about a while back: MalwareBazaar (Malware sample exchange).

      Note: When searching in MalwareBazaar, make sure to use the proper search syntax.

      MalwareBazaar is screaming out the answer for us under Signature, and in the large red box!

      The Answer is: dridex

      Congratulations on completing Threat Intelligence Tools!!! 🎉

       

      This is a Write up for the MITRE Room Created by heavenraiza

       

      TASK 1 & 2 are simple click-and-complete tasks.

       

      TASK 3

      Question 1: Only blue teamers will use the ATT&CK Matrix? (Yay/Nay)

       

      Question 2: We need to head over to https://attack.mitre.org/

      *Keep in mind the room says to start your research on the Phishing page.

       

      Question 3: is found under the Mitigations section on the Phishing page

       

      Question 4: can be found under the Detection section of this same page

       

      Question 5: Is located on the same page near the top

       

      Question 6: Click on the Groups link to learn more about them; the information is located under Associated Group Descriptions.

       

      Question 7: is located under the Software Section

       

      Question 8: When we click the hyperlink for PsExec, we are led to a page about the tool and who has been known to use it, which will help us answer this question.

       

      Question 9: Click on the FIN5 Group hyperlink to be taken to their page to find the next answers

       

      Question 10: This is located under the Software section, where we learn that the Windows Credential Editor is used by FIN5.

       

      And here is our TASK 3 Recap

       

      Task 4

      Question 1: Splunk search is pseudo

       

      Question 2: Head to https://attack.mitre.org/, click on the search icon on the top right and enter TA0003; if we click on the first link, we are taken to a page showing what type of tactic this is.

       

      Question 3: Head to https://car.mitre.org/; I searched for Zeek.

       

      Question 4: Head to https://car.mitre.org/analytics/; I searched for hash (only 3 results).

       

      Question 5: There is a section for Test Cases located on the same page

      TASK 4 Recap

       

      TASK 5

      Question 1 & 2: We need to go to https://shield.mitre.org/ > Matrix. This lists all the techniques, and we see that Detect has the most.

       

      Question 3: A quick search from the search bar shows that DTE0011 is Decoy Content.

       

      Question 4: Involves continuing your search from DTE0011.

       

      Question 5: https://shield.mitre.org/attack_mapping/mapping_all > get here by using the navigation bar and clicking ATT&CK Mapping > Overview > then a few lines down there is a hyperlink for the complete mapping.

       

      Task 5 Recap

       

      TASK 6

      Question 1: Click the APT3 hyperlink they provided in the room to find this answer

       

      Question 2: This can be located via https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf > Phase 2 > Persistence | utilize the table of contents to find this easily!

       

      Question 3: This can be found by reading the First Scenario section via https://attackevals.mitre-engenuity.org/APT29/operational-flow

       

      Question 4: This can be found by reading the Second Scenario section via https://attackevals.mitre-engenuity.org/APT29/operational-flow

      Task 6 Recap

       

      TASK 7

      Question 1 & 2: We need to head back to MITRE and use the navigation bar to search groups (or here is a link: https://attack.mitre.org/groups/). A search on the page for Aviation reveals that APT33 is the group that may target us in this scenario.

      Question 3: Go to the APT33 Group page https://attack.mitre.org/groups/G0064/ > scroll to Software.

       

      Question 4: If we take a look at the techniques they use, under T1078.004 we find the information below to help us find this answer.

       

      Question 5: Further on this page we have a Detection writeup that we can use.

       

      Question 6: On the top right of the page we will find the ID information to finish up this room!

      Task 7 Recap

       

      Thanks for stopping by and I hope this is able to help you complete any tasks/questions that were proving difficult to find!

       

       

      CISSP Domain 1 Study notes and Resources

      Security Governance

      CIA / DAD

      (insert photo)               

       

      Parkerian Hexad

      (insert photo)

       

      • Confidentiality
      • Integrity
      • Availability
      • Authenticity
      • Utility
      • Possession or Control

       

      Confidentiality Terms

      Sensitivity – The level of damage or harm that could occur if the asset is revealed or disclosed.

      Discretion – The ability for a person to control the level of access to, or disclosure of, an asset.

      Criticality – The level of importance of an asset to the mission or objective.

      Concealment – The act of hiding or preventing disclosure of an asset.

      Secrecy – The practice of preventing or limiting information disclosure.

      Privacy – The protection of confidential or personal information.

      Seclusion – The act of storing something in a location that is out of the way and thus not easily observed or found.

      Isolation – The act of keeping something separate from other things that are similar in nature.

       

      Integrity Terms

      Accuracy – The degree to which the data is correct and precise.

      Truthfulness – The quality of a source of information being factual and realistic.

      Validity – The quality of an asset being genuine.

      Accountability – The condition of a person or entity being held responsible for their actions.

      Responsibility – The obligation of a person or entity to take ownership.

      Completeness – The quality of an asset that has all its necessary parts or components.

      Comprehensiveness – The quality of an asset being complete in scope, and fully inclusive of all relevant elements.

       

      Availability Terms

      Usability – The state of being easily learned, understood, utilized or controlled by a subject.

      Accessibility – The assurance that, under a wide range of circumstances, an asset can be used by a subject regardless of capabilities or limitations.

      Timeliness – An asset (for example, information) needs to be prompt and available within a reasonable time frame with low latency.

       

      Auditing and Accounting

      • Auditing – Internal process of providing a manual or systematic, measurable technical assessment of a system or application.
      • Accounting – Logging of access to and use of information resources.
      • Accountability – Tracing actions to their source.
      • Non-Repudiation – The assurance that an action taken cannot be denied.
      • Identification – Claiming an identity, i.e. a username.
      • Authentication – Proving your identity, i.e. a password, fingerprint or PIN.
      • Authorization – What you are allowed to do / have access to after you are authenticated.

       

      Security Terms – P4 and P5

      Asset – Anything of Value

      Threat – event or action that could potentially cause damage to an asset or an interruption of service.

      Threat Actor – Person, group or other entity that could potentially damage, attack or compromise a system resource.

      • ||| Finish this section |||

       

      IT Governance Institute – www.itgi.org

       

      Security Control Frameworks

       

      ISO/IEC 27000 Series

      • Security program Development standard on developing and maintaining an Information Security Management System (ISMS)
      • 27000:2018 – Overview of ISMSs and vocabulary
      • 27001:2013 – ISMS Requirements
      • 27002:2013 – Code of Practice for IS controls
      • 27003:2017 – Guidance on the requirements for an ISMS
      • 27004:2016 – ISMS monitoring, measurement, analysis, and evaluation guidelines

       

      Zachman Framework

      • Six Communication Questions
        • What
        • Where
        • When
        • Why
        • Who
        • How
      • Perspectives
        • Executive
        • Business Management
        • Architect
        • Engineer
        • Technician
        • Enterprise

       

      TOGAF – The Open Group Architecture Framework

      • Technology
      • Applications
      • Data
      • Business

       

      DoDAF – Department of Defense Architecture Framework

      • AV – All Viewpoint
      • CV – Capability Viewpoint
      • DIV – Data and Information Viewpoint
      • OV – Operational Viewpoint
      • PV – Project Viewpoint
      • SvcV – Services Viewpoint
      • StdV – Standards Viewpoint
      • SV – Systems Viewpoint

       

      MODAF

      • StV – Strategic Viewpoint
      • OV – Operational Viewpoint
      • SOV – Service-Oriented Viewpoint
      • SV – Systems Viewpoint
      • AcV – Acquisition Viewpoint
      • TV – Technical Viewpoint
      • AV – All Viewpoint

       

      SABSA

      • Sherwood Applied Business Security Architecture

      (insert photo)

       

      COBIT – Control Objectives for Information and Related Technology

      • Five Principles
        • Meeting Stakeholder Needs
        • Covering the Enterprise End-to-End
        • Applying a Single Integrated Framework
        • Enabling a Holistic Approach
        • Separating Governance from Management
      • Seven Enablers
        • Principles, Policies, and Frameworks
        • Processes
        • Organizational Structures
        • Culture, Ethics, and Behavior
        • Information
        • Services, Infrastructure, and Applications
        • People, Skills, and Competencies


      NIST – National Institute of Standards and Technology – 800 Special Publication Series

       

      HITRUST CSF (Common Security Framework)

      • 14 control categories
        • 0.0: Information Security Management Program
        • 1.0: Access Control
        • 2.0: Human Resources Security
        • 3.0: Risk Management
        • 4.0: Security Policy
        • 5.0: Organization of Information Security
        • 6.0: Compliance
        • 7.0: Asset Management
        • 8.0: Physical and Environmental Security
        • 9.0: Communications and Operations Management
        • 10.0: Information Systems Acquisition, Development, and Maintenance
        • 11.0: Information Security Incident Management
        • 12.0: Business Continuity Management
        • 13.0: Privacy Practices

       

       

      Center for Internet Security – CIS – Critical Security Controls

      1. Inventory and control of hardware assets
      2. Inventory and control of software assets
      3. Continuous vulnerability management
      4. Controlled use of administrative privileges
      5. Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers
      6. Maintenance, monitoring, and analysis of audit logs
      7. Email and web browser protections
      8. Malware defenses
      9. Limitation and control of network ports, protocols, and services
      10. Data recovery capabilities
      11. Secure configurations for network devices, such as firewalls, routers, and switches
      12. Boundary defense
      13. Data protection
      14. Controlled access based on the need to know
      15. Wireless access control
      16. Account monitoring and control
      17. Implement a security awareness training program
      18. Application software security
      19. Incident response and management
      20. Penetration tests and red team exercises

       

       

      COSO – Committee of Sponsoring Organizations of the Treadway Commission Framework

      • Control Environment
      • Risk Assessment
      • Control Activities
      • Information and communication
      • Monitoring Activities

       

      OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation

      (insert photo)

       

      ITIL – Information Technology Infrastructure Library

      • These certifications are GREAT add-ons for CISSP
      • Currently at v4

       

      Six Sigma

      (insert photo) and example

       

      CMMI – Capability Maturity Model Integration

       

      CRAMM – CCTA Risk Analysis and Management Method

      • Qualitative Risk Analysis Management tool
      • Three Steps
        • Identify and value assets
        • Identify threats and vulnerabilities and calculate risks
        • Identify and prioritize countermeasures

       

       

      Due Care vs Due Diligence

      [write definitions]

      https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/security-and-risk-management/due-care-vs-due-diligence/

       

      Major Legal Systems

      • Civil Code Law
        • Napoleonic
      • Common Law
        • Criminal Law
        • Civil Tort Law
        • Administrative Law
      • Customary Law
      • Religious
      • Mixed

       

      US Information Privacy Law – page 19  

      • FERPA
      • ECPA
      • HIPAA
      • GLBA
      • COPPA
      • USA PATRIOT Act
        • USA Freedom Act
      • SOX
      • FCRA

       

      Licensing and Intellectual Property

      Patents

      Trademarks

      Copyright

      Trade Secrets

      Two Issues

      • Piracy / Licensing
      • DRM – Digital Rights Management

       

       

      CCCA – Comprehensive Crime Control Act of 1984

       

      CFAA – Computer Fraud and Abuse Act – 1986

      Raised threshold of damage from $1000 to $5000

      • Any computer used exclusively by the US gov
      • Any computer used exclusively by a financial institution
      • Any computer …, when the offense impedes the ability of the government or institution to use that system
      • Any combination of computers used to commit an offense when they are not all located in the same state
      • Amended in 1986, 1994 (Computer Abuse Amendments), 1996, 2001, 2002, 2008

       

      Federal Sentencing Guidelines

      • Formalized the Prudent Man Rule
      • Minimize punishment by demonstrating due diligence
      • Three burdens of proof for negligence
        • Legally recognized obligation
        • Failed to comply with recognized standards
        • Causal relationship between the negligent act and damages

       

      National Information Infrastructure Protection Act of 1996 – NIIPA

      • Set of amendments to the CFAA

       

       

      FISMA – Federal Information Security Management Act – 2002

      Replaced and Repealed

      • Computer Security Act of 1987 (CSA)
      • GISRA – General Information Security Reform Act of 2000

       

      FISMA – Federal Information Systems Modernization Act – 2014

       

      Cybersecurity Enhancement Act – 2014

      • NIST SP 800-53
      • NIST SP 800-171
      • NIST CSF

      National Cybersecurity Protection Act – 2014

       

      Risk Terminology

      • Asset
      • Asset Valuation
      • Threats
        • Threat Agent – usually people – intentional
        • Threat Event – Accidental (but could be intentional)
      • Vulnerability
      • Exposure
      • Risk
        • Risk = threat * vulnerability
      • Safeguard
      • Attack
      • Breach

       

      Quantitative Risk Analysis

       

      AV – Asset Value

      EF – Exposure Factor

      SLE – Single Loss Expectancy

      ARO – Annualized Rate of Occurrence

      ALE – Annualized Loss Expectancy

       

      Single Loss Expectancy

      SLE = AV x EF

      SLE = $20,000 x 25%

      SLE = 20,000 x 0.25 = 5,000

      SLE = $5,000

       

      Annualized Loss Expectancy

      ALE = SLE x ARO

      ALE = 5,000 x 0.5 = 2,500

      ALE = $2,500

       

      Value of the Safeguard

      (ALE before Safeguard) – (ALE After Safeguard) – (Annual Cost of the Safeguard) = Value of Safeguard

       

      (ALE1 – ALE2) – ACS = Cost Benefit / Value

      (2500 – 500) – 1000 = 1000
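The SLE, ALE and safeguard-value formulas above as working functions, written here as an added example (not from the notes or the linked Thor Teaches page): it reproduces the notes’ $20,000 / 25% / ARO 0.5 figures and then goes one step further by ranking several constructed safeguard options by cost/benefit, which is how the formula is actually used when choosing between controls.

```python
from dataclasses import dataclass

# Added example: quantitative risk analysis formulas from the notes.
#   SLE = AV x EF        ALE = SLE x ARO        Value = (ALE1 - ALE2) - ACS


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy. EF is a fraction (25% -> 0.25)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy: expected loss per year."""
    return single_loss * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE before) - (ALE after) - (annual cost of safeguard).
    Positive means the control saves more than it costs; negative means
    it is more expensive than the risk it removes."""
    return (ale_before - ale_after) - annual_cost


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # ACS
    residual_ef: float      # exposure factor once the control is in place
    residual_aro: float     # annual rate of occurrence once the control is in place


def rank_safeguards(asset_value, exposure_factor, aro, options):
    """Score each option with safeguard_value() and return (name, value)
    pairs sorted best-first. Generalizes the single case in the notes."""
    ale_before = ale(sle(asset_value, exposure_factor), aro)
    scored = []
    for sg in options:
        ale_after = ale(sle(asset_value, sg.residual_ef), sg.residual_aro)
        scored.append((sg.name, safeguard_value(ale_before, ale_after, sg.annual_cost)))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed options. "backups" reproduces the notes' (2500 - 500) - 1000 = 1000:
# same EF, but the ARO drops from 0.5 to 0.1, so ALE after = 5000 x 0.1 = 500.
OPTIONS = (
    Safeguard("backups", annual_cost=1000, residual_ef=0.25, residual_aro=0.1),
    Safeguard("do nothing", annual_cost=0, residual_ef=0.25, residual_aro=0.5),
    Safeguard("gold-plated", annual_cost=4000, residual_ef=0.0, residual_aro=0.0),
)

if __name__ == "__main__":
    for name, value in rank_safeguards(20000, 0.25, 0.5, OPTIONS):
        print(f"{name:12s} value = {value:8.0f}")
```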

       

      Residual Risk = Inherent Risk – Countermeasures

      Residual Risk = Total Risk x Controls gap

      Residual risk = total risk – security controls

       

      A Great Resource for Risk Analysis by Thor – https://thorteaches.com/cissp-certification-quantitative-risk-analysis/